by joveian 2001 days ago
I use a Debian OpenVZ based VPS for this and uninstall or disable any services except the one I want (surprisingly this isn't the default :(, check what is listening with "ss -l46n"). The advantage of OpenVZ is that kernel patching is the job of the provider, so if you only have one service listening remotely then you should be ok as long as that service is ok.

I use SSH so far since WireGuard isn't supported yet. I also configure SSH to only allow the type of connection I want to use: public key authentication only, ports 80 and 443, plus (on both local and remote sides):

  Ciphers=chacha20-poly1305@openssh.com
  KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org
  HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
  MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

Install unattended-upgrades and edit /etc/apt/apt.conf.d/50unattended-upgrades as desired. For SSH proxy, locally set "ALL_PROXY=socks5://127.0.0.1:2000" (with DynamicForward localhost:2000 locally). Or change socks5 to socks5h if you want DNS to be handled on the remote system, however this will prevent uMatrix and other blockers from getting DNS info needed to avoid considering some 3rd party content as 1st party so it is better to set up encrypted DNS locally (I use stubby but with just the provider I want). Many applications check ALL_PROXY these days but not all and I think Firefox needs explicit settings to use the proxy.

I use ramnode.com's $15/year OpenVZ and it works great like this for getting an encrypted connection past your local ISP and/or wifi (I think they ask for everyone's ID when you start). There are issues with some websites due to the IP address, but it is not nearly as many as using an anonymous VPN from what I've heard.
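A defender's check that follows from the comment's advice to look at what is listening with "ss -l46n": this is an added example, not the commenter's code, that parses that output (a constructed sample is embedded) and flags every socket bound to a non-loopback address whose port is outside an allow-list, here 80 and 443, the ports the comment's SSH setup uses.

```python
"""Flag listening sockets that are reachable from outside the host.

Parses `ss -l46n` output and reports every socket bound to a
non-loopback address whose port is not on the allow-list, so a
stray service on a freshly provisioned VPS stands out.
"""
import ipaddress
import subprocess
from typing import List, Set, Tuple

# Constructed sample of `ss -l46n` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128             [::]:443          [::]:*
tcp   LISTEN 0      128        127.0.0.1:53        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      50              [::]:111          [::]:*
"""

def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'addr:port' as ss prints it; handles '[::]:22' and '*:22'."""
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), int(port)

def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; wildcards ('*', 0.0.0.0, ::) are not."""
    if addr == "*":
        return False
    try:  # drop an IPv6 scope id such as '%eth0' before parsing
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False

def unexpected_listeners(ss_output: str, allowed: Set[int]) -> List[Tuple[str, str, int]]:
    """Return (netid, address, port) for externally bound sockets not in `allowed`."""
    found = []
    for line in ss_output.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = _split_endpoint(fields[4])  # Local Address:Port column
        if _is_loopback(addr) or port in allowed:
            continue
        found.append((fields[0], addr, port))
    return found

def live_check(allowed: Set[int]) -> List[Tuple[str, str, int]]:
    """Run ss on this host (Linux only) and audit the real listener list."""
    out = subprocess.run(["ss", "-l46n"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(out, allowed)

if __name__ == "__main__":
    for netid, addr, port in unexpected_listeners(SAMPLE_SS, {80, 443}):
        print(f"unexpected {netid} listener on {addr}:{port}")
```

On the sample the two port 111 (rpcbind-style) sockets are reported while the loopback-only resolver on port 53 is not; run live_check({80, 443}) on the VPS itself to audit the real list.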