I want to go work in Mexico for a bit and enjoy life outside the USA, however I believe my company would not approve. There are strenuous checks in place to ensure a VPN is not being used.
With my last job, I actually lost it because I accidentally used a VPN (they allowed you to travel outside the USA), but didn't allow VPNs. Bummer.
This new job allows remote travel anywhere in USA, but not outside.
My plan is to purchase a top quality dedicated VPN for myself only and only connect to that when I work on the website.
ChatGPT says that as long as I don't connect to public wifi and only access work through this VPN, they should never know that I am using a VPN.
I'm planning on getting a VPN in Dallas, TX. I wonder if they see that as suspicious as it's a major hub and I'm originally not from there (one state over). Could they check the location and see that the location is in a giant known server room and therefore link that to being a VPN?
Any tips or ideas to help here would be nice!

16-minute read.

the AM-AZ border delimitation in Tavush is drawn with 1976 maps; village Kirants gains access to lands unreachable since the 1990s; loses 4 properties

On May 15 the border commissions of Armenia and Azerbaijan held a meeting to discuss the continuation of the Tavush-Gazakh delimitation. They confirmed the completed work and agreed to continue.
The statement says that parties are using the 1976 maps by Soviet CoGS [the one that Armenia wanted].
A Protocol was signed on the meeting results. The sides agreed to set the date and the place of the next meeting of the Commissions.
REPORTER: What does this mean?
PASHINYAN OFFICE: The commissions had installed several border posts to locate the coordinates on the ground. These coordinates were taken from the 1976 maps. Now the cartographers have agreed on the border lines between the posts, again based on the same maps. In other words, the reproduction of the border in these areas is complete and signed, and the border is considered delimited in these sections.
REPORTER: Why the 1976 maps?
PASHINYAN OFFICE: It's the map with de jure power at the time of the collapse of the USSR. The Armenian government announced that we were not drawing a new border, but rather reproducing the existing border at the time of the collapse of the USSR.
REPORTER: The commissions' statement says that these 1976 maps went through legal procedures in 1979. What does it mean, and why didn't we use the 1990 maps?
PASHINYAN OFFICE: In 1979 the relevant USSR authority verified the 1976 maps and their legal basis. These maps were used until the collapse of USSR. These are the most recent maps verified by authorized state agencies of USSR.
REPORTER: Not all border posts have been installed in the convoluted section of Kirants. How will this be resolved? Will you build new roads or houses?
PASHINYAN OFFICE: The 3 remaining coordinates of Kirants were pinpointed with the use of a computer and the border posts will be installed later. The rest [another 8 posts in Kirants] are already there. The good news for Kirants is that around 25 hectares of land that have been unreachable for 33 years will be returned to the village. The border resembles the 1976 line. As we said earlier, yes, there is a need to build a bypass road, which can be accomplished in 2-3 months. We will also rebuild the road between H-26 and Acharkut and Kirants, which is an alternative road for Kirants. As for property issues, the volumes are small and the government will compensate in such situations.
REPORTER: What about Baghanis, Berkaber, and Voskepar?
PASHINYAN OFFICE: The most sensitive topic in Voskepar was the fate of the church, and on the Voskepar-Baghanis section, it was the Soviet-era road. Both issues received the best resolution: the road is fully within Armenia and so is the church, and the border line is quite far from the road and the church. As for Berkaber, there were no such sensitive topics.
REPORTER: When will the sides deploy border guards?
PASHINYAN OFFICE: Within 8-9 days, and a bit later in the 3 sensitive areas of Kirants after further clarifications. //
On Thursday, PM Nikol Pashinyan spoke about the May 15 border commission.
PASHINYAN: This is a major success for two reasons: (1) A very important cornerstone was placed for the future development of Armenia as an independent and sovereign state, (2) for the first time since independence, we have an officially delimited border, which will significantly increase the level of stability and security in that section and along the entire border. I'd like to thank the border commission leader Deputy PM Mher Grigoryan and all members, and every member of the National Security Council.
I'll provide further details. As you recall from the May 15 statement, it says the borders are delimited based on the 1976 maps that underwent the legal procedures in 1979. As you know, our principle was to reproduce the existing border with de jure power instead of drawing a new one. To accomplish this, we made a reference to the 1991 Almaty Declaration in the April 19 agreement, and it became the basis for the entire delimitation process. On May 15 we specified the 1976 maps; these are the most up-to-date USSR maps with de jure power.
In USSR, a map could be granted a de jure power by a special state agency that collected maps and legal processes and verified their accuracy and legitimacy before confirming the administrative border of Soviet republics. In the area where these delimitations are taking place, in 1979 this USSR state agency verified the 1976 map and it's the most recent map with de jure power.
This was a very important principle for us. We must accept wherever this border passes through. If we chose to draw new borders, that would create a ground for future military conflicts and escalations. The ongoing process, which should not be underestimated or overestimated, abides by the principle of adhering to the legal border and significantly reduces or eliminates possible escalations. This agreement was a major success.
Berkaber: there were no issues here.
Baghanis & Voskepar: at first we thought that some issues could arise here, around the church and, as the locals say, the "old road". If you've ever been there you have seen this road sign, when you pass Baghanis, the sign warns you that the road is being observed [under Azeri scope] and it was not advised to use this road during tense periods. Now, as a result of border delimitation, this road is not only confirmed within Armenia, but it will be safer for travel as a result of the new circumstances [border guards replacing the militarized armed forces, less dispute = less conflicts]. As for the church, we don't have a problem here because the border passes significantly further away from it.
So to recap, we recorded no problems in Berkaber, Baghanis, and Voskepar because we chose to follow the de jure border line and we did so. Following this principle is also why we will have certain problems in Kirants because we don't want to draw an entirely new border. We must use this principle for the entire AM-AZ border, with no exceptions. Not only we are creating a precedence for delimitation, but also a formula to be used for the future entire delimitation process and to make it predictable. If parties decide to make mutual concessions in certain areas, we could discuss the launch of legislative processes to authorize them, but for now, we have agreed on a principle to be used for the entire AM-AZ border. On each section of the border, we will use the most recent USSR maps that hold de jure power.
MHER GRIGORYAN: On May 15 the border commissions also discussed the Regulation and it appears we have an agreement to reflect these principles in the Regulation. Efforts are underway to prepare the Regulation. Azerbaijan wants to continue the border delimitation with the same framework and algorithm used thus far.
PASHINYAN: We should implement the reached agreements in full within 8-10 days. The border guards were deployed in Baghanis-Voskepar around 10 days ago. They were deployed alongside the installation of the white border markers. They are currently studying the terrain to launch the permanent service there. The same will be done in other sections.
source, source, source, source, video,

the list of properties that fall under the Azeri side of the border in Kirants after the delimitation of the 3 problematic sections

1 house, 1 lodging, 1 trailer-shop that doesn't operate, and 1 garage. The government plans to compensate for them and will build a new section of this road that passes fully through Armenia.
source, source, see the map here,

opposition MP from ARF/Kocharyan faction got fed up with protesters' road blocks in Tavush villages

Gegham Nazaryan, a father of a fallen soldier and an opposition MP who - unlike his colleagues - doesn't always engage in toxic exchanges with the ruling party, decided to visit the border village Kirants, where he asked the road blockers to open it.
He engaged in an argument with a protester from another region who came to Kirants to block the road. The MP complained that blocking the road is what Azeris would want.
The MP also engaged with an activist-reporter from an opposition outlet who was covering the road blockings. The MP accused the reporter of "having bad intentions" and of "manipulations". The activist-reporter accused the MP of having secret ties with Pashinyan during an intense yelling match. "Great speech. You call yourself a journalist?", rhetorically asked the opposition MP.
ARF leaders responded saying their MP was not speaking/acting on behalf of the party.
STYOPA SAFARYAN (pro-West figure): MP Gegham Nazaryan also senses that some forces are attempting to carry out Artsakh 2.0 in Armenia by attempting to derail the border delimitation process. //
In related news. The protesters pressured the mayor of Kirants who gave an interview last week and admitted that the delimitation went much better than he expected. On Thursday he offered to resign from his position during a confrontation with an opposition media outlet reporter who was unhappy about the mayor's positive portrayal of the delimitation process.
longer video, video, video, video, source, source,

Armenian government approves a $2 billion permanent housing assistance program for Nagorno-Karabakh refugees; rollout in stages

SOCIAL MINISTRY: We need to provide long-term housing to allow the forcefully displaced persons to socially and economically integrate into Armenia. The program has three components: (1) Obtaining a house or an apartment with a subsidy, (2) building a house with a subsidy, (3) subsidizing the mortgage if the refugee has already purchased a house.

... The size of the subsidy varies depending on the geographical location and the size of the family

(1) ֏5 million ($12,900) per family member to obtain housing in one of the 242 towns or villages.
(2) ֏4 million ($10,300) per family member to obtain housing in one of 148 towns or villages.
(3) ֏3 million ($7,700) per family member for all other settlements except Yerevan's 1st and 2nd Zones.
(4) and ֏2 million ($5,200) if you already have a mortgage.

... Conditions to qualify

(a) Families forcefully displaced after 27 September 2020.
(b) Refugees who accept Armenian citizenship.
(c) The living space cannot be smaller than 12 m² per family member.
(d) The property's value cannot exceed ֏55 million ($141,000).

... If you buy a house cheaper than the subsidy amount, you can use the remaining balance to...

(1) buy agricultural land worth up to ֏5 million
(2) renovate the newly purchased house if necessary, worth up to ֏4 million
(3) buy furniture and appliances, up to ֏2 million

... Which forcefully displaced families do NOT qualify?

(a) If they are already a recipient of another housing program that began immediately after the 2020 war.
(b) If one of the family members owned a house or apartment in Armenia as of 2023-09-19 or at the time of application.

... Conditions if you want to receive aid to build your own house

(a) Select one of the preapproved projects/plans.
(b) The construction company must be licensed in Armenia.

... The assistance will stop if

(a) If two family members under the age of 55 are absent from Armenia for >180 days per year unless they leave Armenia to receive education in one of the top 400 international universities, aviation training, or military training.

... The housing assistance will roll out in phases

The first phase will include families with 3 or more children if they want an apartment or 2+ children if they want a house, low-income families, those who already have a mortgage, families who lost a member in war, and creditworthy families who can take out a separate loan amounting 50% of the assistance size.
The second phase, starting 2026-01-01, will include families with 2 children if they want an apartment or families with 1 child if they want a house.
The third phase, starting 2027-01-01, will include everyone else.

... PM Pashinyan about the refugee housing program

PASHINYAN: The working group has done a lot of work to get here, thank you. Spread the word so people will know the details of this assistance program. No one should be forced to visit or call an office to receive basic details.
We have decided not to adopt a "flat" approach; the amount of aid increases based on the family size and the location of the house. We had to exclude the [expensive and crowded] central parts of Yerevan. We also have to ensure a proportional load on the educational facilities.
If the refugee has an active mortgage loan taken in Armenia, let's say taken in 2016, each family member will receive ֏2 million towards that mortgage. So if you have a family of 6 [Nagorno-Karabakh families are often larger than Armenia-based families], you receive $31,000 to pay off your mortgage.
On the other hand, our brothers and sisters from Nagorno-Karabakh who are well-off and already own a house without an outstanding mortgage balance, won't receive assistance because the goal of this program is to help those who don't have a house.

... How much will this cost?

FINANCE MINISTER: There will be up to 25,000 recipient families, and if we use the averages, it amounts to [voice is starting to crackle] ֏500 billion ($1.3 billion) for the housing costs alone. There will be additional expenses associated with this program. Every year, for the next 10-12 years, we will confirm the annual expenditures. So the overall costs will amount to ֏700-800 billion.
PASHINYAN: So that's roughly a $2 billion investment program in Armenia. Also, by becoming citizens of Armenia to take advantage of this housing program, the refugees won't lose any refugee rights or privileges, and they will not lose the ongoing monthly cash [40+10] assistance programs.
FINANCE MINISTER: We have launched a new line in the migration services to handle the expected uptick in applications in the coming months so people won't face long lines. The passport departments in provinces will begin to handle citizenship applications just for refugees; today this is only possible in Yerevan.
video,

EU's EBRD and US's USAID to develop connectivity in the South Caucasus

During the EBRD forum held in Yerevan, the two signed a Memorandum of Understanding to develop the Trans-Caspian International Transport Route, also known as the Middle Corridor, to further enhance connectivity between Asia and Europe via the South Caucasus.
It's about expanding trade, green energy, investment, as well as transport and digital infrastructure in Armenia, Azerbaijan, and Georgia.

The MoU seeks to enhance the planning, design and construction of critical energy, transport, digital and agricultural infrastructure in the region. It also aims to: improve the efficiency of customs, tariff and border operations; attract private capital investment into the South Caucasus economies for the development of the Middle Corridor; and adopt the highest international standards to promote economic connectivity with Europe and among South Caucasus countries.

source,

other EBRD projects were announced

source,

Lake Sevan is back to 2021 levels after the heavy precipitation in May: VIDEO

OFFICIAL: As of May, the level was 1900.46, which is 2 cm higher than the 2021 mark and 29 cm higher than January 1.
2021 was a harmful year for Sevan because of unprecedented heat waves. In June 2021 there was an evaporation of 153M m³ water, which was a historical high, while the precipitation on the surface was only 4.8M m^3, which was 4x lower than the previous historical low [WTF?]. Also, the river flow was at 40%. As a result of all this, instead of the usual 7 cm increase for June, we observed a 10 cm decline.
This year the conditions have been much better. We are finally back to the May 2021 levels. The rains filled it up from above, and the Arpa-Sevan tunnel from below the rocks. This tunnel has already brought 89M m³ this year, which is 2x more than last year.
Another contributing factor is the reduced reliance on Sevan for irrigation because the agricultural fields are still wet. Last year we had to tap into Sevan starting May 14. This year the government hasn't even summoned a meeting to authorize a release of water.
The 5 largest reservoirs currently hold 605M m^3, up by 240M. Only the Aparan reservoir is lacking. In Ketchut reservoir the water is above the famous "flowers" (margaritka). This is the first time in 5 years that the water is above the margaritkas. When the water rises above margaritkas, it drops down and flows into Lake Sevan. Overall, 90% of the water entering Sevan is wasted by evaporation.
REPORTER: Rains will return starting May 22.
video,

EBRD will provide $10 million to finance the Armenian private sector’s investments in growth, competitiveness, and greener and more sustainable practices

upgrading their production facilities and processes to EU standards. At least 70 per cent of the loans will go to support the green transition. Borrowers will receive incentive grants and technical advice funded by the European Union

source,

anti-corruption: former MP from Gagik Tsarukyan's BHK party is arrested under the suspicion of defrauding several homebuyers through real estate machinations

AUTHORITIES: Ex-MP Aragats Akhoyan's construction companies collected ֏274 million from several prospective apartment buyers in 2010-2014. He pocketed the funds.
source, source, video,

Armenia signs Council of Europe's Bioethics Convention

The Oviedo Convention is the only international legal instrument that defines the principles for the protection of human rights in the field of medicine and biological medicine.
FM Mirzoyan met Marija Burić on Thursday in Strasbourg to sign it.
source,

Armenia will open an embassy in Cyprus

Currently, Armenia’s Ambassador to Greece also serves as Ambassador to Cyprus. The seat of the Cypriot Embassy in Armenia is in Moscow.
In March Cyprus said it would open an embassy in Yerevan.
source,

Belarus leader Lukashenko suggests he and Ilham Aliyev discussed the 2020 war before it began

Lukashenko is in Baku to strengthen the strategic AZ-BY relations.
LUKASHENKO: We are brothers and we have a common vision of the world and where it's headed. I remember our conversation before the 2020 war, your liberation war, when we had a philosophical debate at a dinner table. At the time we came to the conclusion that it's possible to win the war. That's important. It's very important to preserve that victory. I also agreed with you at the time that the most difficult period would come after the liberation of the lands. Today is that difficult period when we have to revive those lands and return people, while others will born there. It'll be difficult to revive these lands in 5-10 years; it requires extensive work. Belarus is ready to help Azerbaijan. //
Nikol should have greeted Putin at the airport to avoid the war.
source,

Luxembourg lawmakers urge government to act for implementation of World Court orders by Azerbaijan

Deputies have unanimously adopted a motion asking the government to act for the implementation of the ICC orders by Azerbaijan.
The MPs urge to demand from Azerbaijan an immediate release of all Armenian prisoners of war, support peace between Armenia and Azerbaijan, expand the partnership between Armenia and EU, support the normalization of relations between Armenia and Turkey, deepen the diplomatic relations between Armenia and Luxembourg.
source,

ranking member of Armenia's ruling party about EU membership

The MP Khandanyan says Pashinyan has already announced that Armenia wants to deepen ties with the EU as much as possible and that how soon Armenia submits a bid to become an EU candidate will depend on the signals coming from the EU. In general, today the EU is not ready to expand because some EU members oppose it, said Khandanyan. When the EU sends a signal that it's ready, Armenia will "accelerate" the steps, said Khandanyan, adding that Armenia itself has already sent that "signal" that it wants closer integration with the EU.
But first, Khandanyan says Armenia must improve its resilience because the transitional phase will be full of risks. Armenia expects the EU's assistance to improve the resilience [reduce reliance on Russia].
source,

Բրյուսելի հանդիպման արդյունքներով ԵՄ-ն կշարունակի նպաստել ՀՀ տնտեսական զարգացմանը

PM Pashinyan hosted EU's Trade Commissioner Valdis Dombrovskis to discuss the implementation of the economic agreements reached on April 5 in Brussels to improve Armenia's resilience.
Pashinyan also called for the EU's assistance in implementing the refugee housing program adopted by the Government this morning.
The EU Trade Commissioner said the EU will continue to assist Armenia's development, including in the areas of energy, infrastructure, diversification of markets, implementation of higher standards, improvement of business environment, etc.
source, other meeting, other meeting,

U.S. Ambassador Kvien is "optimistic about the opportunities offered by Armenia to U.S. and other foreign companies"

A meeting was held at the central bank building participated by Ambassador Kvien and other guests of the EBRD forum that's being held in Yerevan this year.
Ambassador Kvien also highlighted Armenia's high economic growth rate in recent years.
source,

Armenia's membership to EAEU is beneficial for Armenia: Moscow

DEPUTY FM of RUSSIA: I don't know what the Armenian leadership plans to do in the future, but EAEU is undoubtedly a mutually beneficial process. This is reflected in the economic growth figures of Armenia.
source,

Armenian government invites the head of Metsamor nuclear plant to join talks with European Commission officials

The infrastructure ministry and NPP chief met a delegation led by the European Commission's Deputy Director-General for International Cooperation and Development Marjeta Jager.
The European Commission official thanked for the invitation and welcomed the steps by the Armenian government towards the energy reforms in Armenia. They spoke about NPP's operation and future plans.
They discussed the exchange of experience and financial programs.
source,

Armenia and European Commission officials discussed the implementation of April 5 agreements reached in Brussels

The head of the European Commission's Neighbourhood and Enlargement Negotiations Adrienn Kiraly was hosted by foreign ministry on Thursday.
They discussed programs to improve Armenia's resilience under the April 5 agreement, the full implementation of CEPA and its expansion.
source,

Moscow released a somewhat misleading statement after the recent meeting between Pashinyan and Putin, according to National Security Council chief Armen Grigoryan

According to Grigoryan, Pashinyan did not "ask" Putin to maintain troops on the borders with Turkey and Iran. According to Grigoryan, Pashinyan asked Putin to remove the Russian guards from Yerevan's airport and AM-AZ border, and when Putin asked Pashinyan if he also wanted to remove them from TR and IR border, Pashinyan said "no", because those guards were installed under a different agreement. Context in Wednesday news digest.
Grigoryan also criticized Russia's attempts to stoke divisions between Armenia and Iran by presenting the EU observer mission as anti-Iranian. Grigoryan demanded Russia present evidence of the EU mission carrying out activities outside of their AM-AZ border monitoring mission. "Iran has already expressed its stance. I don't understand why Russia is attempting to use the EU's Monitoring Mission to cause issues," said Grigoryan.
source,

Armenia's NatSec chief Armen Grigoryan advised Russia to improve its own human rights conditions and freedom of speech before commenting on Armenia's internal affairs

Russia's foreign ministry spokeswoman Maria Zakharova recently complained about Armenian police using force to clear the roads blocked by pro-Russian party activists. Zakharova also complained that the West wasn't criticizing the Armenian government for it.
NatSec GRIGORYAN: Armenian protesters have been able to fully exercise their freedom of speech during legally organized rallies. Illegal actions are obviously countered by police. Perhaps Russia should first look at itself before criticizing us.
REPORTER: Look at what? Russia doesn't have opposition, how can they oppress something that doesn't exist?
ARMEN GRIGORYAN: Russia should discuss its own kitchen. The developments in Armenia are not related to Russia.... or are they? If these protests are tied to Russia, Moscow should directly say so. If Moscow sees a problem, they must say it directly, and not do so by dragging others like they did in the case of Iran and the EU Mission.
source,

during a meeting in Yerevan, Jordan's foreign ministry expressed concern over the attempted takeover of part of the Armenian district of Jerusalem

The Deputy FM of Jordan met his Armenian counterpart in Yerevan to discuss bilateral relations and regional issues. The parties criticized the attempts to change the status quo in Jerusalem.
source,

Pashinyan and Diaspora Office held a meeting about the iGorts professional repatriation program: VIDEO

source,

monkeys could soon become smarter than you

Are monkeys entering the stone age? Capuchin primates were filmed using tools to dig for food underground, days after an orangutan treated its own wound with plant.
The footage joins a growing number of studies looking into the tiny South American primate's use of stone and stick tools, an emerging field that some research universities now describe as 'documenting the Monkey Stone Age in real-time.'
video,

Hi guys
Sorry if i may seem to not understand some basic things but i am really a noobie.
I have a PC in my local network which is hosting jellyfin and it is connected to ProtonVPN through Wireguard, i have DynDNS configured on my router and opened a port for jellyfin, i want to be able to share jellyfin with my friends by connecting to my DynDNS:port but while i'm connected to ProtonVPN through Wireguard i'm unable to do it.
What's the best solution for this problem?
The PC is running Debian12

Discord: jperez
Email: [jperezonline@outlook.com](mailto:jperezonline@outlook.com)
Hola, ¿qué tal? My name is Jhon Pérez, a native Spanish tutor with over 10 years of experience in Spanish homework. I can help you with any type of Spanish assignments: exams, quizzes, tests, worksheets and essays.
I've done many accounts on VHL Central, McGraw Hill, Blackboard, Canvas, MyLabs, Cengage, Desire2Learn, ELEteca, Edgenuity, Contraseña, WileyPlus and more.
Besides being a native Spanish speaker, I have knowledge of vocabulary, functional grammar and the functions of all levels of Spanish (Beginners A1-A2, Intermediate B1-B2 and Advanced C1-C2.)
I can work with login, TeamViewer and screenshots. If you choose the latter I will make sure to be online at the agreed time to work with you (you send the screenshots and I send the answers.)
This is not an agency. It's just me, the Spanish tutor, so you don't have to pay double fees (one to the agency owner and another to the tutor.)
Unlike other Spanish tutors, I will provide you with safe, untraceable VPN connection to your closest location and follow your instruction(s) to deliver plagiarism-free Spanish papers.
For tight deadlines I can deliver the same day as long as I am contacted at least 4 hours before deadline.
My rates are pocket-friendly and flexible to fit your budget. You can use milestone payments or pay as you go.
Proof and vouches can be seen on my profile.
Send your prompt and get a quote today!
Email: [jperezonline@outlook.com](mailto:jperezonline@outlook.com)
Discord: jperez
¡Nos vemos!

Cisco Router Security
What are the two access privilege modes of the Cisco router?
User EXEC Mode: This is the initial access mode for a router. In this mode, the user can access only a limited set of basic monitoring commands.
Privileged EXEC Mode: This mode provides access to all router commands, such as debugging and configuration commands. It requires a password for access to ensure security.
What is the approach for password for the privileged mode of the router?
enable secret [password]
uses hashing algorithm so that the password is not in plain text but encrypted
How to ensure that all passwords in the router are stored in the encrypted form?
service password-encryption
What is the difference between the Cisco router’s startup and running configurations?
How to save the running configuration into start up configuration?
Startup Configuration: Stored in the NVRAM, this configuration is used to boot the router. It remains unchanged until an administrator explicitly saves the running configuration to it.
Running Configuration: Held in the router’s RAM, this configuration is active on the router. Changes to the router’s configuration are made here and are effective immediately.
Know and be able to configure all aspects of the Cisco router covered in class. For example,
configuring the router interfaces, setting the router OSPF ID, etc.
enable
configure terminal
hostname MyRouter
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.252
clock rate 64000
no shutdown
exit
router ospf 1
router-id 1.1.1.1
network 192.168.1.0 0.0.0.255 area 0
exit
enable secret mysecretpassword
line console 0
password myconsolepassword
login
exit
line vty 0 4
password myvtypassword
login
exit
crypto key generate rsa
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
ip route 0.0.0.0 0.0.0.0 192.168.1.254
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
Practical Routing, OSPF, and Security
What is the difference between static and dynamic routing?
Static Routing: Involves manually setting up routes in the router's routing table through configuration commands. These routes do not change unless manually updated or removed. Static routing is simple, secure, and uses less bandwidth but lacks scalability and flexibility.
Dynamic Routing: Automatically adjusts routes in the routing table based on current network conditions using routing protocols. This approach allows for more flexibility, scalability, and fault tolerance, but consumes more resources and can be complex to configure.
What is the difference between link state and distance vector routing?
Distance Vector Routing: Routers using distance vector protocols calculate the best path to a destination based on the distance and direction (vector) to nodes. Updates are shared with neighboring routers at regular intervals or when changes occur. This approach can lead to slower convergence and issues like routing loops.
Link State Routing: Each router learns the entire network topology by exchanging link-state information. Routers then independently calculate the shortest path to every node using algorithms like Dijkstra’s. This results in quicker convergence and fewer routing loops.
Distance Vector Routing: Each router computes distance from itself to its next immediate neighbors. (RIP, EIGRP, & BGP)
-Does not build a full map of the network
-Focuses more on the next hop towards the destination
Link State Routing: Each router shares knowledge of its neighbors with every other router in the network. (OSPF and IS-IS)
-Builds a full map of the network
-Each router shares information
-Maintains a database of the entire network.
Give an example of the distance vector and link state algorithms.
Distance = RIPLink State = OSPF
What type of protocol is Routing Information Protocol (RIP)? Be able to understand
examples and solve problems.
Example of a distance vector protocol
dynamic protocol
-shares routing info with neighboring routers
-an interior gateway protocol that operates within autonomous system
-oldest of all dynamic protocol; RIPv1
-widely used open standard developed by IETF
-a distance vector routing protocol
-limited to maximum 15 hops;

 how rip works -rip sends regular update message (advertisements to neighboring routers) 

-every 30 seconds that resets after each successful ack
-route becomes invalid if it has not received a message for 180 seconds
-RIPv1 (obsolete) uses broadcast, while RIPv2 uses a multicast address -Update message only travel to a single hop
downside : limitations, each router in its table can only have one entry per destination. Have to wait for advertisement for an alternative path, cannot reach hops 15 paths away, little to no security.
What type of protocol is Open Shortest Paths First (OSPF) protocol? Be able to under-
stand examples and solve problems.

• an interior gateway protocol that operates within autonomous systems to build a full map of the network.
  
• widely used open standard developed by IETF
  

-a link state routing protocol

 intra as routing with RIP 

What is the Link State Advertisement (LSA) in OSPF? What is the Link State Database
(LSDB)?
-LSA contains data about a router, its subnets, and some other network information.-OSPF puts all the LSAs from different routers into a Link-State Database (LSDB)
The goal of OSPF is to be able to determine a complete map of the interior routing path to be able to create the best route possible.
The way this is done is that OSPF finds all the routers and subnets that can be reached within the entire network. The result is that each router will have the same information about the network by sending out LSA.
How does each router in OSPF create a map of the entire network?
Step 1 : Acquire neighbor relationship to exchange network information.
Step 2: Exchange database information, neighboring routers swap LSDB information with each other
Step 3: Choosing the best routes, each router chooses the best routes to add to its routing table based on the learned LSDB information.
What is the process for two OSPF routers to become neighbors?
A. a neighbor sends out a Hello packet including the router ID along with subnets that it routes to the given multicast address to a given OSPF area ID.

this is also a way for routers to tell neighbors that they are still on and good to go. 

B. Once other routers receive this packet, they run some checks. The neighboring routers must match the following requirements:
-area id needs to be the same (also used when scaling up OSPF)
-the shared or connecting link should be on the same subnet.
-The Hello and dead timer must be the same.
-the dead timer is having enogh time before the sending router assumes that the neighbor is down.
-this timer is typically 10 secs for point-to-point and broadcast networks.
C. If all is fine, the receiving router will go into Init stage and sends a hello message of its own. This Hello packet list its own network info along with the known neighbor R1. This puts R1 into a 2-way communication status.
D. R1 sends another Hello message to R2 with the information as a known neighbor. This allows the R2 now with a 2-way communication status as well.E. We now have a 2-way neighboring routers
What is the difference between point-to-point and multi-access networks? How does OSPF
handle each case?

Point-to-Point: A network setup where each connection is between two specific nodes or devices. OSPF treats these links with straightforward neighbor relationships since there are only two routers on each segment. 

Multi-Access Networks: Networks where multiple routers can connect on the same segment, such as Ethernet. OSPF uses a Designated Router (DR) and a Backup Designated Router (BDR) on these types of networks to reduce the amount of OSPF traffic and the size of the topological database.
DR selected by the highest OSPF prio.
Be able to configure OSPF routing given a topology.
–
Example:
Consider a topology with three routers R1, R2, and R3. The routers
are connected R1 =⇒R2 =⇒R3 =⇒R1.
R1 has interface f0/0 connected to the
interface f0/0 of R2. R2 has interface f0/1 connecting to the interface f0/0 of R3.
Finally R3 has interface 1/0 connecting to the interface 1/0 of R3. Assuming all
routers are Cisco 7200 routers, configure them to use OSPF to dynamically route in
this topology (you will be given the Cisco router manual for such questions).
•
R1enable
configure terminal
hostname R1
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
no shutdown
exit
interface FastEthernet1/0
ip address 192.168.31.1 255.255.255.0
no shutdown
exit
router ospf 1
router-id 1.1.1.1
network 192.168.12.0 0.0.0.255 area 0
network 192.168.31.0 0.0.0.255 area 0
exit
end
write memory
R2enable
configure terminal
hostname R2
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
exit
interface FastEthernet0/1
ip address 192.168.23.1 255.255.255.0
no shutdown
exit
router ospf 1
router-id 2.2.2.2
network 192.168.12.0 0.0.0.255 area 0
network 192.168.23.0 0.0.0.255 area 0
exit
end
write memory
R3enable
configure terminal
hostname R3
interface FastEthernet0/0
ip address 192.168.23.2 255.255.255.0
no shutdown
exit
interface FastEthernet1/0
ip address 192.168.31.2 255.255.255.0
no shutdown
exit
router ospf 1
router-id 3.3.3.3
network 192.168.23.0 0.0.0.255 area 0
network 192.168.31.0 0.0.0.255 area 0
exit
end
write memory
How does OSPF authenticate packets to protect against packet spoofing and tempering?
Be able to enable it a Cisco router.
OSPF (Open Shortest Path First) can authenticate packets to protect against packet spoofing and tampering using several methods. The two main types of authentication are:
Plain Text Authentication: This is simple and provides minimal security. It sends the password in clear text.
Message Digest 5 (MD5) Authentication: This provides stronger security by using cryptographic hash functions to authenticate OSPF packets.
Plain textenable
configure terminal
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco123
no shutdown
exit
router ospf 1
router-id 1.1.1.1
network 192.168.12.0 0.0.0.255 area 0
area 0 authentication
exit
write memory
MD5enable
configure terminal
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 securepassword
no shutdown
exit
router ospf 1
router-id 1.1.1.1
network 192.168.12.0 0.0.0.255 area 0
area 0 authentication message-digest
exit
write memory
Network Defense Fundamentals
•
What is IP spoofing? Explain.
-The ip packet contains the source and destination Ip addresses.-Is it straightforward to modify the ip address of the packet.
-IP Spoofing: sender chagrin his source address to something other than his real address.
How can IP spoofing be used in security attacks?
-If the attacker sends an Ip packet with a spoofed IP, they will not receive a response form the destination: the machine with the IP matching the spoofed IP will receive the response.Ip spoofing operation - the sender spoofs the source IP address to point to another target. The receiver system replies to the spoofed IP.
•
What are the countermeasures to IP spoofing?
Ingress and Egress Filtering: Network operators should implement filtering rules on routers and firewalls to block packets with source IP addresses that should not originate from those networks. Ingress filtering blocks incoming packets with a source IP address that is not valid for the network, while egress filtering blocks outgoing packets with an invalid source IP address.
Reverse Path Forwarding (RPF): This technique ensures that the incoming packets are received on the same interface that the router would use to send traffic back to the source. If the path does not match, the packet is discarded, preventing spoofed packets from passing through.
IPsec (Internet Protocol Security): IPsec can be used to authenticate and encrypt IP packets, ensuring that they come from legitimate sources and have not been tampered with. This makes spoofing attacks significantly more difficult.
How can IP spoofing be used to perform DoS attacks?
IP spoofing is often used in Denial of Service (DoS) attacks to obscure the attacker's identity and to overwhelm the target with traffic from what appears to be multiple sources. One common type of DoS attack that utilizes IP spoofing is a Smurf Attack. In a Smurf Attack, the attacker sends ICMP (Internet Control Message Protocol) echo requests to broadcast addresses of networks, with the source IP address spoofed to that of the victim. The devices on the network respond to the echo requests, sending replies back to the victim's IP address. This amplifies the traffic directed at the victim, potentially overwhelming their network and causing a DoS condition.
•
Know how to use
hping3
for performing ping floods.
Using hping3 to perform ping floods involves sending a high volume of ICMP Echo Request packets to a target to overwhelm it.basic ping floodsudo hping3 -1 --flood [target_IP]
Using spoofed source ipsudo hping3 -1 --flood -a [spoofed_IP] [target_IP]
Controlling the Packet Sending Rateo hping3 -1 --flood -i u1000 [target_IP]Combining sudo hping3 -1 --flood -a 10.0.0.1 -i u1000 192.168.1.1
Firewalling
What is a firewall?
a filtering device on a network that enforces network security policy and protects the network against external attacks.
According to NIST SP 800-41, what are the characteristics of a firewall?
NIST standard defines the possible characteristics that a firewall can use to filter traffic.
-(IP Address and Protocol type) filtering based on source/destination IP address/ports, traffic direction and other transport layer characteristics.
-(Application Protocols)controls access based on application protocol data
-(User identity) controls access based on user identity
-(Network activity)
What are the limitations of the firewall?
Firewall capabilities: -Define a traffic chokepoint in the network and protects against IP spoofing and routing attacks
-Provide a location for monitoring the security events -Provide non-security functions: loggin internet usage, network address translation-Serve as platform for VPN/IPSec
Firewall limitations:-protect against attacks bypassing the firewall, connections from inside the organization to the outside that do not go through the firewall.-protect against internal threats such as disgruntled employees.
What is a packet filter firewall? Be able to write and interpret rules and to spot configu-
rationflaws.
Packet filtering firewall : applies a set of rules to each packet based on the packet headers.Filters based on: source/destination IP, source/destination port numbers, IP Protocol Field:defines the transport protocol, Interface : for firewalls with 3+ network interfaces, the interface from which the packet came from/going to
•
What is the difference between the default and allow and default deny policies? Which
one is the more secure one?
-when no rules apply to a packet, a default rule is applied: default deny : what is not explicitly permitted is denied default forward : what is not explicitly denied is allowed
default deny is more secure, you dont have to identify all of the cases that needs to be blocked, if one is missed, default deny will deny it.
Port 0-1023 reserved
1024-2**17 ephemeral
source port used by the system initialiatizng a connection is always chosen from the ephemeral ports
Be able to configure the packet filtering functions of iptables.
–
Example:
Write iptables rules to block all ICMP traffic to and from the system.
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP
Example:
Write iptables rules to block all traffic on port 22
iptables -A INPUT -p tcp --sport 22 -j DROP
iptables -A OUTPUT -p tcp --dport 22 -j DROP
–
Example:
Write iptables rules to block traffic to host 192.168.2.2
iptables -A OUTPUT -p tcp --dest 192.168.2.2 -j DROP
iptables -A INPUT -p tcp --src 192.168.2.2 -j DROP
What are the limitations of the packet filter firewall?
-does not examine upper layer data : cannot prevent attacks that employ application specfic vulnerabilities or functions.cannot block application specific commands.
•
What is the stateful firewall and how does it compare to a packet filter?
A stateful firewall is a network security device that monitors and tracks the state of active connections, making decisions based on the context of the traffic. Unlike a simple packet filter, which examines individual packets in isolation based on predetermined rules, a stateful firewall keeps track of connections over time, distinguishing between legitimate packets that are part of an established session and potentially malicious ones. This contextual awareness allows it to block unauthorized connection attempts and prevent attacks such as spoofing and session hijacking. While packet filters, or stateless firewalls, operate faster and consume fewer resources by applying static rules to each packet independently, they lack the sophisticated traffic pattern handling and enhanced security provided by stateful firewalls.
•
What is the application-level firewall? What are its advantages and limitations?
An application-level firewall, also known as an application firewall or proxy firewall, operates at the application layer of the OSI model. It inspects and filters traffic based on the specific application protocols (e.g., HTTP, FTP, DNS) rather than just IP addresses and port numbers. limitations : increased communications overhead due to two separate TCP connections

 and not transparent to the client 

Application-level gateways are also known as application-level proxies.
-act as a relay for the application-level traffic.
-runs at the application layer, and examines application-layer data
Supported ProtocolsFTPSTMPHTTP
What is a circuit-level firewall? What are its advantages and limitations?
-Similar to the application-level gateway, but only tracks the state of the TCP/UDP sessions.
-Does not examine application data , simply relays TCP segments
-Allow/deny decisions based on whether a packet belongs to an established and trusted connection
Advantage of circuit-level firewall -do not filter individual packets(simplifies rules)

-fast and efficient 

Disadvantages:

-do not filter individual packets -require frequent updates: traffic is filtered with rules and policies that need regular updates for new threats and risks -the vendor needs to modify the TCP/IP implementation for thor applications to use the circuit-level proxy. 

What are the different approaches to basing the firewall?

-stand-alone machines -software modules in roosters, switches, or servers, or pre-configured security appliances. 

What are the host-based firewalls?
Host-based firewalls: a firewall software module used to secure a single host.
What are the network device firewalls?
Network device firewall = routers and switches often have firewall functions, like packet filtering and stateful inspection, to check and filter packets
What are the virtual firewalls?
-in a virtualized environment, servers, switches, and routers can be virtualized and share physical hardware. The hypervisor that manages the virtual machines can also have firewall capabilities.
What is the DMZ? How is it used for securing networks?
A Demilitarized Zone (DMZ) in network security is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, typically the internet. The primary purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN). By isolating these externally accessible services, the DMZ ensures that if an attacker gains access to the public-facing systems, they do not have direct access to the rest of the network.
How the DMZ Secures Networks
Isolation of Public Services: Services that need to be accessible from the outside, such as web servers, mail servers, FTP servers, and DNS servers, are placed in the DMZ. These services are isolated from the internal network, which helps protect the internal systems from attacks that may exploit vulnerabilities in the public-facing services.
Controlled Access: Firewalls are used to create boundaries between the internet, the DMZ, and the internal network. The firewall rules are configured to allow only specific types of traffic to and from the DMZ. For example, incoming web traffic might be allowed to reach a web server in the DMZ, but not to access internal systems directly.
Minimal Exposure: Only the necessary services are exposed to the internet. This minimizes the attack surface, reducing the number of entry points that an attacker can exploit. Internal systems and data remain protected behind the additional layer of the firewall.
Layered Security: The DMZ provides an additional layer of defense (defense-in-depth). Even if an attacker manages to compromise a server in the DMZ, the internal network is still protected by another firewall, making it harder for the attacker to penetrate further.
Monitoring and Logging: Activities within the DMZ can be closely monitored and logged. Any suspicious behavior can be detected early, and appropriate actions can be taken to mitigate potential threats before they impact the internal network.
Traffic Filtering: The firewalls between the internet and the DMZ, as well as between the DMZ and the internal network, can filter traffic based on IP addresses, ports, and protocols. This filtering ensures that only legitimate traffic is allowed and that malicious traffic is blocked.
-if attacker compromises a server on the network, they will be able to pivot to other systems on the network.
What are the advantages and disadvantages of having the two DMZ firewalls be from
different vendors?
Using different firewall manufacturers for the two firewalls maybe a good idea, avoids possibility of both having the same vulnerability but introduces more complexity and management overhead.
Be able to write pfSense firewall rules
Penetration Testing
•
What is penetration testing?
-legal and suthorzied attempt to locate and exploit vulnerable systems for the purpose of making those systems more secure.

pen testing, pt, hacking, ethical hacking, whitehate hacking, offensive security, red teaming 

What is the objective of the penetration testing?

Use tools and techniques used by the attackers in order to discover security vulnerabilities before the attackers do. 

What is the BAD pyramid?

The purpose of a red team is to find ways to improve the blue team, so purple teams should not be needed in an organization where the red/blue teams interaction is healthy and functioning properly. 

red attack
purple defender changes based off attack knowledge
blue defend
green builder changes based on defender knowledge
yellow build
orange builder changes based on attacker knowledge
Why are the penetration tests conducted?
-a company may want to have a stronger understanding of their security footprint.

-system policy shortcomings -network protocol weaknesses -network/software misconfigurations -software vulnerabilities 

What is the difference between penetration testing and vulnerability assessment?
-two terms often incorrectly ,interchangeably used in practice.
-vulnerability assessment : review of systems services to find potential vulnerabilities-penetration testing: finding an exploiting system vulnerabilities as proof-of-concept
What is the difference between black-box, white-box, and grey-box testing.
Black-Box Testing
Tester Knowledge: The tester has no knowledge of the internal structure, code, or implementation details of the system.
-lack knowledge of system
White-Box Testing
Tester Knowledge: The tester has full knowledge of the internal structure, code, and implementation details of the system.
-very thorough , but not completely realistic
Grey-Box Testing
Tester Knowledge: The tester has partial knowledge of the internal structure, code, or implementation details of the system.
What is the difference between ethical and unethical hackers?
-penetration testers, with proper authorization of the company, help improve the security of the company.
-unethical hackers, personal gain through extortion or other devious methods, profit, revenge, fame, etc. No authorization to conduct the attacks
•Ethical vs unethical hacking, penetration testers: obtain the authorization from the organization whose systems they plan to attack unethical hackers: attack without authorization.
Know the stages of penetration testing and the importance of following a structured ap-
proach.
–
Planning and Reconnaissance:
Planning: Define the scope and goals of the test, including the systems to be tested and the testing methods.
Reconnaissance: Gather information about the target, such as IP addresses, domain names, and network infrastructure, to understand how to approach the test.
Scanning:
Purpose: Identify potential entry points and vulnerabilities in the target system.
Methods: Use tools to scan for open ports, services running on those ports, and known vulnerabilities.
Gaining Access:
Purpose: Attempt to exploit identified vulnerabilities to gain unauthorized access to the system.
Techniques: Use techniques like password cracking, SQL injection, or exploiting software vulnerabilities.
Maintaining Access:
Planning and Reconnaissance:
Purpose: Ensure continued access to the compromised system to understand the potential impact of a prolonged attack.
Methods: Install backdoors or use other methods to maintain control over the system.
Analysis and Reporting:
Scanning
Purpose: Document the findings, including vulnerabilities discovered, methods used, and the level of access achieved.
Report: Provide a detailed report to the organization, highlighting the risks and recommending steps to mitigate the vulnerabilities.
Remediation:
Gaining Access
Purpose: Address and fix the identified vulnerabilities to improve the security of the system.
Action: Implement the recommended security measures from the report to protect against future attacks.
Retesting:
Maintaining Access
Purpose: Verify that the vulnerabilities have been successfully remediated.
Process: Conduct a follow-up test to ensure that the fixes are effective and no new issues have been introduced.
Importance of Following a Structured Approach
Consistency: A structured approach ensures that each stage is systematically followed, making the testing thorough and reliable.
Comprehensiveness: Following each stage helps identify and address all potential vulnerabilities, leaving no gaps in the security assessment.
Documentation: A structured method produces detailed documentation, which is crucial for understanding the security posture and for future reference.
Effectiveness: It ensures that the penetration test effectively mimics real-world attack scenarios, providing valuable insights into how an actual attacker might exploit vulnerabilities.
Risk Management: By identifying and addressing vulnerabilities, organizations can proactively manage security risks and protect their assets from potential attacks.
Example:
What is the difference between the passive and active reconnaissance?
•
Passive Reconnaissance
Definition: Gathering information about the target without directly interacting with the target system or network. The aim is to collect data without alerting the target.
Methods:
Publicly Available Information: Searching for information that is freely available on the internet, such as social media profiles, company websites, and news articles.
DNS Queries: Looking up domain registration information (WHOIS data), DNS records, and IP address ranges.
Network Traffic Analysis: Capturing and analyzing network traffic without sending packets to the target (e.g., using tools like Wireshark in a non-intrusive manner).
Search Engines: Using search engines to find information about the target, such as employee names, email addresses, and technical details.
Advantages:
Low Risk: Minimizes the chance of detection by the target because no direct interaction occurs.
Stealth: Suitable for the early stages of reconnaissance when the goal is to remain undetected.
Disadvantages:
Limited Information: May not provide as much detailed or specific information about vulnerabilities or configurations as active reconnaissance.
Active Reconnaissance
Definition: Actively engaging with the target system or network to gather information. This involves direct interaction, such as sending packets or probing the target.
Methods:
Network Scanning: Using tools like Nmap to scan for open ports, running services, and network topology.
Vulnerability Scanning: Running vulnerability scanners (e.g., Nessus, OpenVAS) to identify known weaknesses in the target systems.
Social Engineering: Directly interacting with individuals (e.g., phishing attacks) to gather information.
Probing and Enumerating: Sending specific queries or packets to the target to elicit responses that reveal information about the system (e.g., banner grabbing).
Advantages:
Detailed Information: Provides more detailed and specific information about the target's vulnerabilities, configurations, and active services.
Identification of Weaknesses: More effective in identifying exploitable vulnerabilities that can be used in subsequent attack phases.
Disadvantages:
Higher Risk: Increases the risk of detection by the target, which could alert them to the reconnaissance activity.
Potential Legal Issues: Unauthorized active reconnaissance can lead to legal repercussions if done without permission.
Summary
Passive Reconnaissance: Involves gathering information without direct interaction with the target, resulting in lower risk of detection but potentially less detailed information.
Active Reconnaissance: Involves direct interaction with the target to gather detailed information, but carries a higher risk of detection and potential legal consequences.
Both types of reconnaissance are essential in penetration testing to understand the target's environment and identify potential vulnerabilities while balancing the need for stealth and detailed information.
Be able to use the penetration testing tools discussed in class
nmap 192.168.1.1
nmap -sS -sV -O -A 192.168.1.1-sS: Perform a stealth SYN scan.
-sV: Detect service versions.
-O: Detect operating system.
-A: Perform aggressive scan (includes OS detection, version detection, script scanning, and traceroute).

I came across this Microsoft link below, and it says you can RDP into a remote Azure AD Join computer.
Use the Remote Desktop Connection app to connect to a remote PC using single sign-on with Microsoft Entra authentication
I gave it a try and seems to work great without the need of VPN, and I did NOT have to open an RDP port on my router.
Here's what I've done by enabling this feature.

1. Add my Azure AD credentials on the Azure AD Joined remote computer
2. Add my user account to the "Remote Desktop Users" group
3. Enable RDP
4. Enabled NLA
5. Created a Conditional Access policy to require MFA and Session Control whenever I need to RDP into the Azure AD Joined Computer. See link.

Log on to the local Hybrid AD joined computer using the same Azure AD Credentials, launch the RDP client, go to the Advanced Tab, and check the box Use a web account to sign in to the remote computer. Click "Connect", and a mini web browser appears, requesting me to enter my MFA Number Matching code. After entering the code, I'm remoted into my Azure AD Joined computer.
My question is, how secure is this? I did not have to enter the password. I basically SSO with MFA enabled into the remote computer. Also, the RDP traffic is encrypted with TLS 1.2.
I can't ping the remote computer by IP address nor by computer name.
I know that in the past and still to this day, in best practice, VPN should be used, but in this case, it doesn't seem necessary. What are everyone's thoughts on this?

Hi!
i have a mini-pc running proxmox and on it a virtual machine running kali linux. Im also using a Unifi Cloud Gateway Ultra that has the ability to add a client VPN (like Surfshark) and make dedicated routings for certain devices.
What im trying to do: route all traffic from (and to) the kali VM through the unifi client vpn (surfshark).
Problem: as soon as I activate the routing in my gateway the chrome browser inside the kali vm looses connection. im not sure if the error is on the unifi gateway side or the proxmox side. Maybe you could help me out and give me a hint.
Here are some screens of the settings I made in my router:
https://preview.redd.it/4vknavgmnu0d1.png?width=1268&format=png&auto=webp&s=9f9033c3205b06e7a2b8fc9ac435a287cb95b0d4
https://preview.redd.it/3py87mhmnu0d1.png?width=2316&format=png&auto=webp&s=8d349f28e32200e6c3ee56aee011b22e64b6cb8c

Mine hasn't been able to connect for a while. Keeps showing the same message "VPN is temporarily unavailable. Opera is resolving the problem". Is anyone else having the same issue? Is this some kind of problem on my end? Please help.

Let's suppose you are using a third-party VPN, and you decide to run a MYST node in your computer while connected to this VPN, with the aim of hidding your ISP IP address, what would be the odds of doing this?

I have read the sticky, and other posts. Seem like LetsVPN is faster than Astrill, but that Astrill is less suspicious and more reliable? A really hard choice, since I need to be able to make video calls with as little latency and risk of not being able to connect as possible.
Edit: Microsoft Teams on a MacBook Pro

RuPaul’s Drag Race: All Stars Season 9 sashays onto screens worldwide! This season is more thrilling than ever, promising to bring back the glamour, drama, and jaw-dropping performances from some of your favorite queens. But there’s a twist—it’s all for a good cause! For the first time in the show’s history, these iconic drag superstars will be competing to win a whopping $200,000 for their chosen charities. Whether you’re a die-hard fan or a curious newcomer, this season is a must-watch.

Quick Steps: Watch RuPaul’s Drag Race: All Stars Season 9 From Anywhere

1. Download a reliable VPN [we recommend ExpressVPN OR PureVPN as it provides exceptional streaming experience globally]
2. Download and install VPN app!
3. Connect to a server in the US
4. Login to Paramount Plus
5. Watch your favorite content on Paramount Plus

Follow these simple steps to watch RuPaul's Drag Race: All Stars Season 9 from anywhere!
Why You Need a VPN to Watch This Show
Due to geo-restrictions, Paramount+ content is not available from anywhere. This means that fans of RuPaul’s Drag Race: All Stars outside the USA need a VPN (Virtual Private Network) to access the show. A VPN masks your IP address, making it appear as if you are browsing from a different location. This allows you to bypass geographic restrictions and enjoy your favorite shows without interruption.
What To Expect From This RuPaul’s Drag Race: All Stars Season 9
RuPaul’s Drag Race: All Stars Season 9 brings an exciting twist to the iconic series, combining the glamour and competition of drag performance with a heartfelt emphasis on charity. This season features eight standout queens from previous seasons, each returning to the runway not just for the crown but to make a difference. These contestants are competing for a generous $200,000 prize, but with a catch: the winner will donate the entire sum to a charity of their choice. With no eliminations, each episode allows the queens more opportunities to showcase their charisma, uniqueness, nerve, and talent, all while supporting causes that are close to their hearts.
Cast Members of RuPaul’s Drag Race: All Stars Season 9

• Angeria Paris VanMichaels (Los Angeles, CA, Season 14) - National Black Justice Collective
• Gottmik (Los Angeles, CA, Season 13) - Trans Lifeline
• Jorgeous (Los Angeles, CA, Season 14) - National Alliance on Mental Illness
• Nina West (Columbus, OH, Season 11) - The Trevor Project
• Plastique Tiara (Los Angeles, CA, Season 11) - The Asian American Foundation
• Roxxxy Andrews (Orlando, FL, Season 5 & All Stars 2) - Miracle of Love
• Shannel (Las Vegas, NV, Season 1 & All Stars 1) - Anxiety and Depression Association of America
• Vanessa Vanjie Mateo (Los Angeles, CA, Seasons 10 & 11) - ASPCA

Season 9 has set a new benchmark for how reality television can be both entertaining and profoundly impactful. For those watching from outside the USA, this season has proven that art and heart know no boundaries.
By following this guide you can watch RuPaul’s Drag Race: All Stars Season 9 in Spain, Canada, Australia, United Kingdom, Philippines, Ireland, New Zealand, Costa Rica, Portugal, Netherlands and many more countries!

Curious what everyone thinks about using DNS vs your public IP when setting up a vpn to a home network. My IP seems to be static although I’m not sure officially (Spectrum home internet - been the same for at least 1+ years). Is it less secure to have a sub domain that points to my public IP? Anyone have solutions for doing ddns with Wireguard if I were to stop pointing it to dns? Any other things to consider when setting up a vpn to a home network? Mainly I’m connecting my phone, laptop, iPad (via Wireguard) etc. to home network (via Wireguard set up on Unifi UDM Pro) to access self hosted services running on unraid, promox, other docker containers.
Thanks in advance for any input!

Picks: 30 minutes prior, 2 pre-selected Brown and Sticky and Stryker Ex: Human Revolution
Duration: 5 hours roughly. May be more.
Players: 3-4
Communication: Roll20 and Discord
Metaplot: N/A
Game Topic: Crime and Shadows
Threat: High or Deadly.
Game Tone: Mirrorshades
GM Style Sheet: I do my best!
Location: New Orleans, CAS

Connecting ShadowHaven VPN . . . Matrix Access ID Spoofed . . . Encryption Keys Generated . . . Connected to Onion Routers . . . Redirected to ShadowHaven Forum . . . Enter Passcode . . . Password Confirmed. Enter Biometrics . . . Biometric Scan Confirmed. Connected to Node: ShadowHaven_BBS. Welcome back to ShadowHaven, omae. 

Connecting to Guest Node. . . Welcome to ShadowHaven 1 Posting Found. . . Opening Job Posting . . .

"Not um... not exactly familar with this whole Johnson thing. All I know is Shadowhaven is cream of the crop and thats what I need. I'll even pay for the flight just... just get over here."
Please respond with:

• Your character's role and summary
• Link to wiki page
• IC response to the following prompt: "How dark can crime truly be in the sixth world? Are the corporations the only ones capable of great evil?"

Hello all,
I am currently working on setting up an internal gateway for Global Protect and I have had no success. I suspect the internal gateway created is the issue and wanted to ask some (possibly stupid) questions to anyone willing to answer them.
Looking at the Portal config, an internal config has been created. Internal host detection has been entered along with an internal gateway pointing at a private IP address which has been set as an A record only within our local DNS server. Currently that private IP (the internal gateway address) only exists on the firewall as an entered address and as a DNS record. Is there somewhere else I should be entering this information? I know that external hosting requires a public DNS record matched to a local DNS record, does internal hosting only require a private DNS record?
I also noticed that my Internal gateway does not have an IP pool like the external gateway does. Is this because an internal IP has already been assigned? Or does the device get reassigned an IP after connecting to the VPN internally?
Thank you for any assistance!

Hey there guys. I'm using WireGuard with my router and it works amazing for my access outside of my home. I love it and now also want to use it to have a site-to-site VPN from my server to an Azure VM to monitor my server.
The problem is that I'm not able to achieve it. The setup: I have an unRAID server with IP 192.168.132.89. For that server, I forwarded port 51820/UDP in my router. Then I have a Ubuntu VM running in Azure with Docker installed. I created a network rule to open port 51820/UDP as well. I got a duckdns address.
In Azure, I run the linuxserver.io/wireguard Docker container. Why? I try to always run everything in Docker but if it is so much more complicated for VPN I would also install it on bare metal if that's the problem.
My docker-compose:

--- services: wireguard: image: linuxservewireguard:latest container_name: wireguard cap_add: - NET_ADMIN - SYS_MODULE #optional environment: - PUID=1000 - PGID=1000 - TZ=Europe/Berlin - SERVERPORT=51820 #optional - SERVERURL=xyz.duckdns.org - PEERS=1 - PEERDNS=auto - INTERNAL_SUBNET=10.13.13.0 - PERSISTENTKEEPALIVE_PEERS=25 - LOG_CONFS=true - ALLOWEDIPS=0.0.0.0/0 volumes: - /media/appdata/wireguard/config:/config - /lib/modules:/lib/modules #optional ports: - 51820:51820/udp sysctls: - net.ipv4.conf.all.src_valid_mark=1 restart: unless-stopped networks: - azure networks: azure: external: true 

The wg0.conf looks like this:

[Interface] Address = 10.13.13.1 ListenPort = 51820 PrivateKey = xxxxxx PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE [Peer] # peer1 PublicKey = xxxxxx PresharedKey = xxxxxx AllowedIPs = 10.13.13.2/32 

In unRAID WireGuard is part of the system and you can easily set it up in the frontend but the config looks like this:

[Interface] #unRAID PrivateKey=xxxxxx Address=10.13.13.1 ListenPort=51820 PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started';/uslocal/emhttp/webGui/scripts/update_services PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped';/uslocal/emhttp/webGui/scripts/update_services PostUp=ip -4 route flush table 200 PostUp=ip -4 route add default via 10.13.13.1 dev wg0 table 200 PostUp=ip -4 route add 192.168.178.0/24 via 192.168.178.1 dev br0 table 200 PostDown=ip -4 route flush table 200 PostDown=ip -4 route add unreachable default table 200 PostDown=ip -4 route add 192.168.178.0/24 via 192.168.178.1 dev br0 table 200 [Peer] #Azure PublicKey=xxxxxx AllowedIPs=10.13.13.2/24 PersistentKeepalive=25 

And unRAID tells me I should use this config for the peer (Azure):

[Interface] #Azure Address=10.13.13.2/32 [Peer] #unRAID PersistentKeepalive=25 PublicKey=+jKnW8gXR4+O5sNIOQwsIK1VZ9uVzEVhzr+Z+WAqP0c= Endpoint=xyz.duckdns.org:51820 AllowedIPs=10.13.13.1/32, 192.168.132.89/32 

I even tried to edit the wg0.conf manually to this but it didn't work. But there is also a note on the docs of linuxserver.io/wireguard:

Site-to-site VPN in server mode requires customizing the AllowedIPs statement for a specific peer in wg0.conf. Since wg0.conf is autogenerated when server vars are changed, it is not recommended to edit it manually.

I read multiple articles and threads but couldn't achieve the connections as the pings are not possible.
Can somebody tell me what I'm doing wrong?

Hi everyone,
I’m experiencing a frustrating issue with my home network and could use some advice. I have a TP Link AX6000 router and use NordVPN, all running on a 1GB fiber internet connection. About twice a day or so, my iPhone seems to lose its internet connection despite still showing as connected to the network. When this happens, other devices like my TV remain connected to the same router, but the video quality becomes very pixelated.
Has anyone faced a similar issue or have any suggestions on how to troubleshoot this? I’m not sure if it’s a problem with the router settings, the VPN, or perhaps something specific to the iPhone. Any help or pointers would be greatly appreciated!
Thanks in advance!

I went through several posts seeing if I can find the issue with what is happening and only found maybe 2 that were having the issue and one definitely didn't get theirs resolved but the other was a VPN issue which I do not have. I'm not able to setup my new shop. I have tried countless times with adding the bank information and waiting for them to process the $15 fee that they are saying has to be done. They connected my bank account for the deposits to be made from the sales but paying that fee isn't going through. I have contacted them about the issue and I get the generic "clear your cache, cookies" blah blah blah blah. I have tried every single browser I could possibly think of including what they said and still its not going through. I contacted my bank and they said there isn't even a chance that they are trying to process it. Etsy won't answer and of course they don't have their chat up where you can talk to someone right then and there.
Any advice on this? I'm not wanting another site because this is the only one I found that can be trusted and I have heard good things from friends but this is ridiculous now.

I currently have an application running on a k3s cluster, but it's inside of vcentevsphere client which is protected by a VPN. I installed Metallb as a Loadbalancer in the hopes that it would help expose it but sadly not. It does get assigned an external IP correctly and I can open my app using that IP, but not when I close down the VPN connection.
What else can I use to expose my app to outside of the VPN, my main goal is to loadtest it in my CI/CD pipeline with a tool like Artillery.io. Any help would be appreciated!

I am trying to setup global protect to either disconnect or not route traffic over the VPN when connected to the corporate network. For my portal I setup the internal host detection, and when try to connect the client on the corporate network it states I am connected to an internal network. Then I will flip the wifi connection over from the corporate wifi to my hotspot and the client will reestablish the VPN tunnel and routes the subnets over the VPN. Then when I reconnect back to the corporate wifi the VPN will continue to route the subnets over the VPN.
What do I need to do so when an already connect GP client connects to our corporate network it does not route the subnets over the VPN.
I feel like it is working somewhat because if I disconnect and reconnect the VPN client on the corporate network it runs its detection step and see I am on the internal network. Then when I connect to my hotspot things route as they should. But when I go from hotspot to the corporate network it seems to be skipping the internal detection step.

I’ll try to keep this in as few words as possible.
This campground offers free internet, but it’s poor and the nearest wireless access point to the lot is down and won’t be coming back up.
Here’s what I’ve tried so far:

1. Outdoor WiFi repeater. This works to a certain extent, but it isn’t going to speed up the campground’s connection.
   
2. Cellular internet. Both Verizon and T-Mobile have service here. Neither have their cellular home internet options available here.
   

• Verizon: This led me to break TOS and make my own Verizon setup. However, you have to use a VPN to bypass throttling which causes location consistency issues (no local channels). Wasn’t fast enough either.
  
• T-Mobile (what I’m currently using): I got special pricing for 30GB of data. This plan allows for streaming, so no VPN or bypass required, not breaking TOS. I put the sim into a GL iNet router and I’m load balancing between the WiFi repeater campground connection and the T-Mobile data. 70% campground, 30% data. This sort of works, but occasionally will use the T-Mobile IP address, causing location discrepancy in local TV.
  

(3.) OTA TV antenna. Only some local live TV channels show up on Paramount+. I’ve tried multiple antennas but I can’t grab a good connection to any local stations. Maybe I need something like a Tablo?
Any ideas? Thanks!

small post with a shootout to one security/operation tools that I think have stood our in the last year for me as an enterprise user.
As a security practitioner in enterprise companies, many times I began to use a tool for the company I work for, to discover that either part of the features are , how to say it, more for the demo than for actual use, and missing features take years to appear.
so when you have a product that : already provides value , and adds value with time, to the point that you check the changelog every few weeks to see, that means that :

• they have a world class product team
  
• they also have a good technological base and process that allows them to evolve quickly and efficiently.
  

so about tailscale : - based on wireguard so allows you to connect whatever you want however you want, and support all your weird use cases,

• uses and contributes to open-source,
  
• codebase in a modern language, so their sdlc can support modern features like feature flagging ( more than once support told me " the feature you want is in alpha/early beta, I can enable it for you)
  
• changelog transparency ( the security advisory page is also greatly informative). just read the k8s operator changes and OMG I need to try this :-)
  

do I have some remarks ? of course! their billing could be improved to be more transparent, the UI is basic, and I'd love things like multiple files acl, and yes the derp bandwidth should be larger, so even when direct connection does not work there is no real impact.
but the essential part : the vpn connection works to the point that it becomes boring.
big shootout !