Build your own private WireGuard VPN with PiVPN (jeffgeerling.com)
552 points by ingve on May 5, 2023 | hide | past | favorite | 225 comments



I run wg-easy https://github.com/WeeJeWel/wg-easy for this sort of thing. I use the docker container, and it's great. "Just works".

Also, unrelated, I just decided I don't like the sentiment of "PiMyProjectName" branding. I know most projects don't just run on a Pi, and that the intent is to say "you can self-host thing", but at this point if you want to run a home server sort of thing, just buy some cheap 100-200 dollar minipc thing. That's how much you'd pay for a Pi now anyway, and it comes with such great features as:

* just establishing an ssh connection doesn't take multiple seconds

* the ethernet doesn't go over a usb hub

* it doesn't run on an sd card that is going to fail within a year

I'm pretty dismissive of ARM chips for homelab stuff at this point. There's super cheap minipcs with "real" processors that will just destroy even an expensive ARM board.

Pis shine with their ability to run both a real/full Linux and also do gpio type stuff that otherwise is usually an arduino board. I don't have anything against low-level programming but damn is it just a lot more fun to do in python. I love the Rpi zero w 2 products for this, just enough juice to run wifi and a python loop, plus the gpio pins. Too bad they've been sold out for literally years.


What is conveniently overlooked in these neverending^1 HN comments that dismiss RPi as "inferior" is that (a) RPi is a brand, (b) people are familiar with and trust the brand and (c) when everyone is doing their projects on the same hardware it avoids compatibility disclaimers like "This project is tested on X. It may or may not work on Y." It obviates consideration of "hardware compatibility". With the RPi people know exactly what hardware to buy. Even if the hardware is overpriced or underpowered, synergies are created when everyone is using the same hardware. IMHO, one cannot discount the value of that, but these comments downgrading the RPi always do. Of course there are better choices for hardware than the RPi, and perhaps without the supply issues, but good luck getting everyone to buy the same thing so that projects do not have to account for "hardware compatibility".

1. Eleven years and counting


I love these things:

https://www.aliexpress.us/item/3256804116114245.html

There are a few suppliers, but the 4x Intel NICs open up lots of possibilities. They're very low power, but still fast enough to handle a lot of traffic.

I run VMWare ESXi on mine and use openwrt for my router on two ports and then a general purpose server in another VM.


I have a couple of N5105 boxes I got off of Amazon on sale, but I haven't put them into use, yet.

I've never bought off of AliExpress. I'm in the U.S. Do people take precautions when ordering from them? I'm not so worried about the products, themselves. I'm worried about the use and security of my financial data.

Worried as in, I just don't know whether they are safe stewards. No experience, no one to ask. Except maybe you guys. Give them my credit card #? Generate a one time #? PayPal?

Sorry to go a bit OT, but this is yet again where I've been tempted to order from them.


I buy from AliExpress often. Most recently a batch of anodized metal business cards, before that a bunch of home automation sensors. I could get the same sensor from Amazon for a lot more money, I did get one for a test piece before buying 16 of them.

My experience has always been a good one. Just be prepared to wait a while for delivery, the business cards were about three weeks.


Just use a 1 time card and reinstall the OS.


Why stop at reinstalling the OS? You also need to throw away the PC in the dumpster of another neighborhood or city and at least use an angle grinder on the NIC and SSD. Don't forget to wipe off the fingerprints beforehand.


No, that's excessive. I always just unsolder and replace every component, but I thought that went without saying.


What about the firmware? Stuff like Intel ME.


It's more that all the instructions you'll find assume raspberry pi os as it is the hardware. If there was more diversity of OS in everyday use you might see more fragmentation.


One of the other aspects of the RPi I think deserves more credit is the ability to easily boot into a variety of OS. Ideally I prefer to boot from USB or the network, but SDCard is still better than nothing. For some strange reason people try to use an SDCard in r/w mode after boot, treating it like primary storage. IME, that is a recipe for failure. I prefer to boot to RAM. Then I might mount an external storage device if I need it, but certainly not an SDCard.

Now, maybe the setup I choose is more difficult on one OS than on another. This is where RPi shines, IMO. As a project creator, I can use an OS I choose from among a variety that have been ported to the RPi, including non-popular ones, and I know every RPi user can easily run it because it's already been pre-installed on SDCard; the RPi is not OS-specific. No pre-installation of OS! (This pre-installation practice enabled Microsoft to stifle competition and hold back progress in computing for decades.)

Prior to RPi, many SBCs only had GNU/Linux as an OS choice because that's what's popular. For example, prior to the RPi port, running Plan9 required careful hardware purchasing choices. Choosing RPi, a well-known brand, is arguably much easier.


The Pis shine primarily in terms of power consumption; under load, a mini PC could consume 50W, where a Pi (and other ARM boards) will do an absolute maximum of 15W. And if you have multiple devices that run 24/7, that could be a significant saving.


Like others have said, the PCs you're looking at might be mini in form factor but specced like more traditional desktops. Then there are plenty of mini PC options that compete at 15 watts and lower range. One example I use is https://www.amazon.com/Computer-Windows-Dual-Band-Bluetooth-.... This gets you built-in 128 GB eMMC, dual display output, more USB 3, about the same overall CPU performance but significantly higher single core scores, and an open native SATA slot. Similarly, there are boards even cheaper than this that are passively cooled and will pull less than 15 watts under load as measured from the wall while being in a preassembled case.

The best part is it's easier to scale to your needs. E.g. if a single $200 box can get the latest generation CPUs that will absolutely demolish these cheap ARM boards in perf/watt, come with PCIe m.2 drives, support higher RAM limits, and have GPUs that are more on the usable side of things. As a result it can do the work of multiple devices (if you don't need them to be physically separate of course) and will last significantly longer in terms of usability.


Wow, thanks for sharing. That’s a pretty amazing box, curious what its TDP and noise characteristics are.


Wattage for the whole thing is as mentioned, TDP of just the CPU is 4 to 6 watt (configurable). This particular one has a fan which will kick in if you run it hard for long periods; for true fanless I'd suggest the B1 instead. Or if you go for the splurge you can knock cTDP down and still run circles around the pi in performance.


Any recommended without Windows around that price?


It'll run anything, but if you want to avoid paying the "windows tax" out of principle the best way I've found is to buy one from Ali Express or the like. If you're in the market for the slightly higher end options they also have more varied fanless systems there too. Most of the stuff you find on Amazon is geared towards your average consumer looking for a cheap PC, so they come with Windows.


I've been using a few mini PCs for things where I needed a headless system, but wanted x86_64 and a little more performance and reliability than a Pi. I settled on N3350 devices like the N4 by TrigKey or the Beelink T4.

Everything I need is supported by Ubuntu server. Excellent little machines.


The trouble there is if you're actually compute bound, the Pi's performance is also a lot worse, and if you're not, you should be comparing the idle power consumption. There are plenty of PCs that idle at under 10W.

PCs also support arbitrary amounts of memory, so you can often avoid needing multiple devices by using virtualization.


Also, if you start piling up Pis because one won't have enough compute power and memory, you are likely to have a lower electric footprint with a single NUC and virtualization or containers.


Just have to pay attention and be picky while shopping for the mini pc. Yes most of them are way over 15W but you can find them under 15W. My Quieter3Q for instance is fanless & runs on a Celeron in just 15W. I love it, but one annoyance is, it does not come back on by itself after a power interruption.


> it does not come back on by itself after a power interruption.

Most BIOSes have an option for that. Did you check?


Additionally, my home Pi4 sits in a metal case that acts as a heat sink so I don't have to use a fan at all. That translates to:

- additional energy savings

- more or less eliminated need to clean out dust or eventually replace a fan

- no fan noise, a massive boon if you live in a small apartment and don't have a closet or basement you can toss the server into for noise insulation

I suppose if I did serious number crunching on my home server, I'd need something beefier... but I've been running a VPN, a Minecraft server, a streaming media server, and a DNS server on my Pi4 for more than 3 years now. Only during media scans do I feel any slowness.


There are fanless mini PCs too: https://news.ycombinator.com/item?id=35831087


If you need to pull 50W from a mini PC constantly, you probably can't run that same load (without horrible latency, throughput and stability issues) on a 15W ARM SBC to begin with.


But the Pi also needs to run much longer under full load to achieve the same as a modern mini PC, so it might be still canceled out in terms of total power use.

Raspberry Pi chip sets are always older (less efficient lithography/structure size) ones, as they take over the ones currently being phased out for industrial use (so they get them cheap). Those have a hard time competing with e.g., a modern Intel N100 CPU which has a TDP of 6W but at the same time 4 cores with a max freq. of 3.5 GHz and can even use DDR5 (or LPDDR5 for low power) and is available in many form factors, often fanless with a metal body as cooler, at about 150€ (if lucky) to 200€, and those models then even include (often multiple) 2.5Gb Ethernet ports and an NVMe M.2 slot.

That makes it at least for me an easy choice, and I am indeed looking out for using less power but still getting stuff done somewhat quickly.


Indeed. You can build a power saving PC with e.g. a used Fujitsu D3401 board and a used Skylake or Kaby Lake CPU, or just get a used Esprimo P756/757 tower (E90+ for lower idle power) for 100 bucks or less. Those should idle at ca. 15W (without spinning HDDs). And you can put in 4+ SATA HDDs, which is way more reliable than using a USB enclosure. Works great as an Ubuntu/ZFS server or with unRAID. Beats any Synology NAS in almost every metric.


> just get a used Esprimo P756/757 tower (E90+ for lower idle power) for 100 bucks or less

Are these still readily available somewhere? All I can find are a tiny handful of $300+ listings and RAM upgrade spam.


I bought a P765 tower last week for EUR 90 (incl shipping) off a German eBay listing (commercial, so I can even deduct VAT). Not sure about other parts of the world, sorry!


The Pi 4's Ethernet is pci-e now, and its USB3 ports are as well. The USB2 ports are still terribly inefficient.

About 8 years ago, I switched my home server from a pi to an Intel baytrail based system. I put it all together myself in a cube shaped case. It is passively cooled and runs off a 12V 2A power brick. I filled the space for the PSU with two 3.5" hard drive hot swap bays. I keep one drive in and synchronized to my desktop over the network, and pop another one in when it's time to make a cold backup. It's served me very well.


> I run wg-easy https://github.com/WeeJeWel/wg-easy for this sort of thing. I use the docker container, and it's great. "Just works".

This looks great, thank you! My current home router(s) fortunately support Wireguard natively, but I'll look into this if I'm ever again forced to use a shitty CPE.

> I'm pretty dismissive of ARM chips for homelab stuff at this point. There's super cheap minipcs with "real" processors [...]

What makes an ARM SoC a "non-real processor"? I'm typing this on a laptop with an ARM CPU, and it's the fastest hardware I've ever worked on.


Sure, some stuff doesn't run on ARM, but a lot does. Plus, you can get decent ARM processors for cheap, whereas for the same price the best you'd get would be a Celeron.


The "decent ARM processors for cheap" seem comparable to a Celeron performance-wise, don't they?


> it doesn't run on an sd card that is going to fail within a year

The Raspberry Pi Compute Module 4 has variants with eMMC, which is better than using an SD-card.

Additionally, there are adapters to use NVMe drives and you can boot from them. I’ve done so with a few RPi CM4, to varying degrees of luck. One of them works perfectly, another one did not. Currently waiting for more of the same adapter I used for the first one and hopefully this will allow the additional ones to work as well as the first one is doing.


I’ve been curious about the performance gap here – you can open htop on a pi 4 and see that CPU utilization is relatively low, ~33% out of 400%, something like that, and yet some operations seem like they take 5-6x longer than they ought to on a “normal” computer.

Is it all down to the file system? Is the CPU just in interrupt overload all the time? I wish I had a better understanding of the issue here.


CPU load metrics are averages, typically over e.g. a second. Many operations take less time than that. If something takes 300ms on a Pi and 50ms on a PC, the Pi is six times slower in observed latency but will still only show <33% CPU utilization when averaged over a second. Some of the metrics are over even longer periods of time. The Linux load average metrics are 1 minute, 5 minute and 15 minute. You can have your ssh handshake take 20 full seconds with a CPU core at 100% and still see a 0.33 load average. And having three more cores available does nothing even when the system is busy if the application is single-threaded.

The small boards also typically have much slower I/O and less memory. On a PC with 16GB of RAM running as a server, usually the whole OS will end up cached in memory. A Raspberry Pi with less RAM is more likely to have to evict from the page cache, and then read it back from a slow SD card.


What do you expect from a computer that’s completely powered with less than 10W?


Yeah, I agree, I am a geek though and wanted a linux machine with arm so I could do some assembly hacking on it (nothing serious). Just the general geek factor I think makes a lot of people buy it.

I use the Argon case with ssd over usb, since the sd cards failed like after 2 weeks. For me it is perfect, I get to host all my minimal things (vpn, ssh over it, host photos, videos, run a few services) and it is like super energy efficient, although that efficiency is more of an ego boost than actual use.

I think there are a lot of atom mini pcs which have normal ethernet and m2 connectors that are a better alternative.


If you need Pi like but not specifically a Pi check out the Rock5B: https://www.sevarg.net/2023/01/01/battle-of-the-boards-2023/


Alternative SBCs I've been looking at are the Orange PI 5, Khadas VIM1S, NanoPi R6S

https://hackerboards.com/


You might also take a look at https://ameridroid.com. They have a bunch of boards. The brand I'm a fan of is ODroid.


The VIM1S seems almost perfect for home use, too bad it's only got a 100mbit network interface. The Nanopi R6S is more interesting but the price is crazy, it's over 200 euro on Amazon. Then again, the raspberry pi is also over 150 euro, I wish these SBCs would not be so damn expensive.


Teeny tiny detail:

> just establishing an ssh connection doesn't take multiple seconds

That's almost certainly power saving on the WiFi. Annoying but fixable. Seems to be on by default, and a `/sbin/iwconfig wlan0 power off` line in rc.local should fix it.


I bought a used Lenovo mini-pc for ~$40 and it is significantly more capable/reliable than the Pi 3 it replaced. If I need non-server stuff (I2C, GPIO) I stick to microcontrollers now.


> I'm pretty dismissive of ARM chips for homelab stuff at this point

What about Mac Mini? The latest version runs on M2


The cheapest M2 Mini is $600. That's generally overkill for personal servers. They also have an unknown reliability record, and the older Mac Minis had a tendency to eat storage devices by limiting "fan noise" until temperatures were at the upper threshold of the spec. In the new ones the storage is permanently attached, which is... worrying.

One of the better options if you don't need a lot of internal storage is old laptops. They're cheap, low power, have a built-in monitor and keyboard and you don't need a separate UPS (who cares if the internal battery "only" lasts an hour).


The Mac Mini is pretty tempting, but I wanted something even lower-power. 15W is possible for Celeron mini pcs. They are around. I ended up getting a Quieter3Q which is a Celeron-based 15W, fanless and cheaper than a Mac Mini.


Before going on a long 3 month trip to Asia last year, I installed WireGuard on my Raspberry Pi 1 (original model B from 2012) which was running at home in the US. I found PiVPN to be the easiest way to install Wireguard. I didn't know if I even needed a VPN but I was glad, and I was able to use the internet as if I were at home. It was weird, but a lot of sites are blocked overseas, even though they shouldn't be. For example, I couldn't access Homedepot.com. I also couldn't make a payment to my Target card as the website refused the connection. Apparently a lot of US business sites refuse to connect from overseas IPs because of too many hacking attempts, or they just don't want to deal with it. Anyway, I was glad I had set up a VPN before I left for the trip.

Also, the original Pi (2012) was able to run Wireguard well enough for light VPN, although I didn't push it too much since I didn't use it for anything heavy like video streaming.


> Apparently a lot of US business sites refuse to connect from overseas IPs because of too many hacking attempts, or they just don't want to deal with it.

Yes, and it's infuriating. For example, it was (and probably still is) impossible to access the NY MTA's OMNY portal from many, but curiously not all, European countries. The OMNY system itself works using foreign cards, but this makes it very annoying to download receipts for expense reports.

Another fun one was not being able to cancel some streaming service from outside of the US due to the service geoblocking their account management site as well. I actually had to use a VPN to cancel!

There are countless other examples.


> Apparently a lot of US business sites refuse to connect from overseas IPs because (...) they just don't want to deal with it

I am French. What I find fascinating is that there are local US newspapers (that serve a tiny community) that went through the effort to do a geoblock from the EU and put up a page along the lines of "we cannot be compliant with privacy laws in the EU so we must block you".

Why do they care at all? How is the EU law relevant to their small, local business?

Large companies are different - there could be some litigation against their footprint in the EU etc. - but for those who just live in the US (or anywhere outside the EU) going the extra mile to block because of non-compliance is really weird.


It's just a lot simpler to block than having to keep up with laws in other countries for businesses who don't even do business in those countries. It's not like it's hard or time consuming to implement, and cheaper than your other suggestion further down of consulting a lawyer every time one of these pops up, like "do I have to annoy my customers with these stupid cookie popups every time they visit?" Why should I have to spend a dime for something that is external to my company, has nothing to do with it, and have to constantly keep on top of it? We don't even sell our services there. Why should I even waste the bandwidth? Our firewalls are sure a lot less active, as well. Why should I waste time answering emails from people we don't sell to? It's better to just not get them. I guess my question to you is why do YOU care if they're accessible or not? If a (local) business really just wants to sell within their own (local) country (or even smaller municipality such as state/county/city), is there something wrong with blocking everything outside it out and just not worrying about it?


> It's just a lot simpler to block than having to keep up with laws in other countries for businesses who don't even do business in those countries.

Exactly, except that it is just simpler to do nothing.

Do you (I assume you are not in either of the countries I gave as examples, nor travel there) worry about laws in, say, China when you state "Taiwan is an independent country", or Russia when you say "Russia invaded Ukraine", or North Korea when you say "NK is a tyranny", or France when you say "Retirement should be at 60 and not 64"? No. Because the local laws that forbid these statements are, well, local. Nobody cares outside of these countries. They could send you letters informing you that you did wrong and that you have to pay 1M USD and you would just put that in the trash.

> I guess my question to you is why do YOU care if they're accessible or not? If a (local) business really just wants to sell within their own (local) country (or even smaller municipality such as state/county/city), is there something wrong with blocking everything outside it out and just not worrying about it?

I do not care - it is just that I ended up serendipitously on a few of these places and was wondering why they care (I would not care about the cookie law in Zimbabwe or Patagonia if I had a web site).


Our hacking attempts dropped by approx 85%, and we use less bandwidth. There are other benefits to blocking traffic to places where you don't do business.

> They could send you letters informing you that you did wrong and that you have to pay 1M USD and you would just put that in the trash.

I think it's just better to not get those letters in the first place (any more than spam phone calls or texts) and have to waste time reading them, or having to possibly consult an attorney over them to see if they have merit. It's just not something I want to be bothered with, nor should I. It has nothing to do with the company, what we do or our customers.

> Do you (I assume you are not in either of the countries I gave as examples, nor travel there) worry about laws in, say, China when you state "Taiwan is an independent country", or Russia when you say "Russia invaded Ukraine", or North Korea when you say "NK is a tyranny", or France when you say "Retirement should be at 60 and not 64"?

We don't say anything like that on our company sites.


Ah, now I remember how I got to one of these pages. I wanted to have a look at the local newspaper of Tuttle, Oklahoma because of a funny (and sad for open source devs) event that happened there in 2006: https://www.theregister.com/2006/03/24/tuttle_centos/. It was blocked for GDPR reasons (at the time at least)


Most small local newspapers are owned by huge megacorps. GDPR EU laws and some others explicitly say that they can be enforced to entities outside the EU. I don't know if it has ever been enforced, except for large multinationals.

The US does do that kind of thing though. As a dev, break some law, step foot in the US for a conference, get arrested (ex: Sklyarov 2001 case, for breaking PDF encryption).

Although for most financial things, it's common in US/CA to block non-local IPs. Heck, I was in Mexico and I couldn't login to my provincial government tax portal. There are constant security issues with those sites.


> GDPR EU laws and some others explicitly say that they can be enforced to entities outside the EU

They can tell whatever they want, but it would need to be a US court (in that case) who would do the litigation. Which they won't.

> The US does do that kind of thing though. As a dev, break some law, step foot in the US for a conference, get arrested

Yes, this is why I mentioned that my point is only for local businesses. Travel or business in the EU can/will be problematic.

> Heck, I was in Mexico and I couldn't login to my provincial government tax portal. There are constant security issues with those sites.

Blocking for security is another thing. Maybe a good idea, maybe not - but that's another story.


> They can tell whatever they want, but it would need to be a US court (in that case) who would do the litigation. Which they won't.

That's a pretty incomplete view of how jurisdiction works. You do probably need a US court ruling to enforce a claim against a US entity – but if that entity has any EU subsidiaries or assets, you can bet that European courts will come after those.

> Blocking for security is another thing. Maybe a good idea, maybe not - but that's another story.

As a customer/taxpayer that needs access to a service from abroad, I really don't care why I have to jump through hoops to cancel a subscription/order or pay my taxes owed.


> That's a pretty incomplete view of how jurisdiction works. You do probably need a US court ruling to enforce a claim against a US entity – but if that entity has any EU subsidiaries or assets, you can bet that European courts will come after those.

I am not sure you read my post in detail - I explicitly mentioned that I am talking about local services, without any international footprint. And mentioned that in case of this footprint - yes, they will be sought after.

This is also exactly what the US does to enforce their "extraterritoriality".


The business may be local but the owner or other management or employees may wish to keep all of their travel options wide open without fear of some obscure foreign law that might hold them individually responsible.

The golden days of global network accessibility are closing little by little.


They're maybe local services, but they're not local businesses. cf. my post :)

And they can be enforced not only from assets, but also from travel or various financial tools at their disposal. (it would be surprising, but for many businesses, it's not worth the hassle)


I'm sure there are still some people willing to report the websites to EU commission, it's a guaranteed fine (less so a paycheque, I have no clue if the company has to comply with paying it (unless later on they want to expand to the EU))


This is a fine that the EU can issue but why would the local business care?

If I was issued a fine by the US, China, India or Japan it would directly go to the trashbin. It is their law, and their problem, not mine.

Of course this means that I will not be able to do business there, if I travel I may be in trouble etc. But again - we are talking about small local newspapers (and similar businesses).


Yep, hence why I mentioned this would only be a problem if they ever want to do business with the EU


Between the options of:

A. [re-]architect in GDPR compliance;

B. deal with incoming legal documents, likely can't just discard;

C. block country representing tiny share of viewership,

option C seems to present the least hassle.


Option D: ask a local lawyer once (100 USD or so) and they will confirm that the business can trash such foreign requests and be done.

Not sure whether C or D would be more complicated long term (you need to manage the geoloc somehow, or outsource and pay for the service)


Additionally, it shows traveling US-based customers that you care about them.


They care because no matter how small with travel and such these days there are potential risks if they're 'found' to be non-compliant. Simpler to say "no, we can't comply" than spend time/money/risk fighting about it later.

Not that I disagree with you on the 'it seems stupid' front. But that doesn't change the risk profile for the company.


I also did something similar, plus all my home automation which is 98% local-first|only. My trip was just 3 weeks but on the first day leaving, between one plane and another, my power company had a 4-hour extraordinary maintenance cut, my UPS didn't last long enough and with that blackout the RPi SD card died, and I was locked out of my LAN for the whole trip.

Lesson learned: configure the UPS to communicate with the servers and shut them down in a controlled manner when batteries are dying.


May or may not work for your usecase, but I have some scripts to prepare read-only raspbian images here: https://github.com/nolanl/ropi

There are commands to enable/disable read-write mode, so you can still make changes and do upgrades.

I've had 0 problems with SDcard death after I started using it.


Run Linux from an SSD, you can get a cheap one for less than $25 these days. The SATA to USB adapter will probably cost as much. No more SD issues.


I have a US-and-Canada based business and I ban customers from elsewhere in my T’s and C’s. Simply because I don’t know their laws.

I don’t outright block them because I myself travel, and some foreign laws apply to their citizens wherever they are.

I can completely see why you might want to ban overseas IP connections though, and I’ll probably do it soon.


Banning new signups/sales from overseas IPs can make sense for legal, tax, and shipping reasons – but please do provide some way for existing customers to access their subscriptions/orders/accounts from abroad. International travel is a thing.


I know! This is why I have it enabled - for me. I'm still worried about breaking some EU law without ever knowing it though.


Can’t access homedepot from Germany either. I guess it’s HD blocking pesky foreigners.


If you don't do business in the EU why accept traffic from there and possibly have to deal with GDPR issues?


Traffic source does not equal the geographical position of a person issuing the request. Geographical position of a person does not equal their legal status.

Blocking users on a two-level-deep assumption is wrong.


GDPR says it applies to companies outside the EU who are offering goods and services to people in the Union. One of the recitals explains that there is an intent component to this. The company had to envisage such offerings.

Even though blocking by traffic source is not always accurate, I’d expect that it would still greatly help show that the site did not envisage offering goods and services to people in the EU.


That's not how GDPR works but it is a common misconception and I can't really blame non-EU businesses for not taking the time to understand a foreign law when blocking is so easy.


What do you mean? That's pretty much how it works. You load up Homedepot website and they along with a bunch of 3rd parties that they partner with will start collecting data about you and storing it. You can't do that to someone from the EU without getting permission along with other restrictions.

For Homedepot to comply with GDPR, they would have to treat EU and non-EU users differently, or they could just block the EU. Since they're not trying to sell anything to EU users, blocking them makes things easier.


> For Homedepot to comply with GDPR, they would have to treat EU and non-EU users differently, or they could just block the EU.

Err, or treat everyone in a compliant way?

It's not like you don't already see this within the US anyway - particularly California.


I believe the California law came after the EU one. And it's still easier to just block EU traffic rather than spending several weeks implementing GDPR cookie popups.

And if you decide to treat everyone the same way, you likely end up with a higher bounce rate for the existing US customers. Hence, blocking.


GDPR doesn't care about where people are located right now. From the GDPR point of view you still have to treat EU-residents in a special way, even if they're located in US right now.

But the EU has less leverage if a company refuses to do business in the EU — that's true.

on the other hand, CCPA is still a thing


> treat EU-residents in a special way, even if they're located in US right now.

This part of GDPR has always seemed completely impracticable/unenforceable to me. How would a non-EU company even know that one of their customers is an EU resident and only temporarily visiting? Most services in the US aren't asking for my passport, at least.

Practically, I'd assume that this will be interpreted by courts to only apply to companies "intentionally doing business with/commercially targeting EU residents", which is already the case for similar scenarios (e.g. that's how, to my understanding, German law requiring all sites to provide an imprint has been interpreted by courts).

In any case, I suppose we'll have to wait for precedent; I'm not aware of any at the moment.


No, it isn't. See Article 3, Section 2 of the regulation. You need to offer goods or services to EU citizens for the law to be in effect. If Home Depot doesn't operate in Europe, doesn't market to Europeans, doesn't ship to Europe, and doesn't offer any services to Europeans, then they are not impacted by GDPR.


> You need to offer goods or services to EU citizens for the law to be in effect.

You need to not sell goods and services to EU citizens for the law to not be in effect.

Even if said citizens are in the US. You don't cease being an EU citizen when you're traveling.


The first part of Section 2 says the data subjects need to be in the Union. A European moving to America and shopping at Home Depot doesn't (alone) require them to be GDPR compliant.


> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

> (b) the monitoring of their behaviour as far as their behaviour takes place within the Union

Did I quote the correct section? Doesn't collecting all the analytics fall under section B? I'm not a lawyer of course, but it seems pretty reasonable to me that if you have interest in the EU market, blocking them is easier than figuring out if GDPR applies to you or not.

Or you could just not spy on your users of course, but I guess I'm too pessimistic to see that as an option a company would choose.


It took my team six months to get our company GDPR-compliant, and that included hiring three external consultants with extensive knowledge of GDPR and its implementation across the various EU countries we did business in. We were a short-term car rental company, we did not earn money with user-tracking, advertising or selling user data. But we did process drivers licenses, user data, trip data. We had to re-write big parts of our car-tracking module because having it tied to the current driver (customer) automatically made it personal data, which can be requested on demand when the customer wants to. It also limited us on what we could log to our logging server and store in a database.

I can understand that an American company does not want to make such an investment when there is literally 0 added business value, as EU customers don't shop at that company.


Is GDPR that big of a difference now that California has its own strict data privacy laws?


Yes. Check below for a comprehensive list of differences.

https://www.cookieyes.com/blog/ccpa-vs-gdpr/


So if I order something on Home Depot, the shipment is delayed, and I want to check on that (or even just find the support phone number, some sites block all HTTP requests from foreign IPs!) while I'm traveling out of country, I just don't get to do that without a VPN due to GDPR?


Or they've just forgotten that the world outside ol' Merica exists, could be either one.


They are an American business that does not deal with other countries outside North America. Why would they care about the world outside of "ol' Merica?"


Well if they don't want the rest of the world's money, that's alright. Someone else will get it instead.


And they are fine with that just like large numbers of retail chains in Europe, Africa, Asia, South America, Australia, New Zealand, etc. which don't have a presence in the US or other countries outside their own or their own economic region. Home Depot does operate stores outside the US in Mexico and Canada.


Do you know what Home Depot is? They're a store that you have to, like, go to.


Ah my bad. I thought it was like a depot, that you had at home. /s

If McDonalds and Aldi can work on multiple continents I'm sure it's not logistically impossible.


Standing up and maintaining a distribution network is non-trivial, especially for bulky goods that aren't practical for mail-order shipping. Home Depot doesn't contract out locally sourced production like your examples do.


I don't know first hand, nor am I speaking for my employer (who happens to be one of the two companies you mentioned), but if it was me, I would assume that if my company doesn't do business outside of the United States, then may as well deny traffic for services that wouldn't be available outside of the United States, since it is more often than not problematic traffic. This means sometimes legit traffic would be inconvenienced, as you were, and sorry about that, but it is a realistic scenario that the small amount of legit pain is worth the incredibly reduced risk footprint. Of course, baddies could get VPNs, too, but that's all part of the game.


My Canadian stepfather died. Family is not close and I’m in the US. The Canadian newspaper where his obit would be doesn’t allow connections from the US.

More than a “small amount of legit pain” was the result.


Was the site unavailable through archive.is?

Also, plenty of people live far away from family and have to deal with death (I’m in the same boat). It sucks but I’m also curious why the obit was particularly important to you because as far as I understand that’s topically just a small blurb in the newspaper? My family doesn’t do obits so I’m curious.

Not to minimize what you went through at all, but it’s interesting in today’s times how we expect so much immediacy. My immediate family escaped the USSR just before it collapsed, but my dad’s family was stuck in Russia and couldn’t leave even after it fell. My father had to deal with his brother, father, and mother dying within 5 years or so with no visits in between that time (a combination of finances + probably fear about traveling back). Comparatively, I personally have a much easier time in that I at least get to see my family once a year or so. Again, in no way a comparison, as dealing with loss and living far away from family is always hard. Just a reflection of how much technology has changed and made maintaining closeness easier (e.g. video calling).


I am sorry for your loss, and I'm not trying to minimize your pain. This is the problem with data, it's unfeeling and cold. You and I are two customers of something companies with lots more than us, and a spreadsheet doesn't capture our pains when we feel them.


I'm sorry for your loss. Do they have a phone?


> I would assume that if my company doesn't do business outside of the United States

You forgot to consider "any of my company's existing US-resident customers temporarily traveling outside of the US".


> it is a realistic scenario that the small amount of legit pain is worth the incredibly reduced risk footprint.

Well, I guess it depends on the type of attacks one experiences, but hackers and spammers who target US-based businesses are not idiots, they know how to use vpns and tor and proxies. So on a technical level you get close to nothing security-wise. You reduce a number of bots and worms randomly accessing your servers, can stop some script kiddies who don't know better and make life a bit harder to web scrapers (but not much) - and that's it.


Did you do anything to handle the event where, say, you lose connectivity and the system needs a reboot? Just curious about what would be the best way to handle that scenario.


While I didn't do this last time, in the future I would plug the Raspberry Pi into one of my smart power outlets (i.e. a Kasa Wi-Fi power outlet) connected via HomeAssistant, so I can remotely restart it if the Raspberry Pi becomes unresponsive. I also have another Raspberry Pi (again, the original 2012), so I could add redundancy by running a second WireGuard VPN on it, too.


You can have local watchdog process and reboot to failsafe configuration on next boot. You can also set a timer to do this unconditionally when trying a new network configuration.
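
The "arm a timer, then try the new config" pattern from this comment, as an added example (not from the thread or from PiVPN): a transient systemd timer that restores the previous wg-quick config is armed before the change is applied, and it is only disarmed once a peer completes a fresh WireGuard handshake. The interface name wg0, the config paths and the wg-rollback unit name are assumptions.

```python
#!/usr/bin/env python3
"""Commit-confirm for a wg-quick config change on a headless box.

Added example, not PiVPN's code. The safety net (a one-shot systemd timer
that restores the backup config) is installed BEFORE the network change,
so a bad config, a lost SSH session or a hung wg-quick cannot strand the
machine. The change is confirmed when `wg show` reports a handshake that
happened after the new interface came up; otherwise the timer fires.
"""
import shutil
import subprocess
import time
from pathlib import Path
from typing import Callable, Dict

IFACE = "wg0"                                    # assumed interface name
CONF = Path(f"/etc/wireguard/{IFACE}.conf")      # assumed wg-quick config path
BACKUP = CONF.with_suffix(".conf.bak")           # known-good copy
ROLLBACK_UNIT = "wg-rollback"                    # assumed transient unit name


def parse_latest_handshakes(output: str) -> Dict[str, int]:
    """Parse `wg show <iface> latest-handshakes`: one '<pubkey>\\t<unix-seconds>' per line (0 = never)."""
    handshakes: Dict[str, int] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue                             # skip malformed lines
        handshakes[parts[0]] = int(parts[1])
    return handshakes


def recent_handshake(output: str, now: int, max_age: int) -> bool:
    """True if any peer completed a handshake within the last max_age seconds."""
    return any(ts > 0 and now - ts <= max_age
               for ts in parse_latest_handshakes(output).values())


def wait_for_confirmation(probe: Callable[[], bool], deadline_s: float,
                          interval_s: float = 5.0,
                          now: Callable[[], float] = time.monotonic,
                          sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll probe() until it succeeds (True) or deadline_s elapses (False).

    Clock and sleep are injectable so the decision logic is testable offline.
    """
    start = now()
    while True:
        if probe():
            return True
        if now() - start >= deadline_s:
            return False
        sleep(interval_s)


def arm_rollback_timer(seconds: int) -> None:
    """Schedule a one-shot transient timer that restores the backup config."""
    restore = (f"cp {BACKUP} {CONF} && wg-quick down {IFACE}; "
               f"wg-quick up {IFACE} || systemctl reboot")
    subprocess.run(["systemd-run", f"--on-active={seconds}",
                    f"--unit={ROLLBACK_UNIT}", "/bin/sh", "-c", restore],
                   check=True)


def disarm_rollback_timer() -> None:
    """Cancel the pending rollback; the transient timer is <unit>.timer."""
    subprocess.run(["systemctl", "stop", f"{ROLLBACK_UNIT}.timer"], check=False)


def wg_probe() -> bool:
    """Has any peer handshaked in the last 30 s? (wg-quick up resets the counters.)"""
    out = subprocess.run(["wg", "show", IFACE, "latest-handshakes"],
                         capture_output=True, text=True, check=False).stdout
    return recent_handshake(out, int(time.time()), max_age=30)


def apply_config(new_conf: Path, confirm_window_s: int = 120) -> bool:
    """Apply new_conf with a rollback timer armed first; True if confirmed."""
    shutil.copy(CONF, BACKUP)                    # keep the known-good config
    arm_rollback_timer(confirm_window_s + 30)    # safety net before any change
    shutil.copy(new_conf, CONF)
    subprocess.run(["wg-quick", "down", IFACE], check=False)
    subprocess.run(["wg-quick", "up", IFACE], check=True)  # on failure the timer still fires
    if wait_for_confirmation(wg_probe, confirm_window_s):
        disarm_rollback_timer()                  # commit
        return True
    return False                                 # timer left armed: rollback


if __name__ == "__main__":
    import sys
    ok = apply_config(Path(sys.argv[1]))
    print("confirmed" if ok else "no handshake seen; rollback timer left armed")
```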


At the price Raspberry Pis are being sold (scalped) for it's discouraging and disappointing to see content creators continually going to that well.

You can buy a travel router like the GL.iNet GL-SFT1200 (Opal) for $39.99. All of Gl.iNet's devices run OpenWRT already. Setting up Wireguard on OpenWRT is easy, and using Tailscale is even easier!

Edit: Jeff's been creating awesome Raspberry Pi content for a long time and I'm glad that he's not stopping given the current circumstances. I hope that his audience has an abundant supply of unused RPis looking to be utilized.

In Jeff's shoes I'd want to speak to those in his audience who DON'T have a Raspberry Pi and save them from paying scalpers' prices until things return to normal--assuming that they ever do.


> GL.iNet GL-SFT1200 (Opal)

According to https://docs.gl-inet.com/en/4/tutorials/tailscale/ the GL-SFT1200 (Opal) does not support Tailscale but different models from GL.iNet do.


I made an OpenWrt repo that auto-builds Tailscale for my older GL-Inet router for this exact use case: https://lanrat.github.io/openwrt-tailscale-repo/


It's actually not simple currently to use Tailscale as an exit node on GL.iNet routers (due to some conflict with mwan3). That's besides the fact that the cheaper routers in their lineup are not very performant and as a sibling mentioned, not capable of running Tailscale.


Did you read the article?

> PiVPN, luckily, runs on any other Pi-like device, though, as long as it's running a Debian or Pi-OS-like distro.


So…Linux?


To me it sounds a bit more restricted than any Linux.

Any Debian isn't too bad though.


ARM architecture I guess


under Features in [1]:

* Doesn't need to be a Raspberry Pi™, It runs on any x86_64 system

[1] https://pivpn.io/


Any concerns over routers made in China?

It’s true that a lot of chips are made in China. Nevertheless, the question remains.


Chinese manufacturing still dominates and they produce most of the routers and modems out there. If we can’t trust routers from China then virtually the entire world is compromised.


the gl-inet stuff runs OpenWRT just with another interface, you can flash with vanilla but I've never seen anything dodgy on the ones I've played with.


And then you hit CPU bottlenecks whenever you do literally anything bandwidth intensive. The limits of using hobbyist hardware, you get hobbyist level performance. A Raspberry Pi is a horrible solution for running Wireguard. You can get a tiny 1L PC running on an actual Intel or AMD processor with far more perf/$.


I'm not sure what the max throughput is, but I just tested 50 Mbit down/80 Mbit up passthrough from a cafe Wi-Fi to my 3B with Wireguard (using wg-quick) at home. Seems enough for anything I'd use it for.


My home Internet upload speed is 35 Mbps. A Pi 1 can handle that speed, let alone a Pi 3 or 4 :)

But the nice thing is PiVPN works great on any little PC. Or even a VM.


That was just my anecdotal point that a Pi can handle typical home internet speeds over Wireguard without overtaxing the CPU. IMHO, Wireguard's setup is pretty trivial as is, especially moving to it after years (decades at this point) of various OpenVPN setups that require much more tinkering. So no need for external tools. But I'm glad they exist for those who find them useful. Either way, keep up the good work with your knowledge sharing, I'm a big fan of what you do.


Heck, that's more than what most people I know get at home


There are some cool HP thin clients available on eBay for a fraction of the scarce Pi these days; one of them even has an NVMe slot so you can put in a real SSD. If I was doing this today I’d use one of those.

Presently my “home server” is only used for home assistant, and it runs on a 2011 MacBook Pro with a bad keyboard, running Debian. It actually runs so well on Linux that the fan doesn’t even spin, at least not audibly.


Jeff does explicitly call this out in his video, but as sibling commenters say, it's really a matter of whether that's enough for you. Even 20 Mbit symmetrical would be more than enough for me to run a stream from a Plex server while serving other web or SSH traffic easily enough. What you do say brings up a great point though - if you ran this on a Pi and you're not getting the performance you need for your use case, check CPU utilization on the Pi, and consider running your VPN on a device with more oomph.


Wireguard doesn't use any AES CPU functions, so it actually is highly performant on low-end chips vs. OpenVPN. True, you're still limited by port speed and such, but it's fine for most people. If you need more then you're not going to be running it on a Pi (or old laptop etc.) anyway.


I have done something similar with Raspberry Pi and Tailscale. Really happy with the setup. Almost 6 months in and works like a charm.

https://twitter.com/divyenduz/status/1597863894055518208


Hey, I saw you are facing some issues with reauthentication on reboot. If you are running it in a Docker container then having a persistent state directory for Tailscale might help (TS_STATE_DIR=/var/lib/tailscale).

I use it on my system and it works flawlessly on restarts.


I have never met Jeff (the author of this blog post), but I come across his work randomly all of the time. Jeff, if you're reading this, I've always been impressed by your efforts, you're a workhorse!


Thanks! Didn't think this blog post would hit HN, but apparently it did, while I was on a flight back to the US lol. I figured most of us here are VPN'ed out.

It served me well on my trip and I was able to see all the things from local media that are geo restricted out of the US.


Should follow him on youtube, always fun vids.


If your router supports OpenWRT that's a good alternative that doesn't require any additional boxes/boards and is simpler to set up networking-wise.

There's a nice UI that generates the QR codes or config files ready for import into client devices.

1: https://openwrt.org/docs/guide-user/services/vpn/wireguard/b...


yes the webui now has some convenience options for generating and importing configs, but there's still a gap (as in default package installed) in client profile management or network management on cli.

What pivpn (and similar tooling wrapping lower level commands) bring along is this client management and even some network topology/routing management : https://docs.pivpn.io/wireguard/ and https://github.com/pivpn/pivpn/tree/master/scripts/wireguard

I think it's an interesting spectrum between wg-cli and Tailscale.


OpenWRT on a BananaPI R2 with WG works like a charm for ~2 years now


I moved to Tailscale, until I find something simpler, I'm not moving back.


What would that even look like?

When I set it up it promised a 10 minute install time. For me a fair portion of that 10 minutes was trying to work out if it was working as my line speed was higher than I thought possible. It’s scary how quick it is to configure.


Just install tailscale on something in your home network, and start it up advertising as an exit node. On your laptop, select the exit node from the tailscale menu. Now all your internet traffic will go through that machine.


Have you tried Nebula (https://nebula.defined.net)? I set up a personal Nebula network a few months ago and have been very happy with it thus far. It has the ability to do mesh-style direct routing so you don't necessarily have to pay the out-and-back latency cost if you're connecting to a location that is closer.


Tailscale peers will directly connect.


Nebula works great. I don’t need some of the emergent bells and whistles of Tailscale, and Nebula works on devices which don’t yet have WireGuard.


Use Tailscale on an iOS device and you’ll move away within a day. It’s a major battery hogger on iOS.


They are working on it.

I still run Wireguard proper on my iOS device... it switches automatically when I am off my home SSID.

But I run Tailscale everywhere else.


The one problem I encounter with Wireguard is the use of UDP. Some publicly accessible Wifi nets at shops don't allow UDP at all, and this effectively breaks use of the VPN.

Yeah, there are utilities like setting up udptunnel or udp2raw and similar, but what a headache. I really don't agree with Wireguard's developers' justification that it makes speeds terrible. Who cares? It'll be terrible using those utilities anyway. Give us the option, JFC.


VPN over TCP really is quite a bit slower than over UDP, which makes it quite undesirable for me. I think it's quite reasonable of them not to want to complicate the wg project by adding and maintaining the option of UDP over TCP. Remember, wg is supposed to be a minimal project. If you really need TCP traffic, you could always use OpenVPN.

With QUIC on the way, this problem will diminish with time anyway.


There's complicating the protocol and complicating the client. It would definitely be nice if they would add a solution to this to the official clients, particularly mobile ones. VPN over UDP is quite a bit slower than over TCP when the ISP blocks/throttles the UDP traffic...


A little trick for this is to listen on udp/53 which is almost always unblocked, even before captive portals


Actually, I found ATT blocking inbound port 53 to my home. Maybe udp 443 could work?


yeah high rates of data over port 53 tends to trigger a lot of firewalls. I've never had much success with it.

443 is much more likely to be let past, with the popularity of QUIC.


I once used port 53 for all my communications at a hotel that was charging for metered bandwidth by the GB... it was a magical weekend of DNS passthrough with video calls, etc.

53 is my go to port when the network is wonky.


Could you elaborate on your setup? Do you have a proxy / VPN server running on port 53 somewhere?


This is the reason why I still stick with OpenVPN on TCP 443 for my self-hosted VPN. Yes, performance suffers a bit, but it works absolutely everywhere, including behind campus/corp firewalls, as no one blocks TCP 443. I've tried running a separate UDP instance on a different port for situations where I need higher performance, but for my use cases TCP works fine.

From my experience UDP 53 like another commenter suggested does not always work as some firewalls forcibly route all UDP 53 packets to their own local DNS server in order to prevent people from using their own.

As a bonus OpenVPN has the "port-share" option which allows you to share the port with other services like an SSL web server. SSLH is also an option if you want to host both your VPN and a HTTPS site on TCP 443.


Yeah, OpenVPN even supports authenticated web proxies, which is a really nice feature for tunneling. But I realize that I'm probably far from a typical user.


It might be more of a rabbit hole, but if you're going the 'self-hosting' homelab route, I'm a big fan of OPNsense to give you more freedom and control of your network (which has support for Wireguard [0]). While ARM support is lacking, it can be run on a cheap or spare x86-64 box if you have one.

Otherwise, I really like the premise of Tailscale for quick and easy implementation.

[0]: https://docs.opnsense.org/manual/how-tos/wireguard-client.ht...


If your main use case is accessing Home Assistant or exposing a few HTTP endpoints from your home network, you're maybe stuck under several NATs and you don't mind Cloudflare, then I can't not recommend Cloudflare Tunnel. You just run their app on your home server, set up forwarding as if you were setting up nginx or something, click a few buttons in their GUI and your home stuff is online, on HTTPS, with DDoS protection and a nice dashboard. And you'll likely easily fit into the free tier.


If you have the same use case but DO mind Cloudflare, you can rent a cheap server and use SSH reverse TCP tunneling (ssh -R 8080:localhost:80 proxy@example.com)


Do you have any security cameras configured in Home assistant showing a live feed? Reason I'm asking - it seems that CF has some clauses in their TOS that forbids anything but static content. So audio/video stream is a no-no. I'm also using CF tunnel. Just not for home assistant because of their restrictions. For HASS, I go through tailscale.


With the cost of raspberry pi nowadays, you’re better off buying something like a GL.iNet GL-SFT1200 for $40.


The article explicitly mentions this: "PiVPN, luckily, runs on any other Pi-like device, though, as long as it's running a Debian or Pi-OS-like distro. Something like a Libre Computer Le Potato should work in a pinch, without breaking the bank—though if you want faster networking, you'll have to pony up a little more cash, at least until the Pi shortage abates."


WireGuard/Tailscale are fine if you don't need to deal with state-wide censorship. They might be blocked quite easily.

Outline/Shadowsocks has better chances to keep working (though it is not a true vpn, more like a private proxy) https://getoutline.org/


In what way is WireGuard easier to block than SOCKS?


that's "shadowsocks"

wireguard is fingerprintable. it's trivial to look at packets and see "this is wireguard". and block the packets

Outline traffic looks much more like noise (pre-shared keys, lack of handshake, …)
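
What "fingerprintable" means in practice, as an added example (not from the thread or any of the projects named in it): every WireGuard datagram starts with a one-byte message type (1-4) and three zero reserved bytes, the three handshake messages have fixed lengths (148, 92 and 64 bytes) and transport messages are 32 + 16n bytes, so a monitor on the path can recognise a tunnel on any port. The sample datagrams and the c2s/s2c flow labels are constructed for the example.

```python
#!/usr/bin/env python3
"""Recognise WireGuard datagrams by their fixed wire shape (added example).

This is the kind of check a network monitor can apply to UDP payloads; it
needs no keys and does not care which port the tunnel uses. Sample
datagrams are constructed here, not captured.
"""
import os
from typing import List, Optional, Tuple

NAMES = {1: "handshake-initiation",   # always 148 bytes
         2: "handshake-response",     # always 92 bytes
         3: "cookie-reply",           # always 64 bytes
         4: "transport-data"}         # 4 hdr + 4 receiver + 8 counter + 16n + 16 tag
FIXED_LENGTHS = {1: 148, 2: 92, 3: 64}


def classify(payload: bytes) -> Optional[str]:
    """Return the WireGuard message name, or None if the payload cannot be one."""
    if len(payload) < 32:                        # shortest message is a keepalive
        return None
    msg_type, reserved = payload[0], payload[1:4]
    if reserved != b"\x00\x00\x00" or msg_type not in NAMES:
        return None
    if msg_type in FIXED_LENGTHS:
        return NAMES[msg_type] if len(payload) == FIXED_LENGTHS[msg_type] else None
    # transport data: plaintext is padded to a 16-byte multiple, so total is 32 + 16n
    return NAMES[msg_type] if len(payload) % 16 == 0 else None


def flow_verdict(packets: List[Tuple[str, bytes]]) -> str:
    """Judge one UDP 5-tuple from (direction, payload) pairs.

    'wireguard': an initiation one way and a response the other way (the
    handshake itself is the strong signal); 'suspect': every datagram is
    shaped like WireGuard but no handshake was seen (16-byte-aligned
    payloads are not unique to WireGuard); 'no': any datagram does not fit.
    """
    kinds = [(direction, classify(payload)) for direction, payload in packets]
    if any(kind is None for _, kind in kinds):
        return "no"
    init_dirs = {d for d, k in kinds if k == "handshake-initiation"}
    resp_dirs = {d for d, k in kinds if k == "handshake-response"}
    if ("c2s" in init_dirs and "s2c" in resp_dirs) or \
       ("s2c" in init_dirs and "c2s" in resp_dirs):
        return "wireguard"
    return "suspect"


# Constructed sample datagrams: correct header and length, random bodies.
def make_initiation() -> bytes:
    return bytes([1, 0, 0, 0]) + os.urandom(144)


def make_response() -> bytes:
    return bytes([2, 0, 0, 0]) + os.urandom(88)


def make_transport(blocks: int) -> bytes:
    """Transport message carrying `blocks` 16-byte plaintext blocks (0 = keepalive)."""
    return bytes([4, 0, 0, 0]) + os.urandom(28 + 16 * blocks)


SAMPLE_FLOW = [("c2s", make_initiation()), ("s2c", make_response()),
               ("c2s", make_transport(5)), ("s2c", make_transport(3)),
               ("c2s", make_transport(0))]

if __name__ == "__main__":
    for direction, payload in SAMPLE_FLOW:
        print(direction, len(payload), classify(payload))
    print("verdict:", flow_verdict(SAMPLE_FLOW))
```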


Shadowsocks is defunct now. Has been for a while; a connected server's IP can be detected and blocked within hours. That means Outline's defunct in a lot of places too. What's currently 'hot', in large part, is v2ray [1], be that vless, vmess, trojan, etc.

[1] https://zh.m.wikipedia.org/wiki/V2Ray


> that's "shadowsocks"

I'm not familiar with the software, but according to Wikipedia it's a client to connect to a SOCKS5 proxy:

> Shadowsocks is not a proxy on its own, but (typically) is the client software to help connect to a third-party SOCKS5 proxy, which is similar to a Secure Shell (SSH) tunnel.

Are you saying that's incorrect?


that's an oversimplification. raw socks5 is a low-level thing without encryption.

shadowsocks puts a solid crypto layer on top of it, designed specifically to be hard to detect. its Chinese origin gives a hint here: it was created to circumvent detection by the "great firewall"

outline builds a user-friendly toolset on top of it


Base wireguard is pretty easy to setup, especially with wg-quick, so idk why anything would be required to make it easier. Also, Rosenpass is quite great and easy to use, which really improves the security further. Hopefully Rosenpass will become part of the base implementation at some point.


People keep saying this, but it hasn't been true for me. I've had to reinstall PiVPN a few times, I assume because automatic updates may have broken it somehow. I tried manually configuring wireguard every time but just could not get it to work after hours of trying. PiVPN has always been extremely easy to install and configure.


Have you tried investigating the config it produces and comparing that to what you ended up with on your failed attempts? Way back when I first started using OpenVPN installing a quick-setup in a VM was how I found a glaring mistake I'd been making (with routing, it turned out, not the OpenVPN config itself).

Not that it massively matters if you are happy with PiVPN of course, but understanding more may help you diagnose issues should PiVPN ever fail.


After skimming both the GitHub and the protocol specification for rosenpass, I still have no idea what benefit it provides on top of wireguard and therefore why I should use it.


It's below the fold on rosenpass.eu but:

> Rosenpass is a key-exchange protocol using techniques that are secure against attacks from quantum computers. It achieves the same security guarantees as WireGuard, using two strong post-quantum key exchange methods – Classic McEliece and Kyber.

> To use Rosenpass, you don't have to get rid of WireGuard; Rosenpass handles post-quantum security, WireGuard handles pre-quantum security and high-speed data transmission.


I saw some references to post-quantum security, but I also saw references to something called "Post-Quantum Wireguard" so it seemed like that was handled by some other project, or at best some sub-component of Rosenpass.


Wireguard has a pre-shared key that can essentially get 'added to' the base key, making it more secure. Rosenpass effectively just makes these PSKs and trades them in a way that makes it quantum secure. Basically it should be a part of base wireguard, but for now it's a good addition.


Thanks, that's the clearest explanation I've seen.


for one or two devices, yes.

But after that, key and config management becomes a bit more challenging.

I have about 14 devices on a VPN, so that uses Ansible to make sure all the keys are where they should be, and can be rotated if need be.


I have a WireGuard VPN with about 250 devices, most of them POS machines in the wild. I adopted WireGuard for our first machines about half a year before the 1.0 release, so there weren't many tools yet.

I piggybacked onto the original configuration file format and built myself https://github.com/WolleTD/wg-setup, which helps me validate the correctness and uniqueness of new entries, hacks names into the entries and even updates an internal DNS zone.

I really don't have to care much for key rotation, though. As most of the devices are out of our control anyway, they aren't allowed to connect to anything inside the VPN. It's just for us to connect to them.


I use PiVPN on a Dell Wyse 3040, an absolutely pathetic thin client I got for 67€ from eBay, to access my home network. It's the only thing accessible from the outside world and it works pretty well. Don't remember if I've ever had issues with it.


Personally, if you're looking for "your own private" thing, I'm a much bigger fan of Tinc. The wireguards and zerotiers seem more appropriate for bigger, more corporate things?

I do wish Tinc had a slightly easier onboarding process, but once it's up, there's a great deal of stuff that I see people dealing with that Tinc users don't have to much think about, especially, e.g. the Mesh deal.


Wireguard has a dead simple onboarding process as well. For users you want to grant access, providing a QR code and having them install the Wireguard client app on their mobile device is all that is needed. Also, the Wireguard server itself is an easy setup and has very little overhead. Took me like a few minutes to install and set up on a Raspberry Pi 3. Of course, you do have to open up a port on your router. That's the only downside. I've since switched to Tailscale for that specific reason.


Tinc was my go-to for years, but there is a non-trivial performance penalty for its userspace implementation.

If you can enumerate all your endpoints into wireguard, and squint, it'll kinda-sorta act like a mesh.

And if you want to go a little crazy with it, you can run https://github.com/m13253/VxWireguard-Generator + babeld, and get routing around failures in the mesh.


I don't think there are a lot of stuff easier to set up than ZeroTier, honestly. For me it has been a godsend.


If you're going this far, might as well do as the author did and add a pi-hole to the mix, issue some credentials to your phone and block ads and/or other stuff via DNS everywhere you go. I also use this to remote into my work computer from wherever I am, using my travel laptop, an iPad or even just my cell phone.


This. I started to tunnel my traffic via my Wireguard VPN (when outside) to cut these 30% of connections that are blocked by Pihole.

Pihole is really a great piece of work. It uses standard components (dnsmasq, standard lists) and does it well. I used to have it in a docker container but moved it to the ISP box when I got a new one (a French ISP called Free provides you with an Internet box that has a built-in VPN (WG or OpenVPN) and allows you to create VMs - this is where I ultimately moved Pihole because it is my DNS and DHCP server)


This is precisely what I do and it's great. Built myself a workstation desktop last year that I wanted to access remotely via an older laptop and it's worked beautifully, even when I was out in Europe for a week last summer.


pihole is really lightweight, you could just run it on your local laptop and save yourself the hop to your home network for all DNS requests


I could set up pihole on my local laptop. And on my wife's laptop. And on my kids' phones. And on my work laptop. And...

Or I could just set it up on one tiny server (doesn't have to be a pi, but I happen to have one that isn't doing anything else), point my gateway at it for DNS, and give my whole family + any VPN connections filtering for free.


I keep a Pi with Wireguard as a way to reboot my home server remotely if something goes wrong. A GPIO pin connected to an optocoupler acts as a second power switch on the motherboard.

Works well for testing stuff remotely or messing with VPN configurations on the server itself without leaving it stranded for good.


Algo project still works well. Very quickly launch a WireGuard VPN to several popular cloud providers, or any Linux instance you already have access to, including your rPi.

https://github.com/trailofbits/algo


Yes, I've been using this since I moved overseas. Works great, was able to add NextDNS for ad blocking.

I still find some websites will block you as your traffic will be originating from a datacenter (if going cloud option like me), but most work. I find this setup also works for some services that do not work via VPNs such as Mullvad.

If you want to talk to other devices check out the `BetweenClients_DROP` setting ("road warrior")


Or just consider some HTTP over TLS proxy like this one: https://github.com/Snawoot/dumbproxy

It may be a bit more flexible an option, especially if forwarding all traffic to the VPN entirely is undesirable.


For me the HPE ProLiant MicroServer G10+ is a better solution, but I couldn't find a wireless PCIe card that could reliably be used as an AP. I have a QNAP QWA-AC2600 bought in Europe, but the Linux driver is crippled and sets the regulatory region to US because the ROM doesn't have it set properly. And there is no way to change it. The driver developers think it's a feature and won't revert it. I really appreciate that driver developers know better than me where I use the hardware, but for now I don't want to use US settings in, for example, Poland. Or all frequencies are tagged as not for AP use. My question is: is there any PCIe card that could be used as an AP?


I set all of this up about 3 weeks ago. Wish I had come across this guide then! It's a great solution that has made my dev work and media consumption so much easier on the go.

One thing that tripped me up on arch linux with KDE Plasma was that importing the downloaded WireGuard configuration didn't work in NetworkManager using the gui. After a bit of tinkering, I finally discovered that you can download the conf file to your computer and then run the following command:

  nmcli connection import type wireguard file [CONF_FILE]
That adds it to NetworkManager, making it easy to connect to from the gui.


Taking an opportunity here for a completely shameless plug for an enterprise-y wg based corporate VPN. Uses mTLS for device auth, wg (obvs), OIDC to authenticate users/set up firewall access (Azure AD and Keycloak tested). Runs as a redundant cluster and can be hooked in via BGP.

Very early and no docs to speak of yet, but raise an issue if interested. Works with standard WireGuard app on computers/phones, but an integrated app using the API might be in the works …

https://github.com/davidcoles/gpn


Interesting and interested. I’ll be following, for the learning experience if nothing else.


Will update with some docs next week, then.


Or just use a Mikrotik router which has Wireguard support built-in.


This is only for MikroTiks that use an ARM processor. Some older ones that run on MIPS don't get this update.


Wireguard is available on all architectures, since RouterOS 7.0.

Zerotier is the arm/arm64-only package that you probably had on your mind.


Hm... probably this is what confuses me.


Wireguard support comes with RouterOS 7 (ros7). I'm running ros7 on a MIPS device (mAP) and it works fine. What device(s) are you talking about?


Yes. My FritzBox also has built-in Wireguard.


> Note: Security is a major concern here—don't set up a VPN if you don't know what you're doing. If someone gets access through the VPN to your home network, they can (and will) hack into your house!

While possible, many people already give access to their home networks via multi-homed devices they carry in their pockets everywhere they go.

Relying on anything below the application layer for security is not very good these days.


I quickly installed Outline on a free-forever Oracle VPS. This might be the best option for someone who doesn't want to buy a RPi, worry about SD card corruption, use any additional electricity at home, or spend any money. Even with the tiny VPS provided for free, I'm getting great speeds of over 200 Mbps. And you can choose multiple locations to set up your free VPS.


Another simple solution, which I installed on my existing server in actually 5 minutes via docker run, is https://github.com/WeeJeWel/wg-easy. The interface is very simple, and all in all it took 10 minutes to have the VPN up and running, download the client applications, and connect to it!


Yea this is the route I took, I’m a sucker for a good gui, and this is super simple.

If you use cloudflare for your domain you can use cloudflare-ddns[0] to automatically update your ip if/when it changes.

[0] https://github.com/timothymiller/cloudflare-ddns


Anyone know if these kinds of setups get you around the Chinese firewall? Or is this kind of traffic pretty fingerprintable?


Many VPNs get around it just fine, according to the random experiences I saw online. The issue is not technical, but legal: the traffic is fingerprintable, and the parties involved (user, ISP) are legally required to store some of the traffic, and to make that available for authorities to check later [0]. I imagine that they handle this like how they handle other law enforcement - by applying it when they feel like. So at the end of the day, don't get caught.

[0] https://en.wikipedia.org/wiki/Cybersecurity_Law_of_the_Peopl...


Wireguard is known to be fingerprintable[1]. But at this moment it is unlikely UDP traffic will be filtered by Chinese GFW[2]. But this may change any moment.

[1]: https://lists.zx2c4.com/pipermail/wireguard/2018-September/0...

[2]: https://gfw.report/publications/usenixsecurity23/en/#sec:res...


I don't think it's true that UDP is completely unfiltered.

I tried setting up a Wireguard site-to-site tunnel for $WORKs Chinese office to access EU office- it stopped working within a day.


I'm using https://github.com/burghardt/easy-wg-quick for this. It works beautifully. I simply port forward to my raspberry pi that handles all of this.


I do tailscale. wireguard and having to host an entrypoint is too much trouble


I run my own WireGuard VPN for my home devices, and I have had a hell of a time getting mDNS to work over it. I tried various reflectors and couldn't get them to work; has anyone made this simple?


I’ve recently built a VPN into my network using Cloudflare Zero Trust and Cloudflare Tunnels. Highly recommend over maintaining Wireguard or anything else. Much more comprehensive security controls.


Or you can use ZeroTier.


ZeroTier kept having random disconnects, long wait times until connection is established/settled, and desktop app weirdness/inconsistencies. Have these problems been fixed? (Last used it years ago).


Yes and no in my experience. The past year I have had some trouble but the Linux clients seem to be good again. Win11 is getting worse for me unfortunately.


Seems fixed. I've been using it for 2 or 3 years and it's very strong.

Mostly used to connect a few Linux boxes behind NAT or double NAT without opening ports on the router. Also running on macOS.


I use DietPi, which includes WireGuard and other things like PiHole. I've had my RPi 4 running without issue for more than 2 years, and can get 200 Mbps up and down.


curl | bash ?? For something as critical as a VPN? No thanks.

You know you can just do apt install wireguard right?


I have tried a lot of wireguard installation solutions, this one is pretty great.


Anyone found a way to do split tunnelling on macOS?


Would a solution that uses IKEv2.


A nice dynamic DNS provider is afraid.org


Up until late 2014 when I occasionally worked at home, I used what I called the poor man's VPN. There was one machine at my company that I had ssh access to from outside and that could reach all the internal machines I needed. Call that machine ssh.example.com.

My requirements for comfortably working from home were:

1. Nothing special needs to be done at work. I don't have to ask for anything new to be installed there, or firewall rules to be changed, or anything like that.

2. I wanted to be able to refer to work machines by the same names they had on the internal network at work, and I wanted to access things on the same ports. A script that worked when run from my office should work with no changes when run from my living room.

3. It only needed to support host:port combinations that were explicitly specified.

Here's what I did. Let's say I've got 3 machines I need to use:

  db.example.com:   MySQL server
  mail.example.com: mail server
  web.example.com:  web server
I need to use MySQL on the first (port 3306), IMAPS on the second (port 993), and HTTP/HTTPS on the third (ports 80 and 443), and I want to use ssh (port 22) on all of them.

I'd ssh to the machine at work that I have ssh access to, with my ssh config file including this:

  Host poor_vpn
    Hostname ssh.example.com
    User tzs
    UserKnownHostsFile ~/.ssh/poor_vpn.hosts
    LocalForward 7777 db.example.com:22
    LocalForward 7778 db.example.com:3306
    LocalForward 7779 mail.example.com:22
    LocalForward 7780 mail.example.com:993
    LocalForward 7781 web.example.com:22
    LocalForward 7782 web.example.com:80
    LocalForward 7783 web.example.com:443
I'd add this to /etc/hosts:

  10.10.10.1 db.example.com
  10.10.10.2 mail.example.com
  10.10.10.3 web.example.com
(My LAN used 192.168.0.x addresses)

Finally, a little ipfw fiddling on my Mac to bring it all together:

  ipfw add 100 fwd 127.0.0.1,7777 tcp from any to 10.10.10.1 22
  ipfw add 101 fwd 127.0.0.1,7778 tcp from any to 10.10.10.1 3306
  ipfw add 102 fwd 127.0.0.1,7779 tcp from any to 10.10.10.2 22
  ipfw add 103 fwd 127.0.0.1,7780 tcp from any to 10.10.10.2 993
  ipfw add 104 fwd 127.0.0.1,7781 tcp from any to 10.10.10.3 22
  ipfw add 105 fwd 127.0.0.1,7782 tcp from any to 10.10.10.3 80
  ipfw add 106 fwd 127.0.0.1,7783 tcp from any to 10.10.10.3 443
On Linux that would have been something like this (REDIRECT is a target, so it needs -j):

  iptables -t nat -A OUTPUT -p tcp -d 10.10.10.1 --dport 22 -j REDIRECT --to-ports 7777
  iptables -t nat -A OUTPUT -p tcp -d 10.10.10.1 --dport 3306 -j REDIRECT --to-ports 7778
  iptables -t nat -A OUTPUT -p tcp -d 10.10.10.2 --dport 22 -j REDIRECT --to-ports 7779
  iptables -t nat -A OUTPUT -p tcp -d 10.10.10.2 --dport 993 -j REDIRECT --to-ports 7780
  iptables -t nat -A OUTPUT -p tcp -d 10.10.10.3 --dport 22 -j REDIRECT --to-ports 7781
  iptables -t nat -A OUTPUT -p tcp -d 10.10.10.3 --dport 80 -j REDIRECT --to-ports 7782
  iptables -t nat -A OUTPUT -p tcp -d 10.10.10.3 --dport 443 -j REDIRECT --to-ports 7783
That worked great for several years. I've got a script that can take a list of files that describe host:port combinations and generate the ssh config, hosts, and ipfw or iptables rules, so it was easy to add or remove machines.

It broke in late 2014 when I switched to MacOS Yosemite. Apple had switched to using PF in Lion in 2011 and deprecated ipfw, and removed it in Yosemite. By then we had an openvpn setup at work and I switched to using that.
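The generator the comment above alludes to, written out as an added example (this is not the commenter's script). Given lines of the form "host port", it hands each host a fake address from a network that is unused on the home LAN (10.10.10.0/24, as in the comment) and each host:port pair a local port, then emits the matching ssh LocalForward block, /etc/hosts entries, and iptables or legacy ipfw redirect rules. The jump host, user and alias defaults mirror the comment; the input format is an assumption.

```python
"""Generate the pieces of the "poor man's VPN" from one host:port list.

Added example, not the commenter's own script.  Input lines are
"host port" (assumed format).  Each host gets a fake IP from `fake_net`,
each (host, port) gets a 127.0.0.1 port that ssh forwards to it, and the
firewall rules steer traffic for fake_ip:port to that local port.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed input, mirroring the three machines in the comment above.
SAMPLE_SPEC = """\
# host              port
db.example.com      22
db.example.com      3306
mail.example.com    22
mail.example.com    993
web.example.com     22
web.example.com     80
web.example.com     443
"""


@dataclass(frozen=True)
class Mapping:
    host: str        # internal name, exactly as used on the work network
    fake_ip: str     # what /etc/hosts resolves the name to; not a real LAN address
    port: int        # real port on the internal host
    local_port: int  # 127.0.0.1 port that ssh forwards to host:port


def parse_spec(text: str) -> list[tuple[str, int]]:
    """Parse "host port" lines; '#' starts a comment.  Duplicates are rejected
    so two rules never fight over the same fake_ip:port."""
    seen: set[tuple[str, int]] = set()
    out: list[tuple[str, int]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'host port', got {raw!r}")
        host, port = parts[0].lower(), int(parts[1])
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: bad port {port}")
        if (host, port) in seen:
            raise ValueError(f"line {lineno}: duplicate {host}:{port}")
        seen.add((host, port))
        out.append((host, port))
    return out


def plan(entries: list[tuple[str, int]], fake_net: str = "10.10.10.0/24",
         first_local_port: int = 7777) -> list[Mapping]:
    """One fake IP per host (order of first appearance), one local port per pair.
    fake_net must not overlap any network the laptop actually sits on."""
    fake_hosts = ipaddress.ip_network(fake_net).hosts()
    ip_for: dict[str, str] = {}
    mappings: list[Mapping] = []
    local_port = first_local_port
    for host, port in entries:
        if host not in ip_for:
            try:
                ip_for[host] = str(next(fake_hosts))
            except StopIteration:
                raise ValueError(f"{fake_net} has no free addresses left") from None
        if local_port > 65535:
            raise ValueError("ran out of local ports")
        mappings.append(Mapping(host, ip_for[host], port, local_port))
        local_port += 1
    return mappings


def ssh_config(mappings: list[Mapping], alias: str = "poor_vpn",
               jump_host: str = "ssh.example.com", user: str = "tzs") -> str:
    lines = [f"Host {alias}", f"  Hostname {jump_host}", f"  User {user}",
             f"  UserKnownHostsFile ~/.ssh/{alias}.hosts"]
    lines += [f"  LocalForward {m.local_port} {m.host}:{m.port}" for m in mappings]
    return "\n".join(lines) + "\n"


def hosts_entries(mappings: list[Mapping]) -> str:
    by_host: dict[str, str] = {}
    for m in mappings:
        by_host.setdefault(m.host, m.fake_ip)
    return "".join(f"{ip} {host}\n" for host, ip in by_host.items())


def iptables_rules(mappings: list[Mapping]) -> list[str]:
    # Locally generated packets traverse the nat OUTPUT chain; REDIRECT is a
    # target (hence -j) that rewrites the destination to 127.0.0.1:local_port.
    return [f"iptables -t nat -A OUTPUT -p tcp -d {m.fake_ip} --dport {m.port} "
            f"-j REDIRECT --to-ports {m.local_port}" for m in mappings]


def ipfw_rules(mappings: list[Mapping], first_rule: int = 100) -> list[str]:
    # Legacy ipfw syntax as used in the comment; gone since macOS Yosemite.
    return [f"ipfw add {first_rule + i} fwd 127.0.0.1,{m.local_port} tcp "
            f"from any to {m.fake_ip} {m.port}" for i, m in enumerate(mappings)]


if __name__ == "__main__":
    ms = plan(parse_spec(SAMPLE_SPEC))
    print(ssh_config(ms))
    print(hosts_entries(ms))
    print("\n".join(iptables_rules(ms)))
```

Because the local port and the fake address are allocated in input order, adding a machine at the end of the list leaves every existing rule and forward unchanged, which is what makes regenerating all three files on every edit safe.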


[flagged]


Please don’t do this here. From the guidelines:

> Please don't use Hacker News for political or ideological battle. That tramples curiosity.



