Q-feeds

Q-Feeds delivers curated indicators of compromise (IPs and domains) on a schedule. The OPNsense plugin is purpose-built to consume the IP feeds, and the official documentation assumes you’ll feed the domain side into Unbound. If you’re running AdGuard Home as your primary DNS resolver instead of Unbound — as I am — that integration path doesn’t apply directly, and you have to wire the domain feeds in manually. A two-layer threat intelligence setup is only as good as the DNS path that feeds it. This post walks through wiring Q-Feeds into OPNsense (IP layer) and AdGuard Home (DNS layer), and then — the part that turned out to matter most — actually forcing every device on the network to use that DNS path, instead of just offering it. ...

May 7, 2026 Â·  25 min

Mosh FIDO2 / Yubikey Fix

Problem When using mosh with a FIDO2-backed SSH key (sk-ed25519 / sk-ecdsa, e.g. YubiKey), the touch prompt is never shown. The YubiKey blinks — meaning it received the signing request — but the terminal hangs silently until timeout. This affects any tool that invokes SSH as a subprocess without a proper controlling TTY, including mosh and ansible. Root Cause Mosh calls SSH internally with the -n flag: ssh -n -tt -S none -o ProxyCommand=... <host> -- mosh-server new ... The -n flag redirects SSH’s stdin from /dev/null. libfido2 needs a real /dev/tty to print the touch prompt. With -n in effect, the signing request reaches the YubiKey hardware (hence the blinking) but the prompt is swallowed and there is no way to respond. ...

March 6, 2026 Â·  7 min

Mosh - The SSH Replacement You Didn't Know You Needed

If you’ve ever had an SSH session freeze mid-command because you switched from Wi-Fi to mobile, or lost your work because a hotel network dropped for three seconds, Mosh is the tool that fixes all of that. What is Mosh? Mosh (Mobile Shell) is a remote terminal application that replaces SSH for interactive sessions. It uses SSH only for the initial authentication handshake, then hands off to its own UDP-based protocol (SSP — State Synchronization Protocol) for the actual terminal session. ...

March 6, 2026 Â·  5 min · 
TL;DR
  • Mosh replaces SSH for interactive sessions, using UDP so it survives roaming and network drops.
  • Open UDP ports 60000-61000 on the server; auth still piggybacks on SSH.
  • On macOS, fix the PATH in ~/.zshenv so non-interactive SSH can find mosh-server.
  • Pair it with tmux for a session that survives almost anything short of a server reboot.

Kea DHCP to Unbound DNS Registration

Features Smart Update Logic: Intelligently handles dual-stack environments. It preserves existing IPv4 records when adding IPv6 (and vice versa), eliminating race conditions. Automatic PTR Generation: Automatically generates reverse DNS (Pointer) records in both standard and in-addr.arpa formats. Persistence & Repair: Includes rc.syshook.d scripts to ensure patches survive OPNsense firmware updates and system reboots. Dedicated Logging: Writes detailed, timestamped activity logs to /var/log/kea-unbound.log with automatic rotation via newsyslog. Smart Hostnames: Automatically generates hostnames from MAC addresses or DUIDs if the client device does not provide one. Non-Destructive: Uses OPNsense’s native hook system to inject configuration safely without modifying core system files. Prerequisites Before installing, ensure the following services are enabled in OPNsense: ...

February 7, 2026 Â·  4 min

Ubiquiti U5G Max GRE Tunnel with OPNsense

If you’ve ever had your internet go down in the middle of a video call, you know the pain. I decided to fix that by adding LTE failover to my OPNsense router using a Ubiquiti U5G Max. The U5G Max exposes its cellular WAN through a GRE tunnel, which means you don’t need a UniFi gateway to use it — any router that supports GRE can take advantage of it. This wasn’t entirely straightforward. OPNsense refuses to assign an IP to a GRE tunnel interface through the GUI, there are MTU issues that silently break web browsing, and there’s a system setting that’s disabled by default without which failover simply won’t trigger. This guide covers everything I learned getting it working — the final, tested configuration with all the gotchas addressed. ...

February 3, 2026 Â·  20 min

Magic Wormhole

Magic Wormhole: A Deep Dive into Secure, Simple File Transfer Core Architecture The Protocol Stack Magic Wormhole operates on a multi-layered architecture: 1. The Mailbox Server (Rendezvous Server) A WebSocket-based relay that facilitates initial connection establishment Default public server: ws://relay.magic-wormhole.io:4000/v1 Stores encrypted messages temporarily Never sees plaintext data Can be self-hosted for increased reliability 2. The Transit Relay Handles actual data transfer when direct peer-to-peer connections fail Used when both peers are behind NAT Default server: tcp:transit.magic-wormhole.io:4001 All data passing through is end-to-end encrypted 3. Connection Negotiation The tool attempts multiple connection strategies in parallel: ...

November 19, 2025 Â·  10 min

Caddy vs Nginx

After migrating a production Hugo site from Nginx to Caddy with Cloudflare integration, I’ve experienced firsthand why Caddy represents the future of web servers. Here’s an in-depth look at why Caddy outshines Nginx across multiple dimensions. Table of Contents Automatic HTTPS: The Game Changer Configuration Simplicity Security Out of the Box Modern Protocol Support Certificate Management Developer Experience Performance and Efficiency Cloudflare Integration Error Handling and Debugging Real-World Migration Example When to Choose What Conclusion Automatic HTTPS: The Game Changer Caddy’s Approach Caddy’s most revolutionary feature is automatic HTTPS. When you configure a domain, Caddy: ...

November 18, 2025 Â·  16 min

Crowdsec IPDEX on OPNsense

Here are a few steps on how to install GO on @opnsense and @Crowd_Security IPDEX a simple CLI tool to gather insight about a list of IPs or an IP using the CrowdSec CTI (Cyber Threat Intelligence) API. Check an IP’s reputation using CTI Scan IP or log files and display detailed reports Run CrowdSec Search Queries Keep a local history of reports for later inspection - All scanned IPs are cached for 48 hours. Many thanks to the developer for the tool ...

May 16, 2025 Â·  5 min