Right.....

I run a Pi Hole at home which is a DNS with a massive blacklist of
3,500,000 URLs which all relate to Malvertising, Adverts trackers,
referer URLs, news aggregators like taboola and outbrain, this is so
successful that over 60% of DNS requests are blocked and web pages load
so much faster and my privacy on the web is much improved.....

See: https://ibb.co/d6mRZJg

So all my computers have the same internet experience at home via the
home DNS.

I also set up and installed a Wireguard VPN server at home and put
Wireguard on all my mobile phones. So all phones VPN back to my home and
use *my* DNS rather than a public DNS liek cloudflare or Quad9 9 or
Google's own. It does not matter if this is over Public Wifi or over the
mobile phone network.

So whenever I surf the internet on my smart phones anywhere in the
world, I get the same experience as at home. This is really useful when
the mobile data speed is not very good as I am avoiding downloading all
the ads and trackers etc.

However there are occasions where I am not at home and a smart phone
just does not cut the mustard.

So I am forced sometimes to surf the internet on a friends or family
computer and I get force fed all these unwanted adverts and trackers.

Now what I'd like to do is be able to surf the internet on any one's
computer using my own home DNS.....

Now the question is how to do this?

Please assume the following:

1. I have a static IP at home.

2. I have fibre to the home which gives me 500 Mbit UP and 500 Mbit DOWN.

3. I currently only have one port open on my fibre router for incoming
connections to my Wireguard Server. This Wireguard server holds the DNS
IP settings. There is just one port forwarding rule which forwards from
the outside world to the Wireguard VPN server. Obviously, all
connections are encrypted as the remote devices are running Wireguard VPN.

4. My friends or family will typically have Chrome or Edge or Firefox
browsers on their computers

5. Assume I will not be allowed to or cannot download and install
additional software to their computer.

I have looked into having a virtual PC, such as Shadow as I could
install Wireguard on that to connect back to home and a simple web
browser can be used to access Shadow. However, I would have to pay from
£30 a month. See https://shadow.tech/en-gb/

I've wondered about setting up a Web top server on say a Raspberry Pi 4
at home, but presumably I'd have to set up HTTPS as well for a secured
connection as I can't use Wireguard on a remote PC.

I would also have to set up a port forwarding rule for the Raspberry Pi
4. As I understand it a Web Top presents a windows or linux desktop over
a internet browser session. This would obviously be configured to use my
Home DNS.

I've heard of LogMeIn and GoToMyPC but that obviously requires a PC
powered up at home to accept remote connections? Is this secure and
could this be done on a Raspberry Pi running Linux? This would obviously
be configured to use my Home DNS.

Over to you all for discussion!

On 07/01/2022 21:48, SH wrote:
> Over to you all for discussion!

I disallow trackers, but allow quite a few ads.

This is the funding of a lot of the web sites. If everyone blocks all
their ads they'll have no revenue and shut down.

Andy

On 07/01/2022 21:53, Vir Campestris wrote:
> On 07/01/2022 21:48, SH wrote:
>> Over to you all for discussion!
>
> I disallow trackers, but allow quite a few ads.
>
> This is the funding of a lot of the web sites. If everyone blocks all
> their ads they'll have no revenue and shut down.
>
> Andy

I don't mind small and non-intrusive ads but when you have:

sky scraper ads on both sides of the webpage

ads between every single paragraph as you scroll down the page

and pop up ads that appear on top of the webpage

ads that remain at the top 1/4 of the browser window as you scroll down

is what I find very objectionable. :-)

SH <i.love.spam@spam.com> wrote:
> I've wondered about setting up a Web top server on say a Raspberry Pi 4
> at home, but presumably I'd have to set up HTTPS as well for a secured
> connection as I can't use Wireguard on a remote PC.

There's VNC in the browser:
https://novnc.com/info.html
so you could VNC back to your Raspberry Pi (or whatever) from a browser, and
then run a browser inside a browser.

I'm not 100% clear on the security of this approach (I don't know how
they're doing authentication and encryption of the websocket, although
presumably the VNC servers who integrate websocket support must have worked
that out?), but you could set firewall rules so that the Pi can't see the
rest of your network. That way if anyone compromises the Pi they can't get
anywhere else inside, they can only attack the internet.

Theo

On 7 Jan 2022 at 22:02:01 GMT, "SH" <i.love.spam@spam.com> wrote:

> On 07/01/2022 21:53, Vir Campestris wrote:
>> On 07/01/2022 21:48, SH wrote:
>>> Over to you all for discussion!
>>
>> I disallow trackers, but allow quite a few ads.
>>
>> This is the funding of a lot of the web sites. If everyone blocks all
>> their ads they'll have no revenue and shut down.
>>
>> Andy
>
> I don't mind small and non-intrusive ads but when you have:
>
> sky scraper ads on both sides of the webpage
>
> ads between every single paragraph as you scroll down the page
>
> and pop up ads that appear on top of the webpage
>
> ads that remain at the top 1/4 of the browser window as you scroll down
>
> is what I find very objectionable. :-)

IME local newspapers are worst for this to the point of making them unreadable
online.

--
Cheers, Rob

On 07/01/2022 21:48, SH wrote:

>
> I've wondered about setting up a Web top server on say a Raspberry Pi 4
> at home, but presumably I'd have to set up HTTPS as well for a secured
> connection as I can't use Wireguard on a remote PC.
>

I've installed Apache Guacamole on a Linux box that sits on the internal
lan. This works well as an RDP gateway to other PCs on the that lan, and
is very useable for me through a VPN when accessed from outside.

https://guacamole.apache.org/

Some folks have installed this OK on a Pi.

> 5. Assume I will not be allowed to or cannot download and install additional software to their computer.

It's a web server at the end of the day and will work without the VPN.

However you obfuscate the port forwarding solution you use, you are
going to have idiots attempting all sorts of nonsense to break in.

If you can install an SSL identity certificate on the users browser,
then that may be a way forward.

--
Adrian C

On 08/01/2022 08:20, Adrian Caspersz wrote:
> On 07/01/2022 21:48, SH wrote:
>
>>
>> I've wondered about setting up a Web top server on say a Raspberry Pi
>> 4 at home, but presumably I'd have to set up HTTPS as well for a
>> secured connection as I can't use Wireguard on a remote PC.
>>
>
> I've installed Apache Guacamole on a Linux box that sits on the internal
> lan. This works well as an RDP gateway to other PCs on the that lan, and
> is very useable for me through a VPN when accessed from outside.
>
> https://guacamole.apache.org/
>
> Some folks have installed this OK on a Pi.
>
>> 5. Assume I will not be allowed to or cannot download and install
>> additional software to their computer.
>
> It's a web server at the end of the day and will work without the VPN.
>
> However you obfuscate the port forwarding solution you use, you are
> going to have idiots attempting all sorts of nonsense to break in.
>
> If you can install an SSL identity certificate on the users browser,
> then that may be a way forward >

that sounds like an idea worth exploring, perhaps I could put Apache
Guacomole on the DMZ of my LAN, so the idea is that I can set up
firewall rules so that the Apache box can access the DNS on the LAN side
and accept remote conenctions from the WAN?

In fact I could replicate the DNS server so that I have two, one on the
DMZ for the Apache and leave the original on the LAN side.

On 08/01/2022 07:10, RJH wrote:
> On 7 Jan 2022 at 22:02:01 GMT, "SH" <i.love.spam@spam.com> wrote:
>
>> On 07/01/2022 21:53, Vir Campestris wrote:
>>> On 07/01/2022 21:48, SH wrote:
>>>> Over to you all for discussion!
>>>
>>> I disallow trackers, but allow quite a few ads.
>>>
>>> This is the funding of a lot of the web sites. If everyone blocks all
>>> their ads they'll have no revenue and shut down.
>>>
>>> Andy
>>
>> I don't mind small and non-intrusive ads but when you have:
>>
>> sky scraper ads on both sides of the webpage
>>
>> ads between every single paragraph as you scroll down the page
>>
>> and pop up ads that appear on top of the webpage
>>
>> ads that remain at the top 1/4 of the browser window as you scroll down
>>
>> is what I find very objectionable. :-)
>
> IME local newspapers are worst for this to the point of making them unreadable
> online.
>

yes absolutely spot on,and not only that when you look at regional news
on the BBC website, you see links for articles on the local paper....

The hyperlink has the title of the news article IN BOLD and then
underneath it has the name of the local paper hosting that article but
it does not look like a clickable link at first glance.

when you click on the atrticle title hyperlink, it takes you to

https://ct.moreover.com/?a= blah blah

rather than

http://www.name_of_local_newspaper/news/article/blah blah

The DNS I have blocks CT.moreover.com so I get a "This site can't be
reached"

I end up having to click on the 2nd hyperlink which takes me to the
front page of the local newspaper such as
http://www.name_of_local_paper.co.uk and then search for the article title.

The Independent is terrible for adverts and trackers, the Daily Mail is
not far behind either.

The worst was teh Taboola and Outbrain stuff cunningly labelled as
"Around the Web" but you get taken to sites where the article is across
multiple pages and loads of adverts and lots of multiple "Next" buttons
but only one of them actually takes you to the nexty page, the others
take you to other websites....

The WWW is really the Wild West Web!

On 08/01/2022 10:31, SH wrote:
> On 08/01/2022 08:20, Adrian Caspersz wrote:
>> On 07/01/2022 21:48, SH wrote:
>>
>>>
>>> I've wondered about setting up a Web top server on say a Raspberry Pi
>>> 4 at home, but presumably I'd have to set up HTTPS as well for a
>>> secured connection as I can't use Wireguard on a remote PC.
>>>
>>
>> I've installed Apache Guacamole on a Linux box that sits on the
>> internal lan. This works well as an RDP gateway to other PCs on the
>> that lan, and is very useable for me through a VPN when accessed from
>> outside.
>>
>> https://guacamole.apache.org/
>>
>> Some folks have installed this OK on a Pi.
>>
>>> 5. Assume I will not be allowed to or cannot download and install
>>> additional software to their computer.
>>
>> It's a web server at the end of the day and will work without the VPN.
>>
>> However you obfuscate the port forwarding solution you use, you are
>> going to have idiots attempting all sorts of nonsense to break in.
>>
>> If you can install an SSL identity certificate on the users browser,
>> then that may be a way forward >
>
>  that sounds like an idea worth exploring, perhaps I could put Apache
> Guacomole on the DMZ of my LAN, so the idea is that I can set up
> firewall rules so that the Apache box can access the DNS on the LAN side
> and accept remote conenctions from the WAN?
>
> In fact I could replicate the DNS server so that I have two, one on the
> DMZ for the Apache and leave the original on the LAN side.

Hmmmm..... Just been reading the documentation.....

It looks like I'd have to either:

have 3 Raspberry Pi's on the WAN or DMZ side where one is the Linux
desktop, one is the Gaucamole server ane one is a clone of my original DNS.

or try and fit 3 docker images on one Raspberry Pi to do a desktop, a
DNS clone and the Gaucamole docker image?

I've not used Docker, and not certain that a single R Pi can do all this
but a 3 R Pi solution is more expensive.

SH.

SH <i.love.spam@spam.com> wrote:
> Hmmmm..... Just been reading the documentation.....
>
> It looks like I'd have to either:
>
> have 3 Raspberry Pi's on the WAN or DMZ side where one is the Linux
> desktop, one is the Gaucamole server ane one is a clone of my original DNS.
>
> or try and fit 3 docker images on one Raspberry Pi to do a desktop, a
> DNS clone and the Gaucamole docker image?
>
> I've not used Docker, and not certain that a single R Pi can do all this
> but a 3 R Pi solution is more expensive.

I don't see why you need three machines. You need to run:

1. A VNC/RDP/etc server to provide the desktop you want to log in to
2. A Guacamole server to offer that on the web
3. A DNS server to do your filtering

but they can run on the same hardware. 'Server' doesn't mean 'piece of
metal' it means 'program' (aka 'daemon' for a thing that sits in the
background waiting to respond to requests).

I'm assuming you already have #3, so you can just point your new setup's DNS
at that.

For #1 and #2, I'd just run Raspberry Pi OS which provides a desktop out of
the box. Then install a VNC server on that, and then install Guacamole.
That does all the desktop stuff.

You could also run #3 on the same machine, to keep it all together.

I'm not familiar with how much CPU/RAM resource Guacamole would need, but I
don't imagine it's vast - probably a Pi 3 or 4 would be sufficient to run
everything (especially the versions with >1GB because browsers like their
RAM), maybe not a Zero/1/2.

Doing this with Docker just makes things a bit easier to manage all these
services talking together, and avoids you having to build Guacamole, but I
wouldn't learn Docker just for the sake of this project - you can just
install Guacamole natively:
https://guacamole.apache.org/doc/gug/installing-guacamole.html

You could also use a Windows/Mac/Linux machine on your network to offer #1,
if you prefer to offer that desktop experience, which would avoid Pi RAM
limitations.

Theo

On 07/01/2022 21:48, SH wrote:
> Right.....
>
> I run a Pi Hole at home which is a DNS with a massive blacklist of
> 3,500,000 URLs which all relate to Malvertising, Adverts trackers,
> referer URLs, news aggregators like taboola and outbrain, this is so
> successful that over 60% of DNS requests are blocked and web pages load
> so much faster and my privacy on the web is much improved.....

Can I go off at a tangent - please forgive me. I buy my internet
connection from Zen, which is quite a sophisticated ISP. If this is so
easy to implement, why don't Zen (or some other ISP) offer a DNS with a
similar blacklist?

Is there a market niche here?

On 08/01/2022 12:39, GB wrote:
> On 07/01/2022 21:48, SH wrote:
>> Right.....
>>
>> I run a Pi Hole at home which is a DNS with a massive blacklist of
>> 3,500,000 URLs which all relate to Malvertising, Adverts trackers,
>> referer URLs, news aggregators like taboola and outbrain, this is so
>> successful that over 60% of DNS requests are blocked and web pages
>> load so much faster and my privacy on the web is much improved.....
>
> Can I go off at a tangent - please forgive me. I buy my internet
> connection from Zen, which is quite a sophisticated ISP. If this is so
> easy to implement, why don't Zen (or some other ISP) offer a DNS with a
> similar blacklist?
>
> Is there a market niche here?
>
>

Thats an excellent question......

There are a range of free public DNS such as CloudFlare, Quad9, Google,
OpenDNS, Comodo, Level3 and many more.

Now many ISP's run a proxy DNS sitting between you and the external
public DNS.

The ISP's router default settings typically points to the Proxy DNS.

There are many reasons for this:

The ISP's can implement blocklists to block access to filesharing sites,
usually in response to a UK court order by some studio enforcing their
content rights.

Also the IWF have a list of website URLs where they are known to host
illegal content and this is used by the Major ISP to prevent access.

The Proxy DNS can also log what sites their subscribers visit, so they
can sell on data to advertisers on which sites are the most visited on a
per user basis, which websites are the most used across all customers etc.

They can also do whats called DNS hijacking where if a public DNS
returns no such webpage, you then get the ISP's own search engine
offering you alternatives rather than a Error 404 page.

Some ISP's offer child cybersafety options that limit access to sites
dealign with drugs, alcohol, gambling, suicide etc, that is done at the
Proxy DNS level.

Very often, when you get the router, it has the DNS IP addresses set up
in it or is obtained from the ISP by the DHCP daemon in the router.

If you want to do your own DNS, you need to disable the DHCP in the
router and set up your own DHCP and either point to a public DNS or your
own DNS yourself.

PiHole can do this.

Now my own DNS holds a blacklist of 3,500,000 URLs but it does talk to
an upstream public DNS if I want to access a website for the first time
(my DNS caches my searches)

I currently use CloudFlare.

there are some other public DNS that do offer child safety such as
AdGuardDNS.

SOme public DNS can offer protection against dodgy sites such as

https://www.csoonline.com/article/2876075/6-dns-services-protect-against-malware-and-other-unwanted-content.html

but again, to access these you need to change router settings....

Hope that helps?

S.

On 08/01/2022 13:14, SH wrote:
> On 08/01/2022 12:39, GB wrote:
>> On 07/01/2022 21:48, SH wrote:
>>> Right.....
>>>
>>> I run a Pi Hole at home which is a DNS with a massive blacklist of
>>> 3,500,000 URLs which all relate to Malvertising, Adverts trackers,
>>> referer URLs, news aggregators like taboola and outbrain, this is so
>>> successful that over 60% of DNS requests are blocked and web pages
>>> load so much faster and my privacy on the web is much improved.....
>>
>> Can I go off at a tangent - please forgive me. I buy my internet
>> connection from Zen, which is quite a sophisticated ISP. If this is so
>> easy to implement, why don't Zen (or some other ISP) offer a DNS with
>> a similar blacklist?
>>
>> Is there a market niche here?
>>
>>
>
> Thats an excellent question......
>
> There are a range of free public DNS such as CloudFlare, Quad9, Google,
> OpenDNS, Comodo, Level3 and many more.
>
> Now many ISP's run a proxy DNS sitting between you and the external
> public DNS.
>
> The ISP's router default settings typically points to the Proxy DNS.
>
> There are many reasons for this:
>
> The ISP's can implement blocklists to block access to filesharing sites,
> usually in response to a UK court order by some studio enforcing their
> content rights.
>
> Also the IWF have a list of website URLs where they are known to host
> illegal content and this is used by the Major ISP to prevent access.
>
> The Proxy DNS can also log what sites their subscribers visit, so they
> can sell on data to advertisers on which sites are the most visited on a
> per user basis, which websites are the most used across all customers etc.
>
> They can also do whats called DNS hijacking where if a public DNS
> returns no such webpage, you then get the ISP's own search engine
> offering you alternatives rather than a Error 404 page.
>
> Some ISP's offer child cybersafety options that limit access to sites
> dealign with drugs, alcohol, gambling, suicide etc, that is done at the
> Proxy DNS level.
>
> Very often, when you get the router, it has the DNS IP addresses set up
> in it or is obtained from the ISP by the DHCP daemon in the router.
>
> If you want to do your own DNS, you need to disable the DHCP in the
> router and set up your own DHCP and either point to a public DNS or your
> own DNS yourself.
>
> PiHole can do this.
>
> Now my own DNS holds a blacklist of 3,500,000 URLs but it does talk to
> an upstream public DNS if I want to access a website for the first time
> (my DNS caches my searches)
>
> I currently use CloudFlare.
>
> there are some other public DNS that do offer child safety such as
> AdGuardDNS.
>
> SOme public DNS can offer protection against dodgy sites such as
>
> https://www.csoonline.com/article/2876075/6-dns-services-protect-against-malware-and-other-unwanted-content.html
>
>
> but again, to access these you need to change router settings....
>
> Hope that helps?
>
> S.
>

P.S. there is no commercial incentive really for the ISP to filter out
adverts or trackers and it goes against net neutrality rules where all
IP packets from anywhere are of equal value no matter what the actual
data is within the IP packet.

Some content providers do produce so much data such as film/content
(such as Netflix!) providers that there has been hints that ISPs want to
charge the providers to reflect the extra costs of networking
instructure to handle the amount of data they have to transport over
their networks.....

On 08/01/2022 11:41, Theo wrote:
> SH <i.love.spam@spam.com> wrote:
>> Hmmmm..... Just been reading the documentation.....
>>
>> It looks like I'd have to either:
>>
>> have 3 Raspberry Pi's on the WAN or DMZ side where one is the Linux
>> desktop, one is the Gaucamole server ane one is a clone of my original DNS.
>>
>> or try and fit 3 docker images on one Raspberry Pi to do a desktop, a
>> DNS clone and the Gaucamole docker image?
>>
>> I've not used Docker, and not certain that a single R Pi can do all this
>> but a 3 R Pi solution is more expensive.
>
> I don't see why you need three machines. You need to run:
>
> 1. A VNC/RDP/etc server to provide the desktop you want to log in to
> 2. A Guacamole server to offer that on the web
> 3. A DNS server to do your filtering
>
> but they can run on the same hardware. 'Server' doesn't mean 'piece of
> metal' it means 'program' (aka 'daemon' for a thing that sits in the
> background waiting to respond to requests).
>
> I'm assuming you already have #3, so you can just point your new setup's DNS
> at that.
>
> For #1 and #2, I'd just run Raspberry Pi OS which provides a desktop out of
> the box. Then install a VNC server on that, and then install Guacamole.
> That does all the desktop stuff.
>
> You could also run #3 on the same machine, to keep it all together.
>
> I'm not familiar with how much CPU/RAM resource Guacamole would need, but I
> don't imagine it's vast - probably a Pi 3 or 4 would be sufficient to run
> everything (especially the versions with >1GB because browsers like their
> RAM), maybe not a Zero/1/2.
>
> Doing this with Docker just makes things a bit easier to manage all these
> services talking together, and avoids you having to build Guacamole, but I
> wouldn't learn Docker just for the sake of this project - you can just
> install Guacamole natively:
> https://guacamole.apache.org/doc/gug/installing-guacamole.html
>
> You could also use a Windows/Mac/Linux machine on your network to offer #1,
> if you prefer to offer that desktop experience, which would avoid Pi RAM
> limitations.
>
> Theo

Hmm.... my current Raspberry pi runs Raspbian which then gives teh full
desktop plus a browser, The pi Hole is then installed, followed by
Wireguard and followed by Ubiquiti Network Controller.

It is then run headless without a monitor to provide the DNS, VPN and
Wireless network monitoring.....

SO it does look like from what you say I could get another Rapsberryu
Pi, put Raspbian on that, followed by VNC/RDP/etc followed by Gaucamole
and followed by a clone of my own DNS and pop this on the DMZ so it
becomes completely self contained and isolated from the LAN.

I only intend to use it as a remote web browser with filtered DNS as I
have no need to anything else. If I need to do office work, I do have
O365 anyway.

I've looked around the web for a Pi 4 but they are all out of stock
everywhere :-(

p.p.s....

The comms between your PC and the public DNS is the clear, with no
encryption or user aaccount authentication.

so someone could set up a fake evil twin DNS, pretend to be a "real"
public DNS and send you DNS replies that send you to fake websites or
direct you to websites that are laden with malware or malvertising hence
compromising your machine.

You can mitigate against this by implementng DNSSEC and DoH between your
home network and a public DNS that supports DNSSEC and DoH.

Both Cloudflare and Quad9 support DNSSEC and DoH.

DoH is DNS over HTTPS.

DNSSEC is DNS Security Extensions.

On 07/01/2022 21:48, SH wrote:
> Right.....
>
> I run a Pi Hole at home which is a DNS with a massive blacklist of
> 3,500,000 URLs which all relate to Malvertising, Adverts trackers,
> referer URLs, news aggregators like taboola and outbrain, this is so
> successful that over 60% of DNS requests are blocked and web pages
> load so much faster and my privacy on the web is much improved.....
>
> See: https://ibb.co/d6mRZJg
>
> So all my computers have the same internet experience at home via the
> home DNS.
>
> I also set up and installed a Wireguard VPN server at home and put
> Wireguard on all my mobile phones. So all phones VPN back to my home
> and use *my* DNS rather than a public DNS liek cloudflare or Quad9 9
> or Google's own. It does not matter if this is over Public Wifi or
> over the mobile phone network.
>
> So whenever I surf the internet on my smart phones anywhere in the
> world, I get the same experience as at home. This is really useful
> when the mobile data speed is not very good as I am avoiding
> downloading all the ads and trackers etc.
>
> However there are occasions where I am not at home and a smart phone
> just does not cut the mustard.
>
> So I am forced sometimes to surf the internet on a friends or family
> computer and I get force fed all these unwanted adverts and trackers.
>
> Now what I'd like to do is be able to surf the internet on any one's
> computer using my own home DNS.....
>
> Now the question is how to do this?
>
> Please assume the following:
>
> 1. I have a static IP at home.
>
> 2. I have fibre to the home which gives me 500 Mbit UP and 500 Mbit DOWN.
>
> 3. I currently only have one port open on my fibre router for incoming
> connections to my Wireguard Server. This Wireguard server holds the
> DNS IP settings. There is just one port forwarding rule which forwards
> from the outside world to the Wireguard VPN server. Obviously, all
> connections are encrypted as the remote devices are running Wireguard
> VPN.
>
> 4. My friends or family will typically have Chrome or Edge or Firefox
> browsers on their computers
>
> 5. Assume I will not be allowed to or cannot download and install
> additional software to their computer.
>
> I have looked into having a virtual PC, such as Shadow as I could
> install Wireguard on that to connect back to home and a simple web
> browser can be used to access Shadow. However, I would have to pay
> from £30 a month.  See https://shadow.tech/en-gb/
>
> I've wondered about setting up a Web top server on say a Raspberry Pi
> 4 at home, but presumably I'd have to set up HTTPS as well for a
> secured connection as I can't use Wireguard on a remote PC.
>
> I would also have to set up a port forwarding rule for the Raspberry
> Pi 4. As I understand it a Web Top presents a windows or linux desktop
> over a internet browser session. This would obviously be configured to
> use my Home DNS.
>
> I've heard of LogMeIn and GoToMyPC but that obviously requires a PC
> powered up at home to accept remote connections? Is this secure and
> could this be done on a Raspberry Pi running Linux? This would
> obviously be configured to use my Home DNS.
>
> Over to you all for discussion!

Simple solution will be buy a cheap laptop set it up as you like and
take it with you and use it instead.

On 10/01/2022 08:57, Raj Kundra wrote:
> On 07/01/2022 21:48, SH wrote:
>> Right.....
>>
>> I run a Pi Hole at home which is a DNS with a massive blacklist of
>> 3,500,000 URLs which all relate to Malvertising, Adverts trackers,
>> referer URLs, news aggregators like taboola and outbrain, this is so
>> successful that over 60% of DNS requests are blocked and web pages
>> load so much faster and my privacy on the web is much improved.....
>>
>> See: https://ibb.co/d6mRZJg
>>
>> So all my computers have the same internet experience at home via the
>> home DNS.
>>
>> I also set up and installed a Wireguard VPN server at home and put
>> Wireguard on all my mobile phones. So all phones VPN back to my home
>> and use *my* DNS rather than a public DNS liek cloudflare or Quad9 9
>> or Google's own. It does not matter if this is over Public Wifi or
>> over the mobile phone network.
>>
>> So whenever I surf the internet on my smart phones anywhere in the
>> world, I get the same experience as at home. This is really useful
>> when the mobile data speed is not very good as I am avoiding
>> downloading all the ads and trackers etc.
>>
>> However there are occasions where I am not at home and a smart phone
>> just does not cut the mustard.
>>
>> So I am forced sometimes to surf the internet on a friends or family
>> computer and I get force fed all these unwanted adverts and trackers.
>>
>> Now what I'd like to do is be able to surf the internet on any one's
>> computer using my own home DNS.....
>>
>> Now the question is how to do this?
>>
>> Please assume the following:
>>
>> 1. I have a static IP at home.
>>
>> 2. I have fibre to the home which gives me 500 Mbit UP and 500 Mbit DOWN.
>>
>> 3. I currently only have one port open on my fibre router for incoming
>> connections to my Wireguard Server. This Wireguard server holds the
>> DNS IP settings. There is just one port forwarding rule which forwards
>> from the outside world to the Wireguard VPN server. Obviously, all
>> connections are encrypted as the remote devices are running Wireguard
>> VPN.
>>
>> 4. My friends or family will typically have Chrome or Edge or Firefox
>> browsers on their computers
>>
>> 5. Assume I will not be allowed to or cannot download and install
>> additional software to their computer.
>>
>> I have looked into having a virtual PC, such as Shadow as I could
>> install Wireguard on that to connect back to home and a simple web
>> browser can be used to access Shadow. However, I would have to pay
>> from £30 a month.  See https://shadow.tech/en-gb/
>>
>> I've wondered about setting up a Web top server on say a Raspberry Pi
>> 4 at home, but presumably I'd have to set up HTTPS as well for a
>> secured connection as I can't use Wireguard on a remote PC.
>>
>> I would also have to set up a port forwarding rule for the Raspberry
>> Pi 4. As I understand it a Web Top presents a windows or linux desktop
>> over a internet browser session. This would obviously be configured to
>> use my Home DNS.
>>
>> I've heard of LogMeIn and GoToMyPC but that obviously requires a PC
>> powered up at home to accept remote connections? Is this secure and
>> could this be done on a Raspberry Pi running Linux? This would
>> obviously be configured to use my Home DNS.
>>
>> Over to you all for discussion!
>
> Simple solution will be buy a cheap laptop set it up as you like and
> take it with you and use it instead.
>

Agreed...... but not everyone likes disclosing their WiFi password. :-)

However, I could perhaps consider a Pi 4 with Linux, Wireguard, RDP/VNC
and Gaucamole.

Plug that via ethernet into friends/family router and plug into wall
socket via USB-C, then go to their PC and access that Pi via a browser
and then I would have a VPN back to home and hence access to my DNS.

Pi 4's are in short supply so I have a question, can Linux be put onto a
Intel NUC?

On 10/01/2022 09:31, SH wrote:
> On 10/01/2022 08:57, Raj Kundra wrote:
>> On 07/01/2022 21:48, SH wrote:
>>> Right.....
>>>
>>> I run a Pi Hole at home which is a DNS with a massive blacklist of
>>> 3,500,000 URLs which all relate to Malvertising, Adverts trackers,
>>> referer URLs, news aggregators like taboola and outbrain, this is so
>>> successful that over 60% of DNS requests are blocked and web pages
>>> load so much faster and my privacy on the web is much improved.....
>>>
>>> See: https://ibb.co/d6mRZJg
>>>
>>> So all my computers have the same internet experience at home via the
>>> home DNS.
>>>
>>> I also set up and installed a Wireguard VPN server at home and put
>>> Wireguard on all my mobile phones. So all phones VPN back to my home
>>> and use *my* DNS rather than a public DNS liek cloudflare or Quad9 9
>>> or Google's own. It does not matter if this is over Public Wifi or
>>> over the mobile phone network.
>>>
>>> So whenever I surf the internet on my smart phones anywhere in the
>>> world, I get the same experience as at home. This is really useful
>>> when the mobile data speed is not very good as I am avoiding
>>> downloading all the ads and trackers etc.
>>>
>>> However there are occasions where I am not at home and a smart phone
>>> just does not cut the mustard.
>>>
>>> So I am forced sometimes to surf the internet on a friends or family
>>> computer and I get force fed all these unwanted adverts and trackers.
>>>
>>> Now what I'd like to do is be able to surf the internet on any one's
>>> computer using my own home DNS.....
>>>
>>> Now the question is how to do this?
>>>
>>> Please assume the following:
>>>
>>> 1. I have a static IP at home.
>>>
>>> 2. I have fibre to the home which gives me 500 Mbit UP and 500 Mbit
>>> DOWN.
>>>
>>> 3. I currently only have one port open on my fibre router for
>>> incoming connections to my Wireguard Server. This Wireguard server
>>> holds the DNS IP settings. There is just one port forwarding rule
>>> which forwards from the outside world to the Wireguard VPN server.
>>> Obviously, all connections are encrypted as the remote devices are
>>> running Wireguard VPN.
>>>
>>> 4. My friends or family will typically have Chrome or Edge or Firefox
>>> browsers on their computers
>>>
>>> 5. Assume I will not be allowed to or cannot download and install
>>> additional software to their computer.
>>>
>>> I have looked into having a virtual PC, such as Shadow as I could
>>> install Wireguard on that to connect back to home and a simple web
>>> browser can be used to access Shadow. However, I would have to pay
>>> from £30 a month.  See https://shadow.tech/en-gb/
>>>
>>> I've wondered about setting up a Web top server on say a Raspberry Pi
>>> 4 at home, but presumably I'd have to set up HTTPS as well for a
>>> secured connection as I can't use Wireguard on a remote PC.
>>>
>>> I would also have to set up a port forwarding rule for the Raspberry
>>> Pi 4. As I understand it a Web Top presents a windows or linux
>>> desktop over a internet browser session. This would obviously be
>>> configured to use my Home DNS.
>>>
>>> I've heard of LogMeIn and GoToMyPC but that obviously requires a PC
>>> powered up at home to accept remote connections? Is this secure and
>>> could this be done on a Raspberry Pi running Linux? This would
>>> obviously be configured to use my Home DNS.
>>>
>>> Over to you all for discussion!
>>
>> Simple solution will be buy a cheap laptop set it up as you like and
>> take it with you and use it instead.
>>
>
>
> Agreed...... but not everyone likes disclosing their WiFi password. :-)
>
>
> However, I could perhaps consider a Pi 4 with Linux, Wireguard, RDP/VNC
> and Gaucamole.
>
> Plug that via ethernet into friends/family router and plug into wall
> socket via USB-C, then go to their PC and access that Pi via a browser
> and then I would have a VPN back to home and hence access to my DNS.
>
> Pi 4's are in short supply so I have a question, can Linux be put onto a
> Intel NUC?

P.S. that prompts a question, how to determine the IP address of the
device I plug into a friends/familys router assuming I am not allowed to
access teh router pages or download and install Angry IP scanner?

Is there a commnd line command I can use to show a list of attached
network devices and their device IPs?

SH <i.love.spam@spam.com> wrote:
> On 10/01/2022 09:31, SH wrote:
> > Pi 4's are in short supply so I have a question, can Linux be put onto a
> > Intel NUC?

Of course. You might also look at ex-corporate mini desktops:
https://www.servethehome.com/introducing-project-tinyminimicro-home-lab-revolution/
which can be had a lot cheaper secondhand than a NUC.

> P.S. that prompts a question, how to determine the IP address of the
> device I plug into a friends/familys router assuming I am not allowed to
> access teh router pages or download and install Angry IP scanner?
>
> Is there a commnd line command I can use to show a list of attached
> network devices and their device IPs?

arp -a

should tell you the MAC address of devices on the same network segment that
your computer has talked to. At least on things with a Unixy network stack
- Windows might be different (although tools like nslookup can come over).
Although you might need admin rights to do it.

Theo

SH <i.love.spam@spam.com> writes:
> On 10/01/2022 08:57, Raj Kundra wrote:
>> Simple solution will be buy a cheap laptop set it up as you like and
>> take it with you and use it instead.
>
> Agreed...... but not everyone likes disclosing their WiFi password. :-)

If they’re letting you have access to the computer you already have
access to their network (and probably more).

> However, I could perhaps consider a Pi 4 with Linux, Wireguard,
> RDP/VNC and Gaucamole.
>
> Plug that via ethernet into friends/family router and plug into wall
> socket via USB-C, then go to their PC and access that Pi via a browser
> and then I would have a VPN back to home and hence access to my DNS.
>
> Pi 4's are in short supply so I have a question, can Linux be put onto
> a Intel NUC?

I have a NUC running Linux, it works fine.

However, the normal solution to your requirements is a laptop.

--
https://www.greenend.org.uk/rjk/

On 10/01/2022 12:42, Richard Kettlewell wrote:
> SH <i.love.spam@spam.com> writes:
>> On 10/01/2022 08:57, Raj Kundra wrote:
>>> Simple solution will be buy a cheap laptop set it up as you like and
>>> take it with you and use it instead.
>>
>> Agreed...... but not everyone likes disclosing their WiFi password. :-)
>
> If they’re letting you have access to the computer you already have
> access to their network (and probably more).
>
>> However, I could perhaps consider a Pi 4 with Linux, Wireguard,
>> RDP/VNC and Gaucamole.
>>
>> Plug that via ethernet into friends/family router and plug into wall
>> socket via USB-C, then go to their PC and access that Pi via a browser
>> and then I would have a VPN back to home and hence access to my DNS.
>>
>> Pi 4's are in short supply so I have a question, can Linux be put onto
>> a Intel NUC?
>
> I have a NUC running Linux, it works fine.
>
> However, the normal solution to your requirements is a laptop.
>

Mmnnnn. I don't disagree.....

it does mean planning ahead for unexpected needs to access internet and
lugging said laptop around.... plus I've got to secure laptop at all
times against theft.

it'd be easier that if I do need internet access, I can just hop on
someone's computer, fire up their browser and surf via my personal DNS.

Perhaps a NUC on my DMZ running linux, a clone of my DNS, RDP/VNC and
gaucamole might be a way forward as NUC seem easier to get hold of vs a
R Pi.

On 10/01/2022 09:31, SH wrote:
> Agreed...... but not everyone likes disclosing their WiFi password

Then they are not friends are family worth bothering with.

On 10/01/2022 21:48, Raj Kundra wrote:
> On 10/01/2022 09:31, SH wrote:
>> Agreed...... but not everyone likes disclosing their WiFi password
>
> Then they are not friends are family worth bothering with.
>

that may be so, but it still leaves me with a problem of being able to
use my own DNS rather than the one(s) that the friend/family's ISP is
using....

WHich bring me back to my OP. :-)

On 1/10/2022 4:21 PM, SH wrote:
> On 10/01/2022 21:48, Raj Kundra wrote:
>> On 10/01/2022 09:31, SH wrote:
>>> Agreed...... but not everyone likes disclosing their WiFi password
>>
>> Then they are not friends are family worth bothering with.
>>
>
> that may be so, but it still leaves me with a problem of being able to
> use my own DNS rather than the one(s) that the friend/family's ISP is
> using....
>
> WHich bring me back to my OP. :-)
You could walk around with one of those PC's on a flash drive. Linux
and possibly a version of Windows could be setup that way. Boot the
local PC and tell it to use the flash rather than internal hard drive.

You would preset the portable OS drive to use your VPN tunnel the same
as your cell phones. When done, remove the flash drive and reboot the
hosts PC and all would be back to "normal".

Many flash drives are now physically small enough to be placed onto a
key ring.

On 11/01/2022 04:35, GlowingBlueMist wrote:
> On 1/10/2022 4:21 PM, SH wrote:
>> On 10/01/2022 21:48, Raj Kundra wrote:
>>> On 10/01/2022 09:31, SH wrote:
>>>> Agreed...... but not everyone likes disclosing their WiFi password
>>>
>>> Then they are not friends are family worth bothering with.
>>>
>>
>> that may be so, but it still leaves me with a problem of being able to
>> use my own DNS rather than the one(s) that the friend/family's ISP is
>> using....
>>
>> WHich bring me back to my OP. :-)
> You could walk around with one of those PC's on a flash drive.  Linux
> and possibly a version of Windows could be setup that way.  Boot the
> local PC and tell it to use the flash rather than internal hard drive.
>
> You would preset the portable OS drive to use your VPN tunnel the same
> as your cell phones.  When done, remove the flash drive and reboot the
> hosts PC and all would be back to "normal".
>
> Many flash drives are now physically small enough to be placed onto a
> key ring.

Thats not a bad idea actually.... (*)

now to find a very lightweight Linux distro that boots qucikly and
allows persistence back to the USB stick.....

(*) assuming that the Bios has got USB set as a boot drive before the
HDD, if not, that the bios is not PWD protected or the owner might ask
questions as to why I need to go into the bios!