Basically what I want to do is setup a machine that provides an exit-node. All traffic out of the exit-node should then go into a VPN service. Basically I like mullvad but I can't seem to use the tailscale exit-node reliably due to hit-or-miss encounters with draconian firewalls. I think these firewalls are using IP not any sort of SPI. I need to hop off one of my devices first. Goal:

[my clients] -> [my exit-node] -> [mullvad servers] -> [internet] 

If I use the tailscale mullvad directly from what I understand (i.e. my testing) it seems to end up functioning this way which is honestly preferred except for these annoying firewalls I encounter periodically (I'm trying to use this on my phone since I can't mix VPNs with tailscale on Android):

[my clients] -> [mullvad servers] -> [internet] 

The reason this doesn't work is apparently mullvad servers are blacklisted by various public networks. It affects my laptop but that's not as big a deal as my phone losing internet on some public wifis when cell network is unreachable. This works just fine, but looses the VPN hop (which is why I think packet inspection is not involved):

[my clients] -> [my exit-node] -> [internet] 

So my question is how can I make traffic hop to the exit-node first? Is this something that can be configured in tailscale or do I need to do some sort of packet engineering on the exit-node server? Is there a way to configure the tailnet to use my exit-node as first hop?
Can anyone suggest any examples or tutorials? Would learning about pi-hole setups and configs help? I am unfamiliar with pi-hole. I'm just looking for some guidance about where to focus my efforts.

spoiler
Discord: sbt5634
Add me on discord and ask anything you want, the offer you got and maybe we make something work out. I don't bite!!!
🦈WE LOVE LOYAL CLIENTS SO WE GIVE DISCOUNTS FOR RECURRING CLIENTS🦈
🦈FREE GAMES AFTER THE BOOST IS DONE ON MULTIPLE RANKS BOOSTS🦈
🦈 WE USE VPN AND OFFLINE MODE AND DO NOT CHARGE EXTRA FOR IT!!!🦈
🦈CHAT DISABLED FOR SOLO BOOSTS AND SAME SUMMONERS AS THE CLIENT🦈
🕵️‍♀️We offer INCOGNITO BOOSTING which means that the booster will play on different accounts for MAXIMUM discretion. You can ask us on discord for more details. 🕵️‍♀️
🦈 At your request SOLO BOOSTS can be STREAMED on discord or twitch on anonymous accounts so that the client can LEARN and see everything we do on the account for MAXIMUM SECURITY 💯
🦈I boost all day long so we finish fast with high win rate🦈
Hello guys.
Me and a friend , both challenger solo queue monsters decided to give some help to those in need with climbing for a fair price. We can cover every role but preferably Jungle, Support and ADC. Also we offer duo boosting for those who want to play with the booster and learn from them. We offer general tips and tricks for an easier climb and a better time on the rift. For SOLO boost we disable chat and keep the summoner spells as the client and use vpn and offline mode if the client asks for it.
If you want to join as a BOOSTER in my team you need to have been challenger with proof and play 1-2 games in high elo live. Msg me on discord so we schedule it.
Just add us on discord and we will talk out what is a fair price for both you and me💰
Server: NA, EUW, EUNE
Discord: sbt5634
Vouch Post : https://www.reddit.com/Lolboosting/comments/11bfq6o/vouch_thread_for_usharky16x/

Hello,
I would like to be able to connect and disconnect a FortiClient VPN tunnel using the Windows Command line.
Is this possible? If so, what is the command and syntax please?
Clients are running Windows 10 or 11.
FortiClient 7.2.4 (full version deployed via EMS).
Many thanks!

I have set up the client VPN on my MX. If I am not on the same network as the MX, I can login to the VPN and it works fine. If I am on the same network, however, the VPN just says "connecting" and eventually times out.
The reason I would need to use the VPN this way is because I have users with tablets that in most cases need to be connected to the VPN, and it's a hassle if they have to turn the VPN off to use our network if they need to use our wifi. Hopefully this makes sense.

Hi sysadmin
Looking here for potential troubleshooting avenues or if anyone has run into a similar issue.
We recently set up the FortiGate VPN service to leverage SAML authentication through Entra ID. Our devices are Entra ID joined. All the users are dynamically added to the group used for the SAML integration.
What I find weird is that it’s working for 99% of users except one (of course). The only item that’s different besides teams/azure groups unrelated to the authentication setup is that this user’s name was misspelled when his device was first joined to Entra ID. Looking at the logs from the FortiGate his request doesn’t send anything to Entra, it’s all blank. On the Entra side the authentication shows successful as he’s able to input a password and even go through MFA. The VPN client itself climbs to 40% after the user enters his password and answers the MFA prompt, then it immediately disconnects.
Unfortunately, I’m fairly new to Entra ID since I’ve mostly worked with on-prem AD.
Has anyone else ran into a similar issue? So far it’s just this single user.
Thanks ahead of time!

Install this yesterday and I have a couple questions. I first installed this on my Mac, iPad, iPhone, (I call these clients), two different nas servers. Everything worked fine, all five are a part of my network. I then installed this on my opnsense router. The only way to connect to opnsense, is with the vpn off on clients. When I turn it off, I can connect to opnsense, but loose the connection to both nas.

Hey Hello,
I'm dealing with a frustrating issue and could use some help. We have a client with two locations: Location A and Location B. At Location A, there's a print server, and both locations have different printers that are successfully added to this print server.
The print server has a virtual 'Follow Me' printer. We're trying to add this printer to workstations via SMB by going to //print-serve in Explorer, right-clicking the printer, and selecting 'Add'.
Here's the problem: This works perfectly from Location A (where the print server is), but it fails from Location B. We can access the network share and see all the shared documents, but when we try to connect to the printer, we get an error message.
Both locations are connected via a LAN-to-LAN VPN. Interestingly, if I set up a VPN connection from any location to the network of Location A, I can add the printer without any issues.
The print server and workstations are linked to Entra-ID, so users don’t need to enter login credentials when searching for the printers.
Any ideas on why this might be happening or how to fix it? Thanks in advance!

I don't feel like it is a good way of managing a firewall to force an "allow any to any" rule as default, and it makes it more complicated to group rules and make them more user friendly. Also my first rule was to deny everything, and I still see some "hits" showing on the allow any to any rule, and I'm a bit scared about that fact...
The firewall rule's interface is terrible for more than a few rules.
Client VPN is very limited, as there is no way to differentiate users from admins. I tried to setup AD, but nothing tells me if my firewall is connected, as I can't use my domain login to authenticate.
I'm a bit demoralized for having suggested this appliance to my client... I hope I will find out how to make it work...

As the holder of a multiple decades old email address, plenty of bots and sweatshops are trying to sign into my uniquely passworded account due to that email being credentials for other accounts.
MS told me my account required a password reset. I thought maybe I goofed up and let my email client on a weird VPN location and MS flagged it (has happened before and I had to verify all my MS accounts), but only two accounts got flagged for a reset.
So I thought maybe someone did manage to get into my account somehow.
So I sign in on live.com, go through the prompts to verify identity, and I set a new password. Then I look at the successful sign in activity. Oddly my email client is not recorded on there, as I know it had successful syncs, so I can't rule out that that one being a weird location didn't trigger it. But all the activity until I signed in on my browser says unsuccessful login or for one section of automatic sync, a dozen or more ip6 addresses from around the world were all recorded as unsuccesful sync.
Any idea how to trace the client syncs? I can't recall if I am set up with IMAP or POP, but by this morning my client did get locked out of the 2 MS accounts approximately 40 minutes after I saw the emails, and it tries to sync every hour, so I would have expected those to be on the log even as unsuccessful attempts...

Hello, I have three OpenVPN servers and three OpenVPN client configuration files. I need to create just one client configuration file containing the addresses of the three servers with certificates... When the client clicks to connect, if it can't connect to the first server, it should try to connect to the next one in the list. Is it possible to do that?

Hello. I recently bought an AXT1800 to use as my home router. I really love gl inet products due to the level of control they give me over my home network.
I have some issues some questions about this one.
Issue 1 - it seems to crash/freeze up sometimes and need the unplug/replug treatment. This has happened a few times when I've been doing some high volume file transfers over the network.
Issue 2 - I think we have dramas with wifi calling when the VPN is on. I have a mullvad VPN client set up on the router. My partner reports issues with wifi calls to me sometimes, and when they do I turn off the VPN and it seems to fix it. I'm not sure if its the VPN causing this or wifi calling in general. This happens on their work phone when they are working from home.
Question 1 - can I schedule the VPN on/off times? This way I could make sure it is off during the day to help with the wifi calling issue, if that's even the cause (maybe its their workplace taking issue with the call coming from another country? I could set the VPN to be in our country?)
Question 2 - generally in my experience, weird/unexplainable issues are a result of power issues. If I use a power supply that can supply more than the 20W the supplied charger gives, could that help the freezing up issues?
Question 3 - guest wifi. I get that the guest devices are isolated from my main network. Are they isolated from each other? And do they still use the VPN client on the router? Also, does the guest wifi add much strain to the AXT1800's CPU/cooling?
Thanks very much.

What I want to do:

1. Use a new wg-network for VyOS in my docker environment.
2. In my VyOS container, run wireguard in client mode to connect to my paid vpn service.
3. Make VyOS a sort of the default gateway for other containers in the wg-network.
4. Connect other containers to wg-network and ensure all the traffic goes out throught the VyOS' wireguard interface.

What I have been able to do so far:

1. I have been able to create a VyOS docker image and run it in a container from these instructions.
2. Have put my wireguard config in /etc/wireguard/wg0.conf (The config works fine btw I've tested it in other distros)

What's the blocker:

1. When I run the command ip link show - it does not display a wireguard interface.
2. Output of the wg-quick up command:

wg-quick up /etc/wireguard/wg0.conf
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Device or resource busy: \my-paid-vpn-endpoint:51820'. Trying again in 1.00 seconds...`
Device or resource busy: \my-paid-vpn-endpoint:51820'. Trying again in 1.20 seconds...`
Device or resource busy: \my-paid-vpn-endpoint:51820'. Trying again in 1.44 seconds...`
^C[#] ip link delete dev wg0
Unable to access interface: No such device
[#] ip link delete dev wg0
Cannot find device "wg0"
According to the documentation- a new key-pair needs to be generated for the wireguard interface. However, I'm afraid that it will make it run in a server (or peer) mode and won't help connect to my paid vpn service because they already have provided me with a public and private keypair which I have put in the wg0.conf file.
Can someone help me troubleshoot this further, please? Much appreciated.

**What I want to do:**

1. Use a new wg-network for VyOS in my docker environment.
   
2. In my VyOS container, run wireguard in client mode to connect to my paid vpn service.
   
3. Make VyOS a sort of the default gateway for other containers in the wg-network.
   
4. Connect other containers to wg-network and ensure all the traffic goes out throught the VyOS' wireguard interface.
   

**What I have been able to do so far:**

1. I have been able to create a VyOS docker image and run it in a container from these [instructions](https://docs.vyos.io/en/latest/installation/virtual/docker.html#deploy-container-from-iso).
   
2. Have put my wireguard config in /etc/wireguard/wg0.conf (The config works fine btw I've tested it in other distros)
   

**What's the blocker:**

1. When I run the command `ip link show` - it does not display a wireguard interface.
   
2. Output fo wg-quic up command:
   

```

wg-quick up /etc/wireguard/wg0.conf

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Device or resource busy: `my-paid-vpn-endpoint:51820'. Trying again in 1.00 seconds...
Device or resource busy: `my-paid-vpn-endpoint:51820'. Trying again in 1.20 seconds...
Device or resource busy: `my-paid-vpn-endpoint:51820'. Trying again in 1.44 seconds...
^C[#] ip link delete dev wg0
Unable to access interface: No such device
[#] ip link delete dev wg0
Cannot find device "wg0"
```
According to the [documentation](https://docs.vyos.io/en/latest/configuration/pki/index.html#wireguard) - a new key-pair needs to be generated for the wireguard interface. However, I'm afraid that it will make it run in a server (or peer) mode and won't help connect to my paid vpn service because they already have provided me with a public and private keypair which I have put in the wg0.conf file.
Can someone help me troubleshoot this further, please? Much appreciated.

Hello,
Why is port forwarding only available on the Windows clients? Why isn't it available on Mac like other competitors (AirVPN, PIA, Windscribe, hide.me, TorGuard, AzireVPN, etc.)?
I realize I can port forward using the configs manually, but it's a hassle and annoying for torrenting since I have to keep changing the port. In addition to that hassle, I have to go through the process of installing python, and running a bunch of commands plus running a command and leaving terminal open each time I want to request a port... With VPNs like Azire or Airvpn regarding manual configs, they provide a static port and it works straight away after connecting, so I don't need to change the port or run a command each time. For a "premium" VPN, supporting such a critical feature in your official clients should be a given, regardless of the operating system. It seems like your company has lots of time to create new Proton services like ProtonPass. Why don't you allocate some of that time to actually refine existing products instead of rolling out half-baked products?
It's been almost a year since I made a post about this exact issue, and there has been absolutely no progress. Kinda disappointed.

Edited to add: I'm eyeing off the Firefox M290/M390, anticipating the M290 will be more than sufficient.
We're currently running a pair of Palo Alto PA-220s which are end of sale and now underspec'd for our needs. Whilst I love PA firewalls, I've been left feeling rather underwhelmed with the support and given they won't let us add new subscriptions simply because it's end of sale has made me unhappy.
I've never been a fan of Fortigate or Cisco firewalls so they're out, as are Sonicwall. I worked with WatchGuards for 3-4 years in the early 2010s and found them to be good bang for buck and easy to work with, but that was almost a decade ago. Would like to hear from anyone who has recently made the switch or otherwise uses Watchguard firewalls to get some feedback before making any enquiries.
Our requirements are pretty basic / standard, listing them here to help keep responses on point. Thanks in advance for any feedback!

• Client-based VPN support on Mac, Android and Windows (currently using GlobalProtect)
  • Want to be able to stick with M365 & Azure MFA for SSO
  • Granular VPN policies based on user
• Geoblocking (currently performed within security policies)
• Zone protection (not a must have but desirable)
• High availability (active/standby)
• Policy based forwarding
• QoS for Voice network
• Ability to set up U-turn NAT (or whatever the WG equivalent is)
• IPSec VPN
• Standard DHCP serverelay (both simultaneously)
• URL whitelisting/blacklisting and categories
• Log forwarding of all logs to syslog
• Netflow export to PRTG
• Ability to use Bitlocker Network Unlock (ideal, don't have that ability on PA, not a must have)
• Custom block pages (eg when a blacklisted URL category is visited)
• 10Gbps SFP+ support (I understand this can be done by purchasing a plug-in module?)

When I connect to a server with my VPN the IP it's displaying in client the one I should have is different from IP that I'm actually seeing when I test it. I mean it's still not my IP and when I test for DNS leaks it's the same IP that is not the one in the client also still not my IP.
For what I'm doing I'd prefer my ISP to not see considering I've already got a couple of warnings, but is it fine? I mean if I just disconnect and reconnect a few times it eventually lines up with the IP in the client, but I'm not sure if it stays the same if I left on for a few hours.

Currently getting the issue "Application error: a client-side exception has occurred (see the browser console for more information)." when entering any of the prompt menus. Disabling my VPN did not fix this and I can't see any issues in the web console, but I may be looking in the wrong place.

I have to keep a server always connected to my company's VPN to download reports every time. I have a script for this task.
All I've been given were credentials for the VPN, and I use FortiClient free stand-alone version.
However sometimes the VPN disconnects. I want it to reconnect if it drops, and also to connect when Windows starts up.
I see the banner "Upgrade to the full version to access additional features and receive technical support." but I have no clue on what (and how) I should buy. I am not their IT manager and I believe I cannot access their internals. I want the same experience I have now, plus autoconnect on Windows startup and auto-reconnect on connection failure.
I also could not find any resource to a command line interface that works to load and connect to a specific VPN.
Is there some link I can just put my credit card, buy and install something, and these two incredible features will then be available for me?

Wondering if anyone else has seen slow GP throughput after upgrading to one of the latest PANOS to mitigate CVE-2024-3400. We had the occasional ticket for slow VPN, but it was always a user with a terrible ISP. Now we have a lot of tickets over the last 3+ weeks for slow VPN and seeing from client to data center over GP sometimes <1mbit....even for the IT staff that didn't have any issues previously. Typical transfer rate is ~50mbit.
We are mostly on an older version of GP (5.2.7), but have seen this all the way up to testing with newer preferred versions (6.1.4).
Do have a case open with PA, just curios if anyone has had similar issues.
EDIT - Did some testing and I was able to copy files to and from at around 25/25 mbit. I went to open an Excel file and watched the bandwidth monitor on the PANGP adapter and it was very slow. I look in Excel and the 'downloading' in the splash screen was stuck and nothing was transferring and eventually bombed out. I try to go to the management interface of the PA and it won't come up. Wondering if my IP is blocked for making the PA mad.....did I maybe hit some threat rules? I'm not able to check.

A long time ago I used to use Teamviewer to manage mine and my family's PC.
With the pandemic there followed remote work where I left my laptop there and remoted in to use.... just as Teamviewer were clamping down on business use. Which is fine, but their customer support were dire, so I tried Anydesk and was very happy with them and paid for a commercial licence ever since. Well worth it not to have to carry my laptop on the commute (old back injury).
I still am a fan of Anydesk, but recent security tightening at work led to the Anydesk ports being locked down. At first it was at our client site where I work, but I could still remote connect if my work VPN was on. Then my work also locked down the ports.
So I've been looking for alternatives and wondered if anyone had any suggestions? We have the usual homelab setup here with reverse proxy, proxmox, NAS, docker etc, so I have a lot of my home tools available to me at work through the proxy and I'm happy to self host, but it has to be secure if my work's laptop is connecting.
I had been looking at RustDesk which feels very similar to Anydesk and I think I might be able to use with NProxyManager(?), but from what I've seen in this reddit they may also have questionable ownership originating from CN.
Any recommendations welcome
W

3rd time is a charm. I've tried to post this a couple of times before but for some reason it auto mod deletes it.
Hey all! Been following this sub from afar for a very long time. I have kind of compiled a bunch of stuff in here that may be of interest to some of you. It's still very much a work in progress, but completely relevant to this community. With that said, I have hacked this together over the last few months standing up my homelab and tried to document as much as I can related to the setup.
This is just my setup, but i have kept everything separated so you can kind of pick and choose what you want from this setup.
Most of this project is driven my the env file and docker compose profiles to help separate services or only spin up certain ones. Out of the box, Traefik and Authentik are not enabled purely because I have ran this for a long time without those services, and only recently enabled them.
Here's a list of all the things in this repo. Feel free to comment and star it! I know every setup is different but I have spent many hours on this project for my own homelab and it should help someone else out or at least help you get started with self hosting and docker.

1. Authenitk - SSO - (Optional) (TODO - need to document this)
2. Bookstack - Notes! Wiki! If you haven't used this, it's like an open source alternative to Confluence
3. Dashy - Dashboarding
4. Duplicati - For backups
5. Emby - Media Server
6. Heimdall - Another dashboard
7. Homeassistant - FOSS home automation
8. Jackett - Web crawler, but this is kinda deprecated. Just from my old setup and i kept it. Prefer Prowlarr
9. Jellyfin - Media Server
10. Jellyseer - Content Request Management
11. Komga - Comics/Manga server
12. PiHole - DNS and ad blocker
13. Plex - Media server
14. Portainer - Container management
15. Prowlarr - preferred web crawler
16. Radarr - Movie scraper
17. Sonarr - TV Scraper
18. Traefik reverse proxy (Optional) (TODO - need to document this)
    • This is something I have just implemented so I don't have to remember all the ports.
    • I have this configured for both netlify hosting and cloudflare, just change the cert resolver in the .env file
19. Transmission - Download client
20. VPN - I have a few options here pre-configured for NordVPN, and i have documented IPVanish in my docs but haven't tested it. I know this solution will be different for everyone.
21. Zigbee2Mqtt - To be paired with Home Assistant
22. ZwaveJS - To Be paired with Home Assistant

This comes with some networking internally built with it. Most things are assumed to be communicated on the same docker network, so if you have things on separate bare metal machines then note that it may need to be tweaked.
Most data is stored in `./.containers/APPNAME` so you can easily manage your data.
I have written a few scripts as well to help out with the standing up process.
This project has github actions running on every push to test the builds, and can be stood up simply by copying and pasting the .env-example into a .env and running your command to compose up the project. But I know the .env will be a place of constant tweaking. If you primarily live there and don't change much on the compose files then you can easily pull in my changes if I add anything new.
This is all documented in my handwritten docs. I have tried to be as verbose as possible, and also tried to keep my own docs because if i ever have to redo my setup, i will have a place to go!
Anyway. Here's the repo. Enjoy and please do comment/star it! :) Happy to finally contribute this back to the community.
Home Media Docker (Github)