The IncogNET thread - Discussion, news and updates.

ServerBachelor · March 5

@MatthewM said:
Looks like the downtime has returned..... 5 different outages today in BG.

I'm not having issues in BG at this moment.

Nekopara · March 5

@MatthewM said:
Looks like the downtime has returned..... 5 different outages today in BG.

yep...

ServerBachelor · March 5

@Nekopara said:

@MatthewM said:
Looks like the downtime has returned..... 5 different outages today in BG.

yep...

Yep SSH is refusing for me

slowservers · March 6

I'm curious if at least one VPS on the host can provide sar logs that include the downtime.

Connection refused for SSH is weird. I would expect no response, or most likely no handshake.

ServerBachelor · March 6

@slowservers said:
I'm curious if at least one VPS on the host can provide sar logs that include the downtime.

Connection refused for SSH is weird. I would expect no response, or most likely no handshake.

Sometimes I get no response. Other times SSH refused.

forest · March 6

@ServerBachelor said:

@slowservers said:
I'm curious if at least one VPS on the host can provide sar logs that include the downtime.

Connection refused for SSH is weird. I would expect no response, or most likely no handshake.

Sometimes I get no response. Other times SSH refused.

Connect over VNC and run tcpdump while trying to establish an SSH connection.

forest · March 6

Steal is even worse now, hovering at 70%. The Tor process, which normally takes under 50% CPU to relay ~50 Mbps, is taking 99% of the CPU to relay only 2 Mbps.

ServerBachelor · March 11

@ServerBachelor said:

@MannDude said:
Ok, sorry about the Bulgaria incident. This falls on me since the weekends is generally my time to keep an eye on things.

Got the downtime alert but overlooked it by mistake. Been moving to a new home and between packing, going back and forth across town, and other personal life stuff didn't notice until I sat down at my desk and saw the tickets. That is 100% on me.

I've updated how alerts are delivered so they spam us every 30 minutes until resolved. Also working on some better monitoring for individual VM resource consumption since a few VMs in Sweden still like to jump up and use a metric shit-ton of CPU for an amount of time that would be considered abuse. VirtFusion is great but it really lacks internal monitoring like Virtualizor has. Going to review this in more detail ( https://github.com/noxitylabs/virtfusion-cpu-abuse-detector ) and see about some alert delivery via webhooks (Slack, Telegram, SMS, etc)

Anyhow, credit (+1 week) has been applied to everyone already on the impacted hypervisor today. I think there was 3 or 4 people with lifetime plans on this hypervisor, I've added +256MB RAM to your VPS but you need to reboot for it to take effect.

Thanks, I see the free week in BG.

As compensation for the hypervisor issue in Sweden, support offered 512 MB extra RAM on my lifetime plan per ticket #0217Y55Y7. I'm mentioning this again since extra RAM was already applied for Bulgaria lifetime plans, but I understand if persistent hypervisor issues mean that RAM cannot be applied at this moment.

We don't actually have or advertise an SLA of any sort, but when stuff like this happens, especially when things are basically "our fault" (as the case for the slow response today), it only seems fair to compensate.

Incognet has been consistent about this and I commend you and the team for that.

Ticket as been fulfilled as @MannDude was waiting for everything to stabilize. I can report that conditions have stabilized for me. New YABS

# ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #
#              Yet-Another-Bench-Script              #
#                     v2025-04-20                    #
# https://github.com/masonr/yet-another-bench-script #
# ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #

Wed Mar 11 11:48:47 PM GMT 2026

Basic System Information:
---------------------------------
Uptime     : 0 days, 0 hours, 12 minutes
Processor  : AMD EPYC 7402 24-Core Processor
CPU cores  : 1 @ 2794.748 MHz
AES-NI     : ✔ Enabled
VM-x/AMD-V : ✔ Enabled
RAM        : 2.4 GiB
Swap       : 512.0 MiB
Disk       : 29.9 GiB
Distro     : Debian GNU/Linux 12 (bookworm)
Kernel     : 6.1.0-43-amd64
VM Type    : KVM
IPv4/IPv6  : ✔ Online / ✔ Online

IPv6 Network Information:
---------------------------------
ISP        : IncogNet LLC
ASN        : AS40663 IncogNet LLC
Host       : Incognet LLC
Location   : Stockholm, Stockholm County (AB)
Country    : Sweden

fio Disk Speed Tests (Mixed R/W 50/50) (Partition /dev/vda3):
---------------------------------
Block Size | 4k            (IOPS) | 64k           (IOPS)
  ------   | ---            ----  | ----           ---- 
Read       | 178.20 MB/s  (44.5k) | 1.71 GB/s    (26.8k)
Write      | 178.67 MB/s  (44.6k) | 1.72 GB/s    (26.9k)
Total      | 356.87 MB/s  (89.2k) | 3.44 GB/s    (53.8k)
           |                      |                     
Block Size | 512k          (IOPS) | 1m            (IOPS)
  ------   | ---            ----  | ----           ---- 
Read       | 2.01 GB/s     (3.9k) | 2.03 GB/s     (1.9k)
Write      | 2.12 GB/s     (4.1k) | 2.17 GB/s     (2.1k)
Total      | 4.14 GB/s     (8.0k) | 4.21 GB/s     (4.1k)

iperf3 Network Speed Tests (IPv4):
---------------------------------
Provider        | Location (Link)           | Send Speed      | Recv Speed      | Ping           
-----           | -----                     | ----            | ----            | ----           
Clouvider       | London, UK (10G)          | 1.59 Gbits/sec  | 1.32 Gbits/sec  | 24.7 ms        
Eranium         | Amsterdam, NL (100G)      | 1.63 Gbits/sec  | 1.34 Gbits/sec  | 23.8 ms        
Uztelecom       | Tashkent, UZ (10G)        | 1.51 Gbits/sec  | 1.06 Gbits/sec  | 70.1 ms        
Leaseweb        | Singapore, SG (10G)       | 687 Mbits/sec   | 679 Mbits/sec   | 242 ms         
Clouvider       | Los Angeles, CA, US (10G) | 1.16 Gbits/sec  | 538 Mbits/sec   | 148 ms         
Leaseweb        | NYC, NY, US (10G)         | 1.52 Gbits/sec  | 879 Mbits/sec   | 94.3 ms        
Edgoo           | Sao Paulo, BR (1G)        | 721 Mbits/sec   | 385 Mbits/sec   | 218 ms         

iperf3 Network Speed Tests (IPv6):
---------------------------------
Provider        | Location (Link)           | Send Speed      | Recv Speed      | Ping           
-----           | -----                     | ----            | ----            | ----           
Clouvider       | London, UK (10G)          | 1.61 Gbits/sec  | 1.30 Gbits/sec  | 25.2 ms        
Eranium         | Amsterdam, NL (100G)      | 1.62 Gbits/sec  | 1.32 Gbits/sec  | 23.9 ms        
Uztelecom       | Tashkent, UZ (10G)        | 1.55 Gbits/sec  | 1.13 Gbits/sec  | 70.1 ms        
Leaseweb        | Singapore, SG (10G)       | 654 Mbits/sec   | 681 Mbits/sec   | 242 ms         
Clouvider       | Los Angeles, CA, US (10G) | 1.15 Gbits/sec  | 456 Mbits/sec   | 148 ms         
Leaseweb        | NYC, NY, US (10G)         | 1.53 Gbits/sec  | 1.12 Gbits/sec  | 93.9 ms        
Edgoo           | Sao Paulo, BR (1G)        | 704 Mbits/sec   | 326 Mbits/sec   | 217 ms         

Geekbench 6 Benchmark Test:
---------------------------------
Test            | Value                         
                |                               
Single Core     | 1089                          
Multi Core      | 1118                          
Full Test       | https://browser.geekbench.com/v6/cpu/17011000

YABS completed in 17 min 36 sec

forest · March 12

@ServerBachelor said: Ticket as been fulfilled as @MannDude was waiting for everything to stabilize. I can report that conditions have stabilized for me. New YABS

I'm still experiencing high CPU steal, 20-30% in the last 24 hours. Perhaps we are on different SE nodes?

ServerBachelor · March 12

@forest said:

@ServerBachelor said: Ticket as been fulfilled as @MannDude was waiting for everything to stabilize. I can report that conditions have stabilized for me. New YABS

I'm still experiencing high CPU steal, 20-30% in the last 24 hours. Perhaps we are on different SE nodes?

Ran top and watched for a few minutes. Steal never rose above 1%; usually just went to 0.3% every few seconds. It's possible we're on different SE nodes, but we'll need @MannDude to verify.

MannDude · March 12

@forest said:

@ServerBachelor said: Ticket as been fulfilled as @MannDude was waiting for everything to stabilize. I can report that conditions have stabilized for me. New YABS

I'm still experiencing high CPU steal, 20-30% in the last 24 hours. Perhaps we are on different SE nodes?

Shoot me a ticket or PM with the server IP.

forest · March 12

Issue has been resolved! It was residual throttling that hadn't yet been removed. It was removed and CPU steal is now well under 1% again!

forest · March 14

@MannDude Is there any chance you could run a recursive DNS resolver on your host nodes and have it listen on the gateway so VPSes can use it? That would allow Tor exit operators to significantly improve DNS privacy. Operators cannot run it on their assigned IP because some nameservers will block Tor exits, so operators are forced to either purchase a second costly IPv4 just for DNS, or send their DNS queries to upstream, centralized services.

A simple Unbound config in /etc/unbound/unbound.conf that provides a DNS server with caching with a 300 second TTL, strong anti-poisoning techniques, access control so only hosts on that node can use it, and a privacy-preserving local root zone (RFC 8806) would be:

server:
    outgoing-interface: 2001:db8:36ee:14::/64
    outgoing-interface: 203.0.113.125
    interface: 127.0.0.1
    interface: 203.0.113.1
    access-control: 127.0.0.1/32 allow
    access-control: 203.0.113.0/24 allow
    prefer-ip6: yes
    rrset-cache-size: 256m
    msg-cache-size: 128m
    neg-cache-size: 32m
    cache-min-ttl: 300
    prefetch: yes
    prefetch-key: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

auth-zone:
    name: "."
    master: f.root-servers.net
    master: k.root-servers.net
    master: l.root-servers.net
    master: j.root-servers.net
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/lib/unbound/root.zone"

Then all you have to do is have cloud-init put nameserver 203.0.113.1 in /etc/resolv.conf in the VPS guests (and nameserver 127.0.0.1 on the host node itself) and everyone, including Tor exit operators, get fast, private DNS.

In this example, 203.0.113.1 is the gateway that each VPS uses, 203.0.113.125 is a clean IP address on the node (e.g. the node's own IP, not assigned to any VPS), and 2001:db8:36ee:14::/64 is a routed IPv6 subnet with no Tor exits on it.

MannDude · March 15

@forest said:
@MannDude Is there any chance you could run a recursive DNS resolver on your host nodes and have it listen on the gateway so VPSes can use it? That would allow Tor exit operators to significantly improve DNS privacy. Operators cannot run it on their assigned IP because some nameservers will block Tor exits, so operators are forced to either purchase a second costly IPv4 just for DNS, or send their DNS queries to upstream, centralized services.

A simple Unbound config in /etc/unbound/unbound.conf that provides a DNS server with caching with a 300 second TTL, strong anti-poisoning techniques, access control so only hosts on that node can use it, and a privacy-preserving local root zone (RFC 8806) would be:
server:
    outgoing-interface: 2001:db8:36ee:14::/64
    outgoing-interface: 203.0.113.125
    interface: 127.0.0.1
    interface: 203.0.113.1
    access-control: 127.0.0.1/32 allow
    access-control: 203.0.113.0/24 allow
    prefer-ip6: yes
    rrset-cache-size: 256m
    msg-cache-size: 128m
    neg-cache-size: 32m
    cache-min-ttl: 300
    prefetch: yes
    prefetch-key: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

auth-zone:
    name: "."
    master: f.root-servers.net
    master: k.root-servers.net
    master: l.root-servers.net
    master: j.root-servers.net
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/lib/unbound/root.zone"
Then all you have to do is have cloud-init put nameserver 203.0.113.1 in /etc/resolv.conf in the VPS guests (and nameserver 127.0.0.1 on the host node itself) and everyone, including Tor exit operators, get fast, private DNS.

In this example, 203.0.113.1 is the gateway that each VPS uses, 203.0.113.125 is a clean IP address on the node (e.g. the node's own IP, not assigned to any VPS), and 2001:db8:36ee:14::/64 is a routed IPv6 subnet with no Tor exits on it.

I used to but Tor bitched to us about filtering ads. It was the same blocklist we used for VPN, was just ads, trackers and malicious (malware, known phishing, etc) URLs. I couldn't be bothered to setup DNS without filtering for Tor only.

Exits can't have ad blocking DNS apparently so will set something up eventually. 👍

brueggus · March 15

@forest said: @MannDude Is there any chance you could run a recursive DNS resolver on your host nodes and have it listen on the gateway so VPSes can use it? That would allow Tor exit operators to significantly improve DNS privacy.

Shameless plug: There are dnscry.pt relays available in Amsterdam, Liberty Lake and Allentown which don't support plain DNS but DNSCrypt, DoT and DoH, if that helps.

concept · March 15

@forest said:
Is there any chance you could run a recursive DNS resolver on your host nodes and have it listen on the gateway so VPSes can use it? That would allow Tor exit operators to significantly improve DNS privacy. Operators cannot run it on their assigned IP because some nameservers will block Tor exits, so operators are forced to either purchase a second costly IPv4 just for DNS, or send their DNS queries to upstream, centralized services.

That could be a way but tor exit relays generate a lot of dns requests which can cause issues for the dns server if it's unable to handle the load/traffic and of course less centralization. I would prefer just running one myself.

forest · March 15

@brueggus said:

@forest said: @MannDude Is there any chance you could run a recursive DNS resolver on your host nodes and have it listen on the gateway so VPSes can use it? That would allow Tor exit operators to significantly improve DNS privacy.

Shameless plug: There are dnscry.pt relays available in Amsterdam, Liberty Lake and Allentown which don't support plain DNS but DNSCrypt, DoT and DoH, if that helps.

I prefer DoT and, if I need to, would use dns.sb which is a privacy-friendly provider. However that, and DNSCrypt, send the queries to a third party anyway. If the resolver is run on the same node that the exit is hosted on, then it's not being sent to any entity that doesn't already run the exit.

@concept said:

@forest said:
Is there any chance you could run a recursive DNS resolver on your host nodes and have it listen on the gateway so VPSes can use it? That would allow Tor exit operators to significantly improve DNS privacy. Operators cannot run it on their assigned IP because some nameservers will block Tor exits, so operators are forced to either purchase a second costly IPv4 just for DNS, or send their DNS queries to upstream, centralized services.

That could be a way but tor exit relays generate a lot of dns requests which can cause issues for the dns server if it's unable to handle the load/traffic and of course less centralization. I would prefer just running one myself.

Unbound is highly optimized and can handle a tremendous rate of queries. Nothing a Tor exit could do would be able to overload it, and its caching would actually reduce total traffic compared to every VPS simply having 8.8.8.8 in their resolv.conf. Centralization, if it's not centralized to a third party, can actually help as a network-level adversary can no longer determine which lookup came from which exit.

I do run Unbound myself on all my exits, personally, but that requires a second IPv4 which is expensive.

concept · March 15

@forest said:
I do run Unbound myself on all my exits, personally, but that requires a second IPv4 which is expensive.

If you are running only a couple exits having it run locally like mentioned in Tor docs is fine but if you are running a lot of them like some of the bigger operators are then, I would spin up a vps just for dns and it can be used across all the exits.

MannDude · March 16

Hello,

You are receiving this email because you have an active LEGACY VPS in our Liberty Lake, Washington location. Please read this message carefully—it contains important information about planned downtime for your VPS due to upcoming maintenance.

Q: What is a “LEGACY” VPS? A: Any VPS with the (Legacy) tag on your invoice or in your client area. These are the VPS plans we offered and sold generally before 2025 (though a few may have been sold in 2025). If you manage your VPS from this URL: https://control.incogvps.com:4083 — then it is a Legacy VPS.

Q: What exactly are you doing, and why? A: Legacy VPS plans run on Virtualizor, a virtualization platform that was once popular among providers like us. Over the past couple of years, a competing solution has matured significantly and become suitable for production use. We’ve been using this newer platform (VirtFusion) for all new VPS orders since late 2024 / early 2025. It has proven more stable, is backed by a smaller but highly competent team, and we trust it more for long-term security and reliability. Because of this, we will soon migrate your VPS to a new hypervisor running VirtFusion.

Your impacted VPS IP(s): xx.xx.xx.xx

Q: What about downtime? How long will my VPS be offline? A: Unfortunately, there is no live-migration option between the two platforms, so this is a manual process performed one VPS at a time. Downtime varies depending on the VPS: most customers see around 1 hour, though smaller VPSes may come back much faster and larger ones could take longer. The process involves powering off your VPS on the old platform, copying the disk image to the new hypervisor, then powering it on again. After it boots, there may be a short period where you can access it via SSH/RDP/etc. but cannot yet control it from either panel (old or new) while we finish the manual API/data entry to make it manageable from your IncogNET portal. (Read more: here)

Q: When will this happen? A: We plan to start on Wednesday, March 18th. There is no fixed schedule—we have hundreds of Legacy VPSes in Liberty Lake to migrate manually. We don’t know exactly when yours will be processed, and if you have multiple VPSes there, you might receive separate notifications days or even a week apart.

Q: Will my VPS specs/resources change? A: No. You will keep exactly the same resources (CPU, RAM, disk, etc.) you have now, even though these Legacy plans are no longer offered on our website.

Q: I have other Legacy VPSes in different IncogNET locations. When will those be migrated? A: We’re starting with Liberty Lake, then likely moving to Amsterdam next. Kansas City, Missouri and Allentown, Pennsylvania (our smallest POPs) will probably be done last. Our Bulgaria and Sweden locations are already 100% on VirtFusion—no migrations needed there.

In closing, we sincerely apologize for the inconvenience and planned disruption this will cause. We truly believe the switch to VirtFusion will provide better long-term stability and allow us to focus on delivering more consistent, reliable service by retiring support for two separate platforms.

Thank you for your understanding,

IncogNET

NOTE: Do not respond to this email, this is an unmonitored inbox. For questions, please use our helpdesk here: https://portal.incognet.io/

Been using VirtFusion for long enough now that it's time to bite the bullet and force all old legacy users to it.

If you are in LIBERTY LAKE, WA and want to migrate yourself, let me know. Will be happy to not have to manually do it for you. I'll create a new VPS for you of the same specs as your old one and let you manually migrate the data before I terminate your old legacy VPS. There will be an IP change with this method. I can reassign your old IP back to you after the migration, if you want. If you migrate yourself so we don't have to do it for you I'll give you $5 account credit just as a "thank you" for saving us some time.

MannDude · March 17

Scheduled backups are coming soon. Probably be an opt-in at a slightly increased cost, but for those who want to stick to manually triggered offsite backups you should now have the option for 5 backup/restore slots instead of the previous 3.

Getting a new NA and EU backup server online right now to accommodate this.

VirtFusion · March 17

@MannDude said:
Scheduled backups are coming soon. Probably be an opt-in at a slightly increased cost, but for those who want to stick to manually triggered offsite backups you should now have the option for 5 backup/restore slots instead of the previous 3.

Getting a new NA and EU backup server online right now to accommodate this.

I recommend waiting on this. We are about to release v7, which includes a completely new backup and restore system. It features incremental backups with deduplication and is significantly better. Unfortunately, it is not backwards compatible.

MannDude · March 17

@VirtFusion said:

@MannDude said:
Scheduled backups are coming soon. Probably be an opt-in at a slightly increased cost, but for those who want to stick to manually triggered offsite backups you should now have the option for 5 backup/restore slots instead of the previous 3.

Getting a new NA and EU backup server online right now to accommodate this.

I recommend waiting on this. We are about to release v7, which includes a completely new backup and restore system. It features incremental backups with deduplication and is significantly better. Unfortunately, it is not backwards compatible.

I'll wait

forest · March 18

@concept said:

@forest said:
I do run Unbound myself on all my exits, personally, but that requires a second IPv4 which is expensive.

If you are running only a couple exits having it run locally like mentioned in Tor docs is fine but if you are running a lot of them like some of the bigger operators are then, I would spin up a vps just for dns and it can be used across all the exits.

I plan on doing that with DoT eventually, although only for my European servers as that is where most of the exits are. Exits outside of the EU would have too much latency to round-trip DNS there.

MannDude · March 19

@forest said:

@concept said:

@forest said:
I do run Unbound myself on all my exits, personally, but that requires a second IPv4 which is expensive.

If you are running only a couple exits having it run locally like mentioned in Tor docs is fine but if you are running a lot of them like some of the bigger operators are then, I would spin up a vps just for dns and it can be used across all the exits.

I plan on doing that with DoT eventually, although only for my European servers as that is where most of the exits are. Exits outside of the EU would have too much latency to round-trip DNS there.

You'll be happy once we get our Tor stuff updated, I think.

Unrelated: Virtualizor to VirtFusion migrations are a PITA. Slow going. Slowly but surely. Haven't lost any data yet. * knock on wood *

MannDude · March 19

Actually, the Virtualizor to VirtFusion migration isn't that bad. It's tiring, as it's all manual tasks and data-entry, but for the curious.

Just going one node at a time. On WA-09 right now.
Viewing the list of active VMs on that.
Find the WHMCS profile for the service that corresponds with the VM that is about to get moved.
Open the Virtualizor's VM profile / settings page.
Remove the Virtualizor data in the WHMCS profile and change the package in WHMCS to the closest VirtFusion package (I didn't add all the legacy plans to WHMCS, but they exist in Virtfusion)
Click "create" so it creates the VM slot in VirtFusion
Go to VirtFusion and change the package to match whatever the legacy one was.
Double check the old VM's Virtualizor settings (OS Type mainly). Make sure VirtFusion matches as close as possible.
Create an empty VPS in VirtFusion. Once done, power it off.
Power off the old Virtualizor VPS. The customer's downtime begins now.
Convert the old Virtualizor VPS disk image from a .raw file to a qcow2 .img file ( qemu-img convert -f raw -O qcow2 ) with a .img filename that matches the new one created in VirtFusion (ex: abcd1234-69b0-0bs1-bd2c-f51ecd8db9d1_1.img )
rsync that new .img to the storage directory on the target VirtFusion hypverisor, overwriting the one created with the base OS install.
Power the new VM on.
By default it has the wrong IP assigned to it.
Remove the wrong IP and add the right IP.
Reboot again.
Ping check, if it works, then it works. The customer's downtime ends now. (7-15 minutes in most cases)
Delete the Virtualizor VM. (The .raw -> qcow2 .img file remains as a temporary backup if needed, but access is removed from Virtualizor now).
Double check things in WHMCS and update the IP shown in the profile since it will auto-fill with the original, wrong, IP that was originally assigned to the temporary placehold VirtFusion VPS.
Repeat hundreds of times.

Fun times.

zed · March 19

@MannDude said: Repeat hundreds of times.

If only you had a bunch of interns to handle grunt work!

Neat to see the work checklist though, thanks for the insight.

ShadowLurker · March 19

VirtFusion should make a big red migrate button.

ChrisMiller · March 20

@ShadowLurker said: VirtFusion should make a big red migrate button.

100% Agree! @VirtFusion Can this be a thing?

forest · March 20

@MannDude said: Repeat hundreds of times.

Sounds like the kind of thing you could automate.

MannDude · March 20

@forest said:

@MannDude said: Repeat hundreds of times.

Sounds like the kind of thing you could automate.

The filetype conversation and migration of disk images can be automated with ease but needs to be done after WHMCS does stuff. Seems like a nightmare to automate based on three different products needing to do tasks back and forth and manually just feels safer at the moment and the only way to minimize downtime.

VirtFusion is aware of their position in the market and the desire for such a tool, knowing of an possible influx of Virtualizor refugees is possible. I've waited in the hopes something official may come out. In the end the safest method to do this now seems to be how I'm doing it. I'm not going to vibe code something that will require days of testing and may break stuff nor do I want to setup safe test environments for such a tool. I just want to migrate things one at a time for now, at my own pace.

Howdy, Stranger!

Categories

In this Discussion

The IncogNET thread - Discussion, news and updates.

Comments

Howdy, Stranger!

Quick Links

Categories

In this Discussion

The IncogNET thread - Discussion, news and updates.

Comments