246 points nh2 | 19 comments
1. bluGill ◴[] No.41913725[source]
Looks good, but I want to MitM my network. I want youtube.com to redirect to my internal server that only has a few approved videos. My kids do some nice piano lessons from youtube, but every time I let them they wait until I'm out of the room and then switch to something else. There are lots of other great educational videos on youtube, but also plenty to waste their time on. (I want this myself as well since I won't have ads on my internal youtube server - plus it will add an extra step and thus keep me from getting distracted to something that isn't a good use of my time to watch.)
replies(3): >>41914060 #>>41914606 #>>41916523 #
2. EvanAnderson ◴[] No.41914060[source]
> Looks good, but I want to MitM my network.

Increasingly that kind of requirement puts you in the same camp as oppressive nation states. Being a network operator and wanting to MitM your DNS makes you a political actor. Devices you paid for, but don't actually own, will end-run your efforts by using their own hard-coded DNS servers. (See https://pc.nanog.org/static/published/meetings/NANOG77/2033/...)

replies(4): >>41914284 #>>41915594 #>>41916597 #>>41919020 #
3. bluGill ◴[] No.41914284[source]
Fortunately I own my firewall. Though mostly I'm talking about linux machines that I own and control the software on.

Though I fully understand I'm in the same camp as oppressive nation states. But until my kids get older I'm in charge, I need to set them up for success in life, which is a complex balance of letting them have freedom without allowing them to make too many bad decisions. Not getting their homework done because they are watching videos is one bad decision I'm trying to prevent.

replies(2): >>41915926 #>>41916070 #
4. andiareso ◴[] No.41914606[source]
What services are you self hosting for local YouTube? Right now I just hand pick videos and they get lifted by my plex server, but having a nice route to my internal YouTube will be great for when my kids get to that age!
replies(1): >>41914621 #
5. bluGill ◴[] No.41914621[source]
I'm looking for an answer to that. https://invidious.io/ looks like what I want, but I haven't tried it to see.
6. tredre3 ◴[] No.41915594[source]
> Devices you paid for, but don't actually own, will end-run your efforts by using their own hard-coded DNS servers.

Not just devices, JetBrains software has hardcoded DNS too. I've had to resort to blocking its traffic entirely because of the sheer number of servers and ports it tries in order to work around my DNS blocking; now I allow traffic only during license/update checks. I'm sure other large vendors do something similar.

https://intellij-support.jetbrains.com/hc/en-us/community/po...

7. throwway120385 ◴[] No.41915926{3}[source]
Importantly, this is a reasonable thing to do because sites like Youtube are designed to draw their attention away from whatever important thing they're doing so that Youtube can serve them advertisements. So anyone thinking a parent trying to control what their kid watches is oppressive somehow is pretty deeply in the wrong. As a parent myself I would consider doing this to keep my son from falling into the traps that are set by giant multinational internet companies like Google to get him to form habits around Google instead of habits around what he wants or needs out of life.

So really instead of thinking about this like "parents are acting like nation states" I think it's much better to think of it like "parents are countering corporate nation states."

replies(1): >>41916006 #
8. EvanAnderson ◴[] No.41916006{4}[source]
It's totally reasonable. My position is that I think network operators and owners should be able to do what they want. I was just pointing out that virtually any time a network operator or owner wants to control the traffic in their network a certain crowd comes out of the woodwork and decries abuse by bad actors.
replies(1): >>41920425 #
9. EvanAnderson ◴[] No.41916070{3}[source]
> Fortunately I own my firewall.

I was thinking more about embedded devices that people buy but don't own (Chromecast devices, "Smart" home doodads, etc). You can stick them in a VLAN and filter their access to the Internet but they're inscrutable inside and have opaque, encrypted communication with their "mother ship".

I think your goal with your kids is laudable. I do the same thing. It limits the ability to use off-the-shelf devices and software, and I'll get more flak about it as my daughter gets older and is excluded from the "social" applications that I can't allow her to use because they're closed-source and not able to be effectively filtered. I'll burn that bridge when I get there, I suppose...

10. lenova ◴[] No.41916523[source]
Out of curiosity, which software/app are you using to MitM on your home network?
replies(1): >>41917485 #
11. recursive ◴[] No.41916597[source]
Parents are the oppressive nation-states of their families.
12. bluGill ◴[] No.41917485[source]
Currently I'm not. I would like to, but I'm not sure how to make it work. If I have a youtube video that I downloaded, I can make youtube.com point to my own web server, but everything after the domain needs to point to the correct things to make it play and I'm not sure how to do that (I also haven't looked).
replies(1): >>41917689 #
13. ndriscoll ◴[] No.41917689{3}[source]
You'll probably have an easier time blocking youtube (or the Internet in general) on the devices in question and running something like Jellyfin locally to serve your library.
replies(1): >>41918045 #
14. bluGill ◴[] No.41918045{4}[source]
The hard part is my kids' online piano lesson embeds youtube videos for the lesson. They have enough other content that I paid for an account for my kids, but the videos direct to youtube, not someplace they host, which means I can't block any of youtube. This is a common way to do things - my kid's school often sends them to some youtube video for some lesson.

Of course once you finish one youtube video it switches to a "you might want to watch next" which is not the educational content I want them on.

replies(1): >>41919908 #
15. mannyv ◴[] No.41919020[source]
With MikroTik and presumably other vendors you can force DNS to your DNS. I do this so I can Pi-hole everything and see what sneaky things devices are doing.
replies(1): >>41919816 #
16. EvanAnderson ◴[] No.41919816{3}[source]
Sort of. That doesn't help if they're doing DoH and you're unwilling to MitM all the SSL (and, if you are, then you have to worry they've pinned certs).
replies(1): >>41920310 #
17. ndriscoll ◴[] No.41919908{5}[source]
If you control the client (e.g. you can use LibreWolf), then you could do something like this Greasemonkey script to rewrite youtube iframes into a locally hosted video file with the same name as the youtube video id:

https://gist.github.com/ndriscoll/2f1c98a125c0d4a4f6f993e077...

The event listener might have an annoying perf impact, and if the sites with the embed don't use javascript to build the page, you might be able to leave it off.
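
An added example of the rewrite described above, written for this page and not ndriscoll's gist: a userscript that swaps YouTube embeds for a `<video>` element pointing at a local copy named after the video id. It assumes a hypothetical local media server at `http://videos.lan` that serves `<videoId>.mp4`; the id is validated against YouTube's 11-character alphabet before it is put into a URL, so a page cannot use the script to point the player at an arbitrary local path. Pages that build the embed with JavaScript after load are handled with a MutationObserver rather than a per-event listener, which is one way around the performance concern mentioned.

```javascript
// ==UserScript==
// @name         Local YouTube embeds (added example, not the original gist)
// @match        *://*/*
// @grant        none
// ==/UserScript==

// Hypothetical local server that serves <videoId>.mp4 (assumption for this example).
const LOCAL_BASE = "http://videos.lan";

// Extract the 11-char YouTube video id from the URL forms embeds and links use.
// Returns null for anything that is not a recognisable YouTube video URL.
function youtubeVideoId(src) {
  let url;
  try { url = new URL(src, "https://www.youtube.com"); } catch { return null; }
  const host = url.hostname.replace(/^www\./, "");
  const idRe = /^[A-Za-z0-9_-]{11}$/;   // YouTube video ids are exactly 11 of these
  let id = null;
  if (host === "youtu.be") {
    id = url.pathname.slice(1).split("/")[0];
  } else if (host === "youtube.com" || host === "m.youtube.com" || host === "youtube-nocookie.com") {
    const m = url.pathname.match(/^\/(?:embed|v|shorts)\/([^/?]+)/);
    if (m) id = m[1];
    else if (url.pathname === "/watch") id = url.searchParams.get("v");
  }
  return id && idRe.test(id) ? id : null;
}

// Map an embed URL to the local file, or null if it is not a YouTube embed.
function localSourceFor(src, base = LOCAL_BASE) {
  const id = youtubeVideoId(src);
  return id ? `${base}/${encodeURIComponent(id)}.mp4` : null;
}

// Replace one <iframe> with a <video> pointing at the local copy.
// Non-YouTube iframes are left untouched. Returns true if rewritten.
function rewriteFrame(frame, doc) {
  const target = localSourceFor(frame.getAttribute("src") || "");
  if (!target) return false;
  const video = doc.createElement("video");
  video.controls = true;
  video.src = target;
  video.width = frame.width || 640;
  video.height = frame.height || 360;
  frame.replaceWith(video);
  return true;
}

// Rewrite every iframe under `root`; returns how many were replaced.
function rewriteAll(root, doc) {
  let count = 0;
  for (const frame of root.querySelectorAll("iframe[src]")) {
    if (rewriteFrame(frame, doc)) count++;
  }
  return count;
}

// Browser entry point (skipped when the pure functions are loaded in Node).
if (typeof document !== "undefined") {
  rewriteAll(document, document);
  // Catch embeds the page inserts later via JavaScript. For static pages this
  // observer can be dropped, as the original comment suggests.
  new MutationObserver((records) => {
    for (const r of records) {
      for (const node of r.addedNodes) {
        if (node.nodeType !== 1) continue;           // elements only
        if (node.tagName === "IFRAME") rewriteFrame(node, document);
        else rewriteAll(node, document);
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Because the script only rewrites sources it can map to a validated id, an embed it does not recognise keeps working as before; if the goal is to make sure nothing falls through to youtube.com, combine it with a network-level block so the unmapped case fails closed instead.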

18. mannyv ◴[] No.41920310{4}[source]
Luckily DoH doesn't seem to be implemented by devices yet. And I could do MitM, because most devices don't really seem to verify their TLS certs.

One day they will do both, but that day is probably far away.

And they are on my network, so if they don't function without their own DNS that's OK by me.

19. int_19h ◴[] No.41920425{5}[source]
Size and scope matters. Large network operators that have a de facto monopoly on Internet access in many places should absolutely not be able to do what they want, but this is a function of their market power, not something inherent to any network operator.