Well yes I know, but there is a difference between using a domain bound to me as a person and a random string of numbers that changes every 5 minutes

Ok I can understand awareness. This whole time I've been thinking, Plex started in 2008 and 'Plex Hate' followed about two years into it's existence and has perpetuated itself for these 15 +/- years now. So I'm wondering, if during this time, anyone's personal narrator went off in their head with something like:

Hey bro....you know we're gonna have to dismount.

Awww maaan!

Yeah, I know it's your little honey hole but we're going to have to marry it if this keeps up.

Perhaps I misread the tone of the article.

The iOS app is the exception for now but with the CLI and the core libs being open source it’s at least not off the table to make an alternate iOS client I’d say.

I am a newbie so I am not sure I understand correctly. Tell me if my understanding is good.

Your Pi-Hole act as your DNS, so the VPS use the pi-hole through the tunnel to check for the translation IP, as set through the DNS directive in the wg file. For example, my pi-hole is at 10.0.20.5, so the DNS will be that address.

On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)

So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.

So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.

Does that make sense?

Nerds stop recommending corporate crap: challenge: impossible

Or get something like a rapsberry-pi (second hand or on a sale). I have netbird running on it and I can use it to access my home network and also use it as tunnel my traffic through it.

I decided to experiment a bit with Headscale when the wg-easy v15 update broke my chained VPN setup. Got it all set up with Headplane for a UI, worked amazingly, until I learned I was supposed to set it all up on a VPS instead and couldn't actually access it if I wasn't initially on my home network, oops.

I might play around with it again down the road with a cheap VPS, didn't take long to get it going, but realistically my setup's access is 95% me and 5% my wife so Wireguard works fine (reverted back to wg-easy v14 until v15 allows disabling ipv6 though, since that seemed to be what was causing the issues I've been seeing).

My entire setup might not be your entire setup, I have the basic functionality of connecting multiple systems into one mesh network. That's all I needed so it's all I did.

the VPS uses the pi-hole through the tunnel

The VPS is Pihole, the dns for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the dns address.

server dns - itself

client dns - the server's wg address

On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)

Only if your router/firewall can directly connect to wg tunnels, but I went for every machine individually. My router isn't aware I host anything at all.

So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.

Pihole (in my case) can't see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.

So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.

Allowed ips = 10.x.x.0/24 - only connects the clients and server together

Allowed ips = 0.0.0.0/0 - sends everything through the VPN, and connects the clients and server together.

Do the top one, that's how TS works.

Thanks for the info, I appreciate it.

What you want to look at is the size of the hate and the material reasons for it. And that's fairly difficult to measure if you're not paying close attention. Plex hate has been growing dramatically over the last few years because they materially changed their service. They began collecting data some time ago and now they are selling it unless you go and opt out. So the hate is much larger and louder for that reason. For me those last changes were the straw that made it clear we're just one small push for profit away from my sailing habits getting sold to the American copyright lobby. So I'm currently trialling Jellyfin.

In addition as some have highlighted Jellyfin is markedly different from Plex or Emby in that it's open source and if something happens to it, forking is the way out, which already happened since Jellyfin is a fork of Emby. Migrating from one open source project to its fork is usually trivial compared to migrating from a proprietary service to another one. And there's no reasonable chance of my data ending up in the RIAA/MPAA's hands. So the Plex -> Jellyfin switch everyone is doing is not merely switching to another horse. It's more like switching to completely different vehicle that you can maintain indefinitely.

E: This process we currently call "enshittification" (not a new process) has now been experienced by wide swaths of people where previously only a small minority understood it. I think that drives faster and wider reaction to these patterns as they're now very familiar. I think that's a good thing. I used to give corporations more benefit of the doubt and think in balance but then I did not understand why they do what they do. Now I do and the benefit of the doubt is gone unless there's something material to support it. Like having open source clients.

It's more common with mobile-based connections like satellite connections or mobile-LTE data based connections, I believe.

Or be like me stuck in the 2000s using OpenVPN still in 2025 lol

there’s no reasonable chance of my data ending up in the RIAA/MPAA’s hands

Well, I have had dealings with the RIAA back in the pre-Napster era when audio on the internet had not really come into it's own and most people associated audio on the internet with GeoCities midis....pretty crappy stuff. I ran a fairly successful, fully liscensed, internet radio station with a company called the IM Radio Networks. They along with Phillips created one of the world's first bookshelf stereos that could 'tune in' internet radio as well as AM/FM. Even went to Washington with others to plead our case before a hearing that included Senator Leahy. Yeah, the RIAA are a bunch of reactive assholes and have never been proactive since AM radio first crackled into people's homes.

I used to give corporations more benefit of the doubt and think in balance

I've always figured that if it was offered for free on the internet, there were always going to be strings and at some point I'd have to do something different to achieve the same results I was looking for.

Chances are you've had the same public IP for a long time. Mine hasn't changed in 2 years.

I mean is anything iOS really open source?

@chronicledmonocle @Vinstaal0 I used to work for a dial-up ISP. Every IP is registered to an account, if you're going through your ISP (as opposed to, say, coffee shop or hotel wifi). Though the people who have the information are different (ICANN/registrar vs your internet provider), there's no anonymity in your home IP address even with CGNAT.

We've implemented netbird at my company, we're pretty happy with it overall.

The main drawback is that it has no way of handling multiple different accounts on the same machine, and they don't seem to have any plans for ever really solving that. As long as you can live with that, it's a good solution.

Support is a mixed bag. Mostly just a slack server, kind of lacking in what I'd call enterprise level support. But development seems to be moving at a rapid pace, and they're definitely in that "Small but eager" stage where everything happens quickly. I've reported bugs and had them fixed the same day.

Everything is open source. Backend, clients, the whole bag. So if they ever try to enshittify, you can just take your ball and leave.

Also, the security tools are really cool. Instead of writing out firewall rules by hand like Tailscale, they have a really nice, really simple GUI for setting up all your ACLs. I found it very intuitive.

I didn't really get the allure of it TBH. For most home-based nerds a simple Wireguard host (or OpnSense, OpenWRT etc running such) should be fine, and there are better options for commercial from better-known vendors in the network security space

Used to run OpenVPN. Tried Wireguard and the performance was much better, although lacking some of the features some might need/want fit credential-based logins etc