• 0 Posts
  • 47 Comments
Joined 2 years ago
Cake day: June 9th, 2023


  • > PostUp = ip route add 100.64.0.0/10 dev tailscale0

    Looks like you need to stick this line in the tailscale service file, since it’s the only time that the existence of the tailscale0 device is guaranteed. If you don’t want to modify the service file inside the package, could you write your own systemd service file and include the tailscale service as a prerequisite?

    Also make sure that when you start the VPN first and then tailscale, you don’t get a double tunnel situation where tailscale goes out through the VPN (unless that’s what you wanted).
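    As an added example (not the commenter's own script), the following sketches the "own systemd unit with the tailscale service as a prerequisite" idea from above: a oneshot unit ordered after tailscaled.service that waits for tailscale0 to actually exist before adding the 100.64.0.0/10 route, plus a small helper for spotting the double-tunnel case by reading which device a route leaves through. The unit name tailscaled.service, the install path /usr/local/sbin/tailscale-route.sh and the SYSFS_NET override are assumptions for the example; the sample `ip route get` line is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: add the Tailscale CGNAT route only
# once tailscaled has created tailscale0, via a helper unit ordered after it.
TS_ROUTE="100.64.0.0/10"                 # the route from the quoted PostUp line
TS_DEV="tailscale0"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"  # overridable so the check runs without root
INSTALL_PATH="${INSTALL_PATH:-/usr/local/sbin/tailscale-route.sh}"  # assumed path

# Succeed as soon as the kernel knows the interface; give up after $2 attempts (1s apart).
wait_for_link() {
    dev="$1"; tries="${2:-10}"
    while :; do
        [ -d "$SYSFS_NET/$dev" ] && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] || return 1
        sleep 1
    done
}

# "replace" rather than "add" so a restart of the unit does not fail on a duplicate route.
add_route() {
    ip route replace "$TS_ROUTE" dev "$TS_DEV"
}

# Pull the egress device out of one line of `ip route get` output. If the device a
# Tailscale peer is reached through is your VPN's tun interface, tailscale traffic is
# going out through the VPN: the double-tunnel situation mentioned above.
parse_egress_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}
egress_dev() {
    parse_egress_dev "$(ip route get "$1" 2>/dev/null | head -n 1)"
}

# Unit text to install as /etc/systemd/system/tailscale-route.service (assumed name).
# Requires= pulls tailscaled in, After= orders us behind it; tailscaled.service is the
# unit name Tailscale's package ships under (assumption stated in the lead-in).
unit_text() {
    cat <<EOF
[Unit]
Description=Add ${TS_ROUTE} via ${TS_DEV} once tailscaled is up
Requires=tailscaled.service
After=tailscaled.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=${INSTALL_PATH} add
ExecStop=/sbin/ip route del ${TS_ROUTE} dev ${TS_DEV}

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    add)  wait_for_link "$TS_DEV" 15 && add_route ;;
    unit) unit_text ;;
    check) printf 'peer %s leaves via %s\n' "$2" "$(egress_dev "$2")" ;;
esac
```

    Install the script, run it with `unit` to print the unit file, then `systemctl enable --now tailscale-route.service`; `check <peer-ip>` after bringing both tunnels up tells you which interface the peer is actually reached through.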




  • Yep, that’s how the calculation goes! You only need mssfix on the innermost tunnel, and the outer tunnel will stay under the limit naturally. Mssfix only works on TCP, so it wouldn’t work on the VPN packets themselves anyway, inside the outer tunnel. OpenVPN/wireguard use UDP. By the way, does Discord use UDP at all? I don’t know what’s the proper way to limit the size of UDP packets in a situation where pathway mtu discovery is the problem/issue. I only know the trick with TCP and clamp-mss. Is there a way to tell discord to force use TCP only? Also, can you be sure that Discord service itself doesn’t block your commercial VPN?


  • Not sure what your setup is trying to do, but I run a double tunnel, and it is not usable without clamping the mss! Even when I set the correct link mtu, I still see in wireshark that the envelope IP packets get fragmented. The packets still get delivered, which is good in a way since it lets many internet services work albeit at half the speed, EXCEPT that most (but not all) TLS connections fail to progress past the handshake. It is as if TLS is trying to squeeze an entire certificate into a single packet and refuses to work if that packet gets fragmented, even if all the fragments arrive intact. This fails silently, with the browser window just spinning forever for example.

    However if I set mtu AND clamp mss like this:

    ip link set tun1 mtu 1420
    ip link set tun2 mtu 1340
    iptables -t mangle -A FORWARD -o tun2 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -A FORWARD -i tun2 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    

    Then the packets do not get fragmented, every service including TLS works perfectly, and I get 90% of full tunnel-less bandwidth. I use wireguard, not OpenVPN, and testing with wireshark shows that a single wireguard wrapper is about 80 bytes. The iptables --clamp-mss-to-pmtu option is equivalent to OpenVPN’s mssfix option if I recall.
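    The calculation behind this comment and the mssfix one above, as an added example that is not the commenter's own code: starting from a 1500-byte link and the roughly 80-byte WireGuard wrapper measured here, each nested layer loses that overhead (1500 → 1420 → 1340), and the TCP segment that still fits in one packet at the innermost layer is that MTU minus 40 bytes of IPv4+TCP headers, which is what `--clamp-mss-to-pmtu` enforces on SYNs. The functions also emit the two mangle rules shown above for any device name; `verify_mtu` assumes Linux iputils `ping` (the `-M do` don't-fragment flag) and is not needed for the arithmetic.

```shell
#!/bin/sh
# Added example, not from the original post: per-layer MTU arithmetic for nested
# tunnels and the matching MSS-clamp rules.
WG_OVERHEAD=80   # bytes one WireGuard/UDP/IP wrapper adds, as measured in the post
IP_TCP_HDR=40    # IPv4 (20) + TCP (20) header bytes; MSS = MTU - 40

# inner_mtu OUTER_MTU OVERHEAD: bytes left for the payload one tunnel layer deeper.
inner_mtu() { echo $(( $1 - $2 )); }

# mss_for MTU: largest TCP segment that fits in one packet at that MTU.
mss_for() { echo $(( $1 - IP_TCP_HDR )); }

# layer_mtus BASE_MTU OVERHEAD DEPTH: prints the MTU of each nested layer, outermost first.
layer_mtus() {
    mtu="$1"; i=0
    while [ "$i" -lt "$3" ]; do
        mtu=$(inner_mtu "$mtu" "$2")
        echo "$mtu"
        i=$((i + 1))
    done
}

# fits MTU SEGMENT_BYTES: true when a TCP segment of that size crosses the link unfragmented.
fits() { [ "$2" -le "$(mss_for "$1")" ]; }

# clamp_rules DEV: the two rules from the post, rewriting the MSS on forwarded SYNs in
# both directions so each peer never offers a segment larger than the path allows.
clamp_rules() {
    printf 'iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n' "$1"
    printf 'iptables -t mangle -A FORWARD -i %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n' "$1"
}

# verify_mtu MTU HOST: send one don't-fragment ping whose on-wire size equals MTU
# (payload = MTU - 20 IP - 8 ICMP). Linux iputils only; fails if the path cannot carry it.
verify_mtu() { ping -M do -c 1 -W 2 -s $(( $1 - 28 )) "$2" >/dev/null 2>&1; }

# Walk the two-layer setup from the post when run directly.
if [ "${1:-}" = "show" ]; then
    layer_mtus 1500 "$WG_OVERHEAD" 2 | while read -r m; do
        printf 'mtu %s -> max mss %s\n' "$m" "$(mss_for "$m")"
    done
    clamp_rules tun2
fi
```

    Run `sh mtu.sh show` to print the 1420/1340 layers with their MSS values and the rules for tun2; an unclamped client would otherwise offer an MSS of 1460 on a 1500-byte link, and a full-size segment inside two wrappers is exactly the fragmented envelope packet seen in wireshark.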


  • IMHO if you don’t have a globally-reachable address or forwarded port, you are not really a participant of the internet, you are just a receptacle xD

    One service I never see mentioned is OVPN. They have a 1-to-1 feature parity with mullvad and were an easy drop-in replacement when mullvad closed their ports:

    • wireguard
    • port forwarding
    • no usernames/emails/registration, only account numbers
    • crypto payments/cash in the mail
    • same price as mullvad
    • multiple device keys
    • multihop
    • no bandwidth limits
    • setup guides
    • status dashboard

    I used mullvad for years, sad to see them go, and all my scripts basically worked without any change other than the server addresses/public keys. Only downside is they don’t have as many users so not as many servers. I wish more people would join up so I get more IPs to choose from :D


  • By some argument, section 103 of the DMCA (which is what grandparent post is referring to) does make it illegal to even talk about DRM circumvention methods.

    illegal to: (2) “manufacture, import, offer to the public, provide, or otherwise traffic in” a device, service or component which is primarily intended to circumvent “a technological measure that effectively controls access to a work,” and which either has limited commercially significant other uses or is marketed for the anti-circumvention purpose.

    If youtube implements an “access control measure” by splicing the ads with the video and disabling the fast-forward button during the ad, and you go on a forum and say “Oh yeah, you can write a script that detects the parts that are ads because the button is disabled, and force-fast-forwards through those”, some lawyer would argue that you have offered to the public a method to circumvent an access control measure, and therefore your speech is illegal. If you actually write the greasemonkey script and post it online, that would definitely be illegal.

    This is abhorrent to the types among us for whom “code IS free speech”, but this scenario is not just a hypothetical. DMCA has been controversial for a long time. Digg collapsed in part because of the user revolt over the admins deleting any post containing the leaked AACS decryption key, which is just a 32-digit number. Yet “speaking” the number alone, aloud, on an online platform (and nothing else!) was enough for MPAA to send cease and desist letters to Digg under DMCA, and Digg folded.



  • > a standalone drive

    Another cool/scary feature of the BluRay spec is offline firmware updates (called BD+). Any disc can contain code that runs automatically and can patch the player firmware or execute arbitrary functions. So if you have an older hacked player and you insert a newer disc into it, the AACS Consortium has the ability to brick it. Or if you “own” an older disc but the Consortium starts to dislike it for some reason (maybe they discovered that the disc was printed by a pirate publisher, or maybe there was a retroactive licensing dispute), they can include code on every newly published disc that blacklists the old disc. Even with a standalone player that you never connect to the internet, the moment you insert any new disc into it, your old “problematic” disc will be unplayable. This has never yet happened with a previously-legal disc AFAIK, but it is possible within the spec. Every player manufacturer must obey the spec and implement the BD+ virtual machine in order to be allowed to read AACS content. And if you hack your player to ignore BD+ code, then the newer disc will not play because its content may be scrambled in a way that only the custom BD+ code included with it can unscramble.




  • Thank you for your detailed input!

    > It’s not even a platonic ideal - it’s drawing a supply/demand curve and thinking you understand how prices work in a market economy.

    You got me 😁. I love drawing supply-and-demand curves. Seems pretty hopeless then if to even begin to understand how to vote “correctly” you need 5 years of game theory PhD. Hearing someone say “just trust me bro, the optimal strategy is that one” is not good enough. Voting was supposed to be for the masses…

    > drop everything to just start suing states and protesting for voting rights

    I could get on board with ranked-choice voting. My city used IRV for our latest mayoral primary election, and even though none of my ranked candidates won, I felt extremely satisfied that at least my voice was finally being heard. When a literal police-mayor got elected (winning the primary by only 7000 votes), I had the comfort of full knowledge that this was not due to any spoiler effect on my part, but solely due to more people voting for him. If we campaigned for ranked-choice voting in federal elections - presidential primaries and general - we could eliminate all the above hand-wringing. The Democratic party should be totally on board with this since they could finally get the Green protest vote.


  • So I am proposing that the Democratic party is acting irrationally and suboptimally, but you claim that the Democrats are acting most optimally, and it is the fringe left that is acting irrationally instead by refusing to accept an unfair split against all game theory guidance, causing all of us to eat shit (despite them making up only low single digits). Yet if the Democrats are so rational, how come they keep losing? Shouldn’t they have found an optimal strategy to get around the irrational ultimatum of the left? Yet here we are.


  • > the most a third party is going to do is shave off a few percentage points, resulting in the main party losing

    If the third party can force the main party to lose, then it holds ultimatum power and game theory rules apply. The main party irrationally keeps rejecting the ultimatum and as a result keeps losing. To execute the threat of the ultimatum even after the unfair split has already been offered is the paradox of game theory. You have to appear credible enough to carry out such a threat, but the only reliable way to appear credible is to actually follow through on such threats every time.

    The Democratic party keeps losing and shifting right because it acts irrationally and fails to execute optimal game theory strategy. It could have offered the left a fair split and we could have all had guaranteed single-payer medical care, food, and housing, but instead none of us will have women’s rights, and the immigrants and gays among us will be herded into cages.




  • I know traditionally the dream fantasy of book readers has been to own an expansive physical library, with shelf after shelf full of book spines, but I just could never get into it. I’m a data hoarder, not an object hoarder! All my books are digital, mandatory in plaintext DRM-free format, sorted and backed up. I find joy in the knowledge that everything I have ever read is instantly grep’able, ageless, and can fit in my pocket (on a thumbdrive) wherever I go.

    I do prefer to read on e-ink as well, because the device is lighter than any book, guaranteed to fit in my pocket, can hold multiple books, and gives me control over font size. The only downside is when the battery gets old it needs more frequent recharging. A paper book will not refuse to work for lack of power!