This page is part of my digital garden.

This page might be unfinished or have typos. These pages are meant as part of a public living notebook to be edited over time. For more, visit the page explaining the concept of a digital garden.

Networking

Some Links:

TCP/IP

  • TCP/IP Illustrated, Volume 1 (2nd ed.) by Kevin R. Fall and W. Richard Stevens

Bufferbloat

tc_cake

tc-cake is a relatively recent queue discipline, merged into Linux 4.19. You can enable it by loading the sch_cake kernel module.

You can set it as the default queue discipline (for qdiscs created from then on; interfaces that already exist keep their current root qdisc until you replace it with tc) by configuring your kernel like this:

sysctl -w net.core.default_qdisc=cake

To make that survive a reboot, put net.core.default_qdisc = cake in a file under /etc/sysctl.d/. Note that cake installed this way runs unshaped; for the bufferbloat case you also want to tell it the link rate with the bandwidth option.
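Putting the pieces together, here is an added example (not from this page) of installing CAKE on an uplink and making it the default qdisc. The interface name eth0 and the rate 950mbit are placeholders; the rate should be set a little under your real uplink speed. Applying it needs root.

```shell
#!/bin/sh
# Added example (not from the page): install CAKE on an uplink and make it the
# default qdisc. eth0 and 950mbit are placeholders; set them for your own WAN
# interface and link rate. Applying needs root.
set -eu

# tc command that makes CAKE the root qdisc on an interface.
# "bandwidth" is the part that actually fixes bufferbloat: shaping a little
# below the real uplink rate keeps the queue inside CAKE (where it is managed)
# instead of in the modem or the ISP's equipment, which CAKE cannot control.
# "nat" looks through the conntrack table so per-host fairness sees the LAN
# hosts behind NAT; "diffserv4" honours DSCP marks with four priority tins.
cake_root_cmd() {
    printf 'tc qdisc replace dev %s root cake bandwidth %s nat diffserv4\n' "$1" "$2"
}

# Load the module and make cake the default for qdiscs created from now on.
# Interfaces that already exist keep their current root qdisc until replaced.
cake_default_cmds() {
    printf 'modprobe sch_cake\n'
    printf 'sysctl -w net.core.default_qdisc=cake\n'
}

# Show what would run (default) or run it ("apply IFACE RATE").
if [ "${1:-}" = apply ]; then
    { cake_default_cmds; cake_root_cmd "$2" "$3"; } | sh -eux
    # Statistics confirm cake is in place and show drops/marks per tin.
    tc -s qdisc show dev "$2"
else
    echo '# plan (run with: apply eth0 950mbit)'
    cake_default_cmds
    cake_root_cmd "${2:-eth0}" "${3:-950mbit}"
fi
```

Without arguments the script only prints the commands it would run, which is the safe way to check it on a machine before touching a live uplink. Run it with apply and your own interface and rate to install cake, then re-run a bufferbloat test to see the difference.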

Thunderbolt

If you have a proper data USB-C Thunderbolt cable (very specific; usually not the charging cable that comes with an iPad/MacBook Pro/MacBook Air/etc.) you can literally hook up two computers and they will talk IP over Thunderbolt.

That gets you roughly 10 Gbit/s network speeds without exotic hardware. So if you need to do a big transfer or want a faster link between two machines, you can simply do it over a Thunderbolt cable.

VPNs

tl;dr: you should use Tailscale. VPN services can be useful, but are not perfect. Tor is also not perfect.

What is a VPN?

A VPN is one of a couple things:

  • Software servers and clients which help create private connections between networks
  • The network created by that software

A private network is usually something like the network inside your home, which by default is inaccessible from the outside (even though from inside you can reach things outside). A Virtual Private Network (VPN) creates a software-based version of this private network, and is often used for remotely accessing a private network such as your home or office.

Examples of VPN software or VPN-like software:

  • WireGuard
  • Tailscale (uses WireGuard)
  • OpenVPN
  • Tor
  • IPsec
  • SSH tunnels
  • stunnel

Why VPNs?

Inside your private network only a limited number of devices can see the packets flowing and what they contain. Usually only your router (or combined router+modem) has that vantage point; you control it, and you can replace it fairly easily. On the open internet, by contrast, many routers and switches make up the path, and inspecting packets on them is a routine part of security monitoring, ad profiling, and intelligence gathering.

Besides that, because of phones, laptops and so on, we are constantly moving around. Where before we could maybe use IP addresses for access control, that is no longer good enough: our IPs change constantly as we move between networks or cell towers.

Putting things like web servers on the internet without some form of IP address restriction means anyone can attempt to access them: brute force passwords, flood them until they fail (DoS/DDoS), or exploit them to get access to the underlying system (SQL injection, RCE, etc.). Software has bugs, and using firewalls to prevent access in the first place makes things much easier to secure without needing to thoroughly scrutinize every piece of software.

VPNs use encryption to let us send data to and from our private networks securely over possibly hostile public networks. A VPN also acts as a way to authenticate and authorize access to services in our private network from anywhere, without opening them up to everyone.

Zero Trust Networking (No VPNs)

VPNs can be annoying: they need to be configured and updated, and they sometimes lead to a false sense of security. Just because something is behind a VPN doesn't mean a connected computer couldn't be compromised and give attackers access. That's why you still need things like HTTPS/TLS and passwords for services inside your private network.

Zero Trust Networking is the idea that we should use VPNs where they make sense, but still act as if the servers were public. In this paradigm even private networks are treated as public, and servers use cryptography to authenticate and authorize every other computer talking to them. This can be overwhelming to set up and maintain.

Thankfully there are tools like Tailscale that provide solid building blocks for a true Virtual Private Network of all your devices, reachable from anywhere. Installing and authenticating Tailscale on every device lets that device join your network, and Tailscale figures out the best path between each pair of devices. Tailscale piggy-backs on the security of identity providers like Google or Microsoft accounts for authenticating users, then uses WireGuard to secure the traffic between devices. Tailscale also manages expiring devices regularly, rotating their encryption keys, and deploying ACL rules to each device to control who can access what, even inside the virtual network they are authenticated into.

VPN Services

Tailscale is not a VPN service. They provide infrastructure for securing and managing private network(s), whereas a VPN service typically means a service that lets you access the internet through a VPN, hiding your traffic from the company providing your internet connection, for example Comcast/Xfinity, AT&T, or T-Mobile.

They let you access public servers on the internet over their connections, so it looks like you're wherever their servers are. It also means that between your computer and the VPN service everything is encrypted, so only the VPN service (and whoever sits beyond its exit, including the destination server) can see what you're doing.

If the VPN service does not log which connections were made by you or meant for you, then if someone later watches the traffic coming out of the VPN service's servers it would be very difficult to attribute it to you. This is what makes VPN services attractive for privacy, but it is also what makes them great targets.

It is difficult to impossible to know whether a provider is actually not logging, and also not accidentally logging in some other way.
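To make the two VPN shapes on this page concrete (remote access to a private network under "Why VPNs?", and the everything-exits-elsewhere shape of a VPN service), here is an added example, not from this page and not Tailscale's or WireGuard's own code, that renders a minimal WireGuard config for a home server and a roaming laptop. In WireGuard the key pair is the identity and AllowedIPs is the authorization, so the same server config serves both cases; only the client's AllowedIPs differs. The tunnel subnet 10.8.0.0/24, the home LAN 192.168.1.0/24, the endpoint vpn.example.org:51820 and the placeholder keys are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the page): render a minimal WireGuard config for a
# home "server" and a roaming laptop. Everything concrete here is a placeholder:
# 10.8.0.0/24 (tunnel), 192.168.1.0/24 (home LAN), vpn.example.org:51820.
set -eu

TUNNEL_NET=10.8.0.0/24

# Key pair = identity. Uses wg(8) when installed; otherwise emits placeholder
# strings so the config layout can still be inspected on a machine without it.
gen_keypair() {
    if command -v wg >/dev/null 2>&1; then
        priv=$(wg genkey)
        pub=$(printf '%s\n' "$priv" | wg pubkey)
    else
        priv="<$1-private-key>"
        pub="<$1-public-key>"
    fi
    printf '%s %s\n' "$priv" "$pub"
}

# Server side. Each [Peer] both authenticates a client (only the holder of that
# private key can complete the handshake) and authorizes it: AllowedIPs is the
# only source address accepted from that key, and the only destination routed
# back to it. Peers are given as name:pubkey:tunnel_ip.
server_conf() {
    srv_priv=$1; srv_addr=$2; port=$3; shift 3
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nListenPort = %s\n' \
        "$srv_priv" "$srv_addr" "$port"
    for peer in "$@"; do
        name=${peer%%:*}; rest=${peer#*:}; pub=${rest%%:*}; ip=${rest#*:}
        printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pub" "$ip"
    done
}

# Client side. Here AllowedIPs decides what enters the tunnel:
#   split: only the tunnel and the home LAN (remote access to a private network)
#   full : 0.0.0.0/0, ::/0, every packet leaves via the server (VPN-service shape)
client_conf() {
    cli_priv=$1; cli_addr=$2; srv_pub=$3; endpoint=$4; mode=$5; lan=$6
    case $mode in
        split) allowed="$TUNNEL_NET, $lan" ;;
        full)  allowed='0.0.0.0/0, ::/0' ;;
        *)     echo "client_conf: unknown mode '$mode'" >&2; return 1 ;;
    esac
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$cli_priv" "$cli_addr"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$srv_pub" "$endpoint" "$allowed"
}

# Demo: one server, one laptop, shown in both modes.
set -- $(gen_keypair server);  SRV_PRIV=$1; SRV_PUB=$2
set -- $(gen_keypair laptop);  CLI_PRIV=$1; CLI_PUB=$2
echo '### home server: /etc/wireguard/wg0.conf'
server_conf "$SRV_PRIV" 10.8.0.1/24 51820 "laptop:$CLI_PUB:10.8.0.2"
echo; echo '### laptop, split tunnel (reach the home LAN only)'
client_conf "$CLI_PRIV" 10.8.0.2/32 "$SRV_PUB" vpn.example.org:51820 split 192.168.1.0/24
echo; echo '### laptop, full tunnel (all traffic exits at home)'
client_conf "$CLI_PRIV" 10.8.0.2/32 "$SRV_PUB" vpn.example.org:51820 full 192.168.1.0/24
```

The generated files hold a PrivateKey, so they belong in /etc/wireguard with mode 0600, and wg-quick up wg0 brings either side up. Two things the example deliberately does not do: the server must also forward packets (net.ipv4.ip_forward=1) for the laptop to reach the LAN, and the full-tunnel case additionally needs the server to masquerade the laptop's traffic out to the internet. Also note that a compromised laptop still holds a valid key, which is the false sense of security the Zero Trust section warns about; the key gets it onto the network, not past the services' own authentication.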
