Me and @WithoutFurtherRelay@hexbear.net were discussing practical aspects of hosting a Space Station 13 server. In particular, we were concerned about the risks of running internet services out of our home internet connections. It pretty much advertises the locality you live in and connects any other services/activity at the same IP address to your Hexbear identity. The usual alternative is to buy some server time from someone else with an internet connection but the costs can add up to a lot if everyone is buying server time individually for their services.

Initially, we were discussing buying some server time for our own use to proxy connections to our home network to run our game server but we thought it might be more efficient and helpful for the community to make this available to everyone here who wants to run an internet service.

Basically, the idea is that instead of exposing a service on your home IP address for everyone on the internet to see, you connect to our server and it accepts connections on its own IP address for you and proxies the traffic back to your home network. So, if you want to tell someone how to access your service, all you need to give them is our server’s IP address and a port.

Of course, this has little to no effect on people with a grand ability to surveil internet traffic (fedposting) but it would expose a lot less information to other bad actors and make running internet services easier.

There would also need to be trust between the maintainers of this proxying service (who could collect the network information and traffic of the users, for example) and the users (who could use the proxy to forward malicious traffic, for example) so we thought it would be most useful if it were a community project. Maybe some of the risks could be minimized by restrictive firewall rules like not allowing users to send traffic out to the public internet unless it were a response to incoming traffic but maybe that is a feature we want?

Anyway, what does everyone think about this idea? Is it worth exploring and implementing or is it a bad idea? Sorry if I was a bit vague because I’m still thinking about the best way to implement this idea.

  • krolden · 4 points · 1 year ago

    It takes a lot of work and commitment to run a service like that let alone for other people. And on top of that you’d only be hiding from the low tier trackers, you really can’t hide from the feds online unless you’re extremely paranoid and have some next level obfuscation going on. Feds have backdoors in the entire backbone network and have tools that can analyze traffic flows and track them to their source.

    If you’re just looking to hide from nonfeds then I’d suggest using pretty much any vpn service, possibly also using another proxy to connect to the vpn itself.

    • PaX [comrade/them, they/them]@hexbear.net (OP) · 2 points · edited · 1 year ago

      It takes a lot of work and commitment to run a service like that let alone for other people.

      Well, one of the simplest versions of this idea is just a server running as a Wireguard peer forwarding traffic to and from other peers from the public internet. Not too complicated to set up and maintain.

      And on top of that you’d only be hiding from the low tier trackers, you really can’t hide from the feds online unless you’re extremely paranoid and have some next level obfuscation going on. Feds have backdoors in the entire backbone network and have tools that can analyze traffic flows and track them to their source.

      Yeah, it’s really difficult to hide traffic from people who control the internet infrastructure. The intent is just to hide locations and IP addresses from less resourced attackers.

      If you’re just looking to hide from nonfeds then I’d suggest using pretty much any vpn service, possibly also using another proxy to connect to the vpn itself.

      A consumer VPN wouldn’t really solve this issue. I think there might be some left still offering support for forwarding incoming connections (port forwarding) but many have shut down because people were hosting illegal/malicious content. Otherwise, consumer VPNs only forward traffic to you if you started the connection. Not useful for running internet services. And everyone would have to buy their own subscription.
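The setup PaX sketches above (a hub that accepts connections on its own public address and forwards them to a home WireGuard peer), together with the restrictive firewall rule floated in the original post (members may only send traffic out as replies to connections that came in), as an added example that is not code from the thread or from anyone's actual deployment. It prints the hub-side and home-side WireGuard configs and an nftables ruleset for the hub; the interface names eth0/wg0, the 10.8.0.0/24 tunnel subnet, the 203.0.113.10 endpoint, port 13337 and the key placeholders are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the hub-side WireGuard
# config, the member's home-side config and an nftables ruleset for the
# community reverse proxy described above. Everything is constructed for
# illustration: public interface eth0, tunnel subnet 10.8.0.0/24, hub at
# 10.8.0.1, one home peer at 10.8.0.2 running a game server on port 13337.
# Key material is a placeholder.

HUB_PUB_IF=eth0                  # hub's internet-facing interface (assumed)
WG_IF=wg0                        # hub's WireGuard interface (assumed)
HUB_WG_ADDR=10.8.0.1             # hub's tunnel address (assumed)
HUB_ENDPOINT=203.0.113.10:51820  # hub's public endpoint (documentation address)

# wg_hub_config PEER_PUBKEY PEER_WG_ADDR
# Prints the hub's /etc/wireguard/wg0.conf with one member peer.
wg_hub_config() {
  cat <<EOF
[Interface]
Address = ${HUB_WG_ADDR}/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY_PLACEHOLDER>

# One [Peer] block per member. AllowedIPs is both a route and a source
# filter: WireGuard drops packets from this peer whose inner source address
# is not $2, so one member cannot spoof another member's tunnel address.
[Peer]
PublicKey = $1
AllowedIPs = $2/32
EOF
}

# wg_home_config HUB_PUBKEY PEER_WG_ADDR
# Prints the member's home-side config. Only the hub's tunnel address is
# routed into the tunnel, so the member's other traffic never crosses the hub.
wg_home_config() {
  cat <<EOF
[Interface]
Address = $2/24
PrivateKey = <PEER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = $1
Endpoint = ${HUB_ENDPOINT}
AllowedIPs = ${HUB_WG_ADDR}/32
# Home connections sit behind NAT, so the home side must keep the tunnel
# open or the hub has no path on which to deliver inbound game connections.
PersistentKeepalive = 25
EOF
}

# nft_forward_rules PEER_WG_ADDR PROTO PORT
# Prints an nftables ruleset that publishes PROTO/PORT on the hub's public
# address, forwards it to the member, and drops anything the member sends
# outward that is not a reply to such a connection.
nft_forward_rules() {
  cat <<EOF
table inet proxy {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    # Publish the port: rewrite the destination to the member's tunnel address.
    iifname "${HUB_PUB_IF}" $2 dport $3 dnat ip to $1
  }
  chain postrouting {
    type nat hook postrouting priority srcnat;
    # Source-NAT forwarded packets so the home peer sees them coming from
    # ${HUB_WG_ADDR} and replies through the tunnel without a default route
    # over it. Trade-off: the game server never sees real client addresses.
    oifname "${WG_IF}" ip daddr $1 masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    # Internet -> tunnel: only packets belonging to a connection that hit
    # the DNAT rule above.
    iifname "${HUB_PUB_IF}" oifname "${WG_IF}" ct status dnat accept
    # Tunnel -> internet: only replies to connections that arrived from outside.
    iifname "${WG_IF}" oifname "${HUB_PUB_IF}" ct state established,related accept
    # Anything else (new outbound connections from a member, member-to-member
    # traffic) falls through to the drop policy.
  }
}
EOF
}

# Usage: emit the three artefacts for one member (public keys are placeholders).
wg_hub_config  "<PEER_PUBLIC_KEY_PLACEHOLDER>" 10.8.0.2
wg_home_config "<HUB_PUBLIC_KEY_PLACEHOLDER>"  10.8.0.2
nft_forward_rules 10.8.0.2 tcp 13337
```

The generated files are loaded with `wg-quick up wg0` on each side and `nft -f` on the hub; for a game that also uses UDP, the prerouting DNAT line is repeated with `udp`. The hub's own input chain (allowing UDP 51820 for WireGuard itself) is not shown. The masquerade line is the design choice worth understanding: without it the home peer would need to route all of its traffic through the hub to get replies back, which is exactly the centralisation the thread is wary of; with it, the home peer routes only the hub's address into the tunnel, at the cost of the game server seeing every client as 10.8.0.1.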

      • krolden · 2 points · 1 year ago

        Well if you’re running services over the vpn then yeah I would just build your own. I’ve been messing with a bunch of different mesh solutions but they all seem to have their quirks so I’ve gone back to a hub and spoke model.

        There’s also a bunch of residential proxy services but those charge by the gigabyte usually and come with their own set of issues. Riseup also runs a vpn service; I’m not sure if they have any restrictions on port forwarding or not. Also it requires an invite, but I figure if you set one up it would also be invite based or some kind of SSO with your hexbear account.

      • footfaults [none/use name]@hexbear.net · 2 points · 1 year ago

        just a server running as a Wireguard peer forwarding traffic to and from other peers from the public internet. Not too complicated to set up and maintain.

        Why would I trust you, a random person on the Internet, to be my trusted middlebox?

        • PaX [comrade/them, they/them]@hexbear.net (OP) · 1 point · edited · 1 year ago

          People would have to make a decision based upon whether they prefer advertising their location to the world (and possibly other services at the same address) or trusting an intermediary with their address and traffic. I would prefer some community oversight over this service as well but idk if people are interested in that or this service at all. Maybe it’s a bad idea anyway just because of centralizing internet traffic that would have been relatively decentralized.

    • krolden · 3 points · edited · 1 year ago

      Tor isn’t good for any traffic beyond casual drug buying and forum posting. Also many of the exit nodes glow

    • sovietknuckles [they/them]@hexbear.net · 2 points · edited · 1 year ago

      If your goal is to not expose your IP address to anyone, sure. But if the goal is to protect the Hexbear userbase from websites that are IP grabbing, proxy is fine

    • PaX [comrade/them, they/them]@hexbear.net (OP) · 1 point · edited · 1 year ago

      I thought about it but sadly Tor is only really useful for non-realtime services because of latency. The biggest category of use for this service would probably be video games at this time.

      Also, running a Tor client or whatever they call it takes some setup beyond just doing web browsing.

      The intent behind this is just to not reveal people’s locations and IP addresses to the average wrecker or reactionary if they want to run a Minecraft server or something.

      • footfaults [none/use name]@hexbear.net · 1 point · edited · 1 year ago

        IPv6 with privacy extensions is a much more secure way to handle this, without having to trust a middleman/proxy to keep your information safe while not sacrificing performance.

        • PaX [comrade/them, they/them]@hexbear.net (OP) · 1 point · edited · 1 year ago

          IPv6 temporary random addresses are great but they don’t solve the issue of geolocation based on IP address. In the end, you’re still delegated a prefix by your ISP which are allocated consistently enough that addresses within subnets assigned to ISPs can be geolocated like IPv4 addresses. Also there are still many, many hosts on the internet (maybe the majority?) that don’t have IPv6 capability, sadly.