Void auth, or kanidm look like easier alternatives.
Journalists communicating with sources in censored regions
Whistleblowers sharing information securely
You and your peer agree on an encryption key (any string).
This is unacceptably unsecure for the usecases you mention. There is a reason why the most secure messaging apps don’t use symetric encryption, don’t use passphrases, and they also possess forward secrecy.
It’s pointless to push this as a censhorship circumvention method when many other methods exist that already do so 10x better, in a secure way, over decentralized, hidden and unblockable infrastructure. (Tor’s meek-azure bridges use microsoft’s infrastructure, which nobody is able to block because everybody depends on it, even China).
I appreciate the project, and I am always happy to see people learning, progressing, and publishing their results, but you need to be honest about the weaknesses of your software compared to established solutions. It’s not impossible for you to one day produce a secure messaging app, but today is not the day. Right now, using this is just a fast way to get killed.
Also try wireguard over port 53. Often (udp) traffic to port 53 is unblocked because it’s needed for DNS.
What is special about this setup is that it can sometimes get around captive portal wifi.
hides as regular HTTPS traffic so it’s not blockable by Firewalls
From OP’s post, of course. If OP does not need to evade firewalls that are that aggressive, then they should have settled for a less stealthy VPN solution, as many of these HTTPS proxy solutions have performance and usability (can often only proxy TCP traffic) tradeoffs.
Perhaps they have already tried the wireguard on port 443 solution, and it didn’t work for them. My high school would auto detect and block wireguard to any port. Perhaps they are in a similar situation.
Many of the prominent https VPN protocols are for evading the great firewall of China. OP had that as a requirement, so it is not an unreasonable assumption.
If you are evading less locked down firewalls, then you don’t need as stealthy VPNs.
Yes because they are all designed to evade the great firewall of China, which automatically catches almost all other VPN’s and proxies.
Github is blocked in China. The fact that these repos are on Github and Chinese is proof of their effectiveness.
If you are not a Gitea customer, you are not being informed of security updates in a timely manner:
Gitea repeatedly makes choices that leave Gitea admins exposed to known vulnerabilities during extended periods of time. For instance Gitea spent resources to undergo a SOC2 security audit for its SaaS offering while critical vulnerabilities demanded a new release. Advance notice of security releases is for customers only.
https://forgejo.org/compare-to-gitea/#security
Also, ForgeJo was promising federation which is still a WIP several years later.
Oh no, it doesn’t do the big feature™. I guess it’s unusable now.
I wish people would realize that software still works and is excellent even without the various flagship features. I use Kubernetes on a single node. I know there are people who use matrix without federation and e2ee because it’s actually a really good chat app, it just struggles with the performance demands of federation, and the e2ee ux isn’t quite there yet.
Yes. But this is a lot. It may be easier to use Forgejo’s built in migration tools, to copy over repositories along with their issues and other info. You would have to rebuild the admin parts of the site, like “organizations” and user privileges. (Well if you are using oauth and mapping users from oautb groups then you don’t…). And I don’t know if it’s automated for a many, many repos. But it’s just a click click click in the gui.
I remember there was a tool, I think it was related to forgefed, that could do batch repo migrations via the cli. I can’t find it anymore though.
It’s not quite a VPN, but it is very resistant against blocking:
https://github.com/pgautoupgrade/docker-pgautoupgrade
Or if you are on k8s, you can use cloudnativepg.
https://wiki.hackerspaces.org/List_of_Hacker_Spaces
Also check out meetup.com for linux user groups and other events.
Also check out meshcentral. Important thing aboout meshcentral is that it lets you hijack the users screen, show you can show them step by step through things. RDP doesn’t do that, it kicks the other user out.
By the way: https://en.wikipedia.org/wiki/Shadow_IT
So, my high school used to have a domain/ip whitelist. The trick to get around whitelists is to take advandage of the fact that whole subdomains or cloud providers would be included in the whitelist.
Any duckdns subdomain, or anything hosted on many cloud providers would be unblocked.
So holy unblocker has a one click deploy, which can deploy to PaaS sites which would usually have their entire ip address space and subdomains included in the whitelist.
You should probably migrate now, forgejo is currently a soft fork that is fully compatible, but in the future they are planning to hard fork and not be compatible. Well, they are in the process of doing so right now.
Second comment, but also check out midpoint by evoloum: https://docs.evolveum.com/iam/
It is a modern web frontend on top of Active Directory.
Use an Identity Provider (IDP)*. Other people have mentioned LDAP, which can play this role.
Use groups within the IDP to declare who has what privileges.
Apps using the IDP for auth can read the groups and allow/deny permissions based on groups.
*Or Identity and Access Management if you are in the cloud ig.
For open source solutions, I would recommend:
These three solutions all have invites, ldap, and can act as oauth providers. (Oauth is single sign on), which are the features I want. There are also integrated, including it all in the one app.
There is also LLDAP, which is a web ui for ldap, and then you could use a service that connects to that, like authelia or keycloak, to add oauth on top.
No, Socks5 does not work for this usecase. You don’t get permissions to run it locally via crostini (or use crostini in general) and the relevant proxy settings are locked in the chromebook settings. In addition to this, it is too easy to fingerprint, and some of the more aggressive setups will catch it and block it. For example, my high school would autodetect wireguard and then kick you off of the network for 10 minutes if you attempted to connect.
The way forgejo actions works, is that it is not a universal thing for every repo. Each repo, can have it’s own forgejo actions instance connected to it, running stuff.
The big benefit of that, is that you can make users bring their own actions servers, and not bother to deploy your own.