From bboard ANNOUNCE BBOARD:

TACKER:  membership (SDF Membership)
SUBJECT: network outage in second cabinet
DATE:    16-Apr-24 01:22:19
HOST:    mx

It looks that we're experience a network outage to our second cabinet
this evening.  A ticket has been opened to address the issue.

This affects ryo.sdf.org, lemmy.sdf.org and ma.sdf.org

Thank you for your patience.



<ANNOUNCE.1.0/2>(87)[ <ENTER> follow thread, (R)EPLY, (F)LAG or (Q)UIT ]

TACKER:  membership (SDF Membership)
SUBJECT: .. network outage in second cabinet
DATE:    16-Apr-24 01:59:59
HOST:    mx

Confirmed that this is only a network outage to the second cabinet and is
currently being worked on by our network service provider.  Hopefully it
will be resolved soon.  Thank you for your patience.


<ANNOUNCE.1.1/2>(6)[ <ENTER> follow thread, (R)EPLY, (F)LAG or (Q)UIT ]

TACKER:  membership (SDF Membership)
SUBJECT: .. network outage in second cabinet
DATE:    16-Apr-24 20:19:30
HOST:    mx

our network provider has reassigned our uplink port for the second cabinet
and the hosts are once against accessible.


(it even blinks! What!? Why?)

<ANNOUNCE.1> Command:

Just relaying it here.

^Note:^ ^I^ ^am^ ^not^ ^affiliated^ ^with^ ^SDF^

Both received and decoded in SatDump on Android.
The 321 composite PNG is 65MB, so I compressed it... and then Imgur compressed it even further so there's some extra compression artifacts, but anyway.

And a note: Look4Sat app seems to have wrong TLE for M No. 2-4. Thankfully there was a similar pass to one shown, just 15 minutes later and more to the west.
TLE on N2YO.com is right.

Edit: Ran the decoder again with baseband. It removed the lines from middle.

Sorry for the lazy meme, I don't know what else to make this branch diagram in.

E.g.:
https://sh.itjust.works/u/testaccount789
https://lemmy.ml/u/testaccount789@sh.itjust.works

I know in past I've successfully updated my display name, and it shows on other instances, so perhaps this problem is new to 0.19.x, but I am not at all sure about that.

First of all a disclaimer: I am not upset about the removal of manual server selection as this is a free service. They don't need to provide such services at all, so something is better than nothing.

What happened:
This morning I opened the ProtonVPN app on my phone and got greeted with a message stating free accounts can now only use automatic server selection and addition of free servers in Poland and Romania.
However, I also noticed split-tunelling is now paywalled as well.

Now, this is rather weird. Split-tunelling is already in the app and is something that works only on the client side, thus not putting any extra load on the servers. Quite the contrary, actually, as it allows some apps to not use the VPN, thus use less bandwidth.
The automatic-selection-only allows for better load balancing, so that makes sense.

Now to the workaround.
They still allow manual OpenVPN and Wireguard setup even for free accounts, at least for now.
To do so, login to ProtonVPN and go to account. There's OpenVPN credentials which are used for OpenVPN authentication. Then go to downloads, select appropriate options including the specific server and download the ovpn config file.
Client: OpenVPN for Android
This app also supports split tunneling (edit config -> Allowed apps).

ProtonVPN has an article on how to set up this app, but it's really just importing the config and adding your OpenVPN ProtonVPN credentials which you grabbed before.

First of all a disclaimer: I am not upset about the removal of manual server selection as this is a free service. They don't need to provide such services at all, so something is better than nothing.

What happened:
This morning I opened the ProtonVPN app on my phone and got greeted with a message stating free accounts can now only use automatic server selection and addition of free servers in Poland and Romania.
However, I also noticed split-tunelling is now paywalled as well.

Now, this is rather weird. Split-tunelling is already in the app and is something that works only on the client side, thus not putting any extra load on the servers. Quite the contrary, actually, as it allows some apps to not use the VPN, thus use less bandwidth.
The automatic-selection-only allows for better load balancing, so that makes sense.

Now to the workaround.
They still allow manual OpenVPN and Wireguard setup even for free accounts, at least for now.
To do so, login to ProtonVPN and go to account. There's OpenVPN credentials which are used for OpenVPN authentication. Then go to downloads, select appropriate options including the specific server and download the ovpn config file.
Client: OpenVPN for Android
This app also supports split tunneling (edit config -> Allowed apps).

ProtonVPN has an article on how to set up this app, but it's really just importing the config and adding your OpenVPN ProtonVPN credentials which you grabbed before.

Idea

There's a computer connected to the WiFi router as a client. This computer has access to internet and shares that connection over HTTP proxy. This also provides ad-blocking.
Clients connected to the WiFi router shouldn't have to configure HTTP proxy server settings, nor should they have access to the computer running the proxy server. This is done via unbridged guest VAP with "client isolation" and "net isolation".

The idea is the same as OpenVPN client setting, or rather like Matsuri proxy toolchain on Android.

The only answers I found talked about redirecting port 80 traffic to HTTP proxy via iptables, but that's not what I want. It would also only work for web traffic I believe, since it's just redirecting it to proxy, and not issuing CONNECT requests.

Specific use case

So... my phone has mobile data. It is also connected to VPN and uses NextDNS for (not only) ad-blocking. In Termux, I setup tinyproxy and also null-routed access to private IP ranges and CG-NAT:

...
#Here I am attempting to null route local IP address ranges by pointing upstream proxy option to 0.0.0.0:0 as described in tinyproxy.conf man page.
#IPv4 localhost
Upstream http 0.0.0.0:0 "127.0.0.1/8"
#IPv4 private adresses
Upstream http 0.0.0.0:0 "10.0.0.0/8"
Upstream http 0.0.0.0:0 "172.16.0.0/12"
Upstream http 0.0.0.0:0 "192.168.0.0/16"
#IPv4 CG-NAT (I am not sure this helps anything, but it doesn't hurt either)
Upstream http 0.0.0.0:0 "100.64.0.0/10"
#IPv4 link-local
Upstream http 0.0.0.0:0 "169.254.0.0/16"
#IPv6 localhost
Upstream http 0.0.0.0:0 "::1"
#IPv6 Unique Local Addresses
Upstream http 0.0.0.0:0 "fc00::/8"
#IPv6 private addresses (excl. ULA)
Upstream http 0.0.0.0:0 "fd00::/8"
#IPv6 link-local addresses
Upstream http 0.0.0.0:0 "fe80::/10"

This is fine if the phone is accessible to other hosts and setting up proxy on each host isn't a problem. For example, it's useful on a school network.
But that's not the case here.

Purpose

Forcing all users to use VPN, be subject to my blocking, and provide larger range than phone's hotspot.
Fun fact: The first thing can be achieved via hotspot on devices running PixelExperience custom ROM.

Not so possible solution

Running OpenVPN server on the phone. DD-WRT already has OpenVPN client. Unfortunately, this would require root, it seems.

Partial solution

The partial solution is connecting the router to VPN somewhat directly and also setting it to use NextDNS.

I was trying to write a guide here, but it was getting unnecessarily long.
So just TL;DR:
Setting up the router to use OpenVPN but replacing IP and port with phone's desired options, setting up the router to use only NextDNS, connecting phone to both WiFi and mobile data, forcing it to use mobile data for internet, doing port forwarding to the actual OpenVPN server using socat in Termux.

This has flaws though. I either have to setup split-tunelling for Termux, or end up with VPN-over-VPN if I also want VPN on the phone. Secondly, whatever VPN you're using may only allow limited number of clients per user.

Other use cases

Simple internet access in network where only internet access is via HTTP proxy (e.g.: campus network), connection via Tor using its HTTP proxy.

If you have any ideas, thanks. If not, still thanks as you read at least a part of this.