Good, that’s probably the best you can do, I’m not an expert. I also meant, do you have a bulletproof upstream or are they going to terminate your service if you sent too many hacks?

There are a few monero vpns on kycnot.me… You should consider listing there when you feel ready.

Curious about your upstream… Are they going to send takedown letters for torrent seeding? Are you ready for users to hack with your exit nodes and get blacklisted?

This is the catch-22: non-kyc (anonymous) proxies get abused/blacklisted and become useless for anonymous browsing.

I think I have the same protectli as you and it is awesome. Need it for my 2.5gb uplink. I use openwrt on it… Didn’t really like opnsense. I am more used to linux than bsd.

I host lots of services and get bombarded by scrapers, scanners, and skids both at home and on my VPSs.

I use ipset for the usual blocklists which I download regularly. I also have tarpits on 22/tcp (endlessh). I pipe the IPs from the endlessh logs into fail2ban which feeds the ipsets. I have ipset blocks and fail2ban on my home firewall and all VPSs and coordinate over mqtt. So any fail2ban trigger > mqtt > every ipset block. Touch my 22/tcp anywhere and you get banned instantly everywhere. The program I use for this is called vallumd and it runs on openwrt.

I also put maltrail everywhere but I’m not totally sure how to interpret and respond to the results. Probably will implement a pipe from maltrail to my mqtt > blocklist setup.

I don’t do any network-level adblocking… Might be a future project.