frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Terpstra Keyboard

http://terpstrakeyboard.com/web-app/keys.htm
84•xeonmc•2h ago•25 comments

MiniMax-M1 open-weight, large-scale hybrid-attention reasoning model

https://github.com/MiniMax-AI/MiniMax-M1
196•danboarder•6h ago•42 comments

Scrappy - make little apps for you and your friends

https://pontus.granstrom.me/scrappy/
261•8organicbits•7h ago•83 comments

I counted all of the yurts in Mongolia using machine learning

https://monroeclinton.com/counting-all-yurts-in-mongolia/
97•furkansahin•5h ago•20 comments

Honda conducts successful launch and landing of experimental reusable rocket

https://global.honda/en/topics/2025/c_2025-06-17ceng.html
1128•LorenDB•22h ago•349 comments

The Grug Brained Developer (2022)

https://grugbrain.dev/
850•smartmic•16h ago•365 comments

Homomorphically Encrypting CRDTs

https://jakelazaroff.com/words/homomorphically-encrypted-crdts/
7•jakelazaroff•11m ago•1 comments

Jiga (YC W21) Is Hiring Software Engs to Make Like of Mech Engs Easier

https://www.workatastartup.com/companies/jiga
1•grmmph•1h ago

Is There a Half-Life for the Success Rates of AI Agents?

https://www.tobyord.com/writing/half-life
15•EvgeniyZh•2h ago•0 comments

Introduction to the A* Algorithm

https://www.redblobgames.com/pathfinding/a-star/introduction.html
39•auraham•1d ago•16 comments

Show HN: Lstr – A modern, interactive tree command written in Rust

https://github.com/bgreenwell/lstr
161•w108bmg•11h ago•43 comments

Building Effective AI Agents

https://www.anthropic.com/engineering/building-effective-agents
425•Anon84•19h ago•74 comments

A Straightforward Explanation of the Good Regulator Theorem

https://www.lesswrong.com/posts/JQefBJDHG6Wgffw6T/a-straightforward-explanation-of-the-good-regulator-theorem
25•surprisetalk•3d ago•3 comments

3D-printed device splits white noise into an acoustic rainbow without power

https://phys.org/news/2025-06-3d-device-white-noise-acoustic.html
175•rbanffy•2d ago•43 comments

OpenSERDES – Open Hardware Serializer/Deserializer (SerDes) in Verilog

https://github.com/SparcLab/OpenSERDES
53•peter_d_sherman•9h ago•5 comments

What Google Translate can tell us about vibecoding

https://ingrids.space/posts/what-google-translate-can-tell-us-about-vibecoding/
212•todsacerdoti•17h ago•117 comments

Preparation of a neutral nitrogen allotrope hexanitrogen C2h-N6

https://www.nature.com/articles/s41586-025-09032-9
16•bilsbie•2d ago•12 comments

Now might be the best time to learn software development

https://substack.com/home/post/p-165655726
257•nathanfig•22h ago•189 comments

Making 2.5 Flash and 2.5 Pro GA, and introducing Gemini 2.5 Flash-Lite

https://blog.google/products/gemini/gemini-2-5-model-family-expands/
335•meetpateltech•21h ago•191 comments

Why I Won't Use AI

https://agentultra.com/blog/why-i-wont-use-ai/index.html
25•milen•39m ago•7 comments

Resurrecting a dead torrent tracker and finding 3M peers

https://kianbradley.com/2025/06/15/resurrecting-a-dead-tracker.html
567•k-ian•19h ago•175 comments

Why JPEGs still rule the web (2024)

https://spectrum.ieee.org/jpeg-image-format-history
187•purpleko•22h ago•337 comments

LLMs pose an interesting problem for DSL designers

https://kirancodes.me/posts/log-lang-design-llms.html
180•gopiandcode•17h ago•113 comments

Timescale Is Now TigerData

https://www.tigerdata.com/blog/timescale-becomes-tigerdata
131•pbowyer•22h ago•96 comments

Proofs Without Words

https://artofproblemsolving.com/wiki/index.php/Proofs_without_words
68•squircle•4d ago•15 comments

Bzip2 crate switches from C to 100% Rust

https://trifectatech.org/blog/bzip2-crate-switches-from-c-to-rust/
293•Bogdanp•17h ago•136 comments

Time Series Forecasting with Graph Transformers

https://kumo.ai/research/time-series-forecasting/
106•turntable_pride•19h ago•32 comments

Locally hosting an internet-connected server

https://mjg59.dreamwidth.org/72095.html
73•pabs3•8h ago•63 comments

Dinesh’s Mid-Summer Death Valley Walk (1998)

https://dineshdesai.info/dv/photos.html
73•wonger_•13h ago•28 comments

Strangers in the Middle of a City: The John and Jane Does of L.A. Medical Center

https://www.latimes.com/science/story/2025-06-15/l-a-seeks-help-for-a-patient-with-no-name
33•dangle1•2d ago•11 comments
Open in hackernews

Locally hosting an internet-connected server

https://mjg59.dreamwidth.org/72095.html
73•pabs3•8h ago

Comments

DougN7•6h ago
Why not use a dynamic DNS service instead? I’ve been using dyn.com (now oci.dyn.com) for years and it has worked great. A bonus is many home routers have support built in.
mjg59•6h ago
I have multiple devices on my internal network that I want to exist outside, and dynamic DNS is only going to let me expose one of them
rkagerer•6h ago
If they don't all need distinct external IP addresses of their own, port forwarding is a typical approach.
mjg59•6h ago
That doesn't work well if you want to run the same service on multiple machines. For some you can proxy that (eg, for web you can just run nginx to proxy everything based on either the host header or SNI data), but for others you can't - you're only going to be able to have one machine accepting port 22 traffic for ssh.
chgs•6h ago
Select an isp that gives you multiple ip v4 addresses. Or host on ipv6.
mjg59•6h ago
Yes, if I had multiple IPv4 addresses already it wouldn't be necessary to tunnel in additional IPv4 addresses, but since I don't and since there are no ISPs who will provide that to me at this physical address, tunneling is where I am.
v5v3•6h ago
In many countries, unless you buy a business broadband package (more expensive),residential internet does not come with such options.
herbst•6h ago
You can port forward SSH to other internal machines, just like nginx + web.
mjg59•5h ago
I can port forward port 22 to a single machine. I can't proxy port 22 in a way that directs the incoming connection to the correct machine, at least not without client configuration.
koolba•5h ago
You only need one inbound machine as your bastion. Then hop from there to the rest using local address. Once you set up the proxy config in ssh it’s completely transparent.
mjg59•5h ago
Right yes but I (for various reasons) end up using a lot of different client systems and I don't want to have to configure all of them to transparently jumphost or use different port numbers and why are people spending so much time trying to tell me that I should make my life complicated in a different way to the one I've chosen?
mnw21cam•2h ago
Yeah, I currently have a VPS with various SSH port forwards allowing me to direct incoming connections of various types to my home computer which is behind NAT. It's evil and horrible and nasty for various reasons, not least of which that all your incoming connections look to your inner server like they come from the same IP address, preventing you from logging or filtering the source of any request. And you need to make sure if you forward incoming connections to your SMTP server that it doesn't think they are local trusted connections that it can relay onwards, turning your setup into an open relay.

Seriously thinking about switching to a setup similar to the article. I mean, my setup works for now, but it's un-pretty.

mvanbaak•4h ago
ipv6 has solved this. Too bad it's not yet a common thing.
messe•5h ago
Only works if you're not behind CGNAT, which has problems in and of itself. I pay my ISP an extra 29 DKK (about 4.50 USD at the moment) for a static address; my IPv4 connections and downloads in-general became way more stable after getting out from behind CGNAT.
neepi•5h ago
CGNAT is hell. Here I had to choose between crap bandwidth or CGNAT. I chose crap bandwidth.
immibis•4h ago
Hell for hosting, but if you're doing adversarial interoperability as a client, it does help you avoid being IP-banned. (At least in Western countries. I hear that Africa and Latin America tend to just get their CGNAT gateways banned because site operators don't give a shit about whether users from those regions can use their sites)
neepi•3h ago
Not quite. I'm in the UK and some of our customers get blocked by overzealous CDNs and they're all on CGNAT.
jeroenhd•20m ago
The client feature only works for websites that care about making exceptions for CGNAT users. Plenty of them simply ban the shared addresses.

That's part of the reason why countries like India are getting so many CAPTCHAs: websites don't care for the reason behind lackluster IP plans from CGNAT ISPs. If the ISP offered IPv6 support, people wouldn't have so many issues, but alas, apparently there's money for shitty CGNAT boxes but not IPv6 routers.

jaoane•3h ago
CGNAT is completely irrelevant to the average person. It’s only an issue if you expect others to connect to you, which is something that almost all people don’t need.

(inb4 but the internet was made to receive connections! Well yes, decades ago maybe. But that’s not the way things have evolved. Get with the times.)

juergbi•3h ago
Cloudflare sometimes preventing access to some sites and annoying CAPTCHA challenges due to CGNAT are relevant to the average person.

Full IPv6 support should be a requirement for both ISPs as well as websites and other servers.

jaoane•3h ago
> Cloudflare sometimes preventing access to some sites and annoying CAPTCHA challenges due to CGNAT are relevant to the average person.

They would be, but thankfully CGNAT doesn’t cause that.

messe•1h ago
It contributes to it, because now you're behind the same public IP address as X other people. You're then X-times more likely to get flagged as suspicious and need to enter a CAPTCHA X-times more frequently.
jaoane•1h ago
Cloudflare easily detects that using your discrete external port range and knows better than to show you a CAPTCHA.
jeroenhd•18m ago
It's not a direct cause, but if an IP is hitting my website with spam, I don't care if it's a spam bot or a CGNAT exit point. The only way to stop the spam is to take action against the IP address. For CGNAT customers, that means extra CAPTCHAs or worse.

You can ask your ISP for your own IPv6 subnet if you don't want to be lumped in with the people whose computers and phones are part of a scraping/spamming botnet.

thedanbob•1h ago
This is what I do, except the dynamic DNS service is just a script on my server that updates Cloudflare DNS with my current external IP. In practice my address is almost static, I've never seen it change except when my router is reset/reconfigured.
kinduff•6h ago
This is an interesting solution and wouldn't mind using one of my existing servers as a gateway or proxy (?).

Is there a way to be selective about what ports are exposed from the host to the target? The target could handle it but fine grained control is nice.

mjg59•6h ago
You could just set a default deny iptables policy for forwarding to that host, and then explicitly open the ports you want
baobun•5h ago
iptables is legacy now and if you're not already well-versed in it, better go straight to nftables (which should be easier to get started with anyway). On modern systems, iptables commands are translated to nftables equivalents by transitional package.
lazylizard•6h ago
you can also run a proxy on the vps instead of the nat.
mjg59•6h ago
Depends on the protocol. For web, sure - for ssh, nope, since the protocol doesn't indicate which machine it's trying to connect to and so you don't know where to proxy it to.
baobun•5h ago
You can still TCP proxy SSH just fine (one port per target host obv)

Certain UDP-based protocols may be hairier, though.

PhilipRoman•4h ago
Socket based proxying is better for this, since you eliminate one point from your attack surface (if your proxy server gets compromised, it's just encrypted ssh/TLS)
v5v3•6h ago
I would suggest putting a disclaimer on the article to warn any noobs that prior to opening up a server on the internet basic security needs to be in place.
politelemon•6h ago
Another alternative could be a cloudflare tunnel. It requires installing their Daemon on the server and setting up DNS in their control panel. No ports need opening from the outside in.
troupo•1h ago
I used to expose a site hosted on my home NAS through it, and now I do the same from a server at Hetzner.

Works like magic :)

jeroenhd•15m ago
The downside of the Cloudflare approach is that yet more websites are behind Cloudflare's control. The VPS approach works pretty much the same way Cloudflare does, but without the centralized control.

On the other hand, Cloudflare is a pretty easy solution against spam bots and scrapers. Probably a better choice if that's something you need protection against.

PaulKeeble•12m ago
Everyone does these days, although its really the AI scrapers you need defence from and Cloudflare isn't doing so good at that yet.
KronisLV•5h ago
Lovely write up! Personally, I just settled on Tailscale so I don’t have to manage WireGuard and iptables myself.

For a while I also thought that regular SSH tunnels would be enough but they kept failing occasionally even with autossh.

Oh and I got bitten by Docker default MTU settings when trying to add everything to the same Swarm cluster.

Daviey•5h ago
The commentents suggest Tailscale, but the author assumes this could only mean Funnel, but you could use Tailscale/Headscale for handling the wiregiard and low-level networking / IP Allocation.

Then doing straight-forward iptables or L7, or reverse proxy via Caddy, Nginx, etc, directly to the routable IP address.

The outcome is the ~same, bonus is not having to handle the lower level component, negative is an extra "thing" to manage.

But this is how I do the same thing, and i'm quite happy with the result. I can also trivially add additional devices, and even use it for egress, giving me a good pool of exit-IP addresses.

(Note, I was going to add this as a comment on the blog, but it seems their captcha service is broken would not display - so it was blocked)

zokier•5h ago
Yeah, this is the way to do this. I'm pretty sure that if you for some reason do not want to run wireguard on all your servers you could fairly easily adjust this recipe to have a centralized wg gateway on your local network instead.

I think I've seen some scripts floating around to automate this process but can't remember where. There are lots of good related tools listed here: https://github.com/anderspitman/awesome-tunneling

eqvinox•5h ago
I would highly recommend reading up on VRFs and slotting that into the policy routing bits. It's really almost the same thing (same "ip route" commands with 'table' even), but better encapsulated.
JdeBP•5h ago
This and the comments highlight how bad many ISPs in North America and Western Europe are at IPv6, still, in 2025, and the lengths to which people will go to treat that as damage and literally route around it.

One of the biggest ISPs in my country has been promising IPv6 since 2016. Another, smaller, competitor, advertised on "World IPv6 Day" in 2011 that it was way ahead of the competition on supplying IPv6; but in fact does not supply it today.

One of the answers I see given a lot over the years is: Yes, I know that I could do this simply with IPv6. But ISPs around here don't route IPv6, or even formally provide statically-assigned IPv4 to non-business customers. So I have had to build this Heath Robinson contraption instead.

mjg59•4h ago
Pretty much! My ISP was founded by https://en.wikipedia.org/wiki/Rudy_Rucker and is somewhat cheap and delightful and happily routes me a good amount of IPv6, and every 48 hours or so it RAs me an entirely different range even though I still have validity on the lease for the old one and everything breaks, so I've had to turn IPv6 off entirely (I sent dumps of the relevant lease traffic to support, they said they'd look into it, and then the ticket auto closed after being inactive for two years). I spent a while trying to make things work with IPv6 but the combination of it being broken at my end and also there still being enough people I want to provide access to who don't have it means it just wasn't a good option.
anonymousiam•4h ago
One of my places uses Frontier FiOS (soon to become Verizon again). They have zero support for IPv6, and it isn't even on their roadmap.

I use a static HE (Hurricane Electric) IPv6 tunnel there, and it works great.

The only issue is that YouTube thinks the IPv6 block is commercial or an AI dev scraping their content, so I can't look at videos unless I'm logged in to YouTube.

stego-tech•36m ago
I’m also on FiOS, and despite repeated statements to the effect I’d never get IPv6 on my (20 year) old ONT, I’ve got a nice little /56 block assigned on my kit via DHCPv6. Problem is that, as it’s a DHCP block, it changes, and Namecheap presently does not offer any sort of Dynamic DNS for IPv6 addresses.

Still, it let me tear down the HE IPv6 tunnel I was also running, since the sole reason I needed IPv6 was so our household game consoles could all play online without cursed firewall rules and IP reservations. I’m pretty chuffed with the present status quo, even if it’s far from perfect.

One other thing I’d note about OPs article (for folks considering it as a way to work around shitty ISP policies) is that once you have this up and running, you also have a perfect setup for a reverse proxy deployment for your public services. Just make sure you’re watching your bandwidth so you don’t get a surprise bill.

jxjnskkzxxhx•4h ago
> Heath Robinson contraption

Ah, I see you also watched that video yesterday on manufacturing a tiny electric rotor.

JdeBP•4h ago
I actually learned the expression when I was a child, via the Professor Branestawm books.
jxjnskkzxxhx•1h ago
Ok so this is genuinely a case of I see an expression for the first time, learn an expression it, and then see it again immediately after. Fun.
57473m3n7Fur7h3•45m ago
The Baader–Meinhof phenomenon strikes again!
Joeboy•2h ago
"Heath Robinson" is British English for "Rube Goldberg".
jxjnskkzxxhx•1h ago
TIL
jeroenhd•25m ago
I'm in western Europe and every ISP but the ultra cheap ones and the niche use case ones have stable IPv6 prefixes. Some do /48, others /56.

IPv4 is getting CGNAT'd more and more, on the other hand. One national ISP basically lets you pick between IPv4 CGNAT and IPv6 support (with IPv6 being the default). Another has been rolling out CGNAT IPv4 for new customers (at first without even offering IPv6, took them a few months to correct that).

This isn't even an "America and Western Europe" thing. It's a "whatever batshit insane approach the local ISP took" thing. And it's not just affecting IPv6 either.

PaulKeeble•14m ago
Mine officially supports it. However having configured the Prefix as they define and using SLAAC etc all my devices get their IPv6 addresses and can access the internet, I can even connect from outside the network so it all "works", but I have a bunch of issues. Neither of my ISPs defined DNS servers is available, I can't route one of the OpenDNS routers but the other works fine and then I have these periods where the entirity of IPv6 routing breaks for about a minute and then restores. Having done this with two different routers on completely different firmware now I can't help but think my official support from my ISP is garbage and they have major problems with it. I had to turn it off because it causes all sorts of problems.
anonymousiam•4h ago
I did the same thing 20 years ago, but I used vtun because Wireguard didn't exist yet. It's a cool way to get around the bogus limitations on residential static IP addresses.

At the time, my FiOS was about $80/month, but they wanted $300/month for a static IP. I used a VPS (at the time with CrystalTech), which was less than $50/month. Net savings: $170/month.

lostlogin•4h ago
> At the time, my FiOS was about $80/month, but they wanted $300/month for a static IP.

So ridiculous.

It’s fast, far quicker than I can use, and the static IP was a one off $10 or similar.

xiconfjs•4h ago
Quote from OPs ISP [1]:

"Factors leading to a successful installation: Safe access to the roof without need for a helicopter."

[1] https://www.monkeybrains.net/residential.php#residential

uncircle•3h ago
I wish I had access to a small ISP. It is comforting to know that if something goes wrong, on the other end of the line there is someone with a Cisco shell open ready to run a traceroute.
ghoshbishakh•2h ago
There are tools specifically built for hosting stuff without public IP such as https://pinggy.io
dismalpedigree•2h ago
I do something similar. I run a nebula network. The vps has haproxy and is passing the encrypted data to the hosts using sni to figure out the specific host. No keys on the vps.

The vps and each host are each nebula nodes. I can put the nodes wherever i want. Some are on an additional vps, some are running on proxmox locally. I even have one application running as a geo-isolated and redundant application on a small computer at my friend’s house in another state.

remram•2m ago
This Nebula? https://github.com/slackhq/nebula
PeterStuer•1h ago
I run a very small VPS at Hetzner with Pangolin on it that takes care of all the Traefic Wireguard tunneling to my home servers. Very easy to set up and operate.

https://fossorial.io/

thatcherc•1h ago
Cool! Do you like that approach? I've thought about setting up that exact thing but I wasn't sure how well it would work in practice. Are there any pitfalls you ran into early on? I might give it a shot after your "very easy to set up and operate" review!