Full-Stack Developer specializing in performance optimization, team leadership, and end-to-end product ownership. Experienced with modern tech stacks, global remote collaboration, and delivering high-impact solutions.
You can find my social media or resume below.
Tailscale banner
Exposing Local Development Servers Securely with Tailscale Serve As developers, we often need to expose local services to other devices—whether that’s for testing on a phone, sharing work-in-progress with a teammate, or running an integration test across machines. Tools like ngrok have been the go-to solution, but there’s a simpler, more secure option if you already use Tailscale: Tailscale Serve. In this post, I’ll walk through how you can use Tailscale Serve to make a local Dockerized Rails + Ember setup available from your laptop, without editing your docker-compose.yml. ...
The Tapo C200 cameras insist on contacting public NTP servers to sync their clock. If you block them from reaching the Internet (a good idea for security), the cameras will slowly drift out of sync because they ignore the DHCP-provided NTP option. The solution is simple: run an NTP server on your OpenWrt router and transparently redirect the cameras’ NTP traffic to it. Step 1 — Enable NTP on OpenWrt Make sure your router itself syncs time and provides it to LAN devices. ...
1 What Pangolin Does Pangolin is a lightweight edge gateway built to work with Tailscale Funnel: Exposes internal services over HTTPS on port 443 Automatically issues Let’s Encrypt certificates Adds optional OAuth 2 / OIDC log-in screens Routes by hostname or path from a clean web dashboard Minimal example: 1 2 pangolin service add grafana http://localhost:3000 tailscale funnel enable grafana You can then visit: https://grafana.apps.example.com 2 The Wildcard Collision We already had Coolify managing our apps at *.example.com with its own wildcard TLS certificate. ...
TL;DR If every Real-Debrid call suddenly bombs with\ TLS connect error: packet length too long (or invalid SSL record) and you’re on a Turkish ISP, the state DPI filter is intercepting api.real-debrid.com ( 94.140.0.0/16 ). Point your client at https://app.real-debrid.com instead—or route that /16 through a VPN—and everything works again. What Happened? Early 2025: Turkey’s national content-filtering infrastructure quietly added the entire 94.140.0.0/16 range (Real-Debrid’s API/download servers) to its block list. The filter works even on port 443. When your client starts a TLS handshake, the DPI box injects a plain-text HTTP page (“Access denied”) instead of letting the SSL packets through. OpenSSL/mbedTLS instantly bails out, surfacing cryptic errors like packet length too long or invalid SSL record. The public front-end real-debrid.com lives on Cloudflare (different IPs) and still loads fine, so Real-Debrid’s own /vpn checker says “Your IP isn’t blocked,” adding to the confusion. How We Diagnosed It Test Result Interpretation curl -I https://api.real-debrid.com/rest/1.0/user TLS connect error… Remote side sent non-TLS bytes. curl -I https://app.real-debrid.com/rest/1.0/user HTTP/1.1 200 OK Alternate host works; block is IP-based. Packet capture (tcpdump -A host 94.140.4.10) Immediately shows HTTP/1.1 403 in plain text Proof the block page is injected before TLS finishes. Mobile data (no Wi-Fi) API accessible Confirms the fixed-line IP range is affected, not user accounts. 2 Ways to Solve It 1 — Switch Hostnames (fastest) Real-Debrid mirrors every API endpoint on app.real-debrid.com. Change your client’s base URL or hijack DNS (/etc/hosts, Pi-hole, OpenWrt dnsmasq). Takes under two minutes, survives router reboots, and needs no VPN. ...