Compare commits


3 commits

Author SHA1 Message Date
jasmerah1966
e1a8db1b2d
Merge pull request #59 from viechoco/main
chore: Fix typos and spellings
2024-02-24 00:28:59 +07:00
Vie Liana
b3f320361e chore: Typo subnetting 2024-02-24 00:23:17 +07:00
Vie Liana
32937022d2 chore: Fix typos and spellings 2024-02-24 00:19:46 +07:00
14 changed files with 115 additions and 111 deletions

View file

@ -41,8 +41,8 @@ I hope this announcement finds you well. It's been more than 2 years that I run
For the last few months, I have several problems in providing and maintaining these services, so I decided to permanently close these services. It's hard for me, but I have to.
There are several reasons that make me unable to continue maintain these services alive:
1. I **want and need** to **have more time with the someone I love the most**.
There are various reasons that make me unable to continue to maintain these services alive:
1. I **want and need** to **have more time with someone I love the most**.
2. Regarding point `#1`, I don't have time to maintain these services anymore.
3. Reduce server costs that I have to spend.
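Review bot: the rewritten line `There are various reasons that make me unable to continue to maintain these services alive:` is still awkward, since "maintain ... alive" is not idiomatic; suggest "continue to keep these services running:". The swap of "several" for "various" is not a typo fix and could be dropped to keep the diff minimal. If the preceding context line is touched anyway, `For the last few months, I have several problems in providing and maintaining` reads better as "I have had several problems providing and maintaining".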

View file

@ -36,7 +36,7 @@ To support the **Reddit blackout movement**, my Libreddit instance will be inacc
Dear Users,
I hope this announcement finds you well. I would like to inform you of an important decision I have made to support the **Reddit blackout movement**. In solidarity with this cause, my Libreddit instance will be inaccessible for *unknown period of time* and I will see [how it goes (Libreddit github issue #818)](https://github.com/libreddit/libreddit/issues/818).
I hope this announcement finds you well. I would like to inform you of an important decision I have made to support the **Reddit blackout movement**. In solidarity with this cause, my Libreddit instance will be inaccessible for *unknown period of time* and I will see [how it goes (Libreddit GitHub issue #818)](https://github.com/libreddit/libreddit/issues/818).
Starting **12th of June 2023**, my Libreddit instance (libreddit.ditatompel.com) will be taken offline as part of the protest against Reddit policies and [API cost changes](https://www.reddit.com/r/Save3rdPartyApps/comments/13yh0jf/dont_let_reddit_kill_3rd_party_apps/). During this time, I encourage you to participate in discussions and engage with other online communities to voice your concerns about the importance of an open and inclusive digital space.
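Review bot: the edited line still reads `inaccessible for *unknown period of time*`; since it is already being changed for the GitHub capitalisation, add the missing article: "for an *unknown period of time*".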
@ -44,7 +44,7 @@ I understand that this inaccessibility may cause inconvenience, and I sincerely
## Updates
### 2023-06-18
> It's impossible for me to run and maintain my Libreddit instance with the new reddit API cost, so I decide to **permanenly shutdown my Libreddit instance**. I appreciate your understanding and support during this crucial time. Thank you!
> It's impossible for me to run and maintain my Libreddit instance with the new Reddit API cost, so I decide to **permanently shutdown my Libreddit instance**. I appreciate your understanding and support during this crucial time. Thank you!
Sincerely,
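Review bot: two more fixes belong on the edited quotation line: `so I decide to **permanently shutdown my Libreddit instance**` should use the past tense and the verb form, i.e. "so I decided to **permanently shut down my Libreddit instance**" ("shutdown" is the noun).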

View file

@ -42,17 +42,17 @@ A few months ago, I started facing problems when trying to access **reddit.com**
My browser always shows **_"The connection was reset"_** error message when I try to access reddit.com. [My libreddit service](https://libreddit.ditatompel.com/) that I provided to access **Reddit** without **NSFW** contents stopped working (Previous server location: **Indonesia Data Center Duren Tiga** or **IDC-3D**).
After discussing with colleagues and make some observations, I'm sure that I'm become a victim of **TCP reset attack (TCP RST)** and it happened at the *upstream provider* / *network checkpoint* that I used. It seems (in my personal opinion), my *upstream provider* is *"forced"* to carry out this *"evil"* activity.
After discussing with colleagues and make some observations, I'm sure that I've become a victim of **TCP reset attack (TCP RST)** and it happened at the *upstream provider* / *network checkpoint* that I used. It seems (in my personal opinion), my *upstream provider* is *"forced"* to carry out this *"evil"* activity.
Why do I say *"forced"*? Because most *upstream providers* are typically business oriented, and one of the their business goals is to get the maximum profit. Meanwhile, doing **Deep Packet Inspection (DPI)** for large amount of traffic is not cheap. Just search for the price of **Palo Alto 5200** series, **Cisco Firepower 9300** series, or **FortiGate 6000** series if you did not believe in me. That's just hardware costs, not for maintenance costs, and operational expenses such as training, salaries, and others.
Why do I say *"forced"*? Because most *upstream providers* are typically business oriented, and one of their business goals is to get the maximum profit. Meanwhile, doing **Deep Packet Inspection (DPI)** for large amount of traffic is not cheap. Just search for the price of **Palo Alto 5200** series, **Cisco Firepower 9300** series, or **FortiGate 6000** series if you did not believe in me. That's just hardware costs, not for maintenance costs, and operational expenses such as training, salaries, and others.
I'm aware that *enterprise firewall* devices like the ones I mentioned above must be owned by large ISP companies, especially at *network checkpoints*. But I'm sure, business people will prefer to save *resources* and avoid complaints from their customers (*downstream*) rather than to *deploy* and *integrate* DPI in their network infrastructure they already run.
If the cost of doing **DPI** will be very expensive, is it possible that the **TCP-RST attack** is implemented at every *checkpoint* on a national scale? It just impossible, right? *Hold my beer*, read how *"rich"* our country is to buy and implement such things in [#Privacy](#privacy) section.
If the cost of doing **DPI** will be very expensive, is it possible that the **TCP-RST attack** is implemented at every *checkpoint* on a national scale? It is just impossible, right? *Hold my beer*, read how *"rich"* our country is to buy and implement such things in [#Privacy](#privacy) section.
## Investigation
I did a very simple investigation to prove whether it was true that **TCP-RST attack** was automatically performed. There are 2 things that I do:
1. Simply use my browser's *inspect element* feature (*simple*).
1. Simply use my browsers *inspect element* feature (*simple*).
2. Directly check from my server in Indonesia and do network capture using `tcpdump` (*advanced*).
> _NOTE: From what I have observed, **TCP-RST attack** has not been implemented in all *checkpoint* / *upstream*. So there are still many providers who have not been affected._
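Review bot: the change on the first investigation step is a regression: `1. Simply use my browser's *inspect element* feature (*simple*).` was correct, and the new `1. Simply use my browsers *inspect element* feature (*simple*).` drops the possessive apostrophe; revert that part. On the edited line above it, `After discussing with colleagues and make some observations` should become "and making some observations" so both verbs agree.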
@ -62,7 +62,7 @@ I did a very simple investigation to prove whether it was true that **TCP-RST at
The easiest (but less detail) way is to use your browser. When you can't access reddit.com (or any other government-blocked site) and get **_"The connection was reset"_** error message; most likely your ISP (or *upstream* ISP) already implemented this method.
In a more detailed way, before trying to access reddit.com, *right-click* on your browser and look for something like "*inspect*" or "*developer tools*". Go to the "**Network**" tab and try to access reddit.com. The "*CONNECTION_RESET*" information message in the *status* column appears when the server sends *packet reset* (**RST**).
In a more detailed way, before trying to access reddit.com, *right-click* on your browser and look for something like "*inspect*" or "*developer tools*". Go to the "**Network**" tab and try to access reddit.com. The "*CONNECTION_RESET*" information message in the *status* column appears when the server sends *packet reset* (**RST**).
### Using `tcpdump` and `curl` (*advanced*)
> In order to understand this method, you need to know **basic concepts of TCP/IP** and [**3-Way-Handshake**](https://en.wikipedia.org/wiki/Handshake_(computing)#TCP_three-way_handshake).
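Review bot: the old and new versions of `In a more detailed way, before trying to access reddit.com ...` are visually identical in this view, so the change is presumably whitespace-only (trailing space or a non-breaking space); confirm that is intended. If the line is being touched, its own wording could be fixed at the same time: "appears when the server sends a *reset packet* (**RST**)".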
@ -133,20 +133,20 @@ In the future, obtaining information that is considered *"forbidden"* by the gov
I've experienced it myself, although it's not like and as bad as in China, but it's very inconvenient and annoying. For example, when I try to search something related to **IT** problems, Reddit discussion usually appears on search engine results, the solution was there (or at least, link to the solution was there). But to access it, I have to route all my laptop internet traffic to my VPN server (outside Indonesia) first before entering the reddit link page of the search results.
### Damage to human rights and democratic values
Restrictions on digital rights can undermine human rights and reduce democratic values. For example, at the beginning of 2021, residents of **desa Wadas** who had rejected the Andesite stone mining project (for the purposes of the **Bendungan Bener** project). Over the next few monts, residents of *desa Wadas* are still launched a series of protests and using social media as online mobilization tools and raise awareness. However, their internet connectivity was (believed to be) restricted by the authorities in response to citizen protests in February 2022.
Restrictions on digital rights can undermine human rights and reduce democratic values. For example, at the beginning of 2021, residents of **desa Wadas** who had rejected the Andesite stone mining project (for the purposes of the **Bendungan Bener** project). Over the next few months, residents of *desa Wadas* are still launched a series of protests and using social media as online mobilization tools and raise awareness. However, their internet connectivity was (believed to be) restricted by the authorities in response to citizen protests in February 2022.
*Wadas* protesters reported difficulty accessing their Twitter accounts that same week, though it remains unclear how authorities limiting their access to their own Twitter accounts. Read more complete article from **DetikX**: "[*Derasnya Penindasan Hak Digital di Wadas*](https://news.detik.com/x/detail/investigasi/20220221/Derasnya-Penindasan-Hak-Digital-di-Wadas/)" written in Bahasa Indonesia.
### *Chilling Effect* and the death of freedom of expression
[*Chilling Effect*](https://en.wikipedia.org/wiki/Chilling_effect) is a concept of public fear that arises due to ambiguous laws or regulations (*EHEMMMMM... [UUITE](https://en.wikipedia.org/wiki/Internet_censorship_in_Indonesia#ITE_Law).. Ehemmmm.. Sorry for coughing suddenly*). In Indonesia *chilling effect* usually is related defamation or hate speech (*Ehemmm... sorry cough again..*).
[*Chilling Effect*](https://en.wikipedia.org/wiki/Chilling_effect) is a concept of public fear that arises due to ambiguous laws or regulations (*EHEMMMMM… [UUITE](https://en.wikipedia.org/wiki/Internet_censorship_in_Indonesia#ITE_Law). Ehemmmm… Sorry for coughing suddenly*). In Indonesia *chilling effect* usually is related defamation or hate speech (*Ehemmm… sorry cough again…*).
During 2018, [police arrested 122 people for hate speech on social media](https://nasional.kompas.com/read/2019/02/15/15471281/selama-2018-polisi-tangkap-122-orang-terkait-ujaran-kebencian-di-medsos) (written in Bahasa Indonesia). There are five types of crimes, ranging from *hoaxes*, fake news, blasphemy, to defamation said **Brigjen Pol. Rachmad Wibowo** who at that time served as **Direktur Tindak Pidana Siber Badan Reserse Kriminal Polri** (*Director of cyber crime at the [Indonesian National Police](https://en.wikipedia.org/wiki/Indonesian_National_Police)'s criminal investigation agency*).
Then in 2021, the *"activation"* of [**Indonesia Cyber Police**](https://cfds.fisipol.ugm.ac.id/2021/02/05/the-existence-of-indonesia-cyber-police-what-does-it-mean-for-us-netizens/) drive civils to increasingly practice [self-censorship](https://en.wikipedia.org/wiki/Self-censorship), especially regarding [freedom of speech](https://en.wikipedia.org/wiki/Freedom_of_speech). That statement was conveyed by the Coordinator of **Komisi untuk Orang Hilang dan Tindak Kekerasan** (**Kontras**, the *Commission for Missing Persons and Acts of Violence*), **Fatia Maulidiyanti**.
Then in 2021, the *"activation"* of [**Indonesia Cyber Police**](https://cfds.fisipol.ugm.ac.id/2021/02/05/the-existence-of-indonesia-cyber-police-what-does-it-mean-for-us-netizens/) drive civils to increasingly practice [self-censorship](https://en.wikipedia.org/wiki/Self-censorship), especially regarding [freedom of speech](https://en.wikipedia.org/wiki/Freedom_of_speech). That statement was conveyed by the Coordinator of **Komisi untuk Orang Hilang dan Tindak Kekerasan** (**Kontras**, the *Commission for Missing Persons and Acts of Violence*), **Fatia Maulidiyanti**.
And in February 2022, the survey results from **Indikator Politik Indonesia** showed that 62.9% (using the *stratified random* method out of 1,200 respondents with a *margin of error* of around 2.9%) respondents agreed and strongly agreed that [the public is now increasingly afraid of expressing opinions](https://nasional.tempo.co/read/1580168/survei-indikator-politik-indonesia-629-persen-rakyat-semakin-takut-berpendapat) (written in Bahasa Indonesia).
> _"If (for example) you get terrible (fake) news, then report it to the police, in a few minutes it will be known from whom, where from, then the culprit is found and then arrested." - **Mahfud MD**_
> _"If (for example) you get terrible (fake) news, then report it to the police, in a few minutes it will be known from whom, where from, then the culprit is found and then arrested." **Mahfud MD**_
### Privacy
Actually, **Deep Packet Inspection** was initially created to measure and manage network security and protect users and prevent the spread of *malware*. However, using this technology as a surveillance tool will have a very bad impact on ~~your~~ our privacy. In addition, DPI can also be used to study the behavior or *interest* of an individual or institution from their activities on the internet which can be used for *targeted (behavioral) marketing*.
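Review bot: on the Mahfud MD quotation the edit removes the ` - ` between the closing quote and `**Mahfud MD**_`, and no separator is visible in the result; if it was replaced with an em dash that this view does not render, fine, otherwise keep a comma or dash before the attribution. The edited Wadas paragraph still has two grammar problems worth fixing in the same commit: the first sentence has no main verb (`residents of **desa Wadas** who had rejected the Andesite stone mining project ...`) and `are still launched a series of protests` should be "still launched a series of protests". The "Indonesia Cyber Police" line shows no visible change either, so it is likely whitespace-only as well.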
@ -167,25 +167,25 @@ Who wants their *microservices* suddenly stopped working because of this **TCP-R
## Evading censorship
To *bypass* **DNS** based censorship such as **DNS spoofing**, **DNS filtering** and **DNS redirect**; teaching *non-tech* people to use **DNS-over-HTTPS (DoH)** is quite easy. But to *bypass* **DPI** and **TCP RST attack** would be very difficult and impossible for majority *non-tech* people in Indonesia to do.
A few way to avoid censorship is use *network tunnel* to a *server* outside Indonesia, whether it's **VPN** or **SOCKS5 proxy**. Even then, the government and the ISP you use will still know that you are using a **Proxy** / **VPN**. The difference is: they only know that you are connecting to VPN / SOCKS5 servers and where the VPN / SOCKS5 server is located. Other than that, the don't know anything (only you and VPN / Server / Proxy provider know what service / host you communicate with).
A few way to avoid censorship is use *network tunnel* to a *server* outside Indonesia, whether it's **VPN** or **SOCKS5 proxy**. Even then, the government and the ISP you use will still know that you are using a **Proxy** / **VPN**. The difference is: they only know that you are connecting to VPN / SOCKS5 servers and where the VPN / SOCKS5 server is located. Other than that, they don't know anything (only you and VPN / Server / Proxy provider know what service / host you communicate with).
If you are really *concern* about privacy, choosing a **VPN provider** must also be done with quite complicated research. Lots of apps on the **App Store** offer **free VPN**, but most of them end up with selling your data.
And I hope, **QUIC/HTTP3** technology will enter a new chapter soon that *"may"* help us mitigate the impact of **TCP RST attack** a bit.
## Sources and references
- "[Indonesia: Freedom on the Net 2022 Country Report](https://freedomhouse.org/country/indonesia/freedom-net/2022)" - freedomhouse.org.
- "[State of Privacy Indonesia](https://privacyinternational.org/state-privacy/1003/state-privacy-indonesia)" - privacyinternational.org.
- NetBlocks. 2019b: "[Internet disrupted in Papua, Indonesia amid protests and calls for independence](https://netblocks.org/reports/internet-disrupted-in-papua-indonesia-amid-mass-protests-and-calls-for-independence-eBOgrDBZ)" - netblocks.org.
- "[Indonesia: Freedom on the Net 2022 Country Report](https://freedomhouse.org/country/indonesia/freedom-net/2022)" freedomhouse.org.
- "[State of Privacy Indonesia](https://privacyinternational.org/state-privacy/1003/state-privacy-indonesia)" privacyinternational.org.
- NetBlocks. 2019b: "[Internet disrupted in Papua, Indonesia amid protests and calls for independence](https://netblocks.org/reports/internet-disrupted-in-papua-indonesia-amid-mass-protests-and-calls-for-independence-eBOgrDBZ)" netblocks.org.
- Thompson, Nik; McGill, Tanya; and Vero Khristianto, Daniel, "[Public Acceptance of Internet Censorship in Indonesia](https://aisel.aisnet.org/acis2021/22)" (2021). ACIS 2021 Proceedings. 22.
- Wildana, F. (2021) "[An Explorative Study on Social Media Blocking in Indonesia](https://journal.unesa.ac.id/index.php/jsm/article/view/12976)", The Journal of Society and Media, 5(2), pp. 456484. doi: 10.26740/jsm.v5n2.p456-484.
- Paterson, Thomas (4 May 2019). "[Indonesian cyberspace expansion: a double-edged sword](https://doi.org/10.1080%2F23738871.2019.1627476)". *Journal of Cyber Policy*. 4 (2): 216234. doi:10.1080/23738871.2019.1627476. ISSN 2373-8871. S2CID 197825581.
- Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert, "[Pegasus vs. Predator: Dissidents Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/)" - citizenlab.ca.
- Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert, "[Pegasus vs. Predator: Dissidents Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/)" citizenlab.ca.
- Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert, "[Running in Circles
Uncovering the Clients of Cyberespionage Firm Circles](https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/)" - citizenlab.ca.
- Bill Marczak, John Scott-Railton, Adam Senft, Irene Poetranto, and Sarah McKune, "[Pay No Attention to the Server Behind the Proxy](https://citizenlab.ca/2015/10/mapping-finfishers-continuing-proliferation/)", Mapping FinFishers Continuing Proliferation - citizenlab.ca.
- Joseph Cox, "[British Companies Are Selling Advanced Spy Tech to Authoritarian Regimes](https://www.vice.com/en/article/4xaq4m/the-uk-companies-exporting-interception-tech-around-the-world)" - vice.com.
- Thomas Brewster, "[A Multimillionaire Surveillance Dealer Steps Out Of The Shadows and His $9 Million WhatsApp Hacking Van](https://www.forbes.com/sites/thomasbrewster/2019/08/05/a-multimillionaire-surveillance-dealer-steps-out-of-the-shadows-and-his-9-million-whatsapp-hacking-van/)" - forbes.com.
- Moh. Khory Alfarizi, Febriyan, "[Survei Indikator Politik Indonesia: 62,9 Persen Rakyat Semakin Takut Berpendapat](https://nasional.tempo.co/read/1580168/survei-indikator-politik-indonesia-629-persen-rakyat-semakin-takut-berpendapat)" - tempo.co .
- Abba Gabrillin, Krisiandi, "[Selama 2018, Polisi Tangkap 122 Orang Terkait Ujaran Kebencian di Medsos](https://nasional.kompas.com/read/2019/02/15/15471281/selama-2018-polisi-tangkap-122-orang-terkait-ujaran-kebencian-di-medsos)" - kompas.com.
- Tsarina Maharani, Dani Prabowo "[Kontras: Polisi Siber yang Akan Diaktifkan Pemerintah Berpotensi Bungkam Kebebasan Berekspresi](https://nasional.kompas.com/read/2020/12/28/14074121/kontras-polisi-siber-yang-akan-diaktifkan-pemerintah-berpotensi-bungkam)" - kompas.com.
Uncovering the Clients of Cyberespionage Firm Circles](https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/)" citizenlab.ca.
- Bill Marczak, John Scott-Railton, Adam Senft, Irene Poetranto, and Sarah McKune, "[Pay No Attention to the Server Behind the Proxy](https://citizenlab.ca/2015/10/mapping-finfishers-continuing-proliferation/)", Mapping FinFishers Continuing Proliferation citizenlab.ca.
- Joseph Cox, "[British Companies Are Selling Advanced Spy Tech to Authoritarian Regimes](https://www.vice.com/en/article/4xaq4m/the-uk-companies-exporting-interception-tech-around-the-world)" vice.com.
- Thomas Brewster, "[A Multimillionaire Surveillance Dealer Steps Out Of The Shadows and His $9 Million WhatsApp Hacking Van](https://www.forbes.com/sites/thomasbrewster/2019/08/05/a-multimillionaire-surveillance-dealer-steps-out-of-the-shadows-and-his-9-million-whatsapp-hacking-van/)" forbes.com.
- Moh. Khory Alfarizi, Febriyan, "[Survei Indikator Politik Indonesia: 62,9 Persen Rakyat Semakin Takut Berpendapat](https://nasional.tempo.co/read/1580168/survei-indikator-politik-indonesia-629-persen-rakyat-semakin-takut-berpendapat)" tempo.co.
- Abba Gabrillin, Krisiandi, "[Selama 2018, Polisi Tangkap 122 Orang Terkait Ujaran Kebencian di Medsos](https://nasional.kompas.com/read/2019/02/15/15471281/selama-2018-polisi-tangkap-122-orang-terkait-ujaran-kebencian-di-medsos)" kompas.com.
- Tsarina Maharani, Dani Prabowo "[Kontras: Polisi Siber yang Akan Diaktifkan Pemerintah Berpotensi Bungkam Kebebasan Berekspresi](https://nasional.kompas.com/read/2020/12/28/14074121/kontras-polisi-siber-yang-akan-diaktifkan-pemerintah-berpotensi-bungkam)" kompas.com.
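Review bot: the Citizen Lab "Running in Circles" entry still has a hard line break inside the link text (`"[Running in Circles` on one line and `Uncovering the Clients of Cyberespionage Firm Circles](...)` on the next), which breaks the Markdown link; join it as "Running in Circles: Uncovering the Clients ...". While in this list, `Mapping FinFishers Continuing Proliferation` needs the possessive "FinFisher's", and the unchanged page ranges `pp. 456484` and `216234` appear to have lost their range dashes (456-484 and 216-234), though that may be a rendering artifact of this view rather than the source file.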

View file

@ -37,20 +37,20 @@ authors:
- ditatompel
---
This article contains information about how to **import** your **WireGuard VPN** config to your **Android**, **iOS/iPhone**, **MacOS**, **Windows** and **Linux** machine.
This article contains information about how to **import** your **WireGuard VPN** config to your **Android**, **iOS/iPhone**, **macOS**, **Windows** and **Linux** machine.
<!--more-->
---
This article is part of [**WireGuard VPN** series](https://insights.ditatompel.com/en/series/wireguard-vpn/). If you haven't read the previous series, you might be interested to [setup your own **WireGuard VPN server** using cheap ~$6 VPS]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md" >}}) or [installing **WireGuard-UI** to manage your **WireGuard VPN server**]({{< ref "/tutorials/installing-wireguard-ui-to-manage-your-wireguard-vpn-server/index.md" >}}).
This article is part of [**WireGuard VPN** series](https://insights.ditatompel.com/en/series/wireguard-vpn/). If you haven't read the previous series, you might be interested to [set up your own **WireGuard VPN server** using cheap ~$6 VPS]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md" >}}) or [installing **WireGuard-UI** to manage your **WireGuard VPN server**]({{< ref "/tutorials/installing-wireguard-ui-to-manage-your-wireguard-vpn-server/index.md" >}}).
[WireGuard](https://www.wireguard.com/) was initially released for the **Linux kernel**, it is now *cross-platform* (**Windows**, **macOS**, **BSD**, **iOS**, and **Android**). When you buy a **WireGuard VPN** from *VPN providers*, you will usually receive a configuration file (some providers also give you **QR Code** image). This configuration file is all you need.
For Windows, MacOS, Android, and iOS, all you have to do is import the configuration file into the [official WireGuard application](https://www.wireguard.com/install/). For Linux who use `wg-quick` tool even more simpler, you just have to copy the configuration file to the `/etc/wireguard` folder.
For Windows, macOS, Android, and iOS, all you have to do is import the configuration file into the [official WireGuard application](https://www.wireguard.com/install/). For Linux who use `wg-quick` tool even simpler, you just have to copy the configuration file to the `/etc/wireguard` folder.
Even though the setup method is quite easy, I still want to write the steps on how to install or import the WireGuard configuration file here.
The WireGuard configuration file given by *VPN provider* (or your **SysAdmin**) is just a text file, usually will look like this:
The WireGuard configuration file given by *VPN provider* (or your **Sysadmins**) is just a text file, will usually look like this:
```plain
[Interface]
Address = 10.10.88.5/32
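Review bot: `(or your **Sysadmins**)` introduces a plural that does not match the singular `*VPN provider*` in the same sentence; "your **sysadmin**" reads better. The neighbouring edited line `For Linux who use `wg-quick` tool even simpler` is still not a sentence: suggest "For Linux users who use the `wg-quick` tool it is even simpler". On the series line, `you might be interested to [set up ...]` should be "interested in setting up".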
@ -73,12 +73,12 @@ Download [official WireGuard client for iOS from App Store](https://apps.apple.c
You can import configuration file by pressing <kbd>+</kbd> button from the top right of the app.
### Using QR Code
1. If your VPN provider give you **QR Code** image for your configuration, choose **"Create from QR code"** and scan your WireGuard configuration QR Code.
2. When promoted to enter **name of the scanned tunnel** ([*example image*](wg-ios1.png)), fill with anything you can easily remember. *Avoid using character other than `-` and `[a-z]`*. Your new VPN connection profile will added to your WireGuard app.
1. If your VPN provider gives you **QR Code** image for your configuration, choose **"Create from QR code"** and scan your WireGuard configuration QR Code.
2. When promoted to enter **name of the scanned tunnel** ([*example image*](wg-ios1.png)), fill with anything you can easily remember. *Avoid using character other than `-` and `[a-z]`*. Your new VPN connection profile will be added to your WireGuard app.
### Using import file or archive
1. To import configuration from `.conf` file, you need to download the configuration file to your device.
2. After configuration file is downloaded to your device, choose **"Create from file or archive"** and pick file of your WireGuard configuration file.
2. After configuration file is downloaded to your device, select **"Create from file or archive"** and pick file of your WireGuard configuration file.
_Remember to avoid using character other than `-` and `[a-z]` for the interface **"name"**_.
After your configuration was imported, simply tap **"Active" toggle button** of your desired VPN profile to **on** to connect [[*example image of connected WireGuard VPN in iOS app*](wg-ios2.png)].
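Review bot: both iOS steps keep `When promoted to enter **name of the scanned tunnel**`, which should be "When prompted to enter"; since that line is already touched for "will be added", fix it at the same time. `Avoid using character other than` should be "characters" in both step 2 and the closing reminder.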
@ -89,25 +89,25 @@ Download [official WireGuard client for Android from Play Store](https://play.go
You can import configuration file by pressing <kbd>+</kbd> button from the bottom right of the app.
### Using QR Code
1. If your *VPN provider* give you **QR Code** image for your configuration, choose **"Scan from QR code"** and scan your WireGuard configuration QR Code.
2. When promoted to enter **Tunnel Name** ([*example image*](wg-android1.png)), fill with anything you can easily remember. _Avoid using character other than `-` and `[a-z]`_. Your new VPN connection profile will added to your WireGuard app.
1. If your *VPN provider* gives you **QR Code** image for your configuration, choose **"Scan from QR code"** and scan your WireGuard configuration QR Code.
2. When promoted to enter **Tunnel Name** ([*example image*](wg-android1.png)), fill with anything you can easily remember. _Avoid using character other than `-` and `[a-z]`_. Your new VPN connection profile will be added to your WireGuard app.
### Using import file or archive
1. To import configuration from `.conf` file, you need to download the configuration file to your device.
2. After configuration file is downloaded to your device, choose **"Import from file or archive"** and pick file of your WireGuard configuration file.
2. After configuration file is downloaded to your device, select **"Import from file or archive"** and pick file of your WireGuard configuration file.
_Remember to avoid using character other than `-` and `[a-z]` for the interface **"name"**_.
After your configuration was imported, simply tap **"Active" toggle button** of your desired VPN profile to **on** to connect [[*example image of connected WireGuard VPN in Android app*](wg-android2.png)].
## Windows and MacOS
I'll put Windows and MacOS in the same section because importing WireGuard config on those OS is pretty simillar. After [official WireGuard application](https://www.wireguard.com/install/) for your OS is installed:
## Windows and macOS
I'll put Windows and macOS in the same section because importing WireGuard config on those OSes is pretty similar. After [official WireGuard application](https://www.wireguard.com/install/) for your OS is installed:
1. Click "**Add Tunnel**" button (or it's dropdown icon) and "**Import tunnel(s) from file...**", then pick file of your WireGuard configuration file.
1. Click "**Add Tunnel**" button (or it's dropdown icon) and "**Import tunnel(s) from file**", then pick file of your WireGuard configuration file.
2. After connected to your VPN profile, try to check your IP address. Your VPN server should appear as your public IP, not your ISP IP address.
![WireGuard VPN connected on Windows](wg-windows-connected.png#center)
## Linux
For Linux users, you need to install `wireguard` *package* to your system. Find how to install wireguard package from [official WireGuard](https://www.wireguard.com/install/) site or your *distribution* documentation page.
For Linux users, you need to install `wireguard` *package* to your system. Find how to install WireGuard package from [official WireGuard](https://www.wireguard.com/install/) site or your *distribution* documentation page.
### Using wg-quick
The easiest and simplest way to use WireGuard is using `wg-quick` tool that comes from `wireguard` *package*. Put your WireGuard configuration file from your VPN provider to `/etc/wireguard` and start WireGuard connection with:
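Review bot: the Windows step edit changes the menu label `"**Import tunnel(s) from file...**"` to `"**Import tunnel(s) from file**"`; if the WireGuard client's menu item actually ends with an ellipsis, the label should keep it (or use the single "…" character) rather than drop it. The same line still has `(or it's dropdown icon)`, which should be "its". The Android QR step again keeps `When promoted to enter **Tunnel Name**`, which should be "prompted".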
@ -127,6 +127,7 @@ Try to check your WireGuard connection by check your public IP from your browser
> _**Note 2**: Users of `systemd-resolved` should make sure that `systemd-resolvconf` is installed._
### Using NetworkManager
**NetworkManager** on *bleeding-edge* *distros* such as **Arch Linux** has native support for setting up WireGuard interface.
#### Using NetworkManager TUI & GUI
@ -177,12 +178,12 @@ method=manual
addr-gen-mode=stable-privacy
method=ignore
```
![nmcli wireguard connection example](wg-nmcli.png#center)
![nmcli WireGuard connection example](wg-nmcli.png#center)
## Notes
- You can't connect to the same VPN server from 2 or more different devices with same key. **You every devices MUST have it's own unique key**.
- You can't connect to the same VPN server from 2 or more different devices with same key. **You every device MUST have its own unique key**.
- For some operating system such as Windows, if you can't import your WireGuard configuration file from your WireGuard app, make sure that your WireGuard configuration file is ended with `.conf`.
### Additional Notes
- If you interested to [setup your own **WireGuard VPN server** using cheap ~$6 VPS]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md" >}}),but have some technical difficulties; I can help you to set that up for small amount of **IDR** (_I accept **Monero XMR** for **credits** if you don't have Indonesia Rupiah_).
- If you interested to [set up your own **WireGuard VPN server** using cheap ~$6 VPS]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md" >}}), but have some technical difficulties; I can help you to set that up for small amount of **IDR** (_I accept **Monero XMR** for **credits** if you don't have Indonesia Rupiah_).
- To find out how to contact me, please visit [https://www.ditatompel.com/pages/contact](https://www.ditatompel.com/pages/contact).
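Review bot: the Notes edit only half-fixes the sentence: `**You every device MUST have its own unique key**` still has the stray "You"; it should read "Every device MUST have its own unique key". The unchanged first half of that line, `from 2 or more different devices with same key`, wants "the same key". On the Additional Notes line, `If you interested to [set up ...]` should be "If you are interested in setting up".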

View file

@ -36,7 +36,7 @@ authors:
- jasmerah1966
---
This article helps you setting up and configuring **Dante** as a **private SOCKS proxy** (with authentication) on **Debian** based Linux distribution.
This article helps you to set up and configuring **Dante** as a **private SOCKS proxy** (with authentication) on **Debian** based Linux distribution.
<!--more-->
---
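Review bot: the rewritten intro sentence is not parallel: "helps you to set up and configuring **Dante**" should be "helps you set up and configure **Dante** as a **private SOCKS proxy** (with authentication) on a **Debian**-based Linux distribution".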
@ -103,7 +103,7 @@ socks pass {
From the example configuration above, **Dante** will listen to any available IP addresses on port `1080` and all outgoing traffic will be passed through `eth0` interface.
You can change the _port_ and you must adjust the `external` _interface_ with your default server interface.
You can change the _port_, and you must adjust the `external` _interface_ with your default server interface.
After adjusting the **Dante** configuration to fit with your needs, restart the service using `sudo systemctl restart danted.service` command.
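Review bot: the added comma is fine; in the surrounding context of this hunk, "will listen to any available IP addresses" should be "will listen on all available IP addresses" and "to fit with your needs" should be "to fit your needs".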
@ -150,7 +150,7 @@ From the `curl` command above, your public IP address should become your proxy s
## Troubleshooting
If you cannot establish a `SOCKS5` connection to your _proxy server_, make sure the _port_ used by Dante is open. run the following `ufw` command (for Debian-based systems) to open a port from the firewall:
If you cannot establish a `SOCKS5` connection to your _proxy server_, make sure the _port_ used by Dante is open. Run the following `ufw` command (for Debian-based systems) to open a port from the firewall:
```shell
ufw allow proto tcp to any port 1080
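Review bot: the capitalisation fix is fine; while this paragraph is being touched, it is worth pointing out that `ufw allow proto tcp to any port 1080` opens the SOCKS port to every source address. Since the article frames Dante as a *private* proxy with authentication, the rule can be scoped to the clients that should reach it, e.g. `ufw allow from <client-ip> proto tcp to any port 1080`, with the wide-open variant reserved for the case where client addresses are not fixed.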

View file

@ -49,7 +49,7 @@ Setelah [beberapa seri artikel tentang **VPN IPsec**](https://insights.ditatompe
- Nyaman dan terbiasa dengan Linux *command-line*.
- Pengetahuan dasar _subnetting_ di **IPv4** (_jujur saja, sayya tidak begitu familiar dengan subnetting di IPv6, jadi artikel ini hanya untuk IPv4_).
Untuk pemilihan *cloud provider* mana yang akan Anda gunakan, itu terserah Anda. Di artikel ini, saya akan mengguakan **Droplet** di [**DigitalOcean**](https://m.do.co/c/42d4ba96cc94) (*refferal link*) untuk VPN server saya. (Anda bisa mendapatkan kredit sebesar 200 dolar yang valid untuk 60 hari secara cuma-cuma dengan menggunakan *link* referensi saya).
Untuk pemilihan *cloud provider* mana yang akan Anda gunakan, itu terserah Anda. Di artikel ini, saya akan mengguakan **Droplet** di [**DigitalOcean**](https://m.do.co/c/42d4ba96cc94) (*referral link*) untuk VPN server saya. (Anda bisa mendapatkan kredit sebesar 200 dolar yang valid untuk 60 hari secara cuma-cuma dengan menggunakan *link* referensi saya).
> _**CATATAN**: Anda harus tahu bahwa **cloud provider biasanya membebankan biaya *extra* jika Anda melebihi batasan quota** yang telah mereka berikan._
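Review bot: the hunk fixes the English loanword ("*refferal link*" to "*referral link*") but leaves two Indonesian typos in the same paragraph: "mengguakan" in the changed line should be "menggunakan", and "sayya" in the context line above it should be "saya".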

View file

@ -48,27 +48,27 @@ After [series of my IPsec VPN article](https://insights.ditatompel.com/en/series
- Comfortable with Linux *command-line*.
- Basic knowledge of _**IPv4** subnetting_ (_to be honest, I'm not familiar with IPv6 subnetting, so this article is for **IPv4** only_).
It doesn't matter which *cloud provider* you choose. in this article, I will use [**DigitalOcean**](https://m.do.co/c/42d4ba96cc94) (*refferal link*) **Droplet** for my **WireGuard VPN server** (You can get your **free $200** in credit over 60 days by registering using my *refferal code*).
It doesn't matter which *cloud provider* you choose. In this article, I will use [**DigitalOcean**](https://m.do.co/c/42d4ba96cc94) (*referral link*) **Droplet** for my **WireGuard VPN server** (You can get your **free $200** in credit over 60 days by registering using my *referral code*).
> _**NOTE**: You should know that **cloud providers usually charge extra amount of `$` for every GB of overuse bandwidth**. So, know your needs and your limits!_
> _VPS server I use for this article will be destroyed when this article is published._
## Deploying your new VPS (DigitalOcean Droplet, optional)
> _If you already have your own VPS running, you can skip this step and go to next step: "[Setup your WireGuard Server](#setup-your-wireguard-server)"._
> _If you already have your own VPS running, you can skip this step and go to next step: "[Set up your WireGuard Server](#setup-your-wireguard-server)"._
1. Go to your project and **Create new Droplet**.
2. Choose **droplet region closest to you** to avoid any potential network latency. In this example, I'll choose **Frankfurt** datacenter.
3. Choose your **Droplet OS**, for this article, I'll use **Ubuntu** `22.04 LTS`.
4. Choose your **Droplet size**. I'll start with basic, **1 CPU** with **1GB of RAM** and **1TB network transfer** ($6/month).
2. Choose **droplet region closest to you** to avoid any potential network latency. In this example, I'll pick **Frankfurt** datacenter.
3. Select your **Droplet OS**, for this article, I'll use **Ubuntu** `22.04 LTS`.
4. Select your **Droplet size**. I'll start with basic, **1 CPU** with **1GB of RAM** and **1TB network transfer** ($6/month).
Adapt the VPS size to fit with your need to avoid extra charge of overuse bandwidth (1TB monthly transfer is enough for me).
![DigitalOcean VPS size](do1.png#center)
5. Set up your prefered *authentication method*, I **prefer using SSH public and private key** rather than *password auth*.
5. Set up your preferred *authentication method*, I **prefer using SSH public and private key** rather than *password auth*.
6. Set any other options as *default*. _I'm sure you **don't need backup and managed database options** for this setup_.
> _**WireGuard** did **NOT need high disk I/O, so NVMe disk is NOT necessary**._
## Setup your WireGuard Server
## Set up your WireGuard Server
> _**IMPORTANT NOTE**: Since I'm not familiar with **IPv6** subnetting, I'll only use **IPv4**._
Once your VPS ready and running, it's recommended to update your OS first using `apt update && apt upgrade` command and `reboot` your VPS.
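Review bot: renaming the heading `## Setup your WireGuard Server` to `## Set up your WireGuard Server` changes the heading's generated anchor, but the skip link earlier in this same hunk still points at `#setup-your-wireguard-server`; with Hugo's default id generation the new heading becomes `#set-up-your-wireguard-server`, so either update the fragment or pin an explicit id on the heading, otherwise the link breaks. Smaller points in the unchanged lines: "**WireGuard** did **NOT need high disk I/O" should be "does NOT need", "Once your VPS ready and running" needs "is ready", and "to fit with your need" should be "to fit your needs".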
@ -76,6 +76,7 @@ Once your VPS ready and running, it's recommended to update your OS first using
> _If you want to manage **WireGuard** peers (client) on a single server easily, you might be interested to read "[Installing WireGuard-UI to Manage Your WireGuard VPN Server]({{< ref "/tutorials/installing-wireguard-ui-to-manage-your-wireguard-vpn-server/index.md" >}})"._
### Install WireGuard
Install WireGuard using `sudo apt install wireguard` command. Once WireGuard is installed, we need to generate private and public key pairs for our WireGuard server.
> _Tips: You can create **vanity** public key address for **WireGuard** using tool like [warner/wireguard-vanity-address](https://github.com/warner/wireguard-vanity-address)._
@ -108,11 +109,11 @@ Before configuring your **WireGuard** server, you need to **decide your private
- Between `172.16.0.0` - `172.31.255.255` (`172.16.0.0/12`)
- Between `192.168.0.0` - `192.168.255.255` (`192.168.0.0/16`)
> _Tips: Avoid using your current used private IP ranges and commonly used private IP range. For example: Docker uses `172.17.0.0/16` ip range by default. If you use Docker, you must use another IP range for your WireGuard IP range to avoid conflict._
> _Tips: Avoid using your current used private IP ranges and commonly used private IP range. For example: Docker uses `172.17.0.0/16` IP range by default. If you use Docker, you must use another IP range for your WireGuard IP range to avoid conflict._
In this article, I only use **IPv4** and use `10.10.88.0/24` for my WireGuard network.
You'll also need to decide which **UDP** port WireGuard should listen to. Many *network appliance* out there (such as **Netgate**, **QNAP**, etc) set **UDP** port **51280** as their default WireGuard listen port. But, in this article, I'll use `UDP` port `51822`.
You'll also need to decide which **UDP** port WireGuard should listen to. Many *network appliance* out there (such as **Netgate**, **QNAP**, etc.) set **UDP** port **51280** as their default WireGuard listen port. But, in this article, I'll use `UDP` port `51822`.
Now, we have all (basic) required information for WireGuard server to run:
- Server Public IP: `xxx.xx.xx0.246`
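Review bot: "Avoid using your current used private IP ranges" in the changed Tips line should be "your currently used private IP ranges", and "Many *network appliance* out there" in the changed port line needs the plural "appliances". "which **UDP** port WireGuard should listen to" would also read better as "listen on".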
@ -133,10 +134,10 @@ SaveConfig = true
```
> _**Note**: From the configuration above, notice that I pick `10.10.88.1` as my server IP address for WireGuard network._
Replace `<YOUR_SERVER_PRIVATE_KEY>`, `<YOUR_SERVER_IP_ADDRESS>`, `<SERVER_UDP_LISTEN_PORT>` with your prefered configuration.
Replace `<YOUR_SERVER_PRIVATE_KEY>`, `<YOUR_SERVER_IP_ADDRESS>`, `<SERVER_UDP_LISTEN_PORT>` with your preferred configuration.
#### Allowing IP forward
In this article, we'll allow this WireGuard server as our default *gateway* for *peers* (clients), so any outgoing network traffic (except to your **LAN/WLAN** network) can go trough this WireGuard server. If you use WireGuard as *peer-to-peer* connection, yo don't need to do this.
In this article, we'll allow this WireGuard server as our default *gateway* for *peers* (clients), so any outgoing network traffic (except to your **LAN/WLAN** network) can go through this WireGuard server. If you use WireGuard as *peer-to-peer* connection, you don't need to do this.
Edit `/etc/sysctl.conf` and add `net.ipv4.ip_forward=1` to the end of the file, then run `sudo sysctl -p` to load the new `/etc/sysctl.conf` values.
```shell
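Review bot: "we'll allow this WireGuard server as our default *gateway*" in the changed line should be "we'll use this WireGuard server as the default *gateway*", and "as *peer-to-peer* connection" needs an article: "as a *peer-to-peer* connection". It is also worth stating in this paragraph that `net.ipv4.ip_forward=1` makes the host forward traffic for anything that reaches it, which is why it belongs together with the server-side firewall rules the article configures afterwards rather than on its own.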
@ -166,7 +167,7 @@ Next, you need to know which network interface used by your server as its *defau
```plain
default via 164.90.160.1 dev eth0 proto static
```
Write down the word after `dev` output, that's your default network interface. We will need that infromation later. In this example, my default network interface is `eth0`.
Write down the word after `dev` output, that's your default network interface. We will need that information later. In this example, my default network interface is `eth0`.
Now add this following configuration to your `/etc/wireguard/wg0.conf` under `[Interface]` section:
```plain
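Review bot: the spelling fix is right, but the changed sentence is still a comma splice: "Write down the word after `dev` output, that's your default network interface" should be "Write down the word after `dev` in the output; that's your default network interface". "Now add this following configuration" in the line below should be "Now add the following configuration".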
@ -236,7 +237,7 @@ To automatically start WireGuard service when the system start, you can execute
## Setup WireGuard Peer (*client*)
In this section, I'll use Linux machine using `wg-quick` via `systemd` as an example to connect to our configured WireGuard server. For other method such as connecting using **NetworkManager** GUI, Different OS and mobile devices, you can read my next article: "[Configure WireGuard VPN Clients]({{< ref "/tutorials/configure-wireguard-vpn-clients/index.md" >}})".
Configuring WireGuard peer (client) in Linux using `systemd` is almost the same as setting up WireGuard server. The different is you didn't need to configure firewall and IP forward for peers. All you need to do is install WireGuard, create private and public key, configure DNS server you want to use, add start the service.
Configuring WireGuard peer (client) on Linux using `systemd` is almost the same as setting up WireGuard server. The different is you didn't need to configure firewall and IP forward for peers. All you need to do is install WireGuard, create private and public key, configure DNS server you want to use, add start the service.
### Generating Private and Public Key Pairs (Client Side)
If you already have your own WireGuard key pairs, you can use that keys, skip this step and go to the next step: "[Configuring WireGuard Peer (client)](#configuring-wireguard-peer-client)".
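Review bot: the "in Linux" to "on Linux" fix leaves two errors in the same sentence: "The different is you didn't need to configure firewall and IP forward for peers" should be "The difference is that you don't need to configure the firewall and IP forwarding for peers", and "add start the service" should be "and start the service". In the context line below, "you can use that keys" should be "you can use those keys".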
@ -294,7 +295,7 @@ PersistentKeepalive = 15
Replace `<YOUR_PEER_PRIVATE_KEY>`, `<YOUR_PEER_IP_ADDRESS>`, `<YOUR_SERVER_PUBLIC_KEY>`, `<YOUR_SERVER_PUBLIC_IP_ADDRESS>`, and `<SERVER_UDP_LISTEN_PORT>` with yours.
Note:
- `AllowedIPs` = `0.0.0.0/0` means all traffic will go trough that peer (in this case, our WireGuard server).
- `AllowedIPs` = `0.0.0.0/0` means all traffic will go through that peer (in this case, our WireGuard server).
You can specify / selective routing specific IP to specific peer (if you connected to multiple peers / servers).
For example, if you only want to route traffic to IP 1.0.0.1 and 8.8.4.4 using specific peer and use your current internet connection as default route, you can remove `0.0.0.0/0` and add `1.0.0.1/32,8.8.4.4/32` (separated by comma) to `AllowedIPs` value.
- `PersistentKeepalive` = `15` : How many seconds for peer send *ping* to the server regularly, so the server can reach the peer sitting behind **NAT**/firewall.
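Review bot: "trough" to "through" is correct; the two lines that follow it in the same note are hard to parse: "You can specify / selective routing specific IP to specific peer (if you connected to multiple peers / servers)" could read "You can also route only specific IPs to a specific peer (if you are connected to multiple peers/servers)". The `PersistentKeepalive` bullet should read "How often (in seconds) the peer sends a keepalive to the server, so the server can reach a peer sitting behind **NAT**/firewall".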
@ -304,13 +305,13 @@ For example, if you only want to route traffic to IP 1.0.0.1 and 8.8.4.4 using s
#### Adding Peers Public Key to WireGuard Server
you need to add every peers public key to WireGuard server configuration. This need to be done to allow peers connect to our WireGuard server. There are 2 ways to do this, depending on your server configuration.
If you following this tutorial with `SaveConfig = true` in the server config, you can add *peer public key* by issuing this command (in WireGuard Server):
If you're following this tutorial with `SaveConfig = true` in the server config, you can add *peer public key* by issuing this command (in WireGuard Server):
```shell
wg set wg0 peer 6gnV+QU7jG7BzwWrBbqiYpKQDGePYQunebkmvmFrxSk= allowed-ips 10.10.88.2
```
Replace `wg0` with your WireGuard server *interface*, `6gnV+QU7jG7BzwWrBbqiYpKQDGePYQunebkmvmFrxSk=` with your peer public key, and `10.10.88.2` with the IP address of that will be used by that peer.
If your WireGuard server configuration doesn't contain `SaveConfig = true` config, all you need to do is add peers informations to your WireGuard server config (`/etc/wireguard/wg0.conf`). For Example:
If your WireGuard server configuration doesn't contain `SaveConfig = true` config, all you need to do is add peers information to your WireGuard server config (`/etc/wireguard/wg0.conf`). For Example:
```plain
[Peer]
PublicKey = 6gnV+QU7jG7BzwWrBbqiYpKQDGePYQunebkmvmFrxSk=
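Review bot: "If you're following" and "peers information" are fine, but the unchanged first line of this section still reads "you need to add every peers public key ... This need to be done" (should be "You need to add every peer's public key ... This needs to be done"), and the sentence after the `wg set` command says "the IP address of that will be used by that peer" (drop "of").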
@ -324,7 +325,7 @@ sudo systemctl restart wg-quick@wg0.service
```
### Connecting to Server
Now, our peer (client) configuration is complete. you can try to connect your device to your WireGuard server using `systemd` service.
Now, our peer (client) configuration is complete. You can try to connect your device to your WireGuard server using `systemd` service.
```shell
sudo systemctl start wg-quick@wg-do1.service
@ -343,11 +344,11 @@ To verify your configurations is properly configured, try to check your public I
![What is my IP](wg-vpn-do-ip.png#center)
## Conclusion
WireGuard is my favorite VPN protocol. It's fast and less resource usage compared with other VPN protocols. It's highly configurable and works with multiple environments. It can be used for *peer-to-peer* connection, *client-server* connection, or creating secure *mesh network*.
WireGuard is my favorite VPN protocol. It's fast and less resource usage compared with other VPN protocols. It's highly configurable and works with multiple environments. Furthermore, it can be used for *peer-to-peer* connection, *client-server* connection, or creating secure *mesh network*.
When combined with **Nginx** as *reverse proxy*, you can even exposing your local HTTP server (and mostly any services) sitting behind **NAT**/firewall to the internet.
When combined with **Nginx** as *reverse proxy*, you can even expose your local HTTP server (and almost any services) sitting behind **NAT**/firewall to the internet.
Anyway, managing large scale of WireGuard network can be very dificult. But, there are a tool to help you managing large scale WireGuard networks, such as [Netmaker](https://www.netmaker.io/).
Anyway, managing large scale of WireGuard network can be very difficult. But, there are a tool to help you to manage large scale WireGuard networks, such as [Netmaker](https://www.netmaker.io/).
### Additional Notes
- If you have some technical difficulties setting up your own WireGuard server, I can help you to set that up for small amount of **IDR** (_I accept **Monero XMR** for **credits** if you don't have Indonesia Rupiah_).
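Review bot: the "Furthermore" insertion does not fix the grammar of the preceding sentence on the same line: "It's fast and less resource usage compared with other VPN protocols" should be "It's fast and uses fewer resources than other VPN protocols". In the Netmaker line, "managing large scale of WireGuard network can be very difficult. But, there are a tool to help you to manage" should be "managing a large-scale WireGuard network can be very difficult, but there are tools to help you manage it". The hunk header context also has "To verify your configurations is properly configured", which should be "your configuration is".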

View file

@ -41,7 +41,7 @@ This article may be useful for those of you who want to get started using **Git*
Git is one of the most popular and widely used _version controls_ by software developers around the world. Several _"Cloud" based version controls service build on top of Git_ such as [GitLab](https://about.gitlab.com/), [GitHub](https://github.com/), and [Codeberg](https://codeberg.org/) offer several unique features from each other. However, there is a feature that every provider definitely has, the feature is accessing and Git repositories using the SSH protocol.
The authentication process using the SSH protocol utilizes **SSH public and private keys** so you don't need to provide a _username_ or _personal access token_ every time you want to access or commit to your repository.
The authentication process using the SSH protocol utilizes **SSH public and private keys**, so you don't need to provide a _username_ or _personal access token_ every time you want to access or commit to your repository.
In this article, I want to share how to use the SSH protocol as an authentication method for a specific provider: GitHub. But before starting, make sure `git` and `ssh` are installed on your computer and of course you must have an account at GitHub.com.
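Review bot: the comma before "so" is right; the unchanged paragraph above still reads "the feature is accessing and Git repositories using the SSH protocol" (drop "and": "accessing Git repositories"), and "Several _"Cloud" based version controls service build on top of Git_" should be "Several _cloud-based version control services built on top of Git_".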
@ -58,7 +58,7 @@ Change `John Doe` and `johndoe@example.com` with your name and email address.
> _**Note**: Make sure the email address matches with the email address you use at GitHub.com._
## Creting SSH key
## Creating SSH key
When you want to access your private repository or make changes to your GitHub repository using SSH, you need to use an SSH private key for the authentication process. Therefore, create an SSH key pair using the following command:
@ -120,10 +120,10 @@ Once you have your SSH key pair and SSH config file configured, it's time to add
1. Go to __"Settings"__ > __"SSH and GPG keys"__ > click on __"New SSH key"__ button.
2. Fill __"Title"__ with anything that you can easily remember to identify your SSH key.
3. On __"Key type"__ options, choose __"Authentication Key"__.
4. Finally, go back to your terminal and _paste_ content of your __SSH public key__ (in this tutorial is `~/.ssh/github_key.pub`) to __"Key"__ _textarea_. Then submit by pressing __Add SSH key"__ button.
4. Finally, go back to your terminal and _paste_ content of your __SSH public key__ (in this tutorial is `~/.ssh/github_key.pub`) to __"Key"__ _textarea_. Then submit by pressing __"Add SSH key"__ button.
![Adding new SSH key to GitHub account](github-add-new-ssh-key.jpg#center)
The configuration process is complete and you can try connecting to GitHub with `ssh -T github.com` command from your terminal. You should receive a message that your connection to GitHub was successful: "**Hi jasmerah1966! You've successfully authenticated, but GitHub does not provide shell access**.".
The configuration process is complete, and you can try connecting to GitHub with `ssh -T github.com` command from your terminal. You should receive a message that your connection to GitHub was successful: "**Hi jasmerah1966! You've successfully authenticated, but GitHub does not provide shell access**.".
Next: Read [How To Create Verified Sign Git Commit Using SSH or GPG Signature]({{< ref "/tutorials/how-to-create-verified-sign-git-commit/index.md" >}}).
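Review bot: the missing opening quote on `__"Add SSH key"__` is now fixed; in the same step, "_paste_ content of your __SSH public key__ (in this tutorial is `~/.ssh/github_key.pub`)" should be "_paste_ the content of your __SSH public key__ (in this tutorial, `~/.ssh/github_key.pub`)". For the verification line, `ssh -T github.com` only authenticates as the expected user if the SSH config file mentioned in the hunk header sets `User git` for that host; otherwise ssh tries the local username, so either state that dependency or show `ssh -T git@github.com`.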

View file

@ -43,7 +43,7 @@ To manage **WireGuard** *peers* (client) on a single server easily, you can use
[Wireguard-UI](https://github.com/ngoduykhanh/wireguard-ui) is a *web-based* user interface to manage your **WireGuard** server setup written by [ngoduykhanh](https://github.com/ngoduykhanh) using **Go** programming language. This is an alternative way to install and easily manage your WireGuard VPN server.
If you prefer to install WireGuard server *"from scratch"* and manage it manually, you can follow my previous article about "[How to Setup Your Own WireGuard VPN Server]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md" >}})".
If you prefer to install WireGuard server *"from scratch"* and manage it manually, you can follow my previous article about "[How to Set up Your Own WireGuard VPN Server]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md" >}})".
## Prerequisites
- A **VPS** (**Ubuntu** `22.04 LTS`) with Public IP address and **Nginx** installed.
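Review bot: changing the link text to "How to Set up Your Own WireGuard VPN Server" while the `ref` path stays `how-to-setup-your-own-wireguard-vpn-server/index.md` is fine, since `ref` resolves by file path; but the linked article's own heading is renamed in this same PR (the `## Set up your WireGuard Server` hunk), so any `#...` fragment links into that article need updating too. Casing is also still mixed in this paragraph: the project appears as `Wireguard-UI` in the link text and as `WireGuard-UI` elsewhere in the file.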
@ -54,7 +54,7 @@ If you prefer to install WireGuard server *"from scratch"* and manage it manuall
In this guide, our goals:
- Server run _**WireGuard** daemon_ listen on port `51822/UDP`.
- **WireGuard UI** run from `127.0.0.1` on port `5000`.
- **Nginx** act as *reverse proxy* and serve **WireGuard UI** service using **HTTPS**.
- **Nginx** acts as *reverse proxy* and serve **WireGuard UI** service using **HTTPS**.
## Prepare Your Server
First, make sure your system is *up-to-date* and **WireGuard is installed** on your server.
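Review bot: "acts as" fixes only half of the sentence; the second verb must agree too: "**Nginx** acts as *reverse proxy* and serves **WireGuard UI** using **HTTPS**". The first goal bullet has the same problem: "Server run _**WireGuard** daemon_ listen on port `51822/UDP`" should be "The server runs the _**WireGuard** daemon_ listening on port `51822/UDP`".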
@ -128,7 +128,7 @@ iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
```
The `postup.sh` bash script above will be executed when WireGuard service is **started**.
Create `/opt/wireguard-ui/postdown.sh`. and fill with this example config:
Create `/opt/wireguard-ui/postdown.sh`, and fill with this example config:
```bash
#!/usr/bin/bash
# /opt/wireguard-ui/postdown.sh
@ -204,7 +204,7 @@ sudo systemctl enable wireguard-ui-daemon.service
### Auto Restart WireGuard Daemon
Because **WireGuard-UI** only takes care of WireGuard configuration generation, you need another `systemd` to watch for the changes and restart the **WireGuard** service. Create `/etc/systemd/system/wgui.service` and fill with this following example:
Because **WireGuard-UI** only takes care of WireGuard configuration generation, another `systemd` is required to watch for the changes and restart the **WireGuard** service. Create `/etc/systemd/system/wgui.service` and fill with this following example:
```systemd
[Unit]
Description=Restart WireGuard
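Review bot: "another `systemd` is required" is imprecise; what is needed is another `systemd` unit (the hunk itself goes on to create `/etc/systemd/system/wgui.service`), so write "another `systemd` unit is required to watch for changes and restart the **WireGuard** service". Also "fill with this following example" should be "fill it with the following example".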
@ -290,9 +290,9 @@ Go to **"WireGuard Server"** page and configure WireGuard config:
- **Post Up Script**: `/opt/wireguard-ui/postup.sh`
- **Post Down Script**: `/opt/wireguard-ui/postdown.sh`
![WireGuard- UI Server Settings](wg-ui-server-config.png#center)
![WireGuard-UI Server Settings](wg-ui-server-config.png#center)
Then go to **"Global Settings"**, verify that all your config is correct (especially for **"Endpoint Address"** and **"Wireguard Config File Path"**).
Then go to **"Global Settings"**, verify that all your config is correct (especially for **"Endpoint Address"** and **"WireGuard Config File Path"**).
After that, try to **Apply** your configuration.
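Review bot: before recasing the quoted label **"Wireguard Config File Path"** to **"WireGuard Config File Path"**, confirm it matches the label shown on the WireGuard-UI "Global Settings" page verbatim; quoted UI strings should follow the UI's own spelling rather than house style, otherwise readers searching the page for the label will not find it. The alt-text fix (`WireGuard- UI` to `WireGuard-UI`) is fine.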

View file

@ -35,21 +35,21 @@ authors:
- ditatompel
---
If you following my article about [How to install Misskey in Ubuntu 22.04 (Manual NodeJS and PM2 without Docker)]({{< ref "/tutorials/how-to-install-misskey-in-ubuntu-22-04-manual-without-docker/index.md" >}}), you may encounter some problem when trying to [update your Misskey instances](https://misskey-hub.net/en/docs/install/manual.htmlhow-to-update-your-misskey-server-to-the-latest-version).
If you're following my article about [How to install Misskey in Ubuntu 22.04 (Manual Node.js and PM2 without Docker)]({{< ref "/tutorials/how-to-install-misskey-in-ubuntu-22-04-manual-without-docker/index.md" >}}), you may encounter some problem when trying to [update your Misskey instances](https://misskey-hub.net/en/docs/install/manual.htmlhow-to-update-your-misskey-server-to-the-latest-version).
<!--more-->
This because **Misskey** is under heavy development and event *minor* update need higher version of **NodeJS**. For example, **Misskey** `13.10.3` was released in March, 25th and it works well with **NodeJS** `18.15`. Last week (May, 12th), *Misskey* `13.12.2` was released and need to be run using (at least) on **NodeJS** `18.16`. In this article, I want to share my experience how to perform an update to **Misskey instances**.
This because **Misskey** is under heavy development and event *minor* update need higher version of **Node.js**. For example, **Misskey** `13.10.3` was released in March, 25th, and it works well with **Node.js** `18.15`. Last week (May, 12th), *Misskey* `13.12.2` was released and need to be run using (at least) on **Node.js** `18.16`. In this article, I want to share my experience how to perform an update to **Misskey instances**.
## Install / update required dependencies for new version
First you need to know what is the [minimum requirement (dependencies)](https://misskey-hub.net/en/docs/install/manual.html#dependencies) for the latest *stable* version of **Misskey**, especially for **NodeJS** version and **PostgreSQL**. I'll take example of upgrading **Misskey** from `13.10.3` to `13.12.2` which have different minimum requirement of **NodeJS** version.
First you need to know what is the [minimum requirement (dependencies)](https://misskey-hub.net/en/docs/install/manual.html#dependencies) for the latest *stable* version of **Misskey**, especially for **Node.js** version and **PostgreSQL**. I'll take example of upgrading **Misskey** from `13.10.3` to `13.12.2` which have different minimum requirement of **Node.js** version.
### NodeJS
### Node.js
```shell
nvm install 18.16
use 18.16
```
Install `corepack` and enable it from your new **nodeJS** version environment:
Install `corepack` and enable it from your new **Node.js** version environment:
```shell
npm install -g corepack
corepack enable
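Review bot: the URL in the changed intro line is still broken: `https://misskey-hub.net/en/docs/install/manual.htmlhow-to-update-your-misskey-server-to-the-latest-version` is missing the `#` before the fragment (compare `manual.html#dependencies` further down in the same hunk). In the Node.js snippet, `use 18.16` is not a command; it should be `nvm use 18.16` to match the preceding `nvm install 18.16`. Remaining grammar in the changed lines: "This because ... and event *minor* update need" should be "This is because ... and even *minor* updates need", and "was released in March, 25th" should be "on March 25th".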

View file

@ -40,20 +40,22 @@ authors:
- ditatompel
---
**Wakapi** is a minimalist, __self-hosted__ **WakaTime**-compatible backend for coding statistics. It's cross platform (Windows, MacOS, Linux) and can be self-hosted to your local computer or your own server, so your data is really yours. This article will guide you how to run Wakapi on Linux operating system.
**Wakapi** is a minimalist, __self-hosted__ **WakaTime** - compatible backend for coding statistics. It's cross-platform (Windows, macOS, Linux) and can be self-hosted to your local computer or your own server, so your data is really yours. This article will guide you how to run Wakapi on Linux operating system.
<!--more-->
---
## Introduction
As someone who extensively use computers on a daily basis, particularly performing server maintenance and coding, I'm always curious about what I've been working on, which projects consume the most of my time, and which programming languages I use the most. Over the past year, I've tried several services, from [Activity Watch](https://activitywatch.net/), [CodeStats](https://codestats.net/) to [WakaTime](https://wakatime.com/).
As someone who extensively use computers on a daily basis, particularly performing server maintenance and coding, I'm always curious about what I've been working on, which projects consume the most of my time, and which programming languages I use the most.
With **Activity Watch**, while the backend can be installed on a local or remote server, I found it to be somewhat _resource-intensive_. While **CodeStats** and **WakaTime** were really good, the coding statistics data was sent to their servers; this aspect was a concern for me.
Over the past year, I've tried several services, from [Activity Watch](https://activitywatch.net/), [CodeStats](https://codestats.net/) to [WakaTime](https://wakatime.com/).
With **Activity Watch**, while the backend can be installed on a local or remote server, I found it to be somewhat _resource-intensive_. While **CodeStats** and **WakaTime** were excellent, the coding statistics data was sent to their servers; this aspect was a concern for me.
A few days ago, I found a solution for that problem: [Wakapi](https://wakapi.dev/). It's an API endpoint **compatible with the WakaTime client**, and it can be _self-hosted_.
The **Wakapi server** is built using the **Go** programming language and can be run on various operating systems, including Windows, MacOS (both `ARM` and `x86_64`), and Linux (both `ARM` and `x86_64`). In this article, I want to share my experience installing and running Wakapi on a Linux server.
The **Wakapi server** is built using the **Go** programming language and can be run on various operating systems, including Windows, macOS (both `ARM` and `x86_64`), and Linux (both `ARM` and `x86_64`). In this article, I want to share my experience installing and running Wakapi on a Linux server.
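Review bot: the intro change introduces a regression: `**WakaTime** - compatible backend` splits the compound adjective; it should stay hyphenated as `**WakaTime**-compatible backend` (the later paragraph in this same hunk correctly says "**compatible with the WakaTime client**"). The `MacOS` to `macOS` and "cross platform" to "cross-platform" fixes are right. In the next paragraph, "As someone who extensively use computers" should be "uses".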
## Server Installation
@ -104,7 +106,7 @@ sudo curl -o /opt/wakapi/wakapi.yml https://raw.githubusercontent.com/muety/waka
sudo chown wakapi:wakapi /opt/wakapi/wakapi.yml /opt/wakapi/wakapi
```
Then, edit the `/opt/wakapi/wakapi.yml` configuration file as needed. For instance, if I'm using the subdomain `wakapi.example.com` with **Nginx** as a _reverse proxy_ for Wakapi, I'd set the `listen_ipv4` to `127.0.0.1` and `public_url` to `https://wakapi.example.com`. Adjust other configurations such as database connection, SMTP email, etc if you need to.
Then, edit the `/opt/wakapi/wakapi.yml` configuration file as needed. For instance, if I'm using the subdomain `wakapi.example.com` with **Nginx** as a _reverse proxy_ for Wakapi, I'd set the `listen_ipv4` to `127.0.0.1` and `public_url` to `https://wakapi.example.com`. Adjust other configurations such as database connection, SMTP email, etc. if you need to.
### Creating a Systemd Service
@ -157,7 +159,7 @@ WantedBy=multi-user.target
```
Then, reload and start the wakapi service:
Then, reload and start the Wakapi service:
```shell
sudo systemctl daemon-reload

View file

@ -46,7 +46,7 @@ Its a good idea to check whenever your current theme is compatible with Ghost
To see what changes are need to be made, download a copy of your theme zip file, and upload it to [GScan](https://gscan.ghost.org/) automatic theme compatibility testing tool.
GScan will provide a report on any new features in the Ghost theme API which are not being used, or any old ones you might be using which have been deprecated - so you can get everything fixed up.
GScan will provide a report on any new features in the Ghost theme API which are not being used, or any old ones you might be using which have been deprecated so you can get everything fixed up.
### Export Content and Members
Start by exporting a JSON file of all your posts from the **labs area** of Ghost Admin.
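Review bot: the hyphen-to-em-dash change is fine; the hunk header context still reads "Its a good idea to check whenever your current theme is compatible with Ghost", which should be "It's a good idea to check whether your current theme is compatible", and "what changes are need to be made" in the following line should be "what changes need to be made".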
@ -65,7 +65,7 @@ sudo npm install -g ghost-cli@latest
```
### Update to the latest minor version
Now, after you upgrade `Ghost-CLI` to the lastest version, you need to update every site to the latest minor version before upgrading to major version.
Now, after you upgrade `Ghost-CLI` to the latest version, you need to update every site to the latest minor version before upgrading to major version.
**Make sure youre in your sites root directory** and then run the Ghost update command using Ghost-CLI **as your ghost admin user**.
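Review bot: the "lastest" fix is fine, but the sentence right after it has lost its apostrophes: "**Make sure youre in your sites root directory**" should be "**Make sure you're in your site's root directory**".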
@ -84,13 +84,13 @@ After updating your site(s) to latest minor version, you're ready to upgrade to
{{< youtube udbaAvl3s3E >}}
## v4.0 Highlight Changelog
- **Dashboard**: Get detailed insights into how content and members are performing so you can understand what's working.
- **Memberships and subscriptions** are now natively part of the core platform - no longer in beta.
- **Dashboard**: Get detailed insights into how content and members are performing, so you can understand what's working.
- **Memberships and subscriptions** are now natively part of the core platform no longer in beta.
- **Email newsletters** are now natively built into Ghost.
- Brand **new post-preview** UI, showing you what your post will look like on web, mobile, email, social and search - all in one place.
- Brand **new post-preview** UI, showing you what your post will look like on web, mobile, email, social, and search all in one place.
- Premium subscriptions with **Stripe** now work in **135 currencies**, with support for **Apple Pay**, **Google Pay**, and 0% payment fees.
- Embedded memberships and subscriptions UI, called **Portal**, which works with every Ghost theme. Past, present and future.
- Re-built the Ghost [Theme directory](https://ghost.org/themes/), including live previews and automatic installs.
- Re-built the Ghost [Theme directory](https://ghost.org/themes/), including live previews and automatic installations.
- **Performance improvement**: Front-end performance jumped by more than 50%, **overall performance** in terms of requests-per-second by 40%, reduced latency by 30%, and made serving requests after start/restart faster by 300%.
## Links and Resources
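Review bot: in the Theme directory bullet, "Re-built" should be "Rebuilt" (same line where "installs" became "installations"), and the Portal bullet "which works with every Ghost theme. Past, present and future." leaves a sentence fragment; "which works with every Ghost theme, past, present and future" reads better. The em dash changes are consistent with the earlier hunk in this file.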

View file

@ -49,7 +49,7 @@ Libreswan can authenticate IKEv2 clients on the basis of [X.509](https://en.wiki
- Android 4.x and newer (using the strongSwan VPN client)
- Windows 7, 8.x and 10
Because IKEv2 use key exchange and you need to import Server and Client Certificate on your machine. It will be a problem in the future to manage/revoke the imported certificate if you have multiple IKEv2 VPN servers with same root CA Common Name and client certificate username.
Because IKEv2 use key exchange, and you need to import Server and Client Certificate on your machine. It will be a problem in the future to manage/revoke the imported certificate if you have multiple IKEv2 VPN servers with same root CA Common Name and client certificate username.
This is my personal snippet to set up IKEv2 VPN server & clients for multiple servers. Basically I only add (let say) server name or node name after root CA Common Name and client certificate username.
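Review bot: inserting the comma in `Because IKEv2 use key exchange, and you need to import Server and Client Certificate on your machine.` leaves the sentence as a fragment and keeps the agreement error (`use` should be `uses`). Since the paragraph above is about Libreswan authenticating IKEv2 clients with X.509 certificates, a cleaner version would be: "Because IKEv2 authenticates with X.509 certificates, you need to import the server and client certificates on your machine. Managing or revoking them later becomes a problem if you have multiple IKEv2 VPN servers with the same root CA Common Name and client certificate username." The unchanged context line `(let say) server name` should also read `(let's say)`.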
@ -70,7 +70,7 @@ printf '%s\n' "$PUBLIC_IP"
Make sure the output matches the server's public IP. The `$PUBLIC_IP` variable is required for the next steps.
Create new `ikev2.conf` file in `/etc/ipsec.d/` directory and include them in `/etc/ipsec.conf` :
Create new `ikev2.conf` file in `/etc/ipsec.d/` directory and include them in `/etc/ipsec.conf` :
```bash
cat > /etc/ipsec.d/ikev2.conf <<EOF
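Review bot: the old and new versions of "Create new `ikev2.conf` file in `/etc/ipsec.d/` directory and include them in `/etc/ipsec.conf` :" look identical in the rendered diff, so this is presumably a whitespace-only change and the wording problems remain: `them` refers to a single file, the article is missing, and there is still a space before the colon. Suggest: "Create a new `ikev2.conf` file in the `/etc/ipsec.d/` directory and include it from `/etc/ipsec.conf`:".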
@ -140,8 +140,8 @@ For Libreswan `3.18` and older:
> _You can replace Google Public DNS `8.8.8.8` and `8.8.4.4` with your server provider DNS if you want._
### Generate Certificate Authority (CA) and VPN Server Certificates
- You can specify the certificate validity period (in months) with `-v` argument. e.g. `-v 36`.
- As i mentioned above, To easily manage VPN certificates on multiple server. I've add `SERVERNAME` after `IKEv2 VPN CA` Common Name. Replace `SERVERNAME` with something you can easily remember.
- You can specify the certificate validity period (in months) with `-v` argument. e.g., `-v 36`.
- As I mentioned above, To easily manage VPN certificates on multiple server. I've added `SERVERNAME` after `IKEv2 VPN CA` Common Name. Replace `SERVERNAME` with something you can easily remember.
```bash
certutil -z <(head -c 1024 /dev/urandom) \
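Review bot: the second bullet is still ungrammatical after the change. "As I mentioned above, To easily manage VPN certificates on multiple server. I've added `SERVERNAME` ..." has a capitalised `To` after the comma, a fragment that ends at `server.`, and a singular `server`. Suggest: "As I mentioned above, to easily manage VPN certificates on multiple servers, I've added `SERVERNAME` after the `IKEv2 VPN CA` Common Name. Replace `SERVERNAME` with something you can easily remember."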
@ -207,7 +207,7 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `VPNUSERNAME` with `VPNUSERNAME2`, etc.
> _**Note**: To connect multiple VPN clients simultaneously, you must generate a unique certificate for each devices._
> _**Note**: To connect multiple VPN clients simultaneously, you must generate a unique certificate for each device._
(For macOS and iOS clients) Export the CA certificate as `vpnca_SERVERNAME.cer`:
@ -215,7 +215,7 @@ You may repeat this step to generate certificates for additional VPN clients, bu
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA SERVERNAME" -a -o vpnca_SERVERNAME.cer
```
To check certificate database, you can run these following command:
To check certificate database, you can run these following commands:
```bash
certutil -L -d sql:/etc/ipsec.d
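Review bot: `these following commands` is redundant; `the following commands` (or simply `run:`) reads better. The change from `command` to `commands` is correct, since more than one command follows.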
@ -253,13 +253,13 @@ The IKEv2 setup on the VPN server is now complete. Follow instructions below to
**Note**: If you specified the server's DNS name (instead of its IP address) for `$PUBLIC_IP` variable in first step above, you must enter the DNS name in the **Server** and **Remote ID** fields.
### MacOS Clients Configuration
### macOS Clients Configuration
Transfer both `vpnca_SERVERNAME.cer` and `VPNUSERNAME.p12` to your Mac, then double-click to import them **one by one** into the **login** keychain in **Keychain Access**.
Next, double-click on the imported `IKEv2 VPN CA SERVERNAME` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu.
![MacOS VPN CA](vpn_ca.png#center)
![macOS VPN CA](vpn_ca.png#center)
When finished, check to make sure both `VPNUSERNAME` and `IKEv2 VPN CA SERVERNAME` are listed under the **Certificates** category of **login** keychain.
- Go to **Network** section in **System Preferences**.
@ -271,7 +271,7 @@ When finished, check to make sure both `VPNUSERNAME` and `IKEv2 VPN CA SERVERNAM
- **Server Address**: Your VPN `Server IP` (or DNS name).
- **Remote ID**: Your VPN `Server IP` (or DNS name).
- Leave the **Local ID** field blank.
- Click the **Authentication Settings**... button.
- Click the **Authentication Settings** button.
- Select **None** from the **Authentication Settings** drop-down menu.
- Select the **Certificate** radio button, then select the **VPNUSERNAME** certificate.
- Click **OK**.
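Review bot: the trailing dots in `Click the **Authentication Settings**... button.` were the ellipsis of the actual macOS button label rather than stray punctuation, so dropping them loses a detail of the UI text. If you keep it, put it inside the bold as the label is displayed (`**Authentication Settings…**`); if you drop it, apply the same decision to the iOS `Tap **Add VPN Configuration**....` step that is changed in the next hunk so both platform sections are consistent.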
@ -280,9 +280,9 @@ When finished, check to make sure both `VPNUSERNAME` and `IKEv2 VPN CA SERVERNAM
- Click **Connect**.
### iOS (iPhone/iPad) Clients Configuration
Transfer both `vpnca_SERVERNAME.cer` and `VPNUSERNAME.p12` to your iOS device, then import them **one by one** as **iOS profiles**. To transfer the files, you may use AirDrop or host the files on your website, then download and import them in Safari. When finished, check to make sure both `VPNUSERNAME` and `IKEv2 VPN CA SERVERNAME` are listed under **Settings** -> **General** -> **Profiles**.
- Go to **Settings** -> **General** -> **VPN**.
- Tap **Add VPN Configuration**....
Transfer both `vpnca_SERVERNAME.cer` and `VPNUSERNAME.p12` to your iOS device, then import them **one by one** as **iOS profiles**. To transfer the files, you may use AirDrop or host the files on your website, then download and import them in Safari. When finished, check to make sure both `VPNUSERNAME` and `IKEv2 VPN CA SERVERNAME` are listed under **Settings** **General** →**Profiles**.
- Go to **Settings** **General** **VPN**.
- Tap **Add VPN Configuration**.
- Tap **Type**. Select **IKEv2** and go back.
- **Description**: enter anything you like (usually name of the VPN connection).
- **Server**: Your VPN `Server IP`.
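Review bot: the arrow replacement is inconsistent in the rendered result. `**Settings** → **General** →**Profiles**` has no space after the second arrow, and `**Settings** **General** **VPN**` on the next line shows no arrows at all. Check that the `→` character is present in the file at every position and separated by single spaces on both sides, e.g. `**Settings** → **General** → **VPN**`, so the menu path renders unambiguously.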
@ -298,14 +298,14 @@ Transfer both `vpnca_SERVERNAME.cer` and `VPNUSERNAME.p12` to your iOS device, t
Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
### Other Devices
Since I only use IKEv2 on my Mac and iPhone for work device, I can't post guide for Windows, Linux and Android here. You can follow the [guide for each OSes here](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#configure-ikev2-vpn-clients).
Since I only use IKEv2 on my Mac and iPhone for work device, I can't post guide for Windows, Linux, and Android here. You can follow the [guide for each OS here](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#configure-ikev2-vpn-clients).
## Known issues
1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP]({{< ref "/tutorials/configure-ipsec-l2tp-vpn-clients/index.md" >}}) or [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
1. The built-in VPN client on Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP]({{< ref "/tutorials/configure-ipsec-l2tp-vpn-clients/index.md" >}}) or [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
2. If using the strongSwan Android VPN client, you must **upgrade Libreswan** on your server to version `3.26` or above.
3. If your VPN client can connect but cannot open any website, try editing `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=` under section `conn ikev2-cp` and delete `aes_gcm-null,`. Save the file and run `service ipsec restart`.
4. Ubuntu 18.04 and CentOS users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more [here](https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460430354).
5. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported at this time. For this use case, please instead use [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
5. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g., home router) is not supported at this time. For this use case, please instead use [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
## Credits
- All articles credits belongs to [Lin Song](https://www.linkedin.com/in/linsongui/) and [contributors](https://github.com/hwdsl2/setup-ipsec-vpn/graphs/contributors).
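Review bot: `Since I only use IKEv2 on my Mac and iPhone for work device, I can't post guide for Windows, Linux, and Android here.` still has two grammar problems after the comma fix: `for work device` and `post guide`. Suggest: "Since I only use IKEv2 on my Mac and iPhone as work devices, I can't post a guide for Windows, Linux, and Android here." The unchanged context line under `## Credits`, `All articles credits belongs to`, should likewise read `All article credits belong to`.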

View file

@ -49,12 +49,12 @@ df -h | grep '/dev/sd'
/dev/sda1 511M 144K 511M 1% /efi
/dev/sdb1 916G 588G 282G 68% /mnt/hdd2
```
- `/dev/sda` 500GB SATA SSD (main host operationg system).
- `/dev/sdb1` 1TB SATA HDD mounted to `/mnt/hdd2` (which I want to share that path to Linux guests) .
- `/dev/sda` 500GB SATA SSD (main host operating system).
- `/dev/sdb1` 1TB SATA HDD mounted to `/mnt/hdd2` (which I want to share that path to Linux guests).
- `/dev/sdc1` 500GB mSATA SSD mounted to `/mnt/msata` (which I place all the VMs disks).
## Setting up guest VMs
Open **Virt-Manager** -> choose VM(s) -> **Add Hardware** -> **Filesystem**.
Open **Virt-Manager** → choose VM(s) → **Add Hardware** **Filesystem**.
Choose `virtio-9p` for **Driver**, `/path/to/mount_point/on/guest` for **Source path**, and `/mnt/hdd2` for **Target path**.
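Review bot: in the rewritten line `Open **Virt-Manager** → choose VM(s) → **Add Hardware** **Filesystem**.` the arrow between **Add Hardware** and **Filesystem** has disappeared, while the old line had `->` in all three places; restore it so the menu path is complete. Also, `(which I want to share that path to Linux guests)` is still awkward; suggest `(the path I want to share with Linux guests)`.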