This means I don’t need to mess around with QBT’s “proxy” settings?

No, you don’t. In short, trackers will look at the source address of the incoming connection on their side, that means you VPS IP because you’re doing NAT on the VPS.

Just make sure qBittorrent is restricted to the WG interface and nothing else.

I agree with that, 100% but for the majority of the world how green it is usually depends on how far-left you are.

So… now nuclear is considered “green power”. Okay boomers.

but without nix it’s a pita to maintain through restores/rebuilds.

No it isn’t. You can even define those routing polices in your systemd network unit alongside the network interface config and it will manage it all for you.

If you aren’t comfortable with systemd, you can also use simple “ip” and “route” commands to accomplish that, add everything to a startup script and done.

major benefit to using a contained VPN or gluetun is that you can be selective on what apps use the VPN.

Systemd can do that for you as well, you can tell that a certain service only has access to the wg network interface while others can use eth0 or wtv.

More classic ip/route can also be used for that, you can create a routing table for programs that you want to force to be on the VPN and other for the ones you want to use your LAN directly. Set those to bind to the respective interface and the routing tables will take place and send the traffic to the right place.

You’re using docker or similar, to make things simpler you can also create a network bridge for containers that you want to restrict to the VPN and another for everything else. Then you set the container to use one or the other bridge.

There are multiple ways to get this done, throwing more containers, like gluetun and dragging xyz dependencies and opinionated configurations from somewhere isn’t the only one, nor the most performant for sure. Linux is designed to handle this cases.

In terms of homelab stuff, I know a lot of people appreciate the containerized approach.

What I said applies to containerized setups as well. Same logic, just managed in a slightly different way.

By “set up wireguard to route through the VPS” you mean having wireguard forward a port from the VPS to a port on the homeserver at its wireguard IP address?

Yes, he means that.

qBittorrent will still need to publish the right IP address to peers though, right? So I will need to configure the proxy VPS’s IP address in qBittorrent…

No. For most things qBittorrent does public IP detection. For the rest your VPS will be doing NAT between the WG interface and the public internet. This means your qBittorrent client sends outgoing packets with the source address of your WG private IP and then the VPS will change those to it’s public IP address.

The thing you must be careful about is that you need to restrict qBittorrent to only send and receive traffic on the WG interface, otherwise it will be using both. You can do it in the settings, but the safest way is to do it at the container setup or systemd service level and completely hide any interface that isn’t the WG one from it.

You can force all outgoing traffic to use the VPN interface via iptables/routes (meaning if it doesn’t exist or doesn’t work nothing will be able to access the internet) OR use systemd globally hide the non-VPN network interface from all services except for the VPN client.

All of that can be achieved with simple systemd or iptables/routes tweaks. You can force all outgoing traffic to use the VPN interface via routes (meaning if it doesn’t exist or doesn’t work nothing will be able to access the internet) OR use systemd globally hide the non-VPN network interface from all software except for the VPN client.

Hm, so now people suddenly notice and care about this? lol

Not specifically for amazon devices, they’ve opened up the network to “selected partners”, I believe Samsung isn’t on the list but that may happen at any point and to be fair did you read the ToS to know if they don’t have something similar already? What are their plans?

That doesn’t guarantee 100% privacy on a densely populated area anymore. Nowadays you’ve stuff like Amazon Sidewalk and who knows who’s partner and what devices are in it.

That doesn’t guarantee 100% privacy on a densely populated area anymore. Nowadays you’ve stuff like Amazon Sidewalk and who knows who’s partner and what devices are in it.

Okay, but then the TV is still running all the same spyware.

Update: just disabling wifi doesn’t guarantee 100% privacy anymore on a densely populated area. Nowadays you’ve stuff like Amazon Sidewalk and who knows who’s partner and what devices are in it.

json spec draft 7

There’s comments in the specs and a bunch of parsers that actually inore //

Yeah but at the same time you’ve ISPs that deploy routers that can initiate GRE tunnels between your network and their side for “support”.

you have to comply with police orders to moderate your platform…

Your points are fair however, where does it stop? If the police says “make it all plaintext” then what happens? It is a police request after all.

This thing where chat platforms and others “need” to comply with police / govt orders and remove content is very tricky… should platforms really censor everything the govts ask for? What if it is a group chat about a corrupt political party in power (with proof)? The govt will say it is CSAM, them Signal will shut it down and our democracies are gone.

To make it really clear: I’m not for breaking the law, and I don’t think that content should be on such platforms. The problem is that once you start removing that content the precedent will be abused to remove other actually important stuff because “it is CSAM” and the E2EE doesn’t have ways to check if is is really CSAM nor should it be the judge of the content.

And what about signal? If some gov founds a group chat they don’t like, will they take it down? How will they even know if all the contente is encrypted?

CSAM? More like copyright infringement. CSAM is the usual cheap excuse to shut down everything because of the obvious social implications.

While I don’t disagree with you, I don’t believe that if MTProto 2 was breakable govts would be putting the shit show they’re putting right now.

You should consider replacing Proxmox with LXD/Incus because, depending in your needs, you might be able to replace your Proxmox instances with Incus and avoid a few headaches in the future.

While being free and open-source software, Proxmox requires a payed license for the stable version and updates. Furthermore the Proxmox guys have been found to withhold important security updates from non-stable (not paying) users for weeks.

Incus / LXD is an alternative that offers most of the Proxmox’s functionality while being fully open-source – 100% free and it can be installed on most Linux systems. You can create clusters, download, manage and create OS images, run backups and restores, bootstrap things with cloud-init, move containers and VMs between servers (even live sometimes).

Incus also provides a unified experience to deal with both LXC containers and VMs, no need to learn two different tools / APIs as the same commands and options will be used to manage both. Even profiles defining storage, network resources and other policies can be shared and applied across both containers and VMs. The same thing can’t be said about Proxmox, while it tries to make things smoother there are a few inconsistencies and incompatibilities there.

Incus is free can be installed on any clean Debian system with little to no overhead and on the release of Debian 13 it will be included on the repositories.

Another interesting advantage of Incus is that you can move containers and VMs between hosts with different base kernels and Linux distros. If you’ve bought into the immutable distro movement you can also have your hosts run an immutable with Incus on top.

Incus Under Debian 12

If you’re on stable Debian 12 then you’ve a couple of options:

• Run the LXD version provided on their repositories: this will give you LXD 5.0.2 LTS that is guaranteed to be compatible with Debian 13’s Incus. Note that this was added before Canonical decided to move LXD in-house;
• Use the backported version as described here: https://linuxcontainers.org/incus/docs/main/installing/;
• Get the latest Incus pre-compiled from https://github.com/zabbly/incus and install as described above.

In the first option you’ll get a Debian 12 stable system with a stable LXD 5.0.2 LTS, it works really well however it doesn’t provide a WebUI. The second and third options will give you the latest Incus but they might not be as stable. Personally I was running LXD from Snap since Debian 10, and moved to LXD 5.0.2 LTS repository under Debian 12 because I don’t care about the WebUI. I can see how some people, particularly those coming from Proxmox, would like the WebUI so getting the latest Incus might be a good option.

I believe most people running Proxmox today will, eventually, move to Incus and never look back, I just hope they do before Proxmox GmbH changes their licensing schemes or something fails. If you don’t require all features of Proxmox then Incus works way better with less overhead, is true open-source, requires no subscriptions, and doesn’t delay important security updates.

Note that modern versions of Proxmox already use LXC containers so why not move to Incus that is made by the same people? Why keep dragging all of the Proxmox overhead and potencial issues?