endlessh was pretty cool and a more modern version is even better ! I’ll give it a shot !

On a side note, I found a way to trap HTTP connections too while working on my cyb.farm project. The go implementation is ridiculously simple: tarpit.go. It works by providing an endless stream of custom headers to the client, which it is supposed to ingest before getting to the content itself.

Keeping the source IP intact means you’ll have troubles routing back the traffic through host B.

Basically host A won’t be able to access the internet without going through B, which could not be what you want.

Here’s how it works:

On host A:

• add a /32 route to host B public IP through your local ISP gateway (eg. 192.168.1.1)
• setup a wireguard tunnel between A and B
• host A: 172.17.0.1/30
• host B: 172.17.0.2/30
• add a default route to host B wireguard IP

On host B:

• setup wireguard (same config)
• add PAT rules to the firewall so to DNAT incoming requests on the ports you need to 172.17.0.1
• add an SNAT masquerade rule so all outbound request from 172.17.0.1 are NATed with host B public address.

This should do what you need. However, if I may comment it out, I’d say you should give up on carrying the source IP address down to host A. This setup I described is clunky and can fail in many ways. Also I can see no benefits of doing that besides having “pretty logs” on host A. If you really need good logs, I’d suggest setting up a good reverse proxy on host B and forwarding it’s logs to a collector on host A.

OpenBSD is the most pleasing expérience I’ve had with an OS. It’s fully contained and has all the tools you need without needing to install anything (eg a DNS, HTTP, SMTP servers, a proxy, a good firewall). All config files look alike and use the same keywords for the same things, making it straightforward to configure everything.

And regarding RAID 1, I’ve never done it myself, but it totally works out of the box (as well as full disk encryption).

OpenBSD for all of them.

I messed up, that’s the opposite actually ^^

I’m reading all the comments and I’m shocked… In France, with uncapped access and 1Gbps down/600Mbps up (theorical) I pay 40€/mo (30€ every six month when I call to complain that it’s too expensive). And it’s definitely not the cheapest provider.

That’s insane !

That’s cheap indeed. Is it possible to install a different OS than those listed on their website ?

I’ll look more into FUSE based remote storage more generally because it seems to be my only option besides NFS. I’ve heard great feedback from SSHFS so I’ll bench it eventually and see how it goes.

My main issue with NFS is that it’s been unreliable in my case (multiple servers connected over wireguard, over internet). Which cause locks and latency for the applications that read/write to it (Matrix server, distributed repository, …).

Of course if you can afford connecting the NFS server directly to the servers, that’s perfect but I’m more on the worst case scenario ^^

Ok thanks, so it’s similar to rclone mount, just with another tool.

How do you mount it ?

How do you use them ? Do you mount the bucket locally on the server ?

I didn’t know about their storage box. That’s interesting, thanks !

The best example would be a running an email or chat server. The spool/media directories can go large pretty quick as users share pictures, gifs, … So I would like to mount it from a remote location because the matrix server itself only has a 20G SSD for the whole OS. Rsync won’t cut it there as I have a specific process writing to a location.

I’m never going with Google/Dropbox ^^ the goal is to be in control of my data. Backblaze could be an option, but I expect too many read/writee for it to be cheap.

I considered the NAS at home but my home net is not reliable enough.

TBH I’m still looking for a better option to share storage between servers other than NFS. There has to be something better in 2023!

I ise backblaze for backups already. But is an S3 backend any good for mounting locally and doing many read/write ? What are my options to mount it besides rclone ?

I’d like to avoid that as I don’t consider my home network reliable enough for such a critical task.

Setup a local DNS server in your local network, and configure it to forward everything to an external DNS provider over TLS (port 853 usually). This is known as DNS over TLS (or DoT as other people mentioned).

I personally like https://cyberia.is

To each their own ! Security is a complex topic which usually resolves to adjusting the “security/annoyance” cursor to the best position.

In my case the constraints of using a VPN simply outweighs the security benefits.

Agreed ! Also it would make graphs pretty boring ;)