• 0 Posts
  • 4 Comments
Joined 1 month ago
Cake day: March 10th, 2025


  • I use syncthing for some of my “can-never-lose-these” files. syncthing synchronizes files between different devices. This is not an online-file-hosting thing like Google Drive or OneDrive. These files are physically present on all synchronized devices.

    My server is the “main” (you can make everyone equal) syncthing every other syncthing connects to. With an established connection, files will be synchronized on participating devices. AFAIK, syncthing is compatible with Windows, Android and Linux.

    This way, my important files are on my server, my smartphone, my PC and my laptop and every single one of these devices must simultaneously explode for me to lose my data. Also, it’s on docker hub.

    pi-hole is another great one. Local adblocker for the whole network, just set it as your DNS server or let the DHCP server propagate this DNS server to your clients. This too is on docker hub.



  • Set OPNSense default policy

    As far as I remember, OPNSense has a default policy rule of “deny all incoming, allow all outgoing”. If not, this should be one of the first steps to take.

    Get your own VPN

    If you can, you could use your own VPN service. I run a VPS for 6 € / month. If you can get your hands on something like this and install an openvpn server, you could always use that VPN for every connection.

    So even if an attacker hijacks your connection somehow, he would only be able to see encrypted content and all content will be encrypted by a server you own and can verify / trust. You could also integrate this VPN into your OPNSense, so you’ll be connected as soon as OPNSense starts up and has internet.

    Regarding MITM attacks

    Please someone correct me if I am wrong, but MITM attacks should generally be impossible when connecting to SSL-backed connections, right?

    These certificates (or rather the certificate authority the HTTPS certificates have been issued by) are generally trusted by your own operating system. Therefore, if someone wanted to hijack your connection without you getting some kind of certificate error, he would have needed to get his hands on a certificate issued by a worldwide trusted certificate authority and the address name matching the certificate.
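
The two checks the comment above describes (an issuer the client trusts and a name that matches), shown as an added example that is not part of the comment. It assumes the `openssl` command-line tool; the CA names, the `bank.test` and `other.test` hostnames and all files are constructed for the demo, and `trusted-ca` stands in for a CA in the operating system's trust store.

```shell
#!/bin/sh
# Added example: every CA name, hostname (*.test) and file is constructed.
# Assumes the openssl command-line tool (1.1.0 or newer) is installed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME: create a self-signed CA key and certificate.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA HOST OUT: certificate OUT for HOST (subjectAltName), signed by CA.
issue() {
    printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$3.csr" -days 1 -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$3.ext" \
        -out "$WORK/$3.pem" 2>/dev/null
}

# client_accepts TRUSTED_CA HOST CERT: prints "accept" only if CERT chains
# to TRUSTED_CA and is valid for HOST, otherwise "reject".
client_accepts() {
    if openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
        "$WORK/$3.pem" >/dev/null 2>&1
    then echo accept; else echo reject; fi
}

new_ca trusted-ca    # stands in for a CA in the OS trust store
new_ca private-ca    # a CA the client was never told to trust
issue trusted-ca bank.test  genuine     # the real site's certificate
issue private-ca bank.test  untrusted   # right name, unknown issuer
issue trusted-ca other.test wrongname   # trusted issuer, different name

echo "genuine cert for bank.test:        $(client_accepts trusted-ca bank.test genuine)"
echo "unknown issuer, name bank.test:    $(client_accepts trusted-ca bank.test untrusted)"
echo "trusted issuer, name other.test:   $(client_accepts trusted-ca bank.test wrongname)"
echo "same cert, visiting other.test:    $(client_accepts trusted-ca other.test wrongname)"
```

Only the first and last lines print `accept`: a certificate passes when both conditions hold for the host actually being visited.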