The routers or computers you are using for this have to support forwarding traffic. With Linux this is pretty straight forward for other OSes I’m not sure how easy it is.

You can get around this by having tailscale installed on the default gateway (router) of each network. It might be quite a pain for OP to change routers at each location. On the plus side, OpenWRT has some other cool features like PXE booting.

Here is an article about tailscale on an OpenWRT router.

I use a smart watch for contact less payments ¯\_(ツ)_/¯

I wish I had setup an identity management system sooner. Been self-hosting for years and about a year ago took the full plunge into setting up all my services behind Authentik. Its a game changer not having to deal with all the usernames and passwords.

In a similar vein, before Authentik, I used Vaultwarden to manage all my credentials. That was also a huge game changer with my significant other. Being able to have them setup their own account and then share credentials as an organization is super handy.

Hurting people is wrong and should be avoided at all costs. Nothing cool about that.

But when a tank is also full of fuel and ammo, the boom is much bigger lol

I got lucky and shot around 15 to 20 for training. I lost track after 10. Some missilemen never get the chance to shoot one.

Interestingly, I had that kill zone question asked to me by another higher up (different job) and it took me a long time to come to a conclusion. The kill radius is actually not defined in the manuals. There are zones for the shooter to ensure you don’t get hit with back blast, but usually it’s assumed that the vehicle you hit will be destroyed.

Edit:

To explain further, the missile doesn’t hit the target. It flys above it and uses the munroe effect to cause an implosion (not an explosion) that makes the vehicle explode from the inside out. First munroe charge punches a hole into the vehicle, second charge gets sucked in and blow it up from inside. YouTube munroe effect to see how that shape charge works.

People who play War Thunder want to know lol you can actually find cut outs that show the internals online. The TOW has been around for awhile.

But the wires were for X and Y navigation. Theres an IR beacon that flashes out the back of the missile. The camera sees the beacon and when you move the controls the missile will follow. Theres a Russian T90 tank that has a defense system that spoofs the beacon. Looks like headlights, called the Shtora-1 check it out.

Wire was made out of the thinnest, strongest metal I’ve ever seen. It would cut your boot if you snagged it and pulled, but it could be cut with scissors.

If you lost a wire the missile would go erratic and would lose control depending on which wire was lost. Really depened on what youre trying to shoot over if you broke a wire. Can’t shoot over buildings.

My favorite fact though, it flys above the tank! Search YouTube for a slow mo and you’ll see what i mean. Explodes from above.

Naw, that shit was super strong. If you caught your boot and pulled it would slice clean into your boot. But it was fragile enough to be cut with scissors. A little thicker than a strand of hair.

This is not new tech. We have been using wires like this in the battlefield since the 70’s. I was a TOW gunner and shot plenty of missiles that have a wire like this drone. Except, ya know it’s a missile and it moves significantly faster. TOW stands for Tube launched Opitically Wire guided missile.

Ask away if you wanna know anything about em.

The rules still apply to the host, just not inside the container. Docker is just ignoring the rules. If you block all ports but then have port 81 open like you do in that section of docker compose, you would think that UFW would block docker but thats not the case. Going to http://yourip:81/ will show then NPM gui, even if you specifically use ufw to block 81. If you only expose port 80 and 443, you should be fine. Your NPM container would have to be compromised then they would have to break out of the container.

Also I think your issue is with your DNS. You should have an A record for the IP pointing to example.com and then a CNAME record pointing to sub.example.com

Docker completely ignores UFW rules. If you check your ip tables you’ll see docker rules are put in before UFW. For the 504 though, it sounds like traffic is not getting to NPM. Have you routed ports 80 and 443 to the docker container?

I use headscale on a VPS as an ingress point into my network and I love it. On top of headscale, I use two instances of traefik to make my network. I have one instance of traefik running on the vps which runs a couple of services that I want running 24/7(headscale-ui is nice). It pulls a subdomain certificate for TLS. So any services under say *.vps.example.com get routed to the VPS.

Then I have a wildcard TCP rule pointing the rest of the network traffic to my home server through headscale. My home server is running another instance of traefik where all my services are running. This pulls another wildcard cert for the rest of the *.example.com subdomains.

Cool thing about this setup is I can now have my DNS server rewrite *.example.com to my servers LAN IP. Now when my device is home, it works even when WAN is out. But when I’m out and about, it hits the public DNS and goes through my VPS. With traefik I can write a not !ClientIP rule and essentially block the VPS. Now I can host a service at home but also block it from being accessed from the public. But if I need access to the LAN remotely, I can just use a tailsacale client and get into headscale and see everything.

Its an odd network, but it’s super flexible and works very well for my use case. If you have any questions I’d love to help you set something like this up :D