If you have been following my posts, you might have noticed a trend recently, where I am looking for self-hostable alternatives for common websites and apps that I access. And I put them all on the Tailscale network so that they are easily accessible from other devices.
Today, I stumbled upon libreddit, a self-hosted, tracker-free reddit interface. It’s important to note that this is just an interface and does not allow accessing your reddit account through it.
Installation of libreddit
The installation process was fairly straightforward: SSH into my Raspberry Pi, and use the Docker instructions on the libreddit homepage. That’s it — a libreddit UI would be available on 0.0.0.0:8080 on your computer, and if the Raspberry Pi is connected to a Tailscale network, it becomes immediately available at the Tailscale node address as well. In my case, I can access the libreddit interface at http://mew:8080 too, thanks to Magic DNS.
Setup and usage
I like how libreddit is fast on desktop and mobile views, and is configurable in many ways: wide UI, theme, sorting of posts and comments, and most importantly, supports importing of existing subreddits that you follow. Here’s a guide on that process.
Since one doesn’t have to log into their reddit account, all of libreddit settings and subreddit subscriptions are stored locally. They will be lost when browser cookies are cleared, but libreddit goes one step further in allowing one to import back settings and subreddits using a link. Look for the details at the bottom of the libreddit settings page.
Overall, I am very happy with libreddit. I have made it available to my friend who is on my Tailscale network as well, using Tailscale ACLs, and the subreddits/settings he configures wouldn’t be visible at my end. Likewise, he cannot see what I configure.
I am a happy DuckDuckGo user of many years. It matches all of my requirements: good results, ability to jump to the first result with a keyword (using “\”), bangs to search within particular websites and tracker-free search results.
I recently learned about Whoogle though and I had been wanting to try that for a while. It’s a self-hosted, ad and tracker-free search engine that fetches results from Google. The project promises that it’s free of cookie and IP address tracking too. It’s open source and it seems that it can be set up on any device. I have two Raspberry Pi devices at home, both connected on my Tailscale network, acting as Pi-hole nodes to block ads. One of the two Raspberry Pis also acts as my Hydroxide node to fetch ProtonMail emails.
I decided to install Whoogle on the same Raspberry Pi that runs Hydroxide. The process turned out to be really simple. Whoogle has thoroughly documented instructions to install on a Raspberry Pi with Docker; I installed using these Docker Hub instructions:
I ran into a hurdle involving a dependency’s compatibility with my Raspberry Pi image, but that was easily solvable. Once all of that was done, the Whoogle instance was available at 0.0.0.0:5000 but it was neatly exposed on the Tailscale interface too, thus being available at my Tailscale node’s IP address: 100.71.84.105:5000. Thanks to Tailscale’s Magic DNS, this instance becomes available at a readable address too: http://mew:5000. mew is the name of my Tailscale node. It’s configurable on the Tailscale admin.
Since all of my devices are connected to the Tailscale network, my Android can access it as well:
I configured access control lists on Tailscale to make this Whoogle instance available for my friends connected to the same Tailnet.
I plan on using Whoogle for a few weeks to see how it fits into my workflows. I will be missing out on some rich DuckDuckGo features like DuckDuckGo Bangs and jumping to the first result, and if it becomes too much to compromise on, I plan on going back to DuckDuckGo.
I had fun setting up Hydroxide on the Tailscale network so that I can access my ProtonMail inbox from any IMAP client. If you are not familiar with ProtonMail, it’s an encrypted email provider. Given the nature of this product, they do not offer IMAP access as other standard email providers do. Rather, they require a paid account and a connector by the name ProtonMail Bridge for desktop IMAP clients to work.
That works great for most users, but what about IMAP clients on mobile devices? Access on mobile devices is limited to the official ProtonMail app. As a ProtonMail customer of over 3 years, I haven’t seen any significant improvements on the mobile front. They did promise an update to the ProtonMail Android app, seemingly with support for threaded conversations, but that was a long time ago.
While ProtonMail Bridge is open source, it’s limited to Windows, Mac and Linux at the moment. That’s a GUI version. ProtonMail Bridge is not available in a headless format, but it appears to be planned.
I wanted the headless version to run on my Raspberry Pi so that it’s accessible from any Tailscale-authenticated node.
In exploring for third-party Bridges, I found Hydroxide which seems open source and popular among users. It also seems to support any ProtonMail account, while the official ProtonMail Bridge is only for paid users.
Setting up the bridge
Setting up Hydroxide is rather simple, but I ran into some challenges along the way.
With this done, all that I had to do was enter my Raspberry Pi Tailscale node address as the IMAP and SMTP server on my mobile IMAP clients. The official ProtonMail Bridge documentation recommends adding an SSL exception for desktop clients. I couldn’t quite figure out how to configure a similar exception on the mobile clients. Also, because both devices (my mobile device and the Raspberry Pi running Hydroxide) are within the same Tailscale network, I chose to authenticate without SSL. That means my Bridge password is visible somewhere along the communication between the device and the Raspberry Pi, but that’s alright as it’s a private network.
Preventing Hydroxide bridge access for others on my Tailnet
Since my friends and family use my Tailscale network (I share my pi-hole ad blocker with them) as well, I configured access control rules (Tailscale ACLs) on the Tailscale web admin.
This setup is safe in my understanding, as Hydroxide runs on hardware that I control. And, it is available only within my Tailscale network. To authenticate on this Tailscale network, one requires my approval. I use a GitHub organization as a multi-user tailnet. Even if someone manages to get in, ACLs must prevent them from accessing the Hydroxide IMAP and SMTP ports.
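A way to check that intent offline, as an added example that is not from the original post: a simplified model of Tailscale's default-deny ACL evaluation, run against a constructed policy. The user names, the group, the policy contents and the use of Hydroxide's default ports (1143 for IMAP, 1025 for SMTP) are assumptions; only the node name mew, its address and the Whoogle and libreddit ports come from the posts.

```python
# Added example: audit a Tailscale-style ACL policy (default deny) offline.
# Users, groups and the policy itself are constructed for illustration.
# 1143/1025 are Hydroxide's default IMAP/SMTP ports (assumed; the post does
# not say which ports its bridge listens on).
POLICY = {
    "groups": {"group:friends": ["friend@example.com"]},
    "hosts": {"mew": "100.71.84.105"},
    "acls": [
        # Owner reaches everything on the Pi, including the mail bridge.
        {"action": "accept", "src": ["owner@example.com"], "dst": ["mew:*"]},
        # Friends: Pi-hole DNS (53), Whoogle (5000), libreddit (8080) only.
        {"action": "accept", "src": ["group:friends"], "dst": ["mew:53,5000,8080"]},
    ],
}

def port_matches(spec, port):
    """Match a port against '*', '80', '80,443' or '1000-2000' syntax."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def src_matches(policy, src, user):
    """A source entry matches directly, via '*', or via group membership."""
    return src in ("*", user) or user in policy["groups"].get(src, [])

def is_allowed(policy, user, host, port):
    """True only if some accept rule covers (user, host, port)."""
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(src_matches(policy, s, user) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            dst_host, _, ports = dst.rpartition(":")
            if dst_host in ("*", host) and port_matches(ports, port):
                return True
    return False

def exposed_ports(policy, user, host, ports):
    """Return the subset of `ports` on `host` that `user` can reach."""
    return [p for p in ports if is_allowed(policy, user, host, p)]

if __name__ == "__main__":
    print(exposed_ports(POLICY, "friend@example.com", "mew", [53, 1025, 1143, 5000, 8080]))
```

Running the same check after every policy edit catches the common regression where a broad rule such as `mew:*` for a shared group silently re-exposes the mail bridge.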
I am not a network engineer but enjoy hacking on things by myself. Don’t treat this guide as a bulletproof workflow if you value secure, encrypted communication.
macOS Monterey and iOS 15 are the latest versions of macOS and iOS. They were announced at WWDC 2021. The public betas were released a couple of days ago, and I downloaded them as soon as they were available. I wanted to download them when the developer beta was announced, but I don’t have an Apple developer account. And, admittedly, I was worried about how the developer beta may fare. Glad I decided to wait for the public Apple betas.
I am quite happy with the experience so far. I installed both betas on my personal devices and on my work Mac as well. They seem rock solid, and I don’t see a hit on battery life either, which I hear is often the case on Apple beta rollouts.
I have enabled it on my Mail app for now, but haven’t found if there are stats/analytics of how many trackers are blocked. As I am a pi-hole user, that must cover DNS-level blocks throughout my home but I am curious to see how this new feature complements pi-hole.
Private Relay on both Apple betas
Private Relay is Apple’s double-hop VPN-like service that prevents networks from monitoring your traffic, and prevents trackers and websites from identifying your IP addresses. It’s available on both Apple betas as of today.
My original understanding was that this is basically an Apple-backed VPN service, but that doesn’t seem to be the case.
Is it basically a VPN service?
From a technical reading (I don’t have the link to it at the moment) of this service, it appears this is a double-hop tunneling system. Think of Tor, where there are 3 hops involved — entry node, middle node and exit node.
DNS leaks with Private Relay on these Apple betas?
Private Relay has assigned me a Cloudflare and Fastly address so far. I hear there are other providers that Apple has partnered with, but my experience so far has been limited to the two of them.
I have also noticed that my pi-hole on the Tailscale network doesn’t work when Private Relay is active. That’s alright in my opinion, because the very purpose of tunneled connections is to prevent leaks to other networks. Think of using a VPN, which assigns its own DNS resolvers, vs using the one assigned by your DHCP on the router. That’s precisely what’s happening here.
Private Relay is limited to Safari. That works great for me. When I need to browse websites from my regular, ISP-based IP address, I can use a different browser like Firefox.
My pi-hole setup continues to work normally on other browsers, and other apps throughout the device.
A couple of other things that I noticed:
Private Relay on iOS 15 allows me to choose servers from the same geolocation, or from other areas of my country. That’s just a feature of iOS 15 though. I don’t see it on macOS Monterey.
Private Relay was enabled by default on my WiFi network. That wasn’t the case for a friend though.
As expected of beta software, Private Relay disconnected a few times as I was browsing.
Hide My Email is basically an email alias service that generates new addresses on demand. These aliases forward incoming email to your primary address, thus avoiding exposure of your actual email address to spam. I am a huge fan of this concept. I already use SimpleLogin, for which I am a paying customer.
It is limited to 100 aliases per account (I read so on a beta thread on reddit). That can be limiting for power users. On SimpleLogin, I have over 1000 aliases, spread across website and app signups, newsletters, shopping and everything in between.
If you start using Hide My Email, consider saving them on a password manager like 1Password or Bitwarden. Otherwise, it’s very easy to lose track of your alias usage across sites.
iCloud Mail with a custom domain
This is probably my most favorite feature announced at WWDC 2021. It’s not available on the beta just yet. Fingers crossed for its availability in the next release!
Safari re-design on both Apple betas
I hate it. Multiple things about this design are distracting:
The box-like layout of the tabs resizes as I change tabs.
The background of the tabs changes color depending on the website’s background color. While it seemed interesting initially, I have noticed that it makes text illegible, especially on my non-retina MacBook Air.
The position of the search/address bar changes every time I navigate between tabs.
I am not a fan.
Other things I noticed
I was late to learning that Shortcuts is available as well! As someone that automates a lot of things with Keyboard Maestro, I am curious to see how Shortcuts can work with it, or how it can complement the former’s features.
Universal Control is not available on this beta either. It allows one to use the same input devices (mouse and keyboard) across multiple macOS or iOS devices. I can imagine myself using my MacBook Air’s (2015 model) keyboard for MacBook Pro (2019 model). The latter doesn’t have a butterfly keyboard, which is a good thing, but I still prefer my MacBook Air’s keyboard. There is a mechanical typing sensation which makes the typing experience rich.
Tailscale has been on my mind lately. It’s a fantastic piece of software that’s available across multiple operating systems. It allows you to set up your own VPN network that you can connect to from anywhere. I use Tailscale to host my pi-hole nodes and a web server at home, and my favorite use-case today is the new Taildrop feature.
It is a p2p (peer-to-peer) file sharing system that doesn’t upload your files to the cloud. Best of all, it works between two different networks (laptop on WiFi and mobile device on mobile data) as well. That’s because it runs on top of the Tailscale network.
It costs us, effectively, nothing to run, because it’s your bandwidth (mostly LAN bandwidth), not ours. We just bust some NATs and negotiate the session. Which is why we can give Taildrop away to everybody, for unlimited use, with no file size limits, as part of the Tailscale free plan. It’s also open source.
Exit nodes are coming soon on Tailscale! I have been waiting for this functionality for a while now. I would like to run Cloudflare Warp on a Raspberry Pi, and route all devices’ traffic via that Pi. Super looking forward to it!