undefined | Better HN

0 pointschadsix1y ago0 comments

>but it’s basically a mitm no?

Yes [1]

You could try IPv6.rs (shameless plug). We provide a routed IPv6 IP and reverse proxy for IPv4. We made it easy to run servers with Cloud Seeder [2], our open source server manager.

[1] https://blog.ipv6.rs/understanding-tls-mitm-and-privacy-poli...

[2] https://github.com/ipv6rslimited/cloudseeder

0 comments

illiac7861y ago

What I want is a transparent reverse proxy for both IPv4 and IPv6. Ideally it should work with encrypted SNI and ECH, using a static IP, because this is where the internet is going and anything else is probably a dead end I would like to avoid investing time in today.

Ideally, it has some simple firewall IDS/IPS capabilities (limit destination ports, limit source IPs…).

My threat scenario is, once someone has my home IP, they can cut off my internet very easily, just brute force traffic to my IP will clog my internet access.

The same would work via the above described reverse proxy, but I can diagnose it and turn off the proxy. My self hosted services will be down but at least I have Internet. If my home IP is known, there isn’t much I can do… My ISP doesn’t rotate the IP of a user very often (think months).

Currently I feel that cloudflare tunnelling is less worse than the above described risk, but it’s far from ideal, hence looking for alternatives.

chadsixOP1y ago

> Ideally it should work with encrypted SNI

IPv6.rs doesn't work with ESNI because you'll have to decrypt the encrypted packet to read it. Cloudflare decrypts your traffic so it can read it.

> If my home IP is known,

IPv6.rs hides your home IP. The only exposed IP will be the IPv6 IP you receive from IPv6rs. The reverse proxy proxies to your IPv6 address, so your home IP will never be exposed (and technically you could change the IPv6rs IP if you wanted to at ANYTIME).

If you're interested in giving it a shot I can give you a coupon that discounts significantly!

illiac7861y ago

Im sorry if it’s a trivial question, but why does a “dumb” forwarder have to decrypt the packet? I only need to tunnel/forward it, static destination IP, there are no decisions taken on the base of the SNI as far as I can tell.

I need IPv4 as well unfortunately, still.

1 more reply

j / k navigate · click thread line to collapse

0 comments

illiac7861y ago

Ideally, it has some simple firewall IDS/IPS capabilities (limit destination ports, limit source IPs…).

My threat scenario is, once someone has my home IP, they can cut off my internet very easily, just brute force traffic to my IP will clog my internet access.

Currently I feel that cloudflare tunnelling is less worse than the above described risk, but it’s far from ideal, hence looking for alternatives.

chadsixOP1y ago

> Ideally it should work with encrypted SNI

IPv6.rs doesn't work with ESNI because you'll have to decrypt the encrypted packet to read it. Cloudflare decrypts your traffic so it can read it.

> If my home IP is known,

If you're interested in giving it a shot I can give you a coupon that discounts significantly!

illiac7861y ago

I need IPv4 as well unfortunately, still.

1 more reply

j / k navigate · click thread line to collapse