If you don’t mind I am curious to hear your reasons.

For the same reasons KeePassXC encrypt their databases and Signal got backlash for storing encryption keys in plaintext. Encryption doesn’t protect against everything, but it is a big deterrent against many attacks.

I edit notes using vim or vscodium.

You should probably try moving away from this practice. First, this leaves your notes vulnerable as they are not encrypted at rest. Second, those programs are not designed for private notes, meaning there is the potential for various leaks to happen that you may not even be able to catch (temporary system files, etc.). Using a dedicated notes editor (like Joplin) means you are using something designed to keep your notes confidential.

Disclaimer: In the case of Joplin specifically, the developers take issue with implementing encryption at rest. Their philosophy is “If your computer’s disk is encrypted, then all your notes are already encrypted at rest.” This is flawed thinking for many reasons that I won’t get into here.

I would recommend Joplin, for these reasons:

1. It’s digital (of course)
2. It’s cross platform: iOS, Linux, Windows, macOS, and Android
3. It’s fully open source
4. It supports end-to-end encrypted syncing with different providers: Joplin Cloud, Dropbox, OneDrive, File system (for things like Syncthing), Nextcloud, WebDAV, S3 (Beta), and Joplin Server (Beta)
5. It supports markdown editing

When looking for software in general, write down what you are looking for and what your requirements are. Then, consider if there are any conflicting requirements (e.g. “I want my handwritten notes to be transcribed, but I don’t want any kind of handwriting recognition”). From there, you can make tough decisions or find a compromise. Then, think about any problems that may arise in the future. Do you plan to switch operating systems to something like GrapheneOS? Do you want to move away from cloud storage altogether? From there, you can get a good idea of what to look for. Good luck!

Lemmy is open source, maybe someone could make a JavaScript-free frontend?

Some things simply cannot be done without JavaScript, as unfortunate as that is.

Most Lemmy instances already work without JavaScript, but if you want a more friendly experience without JavaScript, you can browse using https://old.lemmy.world/

A brief internet search shows that surprisingly, hosting Jellyfin on OpenWRT should work…

I still find it hilarious that since dd-wrt and OpenWrt are just… Linux, you could install Super Mario Bros on there. I checked, nobody seems to have tried.

I’ve never used tailscale, I’m afraid. Normally I would say: just use whatever seems easier to set up on your device/network; however, note that tailscale needs a “coordinate server”. No actual traffic ever goes through it, it just facilitates key exchanges and the like (from what I understand), but regardless, it’s a server outside your control which is involved in some way. You can selfhost this server, but that is additional work, of course…

Ah, that make sense. Is Wireguard P2P?

Glad I could help, after being so unhelpful yesterday :)

Don’t beat yourself up, you were fine. Because I’m big on privacy, when I ask for help I have a bad habit of leaving out the “why” behind my choices, so it’s understandable that people weren’t happy with what I needed.

Eh… Marriage is not really common in either of our families. We agreed to go sign the papers if there ever is a tax reason, lol. Sorry if that’s a bit unromantic :D Nice rings though ^^

I need to go make a petition to raise taxes then! /s

You both are perfect for each other, so don’t screw it up!

Once I finally ditch iOS for good

I had that feeling for all too long. It’s so refreshing to break free. Word of advice: make sure to switch over your Signal account to make your new phone as an owner

You planning on GrapheneOS?

I’ve been able to use Proton for torrenting, although at abysmal speeds. I don’t acquire many new videos, so this isn’t an issue quite yet. When I have more money I will absolutely be switching to Mullvad VPN.

THIS

While I would make the modification to use Android’s Private Space instead of a work profile (or Shelter instead of Insular), this was such an obvious solution, and I feel stupid for not seeing it. I might use Wireguard instead of Tailscale, I don’t know yet, but thank you! Consider yourself an outside the box thinker!

We all got hung up on trying to fix Proton, when Android was the issue here!

Hi again.

Hi there!

Set up ProtonVPN on the raspberry pi.

I’m actually surprised nobody suggested simply using the Pi with OpenWrt as my own router. Though, that would make it hard to host Jellyfin.

Nots that this requires you trusting the pi to the same degree that you trust your phone.

For the most part, I trust the security of my Pi. I can hold it in my hand and see every line of code, after all!

Devices which you take with you, like your phone, unfortunately will loose internet connectivity when you leave your home until you switch off Wireguard, and switch on Proton, and not be able to connect to Jellyfin when you return home, until you switch them back.

I plan to post a tutorial about how to securely host Jellyfin. Another user gave a solution to this problem that I absolutely love, and I’ll showcase it there. I don’t want to spoil it :)

Could you explain Wireguard vs. Tailscale in this scenario?

Thank you all so much for your help! This is likely the solution I will go with, combined with another one, so again thank you so much!

P.S. I don’t care if you wrap an ethernet cord around her finger, get going!

OP, I have been facing the same situation as you in this community recently. This was not the case when I first joined Lemmy but the behaviour around these parts has started to resemble Reddit more and more. But we’ll leave it at that.

I’ve noticed that behavior is split between communities. Lemmy gets a bit weird because communities are usually hyper-specialized, and sometimes instances themselves cultivate different cultures (e.g. lemmy.ml is usually for privacy enthusiasts, since that’s where c/privacy is hosted). That, with the addition of specific idols for each community (e.g. Louis Rossmann for the selfhosted community) affects how each community behaves. That’s my theory, anyways.

I am interested in the attack vector you mentioned; could you elaborate on the MITM attack?

Basically the “this website is not secure” popup you see in your browser is sometimes due to the website using a self-signed cert. There’s no way to verify that that cert is from the website itself or from an attacker trying to inject their own cert, since there’s no CA attached to the cert. If an attacker injects their own self-signed cert, they can use that to decrypt your HTTPS traffic (since your browser will be encrypting using their cert) and then forward your traffic along to the real website so that from your perspective (minus the warning screen) nothing is wrong. I’m oversimplifying this, but that’s basically how it works.

Unfortunately, if you don’t have control over your network, you cannot force a DNS server for your devices unless you can set it yourself for every individual client.

I forgot to mention in this post, but because of browser fingerprinting reasons I don’t want to use a custom DNS. Thanks for the suggestion though!

Thank you for this!

Is OPNsense like dd-wrt or OpenWrt?

The thing is (and this is by no means a knock on you) if you are doing pen testing then you definitely need to increase your knowledge on networking.

I have background in Wi-Fi hacking and LAN attacks, and I understand the structure of networking (LAN, WAN, layers of the internet, DNS, CAs, etc.). My head starts to hurt when RADIUS is involved, ad hoc networking (which I understand the concepts of, just not how it works. I want to learn this first), mDNS, and other complicated topics. I’m trying to push past those mental roadblocks and learn as best I can, but it’s a tricky topic!

https://wiki.freeradius.org/

There’s something to check out just to get some concepts. You can do plenty of things to harden your security that could give you the comfort you need without defaulting to encrypted connections over LAN.

Thank you! I’ll definitely check this out. You’ve been a huge help!

I’m interested in you and your girlfriend’s thoughts on my new post about this issue.

P.S. She’s a keeper. Marry her already!

Although not ideal, I would be willing to pay for ProtonVPN (or another) if that’s what is required. If I did have LAN connections, what are my options? Eventually I will get a more trustworthy router, but I still don’t want to trust it by sending data in plaintext, even if I can control it and enable port forwarding.

Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption.

For real though, if you think someone is (or might be) listening in on your local network, i.e. have physical access or compromised one of your machines, then the Jellyfin traffic is the least of your problems. Pick your battles. What’s the worst that could happen here - someone gets to know your favorite show?

A bad router + bad ISP combo means I get ratted out for copyrighted material (that I don’t have… I only host creative commons videos on my Jellyfin server, of course…)

This is fair, and does solve the problem. I didn’t explicitly state that I needed it to be convenient, so you’re right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn’t solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.

That makes me wonder if there’s a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?

Just out of curiosity, why is your network not a trusted party?

Part of my threat model is essentially “anything that can connect to the internet poses a security risk”. Since networks are the literal gateway to the internet, it is reasonable not to trust them. Routers don’t run as secure operating systems as Qubes OS, secureblue, or GrapheneOS. If a malicious party found a way to connect to the network, all unencrypted activities can be intercepted. If the router itself has malicious code, any unencrypted traffic can be sent to a third party. Those are just the basics, but trying to put band-aid solutions on a fundamentally broken system is a losing battle.

GrapheneOS distrusts networks as much as possible, so I do too. Even if I own the network, I am not a network engineer, so the chances of fault are high. In the simplest case, the network is a gateway to all activity that happens on the LAN, and it only takes one zero day to make that happen. The best mitigation is proper encryption and no self-signed certificates (where possible).

No, it can run along anything, as long as you don’t conflict the IP space assigned to a VPN.

I tried Tailscale on Android, and it isn’t working because it requires the active VPN slot occupied by ProtonVPN.