right right right, when not using the host IP, the source IP comes from the cluster, despite cilium egress gateway being enabled

so I had to add the pod network range to AllowedIPs on the cloud side, and that is indeed different on the new cluster.

this of course is not ideal, because if I wanted to join multiple, I could, but I'd have to modify the talos wireguard config, with the node's podCIDR which is known only after joining the cluster.... bleh

There should be some masquarading going on with the egress gateway, right?

Anyhow this is exactly the issue I was facing a while ago when I lost momentum on the blog the last time so it has gone full circle

#Homelab #Kubernetes #Wireguard #Networking

@bradley I'm NOT exposing my #pihole (s) directly to the internet - I use one at home and another one via #wireguard #vpn whereever I may roam Exposed ports for GUI and "healtchecks" are on a "random" highport which keeps logs mostly clear of "noise". Sometimes some scanners like #censys (or #shodan ) might also find these ports, but #iptables is very helpful
Feel free to ask my via PM if something is not clear. I like feedback to make my docs better.

@zak I'm running #tailscale with exit nodes on my home network, so when I enable it on my phone, I get both ad-blocking DNS (pihole at home) and access to home resources at the same time. Based on #wireguard.

@Edent I use #freedombox which includes #nextcloud. I wonder if this means I can't run #wireguard?

@StaceyCornelius In the past I did configure seperate systems for clients so they can travel without fuss regardless if "P.R." #China or #Russia or the #USA or #KSA...

• The trick is to never have anything on your device and have a dedicaded burner!

Using @tails_live / @tails / #Tails and @torproject / #TorBrowser and when that's not an option, a #SSH-Tunnel / #OpenVPN or #WireGuard-#VPN to be able to #VNC into a machine.

• Remember: They can only extract data that was saved on a machine!

CONSIDER THE #US ENEMY TERRITORY AS IN "If you wouldn't enter #NorthKorea, then why would you enter the USA?"

@ceresbzns You'd probably hate it, as it involves using short-lived nfs mounts through #wireguard tunnels. The hosts in the LAN copy the certs they need in this way. Systemd timers automate this "pulling". I only had to write 10 lines of bash code, in the way of actual programming.

Yes, for some reason, #KDE is way better than #Linux Mint's Cinnamon (or Mate) desktop (LM22), when one has multiple #Wireguard connections.

I'm also really liking how the Bluetooth devices are connected to right from KDE's panel applet - several steps saved. Worked great.

@floe

Through a #wireguard tunnel ssh works in both directions.

With wireguard use PersistentKeepAlive on the "forgetting" side of NAT. Usually a home modem does NAT, so the computer that is not at home needs PersistentKeepAlive, and the home modem ideally has a fixed IP address or a DNS host name.

Odd that /e/os app store fails to find and install #wireguard. Store is logged into google play store. Still it shows some old f-droid version of it, and can't install that either.