I’m not clear about your setups at all sites. In the details for case 4 there’s a Firestick (customized Android) connected to WG (WG running on the Firestick?) but in your summary there’s a laptop in case 4 and the Firestick isn’t mentioned.
I suspect at least part of the problem is that Android does not tunnel hotspot client traffic. It provides Internet but not WG connectivity. Only the phone’s apps will be able to connect through the WG tunnel.
Running Mint for apps like Jellyfin and Icecast that aren’t critical, and Debian for apps like Frigate that are. Mint is easier to manage and more convenient, but Debian is amazingly reliable. Docker is used for everything.
Consider adding Wireguard or similar for anywhere access. I have Tasker automatically connect whenever I’m not on home wifi so everything is always available without having detectable open router ports.
I’ve had a doctor literally come out into the waiting room and sit down and talk golf and stocks with someone for 30 minutes during my appointment time. Other times I’ve been the first appointment in the morning and the doctor has come in 30-40 minutes late anyway. A couple of times I could hear them in the hallway having a friendly chat with someone about something that has nothing to do with patients or the practice. None of my doctors are part of private equity companies and all have 20 minute appointment times.
There’s no question that many doctors are decent, but a full 50% of them are below average.
Roku tries to monitor HDMI activity on Roku TVs so they know exactly what’s being watched at all times. They also insert ads into the menu on a regular basis and sometimes force install apps. Adguard Home has blocked the vast majority of the ads on screen, but from what I’ve found the menu ads can’t be blocked.
If I had Fire TV and it’s as bad as you say it would have been binned long ago.
You didn’t mention it can also recognize and identify wildlife, trash cans, lawnmowers, license plates, delivery truck companies, and even faces.
Avoid Roku devices. Roku had an OK remote and decent UI, but the company has thoroughly enshittified it and turned it into an “advertising everywhere all the time” platform. There is a Jellyfin app that works well though.
I’ve been using Frigate for years. The built in object detection (without subscription) is excellent and very near 100% accurate. Initial setup was somewhat of challenge though. It’s free (donations encouraged) or a low cost subscription for more advanced detection.
As interesting as this is, users are still subject to the whims of a corporation that can completely change their policies each time a new executive is hired.
There’s a graveyard somewhere for apps and services that were free or low cost (and without ads) until the company decided to change their model to restrict or eliminate free usage. Teamviewer, Dropbox, RealVNC, Google Drive, Amazon Prime (ad free) Videos, Duolingo, Youtube, Zoom and Evernote are examples that lots of individuals use.
I’ve personally been bitten by this often enough to avoid any corporation’s “free” service whenever possible.
If you’re not dealing with CGNAT, Dynamic DNS (DDNS) is relatively easy to set up, doesn’t require a VPS and is designed specifically for dealing with changing IP address endpoints.
Instead of connecting using your (sometimes changing) IP address, you use a URL that dynamically updates when your IP changes. For instance, with DDNS you would access your home network using mynetwork.ddnsservice.com. The DDNS service returns your current IP and your connection can complete. Most routers have built DDNS clients that update the DDNS service when your home IP changes.
There are various DDNS services out there, but I like DuckDNS. It’s free (or you can choose to donate), easy to set up and has worked flawlessly for me for years.
Battery charge limit will allow you to set it to stop charging at partial charge. Doing so greatly increases the battery lifespan and can reduce possible fire risk even further while still leaving far more backup time than a UPS would provide.
See if that laptop model allows you to limit the battery charge. If the battery’s still holding a charge, isn’t swollen, and is kept at room temperature you have about a 1 in a million chance of a battery fire.
Parking your car in your garage has hundreds of times more fire risk.
Try testing TLP in battery mode even if you’re not using a laptop. You can configure all kinds of things to your liking with it.
I tried it out a few years ago and none of my server apps showed any noticeable decrease in performance with it running, but my power monitoring plug did show a reduction in power consumption. I ended up leaving it enabled all the time.
I set up KeepassKC with Syncthing temporarily years ago while looking for other options. To my surprise it’s worked so well there’s been no reason to change to anything else.
The database file is always backed up to multiple devices. With Syncthing file versioning turned on older backups are available if that file gets corrupted, but in 8+ years I’ve never had to use one of those older backups.
Initially I was using Syncthing discovery servers which allowed syncing from anywhere, but I’ve since moved away from that. Now everything is run locally and I use Wireguard to connect to my home network when I’m away.
I’d get that old Pi running with a cheap SSD, set up Wireguard (or just use the Syncthing discovery servers), put it on a shelf and forget about it. It’ll probably run for years with minimal attention.
Many of the prominent https VPN protocols are for evading the great firewall of China. OP had that as a requirement
OP said exactly the opposite. Where the fuck do you get this stuff?
Thanks for the link. Will take a look.
Who said anything about China?
OP: “I don’t need strong censorship resistance; it just has to work in offices and hotel WiFis.”
I’ve run Wireguard on 443 (on my router) for exactly that purpose and never had a problem, even when my standard WG port was blocked by some businesses. I’ve since had to move to port 587 due to router conflicts and it’s worked fine so far too.
The battery drain on Android is negligible (at least for my uses) and WG is activated by Tasker whenever my home wifi is out of range. From what I can see WG is configurable via Docker compose.
I’ve been using Linux for years, but on my hardware I’ve never been able to get Ubuntu to work reliably. I now only use it when booting from a USB for backups, but even on a relatively recent Dell laptop with Intel graphics the GUI crashes constantly. IMO it isn’t worth the trouble, but of course someone here will be oh-so offended by that.
After trying dozens of distros I went back to Mint because it just works.
They’re not the only ones. Foscam demanded I fill out and sign an extensive multi-page developer’s agreement before providing 2 HTTP commands to control the siren and light.
What are the tunnel subnets? Are you using a reverse proxy to access local devices, or DNS rewrites?
I’d start by looking for subnet overlap somewhere.