The full writeup: one VPS sharing port 443 between a real site and a VLESS+REALITY tunnel, decoy validation, the nginx stream SNI mux, a Cloudflare-fronted CDN fallback, full sing-box client setup with TUN and mux, …
The defensive counterpart: how to catch encrypted tunnels (REALITY, VLESS-over-WebSocket, DoH, QUIC/MASQUE) with self-hosted, open-source tooling. Threat model and obfuscation levels, a controls-vs-evasions matrix, …
One VPS, one IP, port 443 shared between a real public website and a VLESS+REALITY tunnel on the same TCP socket. DPI cannot split them apart because both are real TLS.
How to disable switching to Linux virtual terminals (Ctrl+Alt+F1 through F6) at the X11, Wayland, systemd-logind, kernel, and display-manager levels for kiosk and restricted environments.
Protocols that encrypt DNS queries and responses: DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ). Covers transport, ports, RFCs, a protocol comparison, and implementation examples for systemd-resolved, …
Reference for LUKS full-disk and partition encryption with cryptsetup, covering setup, key management, header backup, automated decryption, and recovery.
How a client and server negotiate encryption, authenticate, and derive session keys over TLS 1.2 and 1.3. Covers cipher suite negotiation, certificate chain validation, session resumption, and JA3/JA4 fingerprinting.
Reference for managing Linux users, groups, permissions, ACLs, quotas, and authentication policies. Covers user and group operations, UID/GID ranges, sudo configuration, PAM password policies, and account auditing.