Cloudflare WARP Config Generator

A browser-based and CLI tool for generating WireGuard configurations compatible with Cloudflare WARP. The application generates keypairs locally in the browser or CLI, registers them with Cloudflare’s WARP API, and outputs a complete WireGuard configuration file with a QR code for easy mobile import. All processing happens client-side with no server-side storage. Configuration options include DNS server selection, MTU adjustment, allowed IPs, and persistent keepalive settings. A command-line shell script is also available for terminal-based workflows. ...

December 22, 2025 · 1 min · Ian Foster

MikroTik SwOS Python Library

Got a bunch of MikroTik switches running SwOS or SwOS Lite with no good way to manage them centrally? This library has you covered. Built by reverse engineering the SwOS HTTP API, it provides complete programmatic access to all switch features. Works with both SwOS and SwOS Lite, supports everything from port configs and PoE to VLANs and SNMP settings. Comes with a CLI tool for quick lookups and a full Ansible module for managing your entire switch fleet through YAML playbooks. Compatible with CRS305, CRS310, CRS326, CSS610 and other SwOS-based switches.

November 15, 2025 · 1 min · Ian Foster

Drouter

Drouter provides dynamic route injection for Docker containers through label-based configuration. The systemd service monitors Docker containers and automatically configures static routes in their network namespaces without requiring elevated privileges within the containers themselves. The system uses Docker labels to specify routing rules and applies them automatically when containers start or stop. This enables complex networking setups where containers need custom routing tables while maintaining security by avoiding privileged container execution for network configuration tasks.

September 21, 2025 · 1 min · Ian Foster

Drouter: Dynamic Route Injection for Docker Containers

When working with Docker containers on complex networks, you often need to add static routes so containers can reach networks that aren’t directly connected to their default gateway. This becomes especially important when using macvlan network drivers where containers get their own IP addresses on your physical network. I’ve just released drouter, a lightweight systemd service that solves this problem by automatically injecting routes into Docker containers based on simple labels. The Problem: Consider this scenario: you’re using a macvlan network driver so your containers get real IP addresses on your network (say 192.168.1.0/24). Your router is at 192.168.1.1, but you have additional internal subnets like 10.0.0.0/8 that are reachable through a different gateway at 192.168.1.254. ...

September 20, 2025 · 3 min · Ian Foster

ARIN IPv4 Waitlist Tracking

ARIN IPv4 Wait-list Tracking analyzes ARIN’s IPv4 address wait-list and provides statistical insights into wait times and allocation patterns. The Python-based system tracks historical data on IPv4 block requests and clearances to estimate processing times for different network block sizes. The web dashboard displays real-time analytics including current wait-list sizes, estimated wait times for /22, /23, and /24 blocks, and historical trends in IPv4 address allocation. This tool helps network administrators understand IPv4 scarcity patterns and plan address allocation strategies as IPv4 exhaustion continues.

September 20, 2025 · 1 min · Ian Foster

Adtran Fiber ISP Hacking

Adtran 411 Security Audit: Adtran produces equipment for fiber ISPs. I was provided an Adtran 411 by my current ISP for Internet access and decided to take a deep look into it. Hardware: The Adtran 411 is a small GPON fiber ONT (Optical Network Terminal) designed to give symmetrical gigabit fiber Internet to SOHO users. It connects to the ISP via a GPON uplink and provides the user a normal Ethernet RJ-45 connector to plug their router into and an RJ-11 port for a landline to be tunneled over VoIP. ...

August 15, 2025 · 8 min · Ian Foster

VLAN Scout

VLAN Scout discovers active VLANs and their configurations through passive monitoring and active probing. The tool identifies VLAN segments by analyzing network traffic and attempting connections across different VLAN IDs. The implementation supports multiple discovery protocols including DHCP, IPv6 neighbor discovery, LLDP, and CDP. VLAN Scout can operate in both passive monitoring mode to observe existing traffic and active probing mode to test VLAN accessibility and configuration.

July 22, 2025 · 1 min · Ian Foster

SOCAT and WireGuard: a perfect pair for DPI Bypass

Tunneling WireGuard over TLS using SNI Domain Fronting: There are numerous ways to get unrestricted egress on a restricted network. Here I will demonstrate how to use socat to tunnel a UDP connection over a TLS tunnel with a faked SNI domain in order to bypass network restrictions. This technique works on a restricted network that allows outbound TLS traffic to at least a single domain, but only checks the domain in the TLS Client Hello SNI field, and not the destination IP address. I have found this to be a common setup on many captive portal or restricted networks making use of a DPI firewall to block all other network traffic. ...

May 23, 2025 · 4 min · Ian Foster

Influencing Linux IP Source Address Selection

When creating a socket, unless manually specified, the OS will automatically determine the source address to use. However, the OS’s default choice may not always be desired. Source Address Selection allows for influencing the source address chosen by the OS. What is Source Address Selection? When a host with multiple routable IP addresses sends a packet to another host, it needs to determine which of its local addresses to use as the source “from” address. ...

December 11, 2024 · 7 min · Ian Foster

Caddy Signal Proxy

Caddy Signal Proxy implements a Signal TLS proxy using the Caddy web server and the caddy-l4 plugin. The configuration enables Signal messaging clients to connect through a TLS proxy for improved privacy or to bypass network restrictions. The deployment uses Docker Compose with a minimal configuration that can be integrated into existing Caddy setups. The proxy handles TLS termination and forwarding for Signal’s messaging infrastructure, requiring only a domain name configuration to operate.

September 25, 2024 · 1 min · Ian Foster

Creating a MikroTik BGP.Tools Session

When running a network with its own ASN, you will likely end up spending some time working with BGP. Knowing how your peer networks connect can help with your own network planning. BGP.Tools is a service that maps out different networks and the routes between them by having networks opt to provide bgp.tools with a BGP session sharing their exportable routes. This guide will walk you through setting up a BGP.Tools session with a MikroTik router running RouterOS 7. ...

February 11, 2024 · 2 min · Ian Foster

Portquiz

Portquiz tests outbound TCP and UDP connectivity to remote hosts by attempting connections across specified port ranges. The tool identifies which ports can successfully establish connections through network infrastructure such as firewalls, NAT devices, and proxies. The program can detect deep packet inspection (DPI) filtering and other network-level blocking mechanisms. It supports testing individual ports or scanning complete port ranges, with cross-platform compatibility across Windows, macOS, and Linux systems.

January 16, 2024 · 1 min · Ian Foster

Caddy Dynamic RemoteIP

Caddy Dynamic RemoteIP is a Caddy web server module that provides dynamic IP address matching capabilities. The module implements the http.matchers.dynamic_remote_ip matcher, which allows matching requests based on remote IP addresses that are dynamically sourced from configurable modules. Unlike static IP matching, this module enables real-time IP range updates through pluggable IPRangeSource implementations. This is useful for scenarios requiring dynamic access control based on changing IP ranges, such as cloud provider IP lists or threat intelligence feeds.

September 12, 2023 · 1 min · Ian Foster

OpenWrt Tailscale Repository

An opkg repository that builds Tailscale combined packages for OpenWrt devices, specifically providing a backport of Tailscale for OpenWrt 19.07. The project addresses the lack of official Tailscale packages for older OpenWrt versions by providing a flexible build system that generates installable packages across multiple hardware architectures. The repository includes automated build scripts that create opkg feed and package files, allowing users to easily install and configure Tailscale on their OpenWrt 19.07 devices. This enables secure mesh networking capabilities on legacy router firmware, making it simple to connect older OpenWrt devices to a Tailscale network for remote access and site-to-site connectivity.

September 8, 2022 · 1 min · Ian Foster

DNS2mDNS

DNS2mDNS bridges traditional DNS queries with multicast DNS (mDNS) resolution for .local hostnames. The service allows devices that don’t natively support mDNS, such as many Android devices and Windows systems, to resolve local network hostnames through standard DNS queries. The Go implementation acts as a DNS server that intercepts queries for .local domains and forwards them to the mDNS system, then returns the results via standard DNS responses. This enables seamless local hostname resolution across mixed network environments with Docker deployment support.

April 26, 2021 · 1 min · Ian Foster