antipaucity

I maintain (to greater or lesser extents) 3 blogs currently:

• https://blog.warrenmyers.com
• https://paragraph.cf
• https://antipaucity.com

I keep the first and last segmented so I can more easily find things I’ve written or reposted about Christianity, religion, and the Bible, and everything else. The middle one I keep to demo the WordPress plugin I wrote – Paragraph.

But keeping them going is hard.

Keeping any some going is hard – which is why my eponymous domain warrenmyers.com has been an alias to antiquity.com for quite some time now. Sure, there are still some things findable directly off my domain, but you have to know where and what they are 🙂

How do you, if you run a blog or other website, keep up with putting stuff there?

It was nice knowing you. No really. It was.

I don’t say that because I found anything wrong in the fediverse.

Nope.

It’s entirely because a recent apt update not only broke my sweetree.ga instance, it irrecoverably broke it.

Guess I’ll have to use that domain somewhere somehow somewhen else.

Maybe I’ll try you again in a couple years.

After months years of threatening, I’ve finally removed one item from my round tuit plate: https://sweetree.ga is the latest Mastodon instance in the fediverse.

There are still a few bugs to iron-out of this instance, but it’s live, and I’m – once-again – tooting.

Come follow me – @warrenmyers@sweetree.ga

In the coming days, fully-automated registrations will be live .. mail settings are wonky right now, but I can manually approve anyone who’d like to join my instance.

Passwords should never expire: https://www.sans.org/security-awareness-training/blog/time-password-expiration-die

Passwords should not be changed often: https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html

Password “complexity” is – mostly – a joke: https://www.xkcd.com/936

You have been breached: https://blog.augustschell.com/passwords-passphrases-complexity-length-crackability-memorability-data-breaches

Passphrases are better than passwords – and https://password.ga will generate them for you (it will also generate random passwords that pass complexity requirements)

Use a password manager of some kind

A Polish gentleman was walking through Krakow one afternoon, and found a curious object covered in dust and grime.

As he was cleaning it, out popped a genie.

“I am the Genie of the Lamp™. I will grant you 3 wishes. Choose wisely.”

The gentleman asked, “3 wishes? Any 3 wishes?”

“Yes, any 3 wishes you choose.”

The gentleman thought for a moment and said, “I wish for the Mongol invasion of Poland.”

To which the genie replied, “The Mongol invasion of Poland? With Ghengis Khan and the Mongol Hordes? You’re Polish, you know – are you sure?”

“Yes, quite sure.”

“OK. Give me a few minutes.”

Up from the ancient battlefields, graveyards, and mausoleums across Asia rose Ghengis Khan and the Mongol Hordes. Sweeping across the steppes of Asia. Havoc! Bedlam! Death! Destruction everywhere! Into Poland! Leveling everything in their path.

And back to their resting places went the Mongol Hordes.

“Phew – that was probably the biggest wish I have ever granted. Are you satisfied, sir?”

Looking around decimated Krakow, the gentleman replied, “not bad, genie, not bad.”

“What do you desire for your second wish, master?”

“Easy – the Mongol invasion of Poland.”

“You want..the same wish. Again‽”

“Yes – is that against the rules?”

“Well…no. But. Well. OK. If you insist, sir.”

Up from the ancient battlefields, graveyards, and mausoleums across Asia rose Ghengis Khan and the Mongol Hordes. Sweeping across the steppes of Asia. Havoc! Bedlam! Death! Destruction everywhere! Into Poland! Leveling everything in their path.

And back to their resting places went the Mongol Hordes.

“I have never been asked for the same exact wish twice in a row before, master. How did that suit you?”

With barely a stone left atop another, the man said, “Genie – that was better than the first time.”

“Thank you, master – I live only to please.”

“Genie, I know what I desire for my third wish.”

“Yes, master?”

“The Mongol invasion of Poland.”

“…AGAIN‽”

“Yes – unless wishing for the same thing three times in a row is against the rules.”

“Master, you must be the most peculiar possessor of the lamp I have ever had. As you wish, sir.”

Up from the ancient battlefields, graveyards, and mausoleums across Asia rose Ghengis Khan and the Mongol Hordes. Sweeping across the steppes of Asia. Havoc! Bedlam! Death! Destruction everywhere! Into Poland! Leveling everything in their path.

And back to their resting places went the Mongol Hordes.

“Sir, I must ask – I have been in this business a very long time. Why, praytell, did you wish for the Mongol invasion of Poland – and why did you wish for it three times?”

The Polish gentleman replied, “that’s easy, genie – every time the Mongols invade Poland, they invade Russia. Twice.”

_{^{I don’t know the original author – but I’ve found this hilarious since I first heard it probably 10 years ago or more}}

It would seem I have configured OpenVPN, Squid proxy, and, to a lesser extent, Pi-hole well – none of the major sites that report IP, DNS, and other connection-related security issues find anything out of the ordinary when I’m either running “just” proxied, or VPN, or VPN+proxy.

You should check yourself hereon:

1. https://ipleak.net
2. http://ip-check.info/?lang=en (ironic this site isn’t serving itself over https)
3. https://doileak.com
4. https://whatismyip.com
5. https://browserleaks.com/ip

And, of course, if you just want to see what your pubic IP address is, go hit my service – IPv4.cf

About 2 years ago, I started running Pi-hole as a DNS resolver and ad-blocker. Then last year, I ditched it.

After seeing a recent post by Troy Hunt, though, I thought it might be worth revisiting..but I needed a better way to control how it worked.

Enter OpenVPN – a service I already run on three endpoints. Here’s what I did:

Install Pi-hole per the usual (curl -sSL https://install.pi-hole.net | bash if you’re feeling brave, curl -sSL https://install.pi-hole.net, inspect, then run, if you’re feeling a little more wary).

This time, though, I set my upstream DNS providers to Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) instead of Freenom and Google.

I also did a two-step install – once with Pi-hole listening on the primary network interface on my OpenVPN endpoint (ie the public IP), and then, once I made sure all was happy, I flipped it to listen on tun0 – the OpenVPN-provided interface. This means Pi-hole can only hear DNS queries if you’re connected to the VPN.

Why the change from how I’d done it before? Two reasons (at least):

First, if you leave Pi-hole open to the world, you can get involved in DNS amplification attacks. That is muy no bueno.

Second, sometimes I don’t care about ads – sometimes I do. I don’t care, for example, most of the time when I’m home. But when I’m traveling or on my iPhone? I care a lot more then.

Bonus – since it’s only “working” when connected to my VPN, it’s super easy to check if a site isn’t working because of Pi-hole, or because it just doesn’t like my browser (hop off the VPN, refresh, and see if all is well that wasn’t when on the VPN).

Changes you need to make to your OpenVPN’s server.conf:


push "dhcp-option DNS 10.8.0.1"


This ensures clients use the OpenVPN server as their DNS resolver. (Note: 10.8.0.1 might not be your OpenVPN parent IP address; adjust as necessary.) Restart OpenVPN after making this change.

My setupVars.conf for Pi-hole:


PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=10.8.0.1/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=false
WEBPASSWORD=01f3217c12bcdf8aa0ca08cdf737f99cd68a46dbdc92ce35fd75f39ce2faaf81
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=1.1.1.1
PIHOLE_DNS_2=1.0.0.1
PIHOLE_DNS_3=9.9.9.9
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
CONDITIONAL_FORWARDING=false


I tried getting lighttpd to only listen on on port 443 so I could use Let’s Encrypt’s SSL certs following a handful of tutorials and walk-throughs, but was unsuccessful. So I disabled lighttpd, and only start it by hand if I want to check on my Pi-hole’s status.

Speaking of which, as I write this, here is what the admin console looks like:

Hope this helps you.