I used it for a project once. It is good, but make sure you have tested backup and restore (from scratch) before you need it. I found that to be a bit more problematic than usual server business. (but that was 6 years ago)

I second the use of nftables instead. Optimally with a pre-made role like this one: https://galaxy.ansible.com/ui/standalone/roles/ipr-cnrs/nftables/documentation/

absolutely, love it! but that one was high school. if we start with that then the flood gates are open. (and I can name a hundred recommendations)

agreed, that’s the best of 'em!

got something specific in mind, right?

this could be interesting if “collaborative” meant that different instances could federate

Ran into the real ip problem too in prod where we needed ip6 too and the podman version is too old to have anything newer. But running the proxy with network=host and anything behind is listening on 127.0.0.1:x is working well so far. It’s not so elegant as it could be, but it works smoothly.

The raw ovpn and wg config files do integrate well into most(?) network manager GUIs now. But for me auto-connect only worked well there with ovpn and not wg for some reason. It’s quicker to switch than with systemd imo.

I’m sure they quitely deleted those stolen credentials afterwards…