[syntaxing]

Any tips on how to run your own server safely? I get all paranoid because I’m terrible with security.

[scaladev]

https://github.com/trailofbits/algo

https://github.com/StreisandEffect/streisand

[jfim]

Just as a thing to keep in mind, if you're using Algo (or any other vpn software) with a commercial cloud provider, you'll hit more captchas and blocks than usual. For example, going to walmart.com will give a captcha page before being allowed on their website. Some websites will return HTTP 403, and some will just timeout.

[fmajid]

https://github.com/fazalmajid/edgewalker/

(I'm biased, of course, being the author).

[joveian]

I use a Debian OpenVZ based VPS for this and uninstall or disable any services except the one I want (surprisingly this isn't the default :(, check what is listening with "ss -l46n"). The advantage of OpenVZ is that kernel patching is the job of the provider, so if you only have one service listening remotely then you should be ok as long as that service is ok.

I use SSH so far since WireGuard isn't supported yet. I also configure SSH to only allow the type of connection I want to use: public key authentication only, ports 80 and 443, plus (on both local and remote sides):

  Ciphers=chacha20-poly1305@openssh.com
  KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org
  HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
  MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

Install unattended-upgrades and edit /etc/apt/apt.conf.d/50unattended-upgrades as desired. For SSH proxy, locally set "ALL_PROXY=socks5://127.0.0.1:2000" (with DynamicForward localhost:2000 locally). Or change socks5 to socks5h if you want DNS to be handled on the remote system, however this will prevent uMatrix and other blockers from getting DNS info needed to avoid considering some 3rd party content as 1st party so it is better to set up encrypted DNS locally (I use stubby but with just the provider I want). Many applications check ALL_PROXY these days but not all and I think Firefox needs explicit settings to use the proxy.

I use ramnode.com's $15/year OpenVZ and it works great like this for getting an encrypted connection past your local ISP and/or wifi (I think they ask for everyone's ID when you start). There are issues with some websites due to the IP address, but it is not nearly as many as using an annonymous VPN from what I've heard.

[daboosh]

https://github.com/boosh/dawg

One command, and allows you to shut the server down when you don't need it. I might add support for lightsail too.

[ncmncm]

Wireguard Bounce Server setup: <https://news.ycombinator.com/item?id=25447805>

[pthreads]

Just replied to another comment. Hope that helps.

[mfcl]

By practicing. Run it anyway and get good at it.

[justusthane]

“By practicing” is not a good way to get good at security, unless you want to make potentially devastating mistakes along the way.

[mfcl]

How else can you get good at security? I guess you could read, but at some point you'll have to practice. And I never said you need to practice with sensitive information.

[3np]

It depends on what you put at stake, obviously.

[colesantiago]

or you can use mullvad.net (supports wireguard protocol)

no activity logs

does not ask for personal information

anonymous payments via cash or cryptocurrencies

no subscription

hides your device's activity.

[_-___________-_]

“No activity logs” is impossible to verify, and “hides your device’s activity” is basically untrue unless you do some gymnastics with the definitions of words.

[3np]

Absolutely true. I still vouch for Mullvad though, it’s the one VPN provider I feel I can trust to reasonable extents.

[colesantiago]

https://mullvad.net/en/help/no-logging-data-policy

[_-___________-_]

How do you verify this?