That’s simply due to the repository VSCodium uses to pull extensions from (in the name of using open source extensions). Other (proprietary) extensions can be installed by downloading the .vsx file and installing manually. In most cases, though, open source alternatives to proprietary extensions exist.

Check out VSCodium, which is open source telemetryless binaries of VSCode

Edit: Nevermind, it seems you already use it

Once I finally ditch iOS for good

I had that feeling for all too long. It’s so refreshing to break free. Word of advice: make sure to switch over your Signal account to make your new phone as an owner

You planning on GrapheneOS?

I’ve been able to use Proton for torrenting, although at abysmal speeds. I don’t acquire many new videos, so this isn’t an issue quite yet. When I have more money I will absolutely be switching to Mullvad VPN.

THIS

While I would make the modification to use Android’s Private Space instead of a work profile (or Shelter instead of Insular), this was such an obvious solution, and I feel stupid for not seeing it. I might use Wireguard instead of Tailscale, I don’t know yet, but thank you! Consider yourself an outside the box thinker!

We all got hung up on trying to fix Proton, when Android was the issue here!

OP, I have been facing the same situation as you in this community recently. This was not the case when I first joined Lemmy but the behaviour around these parts has started to resemble Reddit more and more. But we’ll leave it at that.

I’ve noticed that behavior is split between communities. Lemmy gets a bit weird because communities are usually hyper-specialized, and sometimes instances themselves cultivate different cultures (e.g. lemmy.ml is usually for privacy enthusiasts, since that’s where c/privacy is hosted). That, with the addition of specific idols for each community (e.g. Louis Rossmann for the selfhosted community) affects how each community behaves. That’s my theory, anyways.

I am interested in the attack vector you mentioned; could you elaborate on the MITM attack?

Basically the “this website is not secure” popup you see in your browser is sometimes due to the website using a self-signed cert. There’s no way to verify that that cert is from the website itself or from an attacker trying to inject their own cert, since there’s no CA attached to the cert. If an attacker injects their own self-signed cert, they can use that to decrypt your HTTPS traffic (since your browser will be encrypting using their cert) and then forward your traffic along to the real website so that from your perspective (minus the warning screen) nothing is wrong. I’m oversimplifying this, but that’s basically how it works.

Unfortunately, if you don’t have control over your network, you cannot force a DNS server for your devices unless you can set it yourself for every individual client.

I forgot to mention in this post, but because of browser fingerprinting reasons I don’t want to use a custom DNS. Thanks for the suggestion though!

Thank you for this!

Is OPNsense like dd-wrt or OpenWrt?

The thing is (and this is by no means a knock on you) if you are doing pen testing then you definitely need to increase your knowledge on networking.

I have background in Wi-Fi hacking and LAN attacks, and I understand the structure of networking (LAN, WAN, layers of the internet, DNS, CAs, etc.). My head starts to hurt when RADIUS is involved, ad hoc networking (which I understand the concepts of, just not how it works. I want to learn this first), mDNS, and other complicated topics. I’m trying to push past those mental roadblocks and learn as best I can, but it’s a tricky topic!

https://wiki.freeradius.org/

There’s something to check out just to get some concepts. You can do plenty of things to harden your security that could give you the comfort you need without defaulting to encrypted connections over LAN.

Thank you! I’ll definitely check this out. You’ve been a huge help!

Although not ideal, I would be willing to pay for ProtonVPN (or another) if that’s what is required. If I did have LAN connections, what are my options? Eventually I will get a more trustworthy router, but I still don’t want to trust it by sending data in plaintext, even if I can control it and enable port forwarding.

Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption.

This is fair, and does solve the problem. I didn’t explicitly state that I needed it to be convenient, so you’re right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn’t solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.

That makes me wonder if there’s a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?

No, it can run along anything, as long as you don’t conflict the IP space assigned to a VPN.

I tried Tailscale on Android, and it isn’t working because it requires the active VPN slot occupied by ProtonVPN.

Idk if proton allows you to download config files on a free account

I remember a time a few years ago when I managed to do something similar… I’ll look into this!

Edit: It seems so

https://protonvpn.com/support/vpn-config-download/

https://protonvpn.com/support/wireguard-configurations/

Thank you! I’d like to avoid extra costs, since I already have the Pi on hand, but when I have the money I will switch to a proper server.

Okay, so you might be unfamiliar with networking

I’m familiar with some parts of networking, but selfhosted VPNs are something I am unfamiliar with, so thank you for helping me out!

No need to use Tailscale if you’re just using your Wi-Fi or Ethernet.

I want it to be encrypted during transit, even if it is over the LAN.

Tailscale/Headscale creates it’s own VPN network which will need its own IP space.

This is what I was afraid of, because this means it probably can’t run alongside ProtonVPN, since it would fill up the VPN slot on Android, right?

If so, it means we’ve come full circle. Unless there is a way to use Tailscale alongside ProtonVPN or a way to get Jellyfin clients to trust self-signed certificates, I don’t see any other option than buying a domain and exposing the server to the internet. Am I missing something?

The only other providers I would use are Mullvad VPN or IVPN, both of which are paid.

I agree it is ridiculous.

I wish it were that simple, but as I mentioned that would require paying for ProtonVPN to allow LAN connections (which isn’t the worst thing in the world, but I’d prefer to avoid subscriptions where possible) and clients don’t allow self-signed certificates.

I know. It’s very unfortunate, but I understand why.

You don’t need a VPN for LAN connections.

ProtonVPN by default blocks LAN connections, and can only be changed using their paid tier.

You want to use it only locally (on your home), but it can’t be a local-only instance.

By “local-only” I meant on-device

You want to e2ee everything, but fail to mention why.

Privacy and security.

There is no reason to do that on your own network.

Networks are not a trusted party in any capacity.

I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

A VPN such as ProtonVPN or Mullvad VPN are used to displace trust from your ISP into your VPN provider and obscure your IP address while web browsing (among other benefits that I don’t utilize).

What is the attack vector you’re worried about? Are there malicious entities on your network?

These are good questions but not ones I can answer briefly.

Alright, I’m slowly learning, bare with me here:

• ProtonVPN is always-on and blocks connections without VPN
• Jellyfin and Headscale are hosted on the Pi (or does Headscale need its own server?)
• Tailscale and a Jellyfin client are installed on the phone

Then:

• Will that will run fully on the LAN?
• Will it be encrypted during transit?
• Does ProtonVPN need to allow LAN connections?