Finally got another VPN on my phone working from my main profile

Using Sing Box + NetGuard.

Don’t know of any good root firewalls that actually work; AFWall+ apparently doesn’t even block stuff.

Netbird is free, so accessing my Home Assistant container using that is better than paying for Home Assistant Cloud. Also, if I pay for Netbird, it’s cheaper. Probably won’t need to anyways.

Netbird isn’t a US company, so I trust them more than Tailscale.

Also, want to set up some kind of notification server, using UnifiedPush or something. Might make getting notifications better in Home Assistant. Can’t expose that to the internet with Home Assistant Cloud. And too lazy to write a script for my shared hosting to proxy it. And not searching the internet for an eternity to try and find a solution. Also, don’t know if my host would want me doing that. Not managing a VPS.

I put Netbird in a container, which is now in a Pod. I had to update Podman by compiling it; I used distcc, so it didn’t take that long on the Orange Pi 5. Wanted the Pod= support in the quadlet systemd service file.

If using Sing Box, make sure you get the real one. There might be a fake one on the Google Play Store. There’s also some site that is most likely not their site. I was looking for info on configuring it, and that shitty site was in the results.

I got it from F-Droid, you can find a link to their site on there too. If super paranoid, you can probably compile it yourself.

ntfy might not even require a publicly accessible URL, if using Android. It’ll be publicly accessible to me though. Also, the UnifiedPush site seems to say it’s hard to run your own server; it doesn’t look that hard, and ntfy says it isn’t if you use ntfy.

I put Netbird in a container which is in a Pod, as I only need it for some stuff; the host is also connected to WireGuard, but only a local one.

I put Sing Box in the work profile, and set up a port forward with nobody, from the src port of Home Assistant, to the same dst port, and 127.0.0.1. In Sing Box, you can override the dst IP, probably the port too. It’s using a direct inbound; the override of the dst IP goes in there, if using a direct type. Outbound is direct as well.

Too lazy to copy and paste the config in a file, and then get it on computer.

But you access it with http://127.0.0.1:8123/, at least for Home Assistant. Should work with UDP as well, but you probably don’t use http or a browser in that case.
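As an added example (not the author’s config, which they didn’t paste), here is a sing-box config that does the direct-inbound forward described above: listen on 127.0.0.1:8123, rewrite the destination to Home Assistant, and send it out a direct outbound. The Home Assistant address 100.64.0.10 is an assumed placeholder for wherever HA is reachable over Netbird.

```json
{
  "log": { "level": "info" },
  "inbounds": [
    {
      "type": "direct",
      "tag": "ha-forward-in",
      "listen": "127.0.0.1",
      "listen_port": 8123,
      "network": "tcp",
      "override_address": "100.64.0.10",
      "override_port": 8123
    }
  ],
  "outbounds": [
    { "type": "direct", "tag": "direct-out" }
  ],
  "route": { "final": "direct-out" }
}
```

The NetGuard port-forward rule (uid nobody, source port 8123 to 127.0.0.1:8123) hands the connection to this listener, so http://127.0.0.1:8123/ in the browser lands on Home Assistant. Leave out "network" if you need UDP too, since the direct inbound defaults to both.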

I excluded the Sing Box app from the rules in Netguard. Probably not needed, since it’s in the work profile, but Sing Box is in the main profile too, and I was messing with it there as well.

And if you can’t connect with a browser, you may need to force close it and reopen it. I used curl in Termux, and it worked, so I knew it was the browser.

Now browsing the web using port forwarding in Netguard might be a pain if you want two VPNs and use one for browsing. But if you have root, apparently using WireGuard with the kernel module works, even with a VPN firewall. The internet won’t tell you that either though.

[Unit]
Description=netbird pod

[Pod]
PodName=netbird
# Regular podman network, replaced by the pasta line below
#Network=netbird.network
# Rootless pasta networking: -t auto forwards TCP ports bound in the pod,
# --map-gw lets the pod reach the host via the gateway address,
# -a/-g/-n pin the pod address, gateway and netmask
Network=pasta:-t,auto,--map-gw,-a,10.89.0.1,-g,10.89.0.1,-n,24
HostName=orangepi5
# Map the host user to the same uid inside the pod; drop it if no container needs it
UserNS=keep-id
# Needed for the WireGuard tunnel Netbird brings up: tun device plus forwarding sysctls
PodmanArgs=--device /dev/net/tun:/dev/net/tun:rw --sysctl=net.ipv4.conf.all.src_valid_mark=1 --sysctl=net.ipv4.ip_forward=1

[Service]
Restart=always

[Install]
WantedBy=default.target

There’s a .pod quadlet that works with Netbird if you need one. And in the .container file, make sure you add an IP to it too, using the Network option, but with a different IP. The gateway can and probably should be the same.

Accessing it using the container’s IP directly doesn’t work, but accessing it from Netbird using the gateway IP works just fine. Maybe the Pod doesn’t need an IP. But I’m too lazy to fuck with that anymore. Also don’t care.

If you aren’t running anything that requires UserNS, you can remove that. If you do need that for one of the containers, then you need to use User=root in the container for the netbird-client.

I’m not using a root container.

The eBPF or whatever might not work, but that might require root; it works without it anyways.

And for ntfy, I’m not sure if I can use port 80, don’t think I can in Linux without root. But Android isn’t Linux, it sucks ass, can’t do more than one VPN easily.

And don’t ask me how to use multiple VPNs in iOS. Might not be possible at all. But the two main mobile OSes suck ass.

And make sure you change the port in server.yaml for ntfy, if not running as root.

And that’s why eGPUs suck: knock the dock off the GPU, and you’ve got to force shut down the laptop. Or wait a really long time.

Well, something might be damaged on the laptop or eGPU or dock. Or I guess the new cable.

But I turned it off, and then turned off the eGPU and dock. Then booted live Debian and ran fsck. So if the eGPU craps out again, I guess it’s broken. I was able to get to a tty and shut down, so the laptop itself might be fine.

Notifications not supported

Notifications are only supported over HTTPS. This is a limitation of the Notifications API.

Bummer. Guess I need to figure out how to get SSL to work with Sing Box. Might be a real pain in the ass.

Wait, that might be for web notifications. Don’t care about that.

Well, the laptop seems stable again. I guess if you mess the eGPU up by knocking the dock over, you have to shut down, unplug, and run fsck. Was super stable before that.

ntfy works, or I assume it does; was able to make a reserved topic, and connect. Might be a while before Home Assistant is configured though. It doesn’t automatically do notifications for what I want.

Home Assistant has camera motion alerts sending to me now.

A SOCKS proxy might work, but too much work if accessing using an IP. Too much work, because nothing was working. Works now, and UDP works with the port forwarding in Netguard as well. So if I ever need UDP, I know what to do.

You might be able to make stuff accessible on a domain with Netbird too, but you’d probably have to pay for that. I wouldn’t bother hosting my site at home; a shitty 10 Mbps upload is the main reason. I’d also need another VLAN, just for the server, and another server. I’d use an SBC most likely. Might be a little slow for the WordPress site, which isn’t static.