[personal profile] frith posting in [community profile] ponyville_trot
For the 15th and final task: "Draw a pony graduating // Draw a pony who just hit the jackpot". I already did a graduated cylinder gag a few years ago. Perhaps I can do something with taking a hit of Cranky Jack's pot? Ugh! I can almost smell the stuff! X^p Maybe it's the wildfire smoke in the air this morning. Confound this NATG! It keeps driving me to pot!

The good news is that there _will_ be a Makeup day on July 1st.

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specify the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the last task at 9 PM (MST) on July 1st. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears.

So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). King Grimlock is _not_ waiting until the cutoff time to prep and queue the gallery. The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.

Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony feeling the heat / pony with their eye on the clock.
[personal profile] altamira16
This is a weird slipstream book that feels like it is trying to horn in on Nick Mamatas's territory sometimes.

Jonathan Abernathy is a lonely adult. He is an orphan, and his life is going nowhere. He goes and begs his old manager at the hotdog stand for a job because he desperately needs the money.

But he is working on a bigger project where he is a dream auditor. At night, he enters people's dreams and sucks away the bad parts so that they can be more productive. (This is the thing that feels Mamatas-like. People are doing weird things because of capitalism.) There are all sorts of things about the dream world that are unclear. What happens to the parts of the dreams that are sucked away? What happens to the lives of the people whose dreams have been changed?

He has a neighbor named Rhoda who has a daughter named Timmy, and sometimes Rhoda asks Jonathan to watch Timmy.

He likes her. He starts seeing her in dreams, but whose dreams are they? Which dreams are real?
[personal profile] frith posting in [community profile] ponyville_trot
The 14th task, will we get lucky? Nope: "Draw a pony living their best life // Draw a pony painting the town red". Am I going to have to draw substance abuse ponies now? Only one more prompt to go!

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specify the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the last task at 9 PM (MST) on June 28th. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Ta da! https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_01215997842.html Technology is magic.

So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). King Grimlock is _not_ waiting until the cutoff time to prep and queue the gallery. The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.

Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony on the job / pony who is the breadwinner.
[personal profile] frith posting in [community profile] ponyville_trot
The 13th task, will we get lucky? Nope: "Draw a pony hitting the road // Draw a pony starting a new chapter of their life". The choices are road abuse (ouch) or autobiography writing. Or bouncing road apples.

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specify the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 26th. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Le voici: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_01781599238.html

So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.

Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony emptying their thoughts / Draw a pony going with the flow. Time to break out the edibles.
[personal profile] mjg59
Single signon is a pretty vital part of modern enterprise security. You have users who need access to a bewildering array of services, and you want to be able to avoid the fallout of one of those services being compromised and your users having to change their passwords everywhere (because they're clearly going to be using the same password everywhere), or you want to be able to enforce some reasonable MFA policy without needing to configure it in 300 different places, or you want to be able to disable all user access in one place when someone leaves the company, or, well, all of the above. There's any number of providers for this, ranging from it being integrated with a more general app service platform (eg, Microsoft or Google) or a third party vendor (Okta, Ping, any number of bizarre companies). And, in general, they'll offer a straightforward mechanism to either issue OIDC tokens or manage SAML login flows, requiring users present whatever set of authentication mechanisms you've configured.

This is largely optimised for web authentication, which doesn't seem like a huge deal - if I'm logging into Workday then being bounced to another site for auth seems entirely reasonable. The problem is when you're trying to gate access to a non-web app, at which point consistency in login flow is usually achieved by spawning a browser and somehow managing submitting the result back to the remote server. And this makes some degree of sense - browsers are where webauthn token support tends to live, and it also ensures the user always has the same experience.

But it works poorly for CLI-based setups. There's basically two options - you can use the device code authorisation flow, where you perform authentication on what is nominally a separate machine to the one requesting it (but in this case is actually the same) and as a result end up with a straightforward mechanism to have your users socially engineered into giving Johnny Badman a valid auth token despite webauthn nominally being unphishable (as described years ago), or you reduce that risk somewhat by spawning a local server and POSTing the token back to it - which works locally but doesn't work well if you're dealing with trying to auth on a remote device. The user experience for both scenarios sucks, and it reduces a bunch of the worthwhile security properties that modern MFA supposedly gives us.

There's a third approach, which is in some ways the obviously good approach and in other ways is obviously a screaming nightmare. All the browser is doing is sending a bunch of requests to a remote service and handling the response locally. Why don't we just do the same? Okta, for instance, has an API for auth. We just need to submit the username and password to that and see what answer comes back. This is great until you enable any kind of MFA, at which point the additional authz step is something that's only supported via the browser. And basically everyone else is the same.

Of course, when we say "That's only supported via the browser", the browser is still just running some code of some form and we can figure out what it's doing and do the same. Which is how you end up scraping constants out of Javascript embedded in the API response in order to submit that data back in the appropriate way. This is all possible but it's incredibly annoying and fragile - the contract with the identity provider is that a browser is pointed at a URL, not that any of the internal implementation remains consistent.

I've done this. I've implemented code to scrape an identity provider's auth responses to extract the webauthn challenges and feed those to a local security token without using a browser. I've also written support for forwarding those challenges over the SSH agent protocol to make this work with remote systems that aren't running a GUI. This week I'm working on doing the same again, because every identity provider does all of this differently.

There's no fundamental reason all of this needs to be custom. It could be a straightforward "POST username and password, receive list of UUIDs describing MFA mechanisms, define how those MFA mechanisms work". That even gives space for custom auth factors (I'm looking at you, Okta Fastpass). But instead I'm left scraping JSON blobs out of Javascript and hoping nobody renames a field, even though I only care about extremely standard MFA mechanisms that shouldn't differ across different identity providers.

Someone, please, write a spec for this. Please don't make it be me.
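The second of the two CLI options described above, a local server that the browser is bounced back to, as an added example that is not code from the post: it binds an ephemeral port on 127.0.0.1, hands out the redirect URI a CLI would put in its authorization request, and accepts only a callback whose state matches the one it generated. The state check and the PKCE helpers are this example's additions (the post does not discuss them); no identity provider is contacted, and the fake callback in the demo stands in for the browser redirect.

```python
"""Loopback-redirect receiver for a CLI login (added example, not code from the post).

Anything on the machine can connect to the port, so a callback is only accepted when
its `state` matches ours; everything else gets a 400 and the receiver keeps waiting.
"""
import base64
import hashlib
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen


def make_pkce_pair():
    """RFC 7636 S256: the verifier stays local, only the challenge goes in the auth request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def verify_pkce(verifier, challenge):
    """What the token endpoint does with the verifier the CLI later sends it."""
    digest = hashlib.sha256(verifier.encode()).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(expected.encode(), challenge.encode())


class LoopbackReceiver:
    """Waits for one valid callback on http://127.0.0.1:<ephemeral port>/callback."""

    def __init__(self):
        self.state = secrets.token_urlsafe(32)
        self.result = None      # {"code": ...} or {"error": ...} once a valid callback lands
        self.rejected = 0       # callbacks dropped for a wrong path or state
        self._done = threading.Event()
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *_):  # keep the CLI quiet
                pass

            def _params(self):
                url = urlparse(self.path)
                if self.command == "POST":  # some providers POST the result (response_mode=form_post)
                    length = int(self.headers.get("Content-Length", "0"))
                    return url.path, parse_qs(self.rfile.read(length).decode())
                return url.path, parse_qs(url.query)

            def _reply(self, status, text):
                body = text.encode()
                self.send_response(status)
                self.send_header("Content-Type", "text/plain; charset=utf-8")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def do_GET(self):
                path, q = self._params()
                state = q.get("state", [""])[0]
                if path != "/callback" or not secrets.compare_digest(state.encode(), receiver.state.encode()):
                    receiver.rejected += 1
                    self._reply(400, "bad callback")
                    return
                if "code" in q:
                    receiver.result = {"code": q["code"][0]}
                else:
                    receiver.result = {"error": q.get("error", ["unknown"])[0]}
                self._reply(200, "Login complete, you can close this window.")
                receiver._done.set()

            do_POST = do_GET

        self._server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self._server.server_address[1]
        threading.Thread(target=self._server.serve_forever, daemon=True).start()

    @property
    def redirect_uri(self):
        return f"http://127.0.0.1:{self.port}/callback"

    def wait(self, timeout):
        """Block until a valid callback arrives or `timeout` seconds pass; returns result or None."""
        got = self._done.wait(timeout)
        self._server.shutdown()
        self._server.server_close()
        return self.result if got else None


def http_get_status(url):
    """Status code a GET to `url` receives (used by the demo to play the browser)."""
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status
    except HTTPError as e:
        return e.code


if __name__ == "__main__":
    rx = LoopbackReceiver()
    verifier, challenge = make_pkce_pair()
    print("redirect_uri:", rx.redirect_uri, "state:", rx.state, "code_challenge:", challenge)
    # Constructed stand-in for the identity provider redirecting the browser back to us.
    http_get_status(f"{rx.redirect_uri}?code=demo-code&state={rx.state}")
    print("result:", rx.wait(5))
```

The receiver deliberately does not stop on a rejected callback, so a stray local process hitting the port cannot terminate the login; only a request carrying the right state ends the wait.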
[syndicated profile] sumana_feed

Posted by Sumana Harihareswara

Last-minute recommendations for New York City's Democratic primary election. (Early voting concluded Sunday; tomorrow, Tuesday the 24th, is the final day to vote.) I'm going to start with lesser-publicized races and move up the ballot. Western Queens …
[personal profile] frith posting in [community profile] ponyville_trot
The 11th task: "Draw a pony trying something new // Draw a pony getting their cutie mark". Didn't we get that first one already? As for the other, how about a cutie mark for accidentally eating insects. Worst. Mark. Ever!

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specify the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 24th. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_01128921257.html

So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.

Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony bouncing back / Draw a pony making a comeback.
[personal profile] frith posting in [community profile] ponyville_trot
The 11th task: "Draw a pony who is dressed to kill // Draw a pony in a fashion crisis". Hockey masks and long knives.

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specify the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 22nd. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Here it is: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_01201350396.html

So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.

Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony shooting for the stars / pony seizing the day. Well, if it ain't knives, it's guns.

My a11y journey

Jun. 20th, 2025 01:11 am
[personal profile] mjg59
23 years ago I was in a bad place. I'd quit my first attempt at a PhD for various reasons that were, with hindsight, bad, and I was suddenly entirely aimless. I lucked into picking up a sysadmin role back at TCM where I'd spent a summer a year before, but that's not really what I wanted in my life. And then Hanna mentioned that her PhD supervisor was looking for someone familiar with Linux to work on making Dasher, one of the group's research projects, more usable on Linux. I jumped.

The timing was fortuitous. Sun were pumping money and developer effort into accessibility support, and the Inference Group had just received a grant from the Gatsby Foundation that involved working with the ACE Centre to provide additional accessibility support. And I was suddenly hacking on code that was largely ignored by most developers, supporting use cases that were irrelevant to most developers. Being in a relatively green field space sounds refreshing, until you realise that you're catering to actual humans who are potentially going to rely on your software to be able to communicate. That's somewhat focusing.

This was, uh, something of an on the job learning experience. I had to catch up with a lot of new technologies very quickly, but that wasn't the hard bit - what was difficult was realising I had to cater to people who were dealing with use cases that I had no experience of whatsoever. Dasher was extended to allow text entry into applications without needing to cut and paste. We added support for introspection of the current application's UI so menus could be exposed via the Dasher interface, allowing people to fly through menu hierarchies and pop open file dialogs. Text-to-speech was incorporated so people could rapidly enter sentences and have them spoken out loud.

But what sticks with me isn't the tech, or even the opportunities it gave me to meet other people working on the Linux desktop and forge friendships that still exist. It was the cases where I had the opportunity to work with people who could use Dasher as a tool to increase their ability to communicate with the outside world, whose lives were transformed for the better because of what we'd produced. Watching someone use your code and realising that you could write a three line patch that had a significant impact on the speed they could talk to other people is an incomparable experience. It's been decades and in many ways that was the most impact I've ever had as a developer.

I left after a year to work on fruitflies and get my PhD, and my career since then hasn't involved a lot of accessibility work. But it's stuck with me - every improvement in that space is something that has a direct impact on the quality of life of more people than you expect, but is also something that goes almost unrecognised. The people working on accessibility are heroes. They're making all the technology everyone else produces available to people who would otherwise be blocked from it. They deserve recognition, and they deserve a lot more support than they have.

But when we deal with technology, we deal with transitions. A lot of the Linux accessibility support depended on X11 behaviour that is now widely regarded as a set of misfeatures. It's not actually good to be able to inject arbitrary input into an arbitrary window, and it's not good to be able to arbitrarily scrape out its contents. X11 never had a model to permit this for accessibility tooling while blocking it for other code. Wayland does, but suffers from the surrounding infrastructure not being well developed yet. We're seeing that happen now, though - Gnome has been performing a great deal of work in this respect, and KDE is picking that up as well. There isn't a full correspondence between X11-based Linux accessibility support and Wayland, but for many users the Wayland accessibility infrastructure is already better than with X11.

That's going to continue improving, and it'll improve faster with broader support. We've somehow ended up with the bizarre politicisation of Wayland as being some sort of woke thing while X11 represents the Roman Empire or some such bullshit, but the reality is that there is no story for improving accessibility support under X11 and sticking to X11 is going to end up reducing the accessibility of a platform.

When you read anything about Linux accessibility, ask yourself whether you're reading something written by either a user of the accessibility features, or a developer of them. If they're neither, ask yourself why they actually care and what they're doing to make the future better.
[personal profile] frith posting in [community profile] ponyville_trot
The 10th task pair asks: "Draw a pony learning a new skill // Draw a pony with their nose to the grindstone". Well, Celestia has time on her hooves and is a lousy thespian. She could learn to be a mime.

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, eventually. King Grimlock forgot to make a submission form for prompt 10. When it finally emerges it'll be the usual: you will be able to enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 20th. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Here it is: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_0834910267.html

So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.

Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony at the beach / pony catching some sun. Well, these are more reasonable than KG's asks.

More tiny excitements

Jun. 18th, 2025 09:31 pm
[personal profile] azurelunatic
* Shelves are fairly well stuffed. The other brackets have arrived, so we can go get more boards and tiny hardware at our convenience.
* There is now Shelf in the living room. Things are going in it.
* Household tidying progresses.
* Today I filled boxes for 13 weeks of my morning and evening pills. It feels like it took less time than usual, but I think that's a trick of the light. I think I usually start later in the day, and keep going until it's dark. It took about four and a half hours; I try to allocate at least 5.
* This means that I've got pills packed until sometime in September. Go, me?
* Juneteenth is tomorrow!
* Turns out that being a director at a certain kind of non-technical organization means that you spend evenings face-down in the user interface level of a misbehaving database. I am chockablock with sympathy.
* Yellface is adorable, and likes to spend the part of the day when I'm awake but still in bed sitting on my legs.
* Had games and pizza with friends last week; they've got a young-ish teenager placed with them right now. She wasn't up for games but she did appear to fill her water bottle. Luna-cat is very curious about new people and apparently charged her, which was off-putting. I faded early.
* I got some new bras; I'll have to add pockets but the test wear was promising!
* Nobody told me about the dragons in The Priory of the Orange Tree, everyone just mentioned the lesbians.
* There's a new serial at [personal profile] the_comfortable_courtesan!!!
[personal profile] frith posting in [community profile] ponyville_trot
The 9th task pair asks: "Draw a pony as your favorite fictional character // Create a crossover between pony and a franchise of your choice". Like, Bambi's mother foals a My Little Pony? Pinkie chugs gummiberry juice?

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specify the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 18th. KG threw me a wobbler the last two times in a row... and yep, unguessable: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_0279562510.html .

So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.

Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony experiencing something beyond their wildest dreams / pony doing the unexpected. Again, how the hell do you draw that?
[personal profile] mjg59
I'm lucky enough to have a weird niche ISP available to me, so I'm paying $35 a month for around 600MBit symmetric data. Unfortunately they don't offer static IP addresses to residential customers, and nor do they allow multiple IP addresses per connection, and I'm the sort of person who'd like to run a bunch of stuff myself, so I've been looking for ways to manage this.

What I've ended up doing is renting a cheap VPS from a vendor that lets me add multiple IP addresses for minimal extra cost. The precise nature of the VPS isn't relevant - you just want a machine (it doesn't need much CPU, RAM, or storage) that has multiple world routeable IPv4 addresses associated with it and has no port blocks on incoming traffic. Ideally it's geographically local and peers with your ISP in order to reduce additional latency, but that's a nice to have rather than a requirement.

By setting that up you now have multiple real-world IP addresses that people can get to. How do we get them to the machine in your house you want to be accessible? First we need a connection between that machine and your VPS, and the easiest approach here is Wireguard. We only need a point-to-point link, nothing routable, and none of the IP addresses involved need to have anything to do with any of the rest of your network. So, on your local machine you want something like:

[Interface]
PrivateKey = privkeyhere
ListenPort = 51820
Address = localaddr/32

[Peer]
Endpoint = VPS:51820
PublicKey = pubkeyhere
# Only the VPS end of the link is accepted for now; this gets widened further down.
AllowedIPs = vpswgaddr/32


And on your VPS, something like:

[Interface]
Address = vpswgaddr/32
SaveConfig = true
ListenPort = 51820
PrivateKey = privkeyhere

[Peer]
PublicKey = pubkeyhere
AllowedIPs = localaddr/32


The addresses here are (other than the VPS address) arbitrary - but they do need to be consistent, otherwise Wireguard is going to be unhappy and your packets will not have a fun time. Bring that interface up with wg-quick and make sure the devices can ping each other. Hurrah! That's the easy bit.

Now you want packets from the outside world to get to your internal machine. Let's say the external IP address you're going to use for that machine is 321.985.520.309 and the wireguard address of your local system is 867.420.696.005. On the VPS, you're going to want to do:

iptables -t nat -A PREROUTING -p tcp -d 321.985.520.309 -j DNAT --to-destination 867.420.696.005

Now, all incoming packets for 321.985.520.309 will be rewritten to head towards 867.420.696.005 instead (make sure you've set net.ipv4.ip_forward to 1 via sysctl!). Victory! Or is it? Well, no.

What we're doing here is rewriting the destination address of the packets so instead of heading to an address associated with the VPS, they're now going to head to your internal system over the Wireguard link. Which is then going to ignore them, because the AllowedIPs statement in the config only allows packets coming from your VPS, and these packets still have their original source IP. We could rewrite the source IP to match the VPS IP, but then you'd have no idea where any of these packets were coming from, and that sucks. Let's do something better. On the local machine, in the peer, let's update AllowedIPs to 0.0.0.0/0 to permit packets from any source to appear over our Wireguard link. But if we bring the interface up now, it'll try to route all traffic over the Wireguard link, which isn't what we want. So we'll add Table = off to the interface stanza of the config to disable that, and now we can bring the interface up without breaking everything but still allowing packets to reach us. However, we do still need to tell the kernel how to reach the remote VPN endpoint, which we can do with ip route add vpswgaddr dev wg0. Add this to the interface stanza as:

PostUp = ip route add vpswgaddr dev wg0
PreDown = ip route del vpswgaddr dev wg0


That's half the battle. The problem is that they're going to show up there with the source address still set to the original source IP, and your internal system is (because Linux) going to notice it has the ability to just send replies to the outside world via your ISP rather than via Wireguard and nothing is going to work. Thanks, Linux. Thinux.

But there's a way to solve this - policy routing. Linux allows you to have multiple separate routing tables, and define policy that controls which routing table will be used for a given packet. First, let's define a new table reference. On the local machine, edit /etc/iproute2/rt_tables and add a new entry that's something like:

1 wireguard


where "1" is just a standin for a number not otherwise used there. Now edit your wireguard config and replace Table = off with Table = wireguard - Wireguard will now update the wireguard routing table rather than the global one. Now all we need to do is to tell the kernel to push packets into the appropriate routing table - we can do that with ip rule add from localaddr lookup wireguard, which tells the kernel to take any packet coming from our Wireguard address and push it via the Wireguard routing table. Add that to your Wireguard interface config as:

PostUp = ip rule add from localaddr lookup wireguard
PreDown = ip rule del from localaddr lookup wireguard

and now your local system is effectively on the internet.

You can do this for multiple systems - just configure additional Wireguard interfaces on the VPS and make sure they're all listening on different ports. If your local IP changes then your local machines will end up reconnecting to the VPS, but to the outside world their accessible IP address will remain the same. It's like having a real IP without the pain of convincing your ISP to give it to you.
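The whole procedure above, assembled into its end state for any number of home hosts, as an added example that is not code from the post: it renders the home-side wg0.conf with the policy routing, the matching VPS-side interface with its DNAT rule, and the rt_tables entry, and it refuses inconsistent input (the post's "they do need to be consistent" point) before anything is deployed. Host names, addresses, ports and the key placeholders are constructed; the PersistentKeepalive line and the note about FORWARD policy are this example's additions, not something the post says.

```python
"""End state of the VPS + Wireguard + policy-routing setup (added example, not the post's code).
Names, addresses, ports and key placeholders are constructed; real keys come from
`wg genkey` / `wg pubkey`.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str          # also the routing-table name for /etc/iproute2/rt_tables
    table_id: int      # numeric id for that table (any number not already used there)
    public_ip: str     # extra world-routable IPv4 on the VPS this host answers on
    host_wg_addr: str  # home end of the link ("localaddr" in the post)
    vps_wg_addr: str   # VPS end of the link ("vpswgaddr" in the post)
    listen_port: int   # UDP port the VPS listens on for this host; one per host
    host_pubkey: str
    vps_pubkey: str

def validate(hosts, vps_endpoint):
    """Refuse what makes Wireguard 'unhappy': unparsable or clashing addresses, or a
    reused listen port / routing table. Returns True or raises ValueError."""
    ipaddress.IPv4Address(vps_endpoint)
    seen_addrs, seen_ports, seen_tables = set(), set(), set()
    for h in hosts:
        for a in (h.public_ip, h.host_wg_addr, h.vps_wg_addr):
            ipaddress.IPv4Address(a)  # AddressValueError on 321.985.520.309-style values
            if a in seen_addrs:
                raise ValueError(f"{h.name}: address {a} used twice")
            seen_addrs.add(a)
        if h.listen_port in seen_ports:
            raise ValueError(f"{h.name}: listen port {h.listen_port} used twice")
        if h.table_id in seen_tables or h.name in seen_tables:
            raise ValueError(f"{h.name}: routing table {h.table_id}/{h.name} used twice")
        seen_ports.add(h.listen_port)
        seen_tables.update((h.table_id, h.name))
    return True

def is_consistent(hosts, vps_endpoint):
    try:
        return validate(hosts, vps_endpoint)
    except ValueError:
        return False

def render_host_conf(h, vps_endpoint):
    """wg0.conf at home. wg-quick spells the key 'Table'; the AllowedIPs route lands in
    that table and the ip rule sends replies from our link address through it."""
    return f"""[Interface]
PrivateKey = <home private key for {h.name}>
Address = {h.host_wg_addr}/32
Table = {h.name}
PostUp = ip route add {h.vps_wg_addr}/32 dev %i
PostUp = ip rule add from {h.host_wg_addr} lookup {h.name}
PreDown = ip rule del from {h.host_wg_addr} lookup {h.name}
PreDown = ip route del {h.vps_wg_addr}/32 dev %i

[Peer]
PublicKey = {h.vps_pubkey}
Endpoint = {vps_endpoint}:{h.listen_port}
# 0.0.0.0/0: DNATed packets arrive with the original client's source address.
AllowedIPs = 0.0.0.0/0
# Addition: home is behind NAT and the VPS has no Endpoint for it; keep the mapping open.
PersistentKeepalive = 25
"""

def render_vps_conf(h):
    """One interface per home host on the VPS, each on its own port with its own DNAT."""
    dnat = f"PREROUTING -p tcp -d {h.public_ip} -j DNAT --to-destination {h.host_wg_addr}"
    return f"""[Interface]
Address = {h.vps_wg_addr}/32
ListenPort = {h.listen_port}
PrivateKey = <VPS private key for {h.name}>
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A {dnat}
PreDown = iptables -t nat -D {dnat}
# If the FORWARD chain's policy is DROP (Docker sets that), also ACCEPT traffic to and from {h.host_wg_addr}.

[Peer]
PublicKey = {h.host_pubkey}
# Replies to DNATed connections are sourced from the home link address, so this suffices.
AllowedIPs = {h.host_wg_addr}/32
"""

def render_all(hosts, vps_endpoint):
    """File name -> contents for every piece, after validation."""
    validate(hosts, vps_endpoint)
    files = {}
    for h in hosts:
        files[f"home/{h.name}/wg0.conf"] = render_host_conf(h, vps_endpoint)
        files[f"home/{h.name}/rt_tables.line"] = f"{h.table_id} {h.name}"
        files[f"vps/wg-{h.name}.conf"] = render_vps_conf(h)
    return files

# Constructed sample input: two home machines behind one VPS with two spare addresses.
VPS_ENDPOINT = "198.51.100.7"
EXAMPLE_HOSTS = (
    Host("mediabox", 100, "203.0.113.10", "10.99.0.2", "10.99.0.1", 51820, "HOMEPUB1", "VPSPUB1"),
    Host("gitbox", 101, "203.0.113.11", "10.99.1.2", "10.99.1.1", 51821, "HOMEPUB2", "VPSPUB2"),
)

if __name__ == "__main__":
    for name, body in render_all(EXAMPLE_HOSTS, VPS_ENDPOINT).items():
        print(f"# {name}\n{body}")
```

Each home host gets its own point-to-point link, table and VPS-side port, so adding a machine is one more Host entry; the validator is what stops a copy-pasted port or link address from silently breaking the handshake.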

Profile: terriko
Page generated Jun. 30th, 2025 02:19 am
Powered by Dreamwidth Studios