Cmd+Delete The Internet
Hello again! Insert generic “gosh I should blog more” here.
Today is more of a technical discussion. I mean it isn’t really, I’m not dropping code, but it’s more about what I’ve done regarding an ongoing pain in my ass. Which is, of course, the internet.
Why do you hate the internet?
I mean I don’t, the internet as a connective technology is pretty game changing for life on earth let’s be fair. Just in terms of telecommunications alone it’s had a staggering impact. I can work from home! Like actually work! Man go back and tell people in the 70s that was 50 years away and they’d be like “woah nuts”. Or their chronologically equivalent statement.
Hang on…
Hey Qwen3, translate “woah that’s nuts” into 70’s slang
…
Okay so apparently “Woah that’s nuts” is 70’s slang. Uhhhhh…
Disregarding that disturbing fact, the problem I have is that the modern internet is basically a dead mall centralised around a handful of boring sites that all seem to be decidedly user unfriendly. Sure they’re easy to use (TikTok just needs you to swipe!) but they’re also all built around psychological abuse and make you feel icky. Plus you waste a ton of time! Where did the cool “all the knowledge in the world is out there” vibe go? Where did all the small websites go? I go to them sure, but most people I know don’t. Most of the messages I get are Facebook reels or YouTube shorts… I don’t want to go to either of those places, they’re time sinks and I don’t want to be there. I’ve got useful things to do, you know?
I mean I assume you know, you’re here reading some blog post on a tiny site that refuses to play the SEO game.

I have people I care about I would like to protect from the deleterious effects of living on the modern surface web. I’d love to show them an internet that is full of wonder and clever ideas, and I want them to see cyberspace as I do: An inherently creative place where your mind is the limit. Heck, it might be therapeutic for a bunch of ’em. But how do we achieve this?
Well, the answer I came to is “First absolutely, then you think about it and build something realistic”. Let’s talk about that.
The Total Internet Occlusion Project
The Total Internet Occlusion Project (or TIO as I refer to it) is/was a plot to do to the internet what Mr Burns does to the sun in Who Shot Mr Burns.

Don’t think about that too hard I’m sure this will anger very few people. And I don’t think they have access to weapons. Guns at least… they probably have knives.
The idea was simple: Segment the entirety of the inner network from the outer network via middleboxes I control. Use TLS interception and strict firewalling to enforce arbitrary policy, and use that to blackhole everything I want to remove from my digital life. The idea is for minimal crossover to the internet.
The original plan was actually insane, and involved building a proxy that, when a request arrived, would curl the page, strip out anything I don’t want, and serve the result back to the client. Sadly too many applications simply assume that HTTPS is more dynamic than that, and in ways you don’t immediately expect. That part died very quickly.
Before we go much further, let me tell you about the current state of the TIO project.
Death Star Plans: Do Not Steal
TIO is in essence one major thing:
- Surveillance Capitalism Bad.
Which breaks down to:
- Self Host what you can
- Pay for what you can’t/won’t
This results in an aggressive self hosting posture with an even more aggressive traffic blackhole-ing strategy. I don’t trust myself to stay off websites by force of will alone, so I make it actually hard to bypass those rules, even for me. I also make it near impossible for those applications to interfere with other things I use, either by blackhole-ing everything about them when they are detected or by self hosting something that lives entirely within the walls of the network. Let’s talk about the core components of that network:
The Dominion
The TLD dominion is recognised inside my network as the space that hosts all my stuff. Not a real TLD, and IANA does not believe it is, but I run my own DNS internally (we’ll get to that) and it resolves dominion.

The Dominion hosts services that most people just take for granted on the internet. File servers for sharing with others, media servers that store my music and video libraries, a git server/codeforge/cicd, the aforementioned DNS server, several networking appliances, a whole dang LLM server and attendant application stack, time capsule servers for MacOS, a SearXNG server, this blog server — and a couple other things I forget right now.
These are all hosted across two Proxmox hosts and one converted Arch Linux gaming rig (though I am planning to convert this to two FreeBSD hosts running Bastille in future, maybe that’s already happened). One Proxmox host is an old gaming laptop with a dead GPU, and the other is an office server I got for $50 at auction once. What I hope to convey is that compute is cheap if you know where to find it.
Most of the time when I open a browser, I’m actually going to one of the Dominion servers. When I leave, it’s usually to go read someone’s blog (trust me I spend so much time personally living on the small web now it’s fantastic). Sometimes though, I have to go find stuff out in cyberspace that I don’t want to visit myself. I have tools to minimise this.
Believe it or not, LLM tech has been really good for this. I can run the local models (at the moment we’re running a set of Qwen 3.6 models, with a couple of Qwen 3 mini-models for utility functions) with access to ephemeral selenium driven browsers that bypass the other constraints I’m about to tell you about. Because all of this behaviour collapses to behind one IP, telling the difference between everyone that uses the network and the autonomous browsing agents is basically impossible. This way I can have dumb robots go collect stuff from the web I don’t want to look at myself. They even use the SearXNG instance to perform searches, it’s so neat.
App Land
If I’m not using the web directly, I’m using apps locally to interface with the web. This is basically the aforementioned LLM space for questions like “Does this restaurant have holiday hours on their socials?” as well as chat things (Discord, mostly due to network effects. But I do run Cinny for Matrix, and those are on the whole very nice spaces to be in. I also run Mattermost both as an app and a server because it has some very cool extensibility options that work well for push notifications to my devices, and also because work uses it).
I also run Ivory as my sole social media application. You will note two things:
- That’s Mastodon! It’s designed to resist any corporate takeover. Just go have a look at how Threads by Meta is working out. Spoiler alert: Like garbage.
- Ivory is an app you pay for. The business case does not require nor do they want to add advertisements.
Speaking of paying for things: Apple. Yes Apple. I run MacOS as a daily driver for human to computer interaction (Ivory probably gave that away).

Look it’s better than being on Windows. I also pay for Apple One, so I get music, news, a whole bunch of ad free mobile games… and this covers nearly everything I do on my phone. Why don’t I just get social media apps cause they’re so fun? Well:
Gravastar
Gravastar is a home-made C++98 replacement for Pihole that works faster, updates more frequently, has better capacity for custom home DNS records (you can do MX and TXT!), uses DoT for upstream by default, is slightly more defensive in how it handles DNS requests, and is just really damn cool.

You can get it here, so long as GitHub is actually up. This is a mirror of the repo on my home hosted Git forge. It’s usually a little behind the development HEAD, but it’s always a release I’m happy with.
Gravastar on my network has an aggressive policy. Any server that has even a whiff of the smell of adtech gets blackholed. This means many an email has images that categorically will not load on my devices. Some blogs are on servers and services that are considered tainted and I simply cannot go there without asking one of the LLMbots to screenshot it for me.
The boundary firewall on my network broadly blocks outbound HTTP/S and DNS, which forces all internal DNS to go via Gravastar. There is no bypass to policy. Even MacOS and iOS devices, which try to load balance between multiple known DNS servers so that a single DNS failure doesn’t muck up your web experience, have no choice but to obey Gravastar policy.
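To make the Gravastar behaviour above concrete, here is an added example (my own illustration, not Gravastar’s code) of the two decisions a DNS blackhole makes for every query: does the name, or any parent of it, sit on the blocklist, and if so what does the client get back. The blocklist names and the query packet are constructed for the example; it builds a raw DNS query, parses it, and returns either an NXDOMAIN response or a Pi-hole style 0.0.0.0 answer for a blocked name.

```python
import struct

# Constructed blocklist for the example; Gravastar's own lists are not on the page.
BLOCKLIST = {"adtech.example", "tracker.example"}


def is_listed(name, listing=BLOCKLIST):
    """True if name, or any parent domain of it, appears in the listing.

    Suffix matching is what makes "even a whiff of adtech" work: listing
    adtech.example also catches cdn.adtech.example and so on.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listing for i in range(len(labels)))


def build_query(name, qtype=1, txid=0x1234):
    """Build a plain DNS query (A record by default) for use as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, question_section) from a DNS query packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("name compression is not valid in a question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, packet[12:pos]


def sinkhole_response(query, mode="nxdomain"):
    """Return a blackhole answer for a blocked name, or None to let it resolve.

    mode="nxdomain": RCODE 3, the name does not exist.
    mode="zero": answer A queries with 0.0.0.0 (the Pi-hole style); non-A
    queries still get NXDOMAIN because 0.0.0.0 is only meaningful for A.
    """
    txid, qname, qtype, question = parse_query(query)
    if not is_listed(qname):
        return None
    if mode == "zero" and qtype == 1:
        flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0 (NOERROR)
        header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
        # answer: pointer to the question name (offset 12), type A, class IN,
        # TTL 60, then the 4 bytes of 0.0.0.0
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(4)
        return header + question + answer
    flags = 0x8183  # QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + question


def rcode(response):
    """Response code from a DNS response header (3 means NXDOMAIN)."""
    return struct.unpack("!H", response[2:4])[0] & 0x0F


if __name__ == "__main__":
    q = build_query("cdn.adtech.example")
    print("blocked ->", rcode(sinkhole_response(q)))          # 3
    print("allowed ->", sinkhole_response(build_query("blog.example")))  # None
```

NXDOMAIN is the more honest of the two modes: a client gets a definitive “no such name” and stops retrying, whereas a 0.0.0.0 answer leaves some applications hammering a connection that can never succeed. A real responder would also attach an SOA record in the authority section so clients can cache the negative answer.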
But, what about DoH? Surely things like Chrome can defeat this system?
Magic Isle
You may note that the Australian Govt has decided (like several other governments) to do age assessment to get to certain websites. I don’t like that idea.
Well, I don’t mind it, so long as it’s a zero-knowledge attestation that keeps all the identifying info with the government that has it anyway, and keeps all of the “where you are going” info away from them. The Govt can only know who you are, the website can only know if you’re an adult or not and which web page you are visiting, and never shall the twain meet. This is totally doable, if a bit weird.
This is not what has been done.
SO, Magic Isle is a TLS intercepting proxy with a policy engine that forwards through a Wireguard VPN that changes its end server every few hours based on a whitelist of locations that do not currently have age gating laws.

Apart from distributing traffic around the internet, Magic Isle has two important jobs:
- Block anything that should have been blocked by Gravastar.
- Block DoH endpoints.
This makes sure that resilient approaches to establishing connections with blacklisted websites and application backends are defeated, and also means I don’t have to worry about geoblocking in general.
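An added example (mine, not Magic Isle’s actual policy engine) of how a TLS intercepting proxy takes the two decisions listed above before it ever decrypts anything: it reads the server_name (SNI) out of the ClientHello and checks it against a DoH endpoint list and the same kind of blocklist Gravastar uses. The hostnames in the lists and the ClientHello bytes are constructed for the example. It assumes the SNI is sent in the clear (a client using Encrypted ClientHello would not expose it); the choice to block connections with no SNI at all is a fail-closed assumption of the example, in keeping with the aggressive policy described on this page, not something the page states.

```python
import struct
from typing import Optional

# Constructed lists for the example; the real Magic Isle policy is not on the page.
DOH_ENDPOINTS = {"doh.example", "resolver.example"}
ADTECH = {"adtech.example", "tracker.example"}


def is_listed(name, listing):
    """Suffix match: listing adtech.example also covers cdn.adtech.example."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listing for i in range(len(labels)))


def extract_sni(record: bytes) -> Optional[str]:
    """Pull the server_name out of a TLS record carrying a ClientHello.

    Returns None for anything that is not a ClientHello or has no SNI.
    Assumes the SNI is in the clear, i.e. the client is not using ECH.
    """
    if len(record) < 5 or record[0] != 0x16:   # content type 22 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:            # handshake type 1 = ClientHello
        return None
    pos = 4 + 2 + 32                            # type+length, legacy_version, random
    sid_len = hs[pos]
    pos += 1 + sid_len                          # legacy_session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                           # cipher_suites
    cm_len = hs[pos]
    pos += 1 + cm_len                           # legacy_compression_methods
    if pos + 2 > len(hs):
        return None                             # no extensions at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                          # server_name extension
            lpos = pos + 2                      # skip server_name_list length
            while lpos + 3 <= pos + elen:
                ntype = hs[lpos]
                nlen = struct.unpack("!H", hs[lpos + 1:lpos + 3])[0]
                if ntype == 0:                  # name type 0 = host_name
                    return hs[lpos + 3:lpos + 3 + nlen].decode("ascii")
                lpos += 3 + nlen
        pos += elen
    return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.3-style ClientHello record as sample input."""
    body = b"\x03\x03" + bytes(32)                  # legacy_version, random (zeros: sample only)
    body += b"\x00"                                 # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # one compression method: null
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: TLS 1.3
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(lst)) + lst           # extension type 0
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def decide(record: bytes) -> str:
    """Policy verdict for the first record of a connection."""
    sni = extract_sni(record)
    if sni is None:
        return "block:no-sni"    # cannot classify it, so fail closed (example's choice)
    if is_listed(sni, DOH_ENDPOINTS):
        return "block:doh"
    if is_listed(sni, ADTECH):
        return "block:adtech"
    return "allow"


if __name__ == "__main__":
    for host in ("blog.example", "doh.example", "cdn.adtech.example"):
        print(host, "->", decide(build_client_hello(host)))
```

Checking the SNI before decrypting is what lets the DoH rule work at all: a browser trying to sneak its resolver traffic out as ordinary HTTPS still has to name the resolver in the ClientHello, and that is the moment the proxy can refuse it. Pair this with the firewall rule that drops any DNS not going to Gravastar and the resilient “try every resolver we know” behaviour has nowhere left to go.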
However, what about when I’m away from home?
Inverse Gateway
The public internet obviously does not have these kinds of controls, so we have a solution for that. Inverse Gateway is a multi-protocol gateway into the Dominion that has ZeroTier, Tailscale, Shadowsocks, and Cloak support.
Basically, ZeroTier and Tailscale are the main routing approaches. They are both super cool and super useful, and they also allow for killswitching on public WiFi — or frankly any network — so nothing gets out and violates policy.
When those fail, we can use Shadowsocks, or if there are real blocking attempts at play we use Cloak, which I have talked about before.
Basically: Policy is aggressive and multilayered, it is technically hard to break policy, and it applies globally regardless of network conditions. The internet is obscured and filtered to my liking. It’s Pretty Dang Cool.
Anyway there is no such thing as the perfect plan, let’s talk about problems:
Problem 1: Apple TV is the Best TV but also it Needs Me To Chill Out
I hate smart TVs. I know, I can hear it:
Oh my god we get it, you hate new things
Not so, imaginary reader! I just don’t like smart TVs. Seriously, the number of these things that just have the smallest processor they could get running the most bloated AndroidTV versions is ridiculous. I’ve seen these things take minutes to boot up. I don’t want cool image processing on the TV either, and I sure as hell don’t want frame interpolation. Can a screen just be a screen please? I don’t have a need for any of this… can’t I just have like, a dumb TV?
Apparently we don’t sell those anymore.
Anyway the AppleTV is basically the go-to for TV experiences due to the high level of Apple Ecosystem in the household. When you’ve got an iPhone and an iPad and a MacBook and a Mac Mini you might as well get an AppleTV so that everything just works. Also it’s specced for the hardware and tends to work.
Windows stopped working and nobody else in my household wants to work with the arcane Linux or BSD environments I set up so Apple it is. “It’s okay, it’s still BSD-like!” I say, crying myself to sleep at night.
The point is everyone is happy. Until I put into place middleboxes to enforce DNS/TLS policy.
When the TV no longer works I am no longer able to do anything, because the problem is now that the TV doesn’t work and everyone knows I am the only person who can get the TV to work. So now the network has a bypass for the Apple TV explicitly so that it can bypass the whole thing. It’s basically the same policy arrangement as the ephemeral browser system for the LLMbots, but it’s just a TV.
Technically this means that the AppleTV can show me ads. However, I don’t watch anything with ads. I’ve got Nebula (11/10 you should subscribe), and the ABC iView app, and of course my own media servers. I don’t really need too much else. Maybe I watch SBS like once or twice a year for sports and Eurovision, but like that’s it.
Problem 2: MacOS Really Doesn’t Like Following Rules
So MacOS. Love that guy. Hey did you know that modern versions of MacOS don’t let you really do kernel extensions for security purposes? And also don’t really let you hook low level stuff for all applications for… security purposes?
I mean, I’d buy it, I know what a good rootkit can do.
However what this means is that Apple apps have Special Privileges that allow them to bypass things other programs take as gospel. For example, did you know they can bypass your VPN whenever they feel like the VPN is doing them wrong?
So Safari (yes I use Safari, I happen to like Safari now that it has actual extensions that work. Also with 100% Apple penetration using Safari is great for session persistence. Don’t tell me you don’t do the same thing with Firefox/Vivaldi/Chrome. What’s that? Safari doesn’t work with a bunch of websites? Well those websites are probably blackholed, so I don’t know what you’re talking about) will just up and use DNS outside your VPN, even with a killswitch in place, if the DNS server goes “What? Facebook? Never heard of him”. This is very annoying as it uses the fact that the external DNS server returns valid responses as a reason to trust that server more, and now none of my Dominion servers are visitable without plugging in an IP address (which, given the applications use dominion addresses, breaks things).
Turns out that because the networking stack is basically lifted from FreeBSD, MacOS will respect exactly one thing: PF rules. Yeah, turns out that Apple systems are all wandering around with a not-really-turned-on copy of the best firewalling solution ever constructed.
I have an app I have paid for called Murus that lets me command and control that firewall. And let me tell you, it can tell MacOS to do things that MacOS really does not want to do.

See these rules right here? No QUIC tunnelling, and no DNS except to either Tailscale’s resolver or Gravastar directly (Tailscale, of course, is mirroring the Gravastar DNS server).
And there you go, now MacOS behaves.
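For anyone without Murus, here is what those two rules look like written out in plain pf.conf syntax. This is an added example, not the author’s Murus ruleset: the Gravastar address 192.0.2.53 is a placeholder you would swap for your own resolver, and 100.100.100.100 is the address Tailscale’s MagicDNS resolver answers on. The rules are written with `quick` so the first match wins, which is why the allow for the approved resolvers sits above the catch-all drops.

```pf
# Added example of the "no QUIC, DNS only to approved resolvers" policy.
# 192.0.2.53 is a placeholder for the Gravastar host; 100.100.100.100 is
# Tailscale's MagicDNS resolver, which mirrors Gravastar on the tailnet.
table <resolvers> { 192.0.2.53, 100.100.100.100 }

set block-policy drop

# No QUIC: HTTP/3 rides on UDP 443, so dropping it forces browsers back to
# TCP, where the TLS intercepting proxy actually gets to see the traffic.
block drop out quick proto udp from any to any port 443

# Plain DNS (and DoT on 853) only to the approved resolvers ...
pass out quick proto { tcp udp } from any to <resolvers> port 53
pass out quick proto tcp from any to <resolvers> port 853

# ... and nothing DNS-shaped to anybody else, including whatever fallback
# resolver Safari decides it trusts more today.
block drop out quick proto { tcp udp } from any to any port 53
block drop out quick proto tcp from any to any port 853
```

Syntax-check a fragment like this with `sudo pfctl -nf /path/to/rules.conf` before loading it with `sudo pfctl -ef /path/to/rules.conf`; on macOS a tool like Murus does the loading for you and keeps the rules in its own anchor. Note that this only closes off port-based escape routes; DoH to a resolver on port 443 over TCP still has to be caught upstream by the SNI policy in the intercepting proxy.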
Conclusion?
I mean this is a work in progress. I have been experimenting with hosting compressed copies of Wikipedia and the Arch Linux Wiki (amongst other things) to reduce internet accesses further. Ideally I want to be in a position where the only time I visit a website is when it’s a website built by some person. Like this one! Mastodon is super good for this, and the friends groups I have are also super into writing and sharing other people’s writings, so it’s working out great.
And my god, the reduction in stress this has brought about! You would not believe the amount of stress being on these sites causes just latently all the time. I’ve been able to deal with the nuts news cycle of 2026 easily because I’m not on the meme and outrage driven hypercycle everyone else is on! It’s calm! It’s quiet! It’s a fucking joy to not be in that space anymore.
Honestly I believe in the original idea of the Internet, that anyone could put whatever they wanted up, and it was a gateway to all the knowledge in the world. I still believe it could be that again, should we decide that the slop we’ve filled it with (and are inventing new and fantastic ways of increasing to scale geometrically) is not actually worth anything. You know what’s better than having all your photos of your kid owned by Meta on their platforms for any person to look at? Owning and operating a private and protected family/friends run server that people can do much the same thing and we can all moderate according to our community tastes. Hopefully the fact that insane setups like this can exist and work for frankly not that much in terms of infrastructure cost can inspire someone to build their own environment for their own community and soon we’ll have a bunch of happy and healthy communities using the internet like the founders intended.
The future is, hopefully, federated. Until then, my little community lives in a beautiful garden separated from the lawless wastes by high walls that are well guarded. Maybe this makes me weird. I however, could not be happier.