All articles.
Long-form guides, redacted case notes, and protocol breakdowns from recent engagements. No fluff, no listicles.
AWS Lightsail Data Transfer Quotas: A Postmortem on Cross-Instance Pool Accounting
Five gotchas that turn an innocent Lightsail VPN deployment into a surprise bill — pool is per-region+per-bundle (not per-instance), delete+recreate inherits usage, stopped instances still bill bundle, per-instance metrics lie after delete, IPv6 sysctl doesn't catch already-up interfaces. With the kill switches, budgets, and CloudWatch alarms that would have prevented all of it.
VLESS Reality on macOS: client setup with Shadowrocket or FoxRay
Two paths for macOS — Shadowrocket on Apple Silicon (paid, system-wide) and FoxRay on any Mac (free, proxy-based). Subscription import, node switching, and egress verification.
VLESS Reality on Windows: client setup with v2rayN
Step-by-step v2rayN install, subscription import, and system-proxy vs TUN-mode trade-offs for a Reality endpoint on Windows 10/11.
Course Module 01: Threat Model and Product Selection
The first decision in any self-hosted network is what you're protecting against and which product class actually matches. Walks through hostile-public-WiFi, ISP DPI, opaque commercial VPNs, and supply-chain compromise — and what each implies for the rest of the stack.
Course Module 02: Evaluating VPS Providers for Production
What actually matters when you pick a VPS for a self-hosted network stack: logging policy, network quality, hardware, billing flexibility, ToS analysis. Comparison frame for DMIT, BandwagonHost, RackNerd, Vultr, Hetzner, Lightsail.
Course Module 03: WireGuard from First Principles
From cryptographic primitives to a working tunnel in production. Key generation, peer configuration, route table behavior, MTU tuning, persistent keepalive, and why WireGuard is the simplest production tunnel that actually works.
Course Module 04: Advanced TLS and DPI-Resistant Transport
When bare WireGuard isn't enough: how modern TLS-in-TLS transports (REALITY, Hysteria, naiveproxy) avoid statistical classification by inline deep-packet-inspection systems. Architecture, configuration, and the threat model that justifies the extra complexity.
Course Module 05: Multi-Region Egress and IP Management
From one tunnel to a multi-region stack: when to add a second node, residential vs datacenter egress, IP rotation, failover, and how to use Webshare/IPRoyal as an egress layer behind your own tunnel. Operational discipline for staying online when one provider goes dark.
Course Module 06: Monitoring, Kill Switches, and Leak Prevention
Turning a working tunnel into one that tells you when it's broken. Prometheus and Grafana for tunnel health, DNS/IPv6/WebRTC leak prevention, kill switch via firewall, alerting that doesn't lie about silent failure modes.
Course Module 07: Maintenance Playbook
The unglamorous work that keeps a self-hosted privacy stack alive past month three. Patching cadence, key rotation, peer churn, certificate renewal, log retention, decommissioning. The boring playbook that separates a hobby project from a daily-driver.
How to buy a CN2 GIA VPS when DMIT Tokyo is sold out
DMIT Tokyo Premium is the consensus pick for CN2 GIA, and it's sold out most of the time. Here's the priority list for getting on the route anyway.
DMIT Tokyo Premium vs AWS Lightsail Tokyo: when CN2 GIA actually matters
Two Tokyo VPS providers, two completely different products. The spec sheet won't tell you why one of them costs 3x more — the routing will.
Cloud GPU rental privacy considerations
What renting a GPU actually reveals about you, what providers can see at each layer, and the mitigations that change one threat without changing the others.
Decoy routing and refraction networking
Telex, TapDance, Slitheen, and Conjure: how cooperative infrastructure on ordinary network paths changes the evasion game.
Hysteria and QUIC-based transports
Why QUIC became an evasive substrate, how Hysteria uses it, and what QUIC-based camouflage still leaks to modern detectors.
Operational anonymity for engineers
Compartmentation, browser discipline, transport choice, telemetry minimization, and how to turn anonymity theory into a survivable daily operating model.
Traffic shaping for camouflage
How burst scheduling, half-duplex shaping, and target-traffic mimicry try to make tunnels look like something else.
Active probing methodology
How detectors confirm suspicious endpoints with chosen inputs, from state-machine exploration to probe-resistant proxy design.
Asymmetric crypto: RSA and the discrete-log family
Public-key cryptography from first principles: what RSA actually does, why TLS 1.3 dropped RSA key exchange, and why X25519 is the engineering default in modern protocols.
Browser fingerprinting in depth
Canvas, WebGL, fonts, audio, viewport geometry, and why hiding your IP does not standardize your browser.
Deep packet inspection: pattern, statistical, and behavioral classification
How real traffic classifiers combine signatures, protocol parsing, flow statistics, and behavior after payload visibility disappears.
Digital signatures
Digital signatures from first principles: RSA-PSS, ECDSA's nonce trap, why Ed25519 is the modern default, and what verification actually proves.
DNS — name resolution end to end
DNS from first principles: zones, delegation, recursive vs authoritative resolvers, the wire format, caching, DNSSEC, DoH/DoT/DoQ, and where privacy actually leaks.
Domain fronting: the rise, fall, and remnant
How domain fronting exploited cross-layer naming, why it changed the economics of blocking, and why the classic form largely receded after 2018.
Encrypted traffic classification with ML
How feature engineering, deep learning, dataset design, and concept drift shape machine-learning-based classification of encrypted traffic.
Hash functions and message authentication
Cryptographic hashes from first principles: SHA-2, SHA-3, BLAKE3, what they each guarantee, why HMAC exists, and the length-extension trap that motivates careful MAC design.
HTTP/1.1, HTTP/2, HTTP/3 — the evolution
Why HTTP needed three rewrites in twenty years: pipelining's failure, HTTP/2's multiplexing, QUIC's leap to UDP, and the head-of-line blocking that connects all three.
The IP forwarding plane
How a router actually forwards a packet: longest-prefix match, FIB lookup, adjacency resolution, TTL/Hop Limit, fragmentation, ICMP feedback, and the data/control/management plane split.
IPsec, the original VPN
IPsec from first principles: ESP vs AH, transport vs tunnel mode, IKEv2's role, why it dominates enterprise gateways and why everyone else fled to WireGuard.
IPv6 fundamentals
IPv6 from first principles: address structure, SLAAC, Neighbor Discovery, extension headers, PMTUD, and the operational realities of dual stack.
Key derivation: HKDF and friends
Why one secret becomes many keys: HKDF extract-then-expand, PBKDF2 vs Argon2id, salts, domain separation, and the failure mode of reusing keys across contexts.
Mix networks: Loopix and Nym
From Chaumian mixes to Loopix and Nym: delay, cover traffic, Sphinx packets, and the anonymity-latency-bandwidth tradeoff.
mTLS and zero-trust transport
Mutual TLS, workload identity, SPIFFE/SPIRE, and why transport authentication is necessary but not sufficient for zero-trust systems.
NAT, NAT traversal, and the end-to-end principle
Why NAT exists, how mapping/filtering/timeouts actually behave, what STUN/TURN/ICE are for, and why CGNAT compounds the problem IPv6 was supposed to fix.
Network-level traffic analysis
NetFlow, multi-vantage correlation, BGP/routing attacks, and why where you observe traffic matters as much as what you observe.
The Noise protocol framework
Noise from first principles: handshake patterns, the state-machine triple (Cipher/Symmetric/Handshake), why WireGuard chose Noise IK, and how to read pattern notation.
OpenVPN, the friendly compromise
Why OpenVPN lasted so long: TLS in user space, TUN vs TAP, UDP vs TCP, and the flexibility costs that newer tunnels tried to remove.
OS and TCP/IP stack fingerprinting
How TCP SYN fields, TLS ClientHello structure, and HTTP/2 settings betray client identity even when the payload is encrypted.
Padding strategies and cover traffic
Constant-rate padding, adaptive padding, dummy traffic, and why hiding packet shape is harder than appending zeros.
Pluggable transports: the obfs lineage
obfs4, meek, Snowflake, and the history of transport-layer evasive design as adversaries moved from passive filtering to active probing.
Post-quantum cryptography in transit
Why TLS and QUIC are migrating to post-quantum key agreement now: ML-KEM, ML-DSA, hybrid X25519+ML-KEM, harvest-now-decrypt-later, and what 2026 deployment actually looks like.
Side channels in encrypted protocols
Compression oracles, TLS record lengths, QUIC behavior, and why encrypted protocols still leak through observable structure.
sing-box and Xray architecture
How sing-box and Xray actually work: inbounds, outbounds, routing, DNS, transport modules, and why these systems are frameworks, not one protocol.
Steganographic channels
DNS, ICMP, HTTP, and media-based covert channels; storage versus timing channels; and why protocol normalization breaks many hiding schemes.
Stream ciphers and AEAD construction
Stream ciphers, ChaCha20, GCM, Poly1305: how authenticated encryption is actually built, why nonce reuse is catastrophic, and how to choose between AES-GCM and ChaCha20-Poly1305.
Symmetric encryption, block ciphers, and AES
AES from first principles: what a block cipher actually is, why ECB is the canonical embarrassment, modes of operation, and why AES alone is not an encryption scheme.
Tailscale and WireGuard mesh
How WireGuard mesh VPNs actually work: coordination planes, node keys, NAT traversal, relays, subnet routers, and identity-based policy.
TCP congestion control
Why congestion control exists, how slow start and AIMD actually behave, what CUBIC and BBR change, and how bufferbloat ruins everything if you let it.
Threat models for network anonymity
Passive observers, active adversaries, global traffic correlation, and the vocabulary needed to reason about anonymity without hand-waving.
TLS 1.3 handshake byte by byte
TLS 1.3 from first principles: ClientHello, key agreement, key schedule, certificate authentication, 0-RTT replay caveats, and what the wire still leaks.
TLS fingerprinting in production
ClientHello structure, JA3 versus JA4, drift, ambiguity, and how production detectors really use TLS fingerprints.
TLS-in-TLS and Reality
TLS camouflage, secret-gated fallback, and why looking like HTTPS is harder than just using HTTPS.
Tor, onion routing, and circuit-level anonymity
Tor from the transport up: cells, telescoping circuits, guards, exits, directory authorities, and why Tor is not just a VPN with extra hops.
Traffic analysis fundamentals
How timing, size, and burst structure leak information from encrypted traffic, from end-to-end correlation to website fingerprinting.
UDP, the simplest transport
UDP from first principles: datagram semantics, the 8-byte header, why DNS / QUIC / RTP / metrics protocols choose it, and when 'almost nothing' is the right answer.
WireGuard from first principles
Why WireGuard looks the way it does: Noise_IK, cryptokey routing, cookies, timers, and the design tradeoffs behind the modern minimalist VPN.
Bits, signals, and the physical layer
The physical layer from first principles: bits vs symbols, line encoding, clock recovery, noise, bandwidth, and why software engineers should care.
Ethernet and MAC addressing
Ethernet frame format, MAC addressing, switching, ARP, broadcast domains, and the practical mechanics of a modern LAN.
IPv4 addressing and subnetting deep dive
IPv4 from first principles: CIDR, prefix math, route aggregation, RFC 1918, VLSM, and the subnetting mistakes operators keep repeating.
TCP at the wire level
TCP byte-by-byte: three-way handshake, state machine, sequence numbers, retransmission, window scaling, FIN vs RST. Read packet captures with confidence.
Auditing your network exposure with Nmap and ss
How to audit Linux network exposure the sane way: join local listener inventory from ss with remote reachability checks from Nmap instead of trusting only one view.
Authentik vs Keycloak for internal SSO in 2026
How to choose between Authentik and Keycloak for internal SSO, LDAP, OIDC, SAML, and self-hosted team identity.
Chrony time sync for cryptographic correctness
How to configure chrony so TLS, DNSSEC, NTS, and other crypto-sensitive services stop failing for stupid clock reasons after boot and drift.
Contractor access without a flat VPN
How to give contractors and vendors access to the resources they need without dumping them onto a broad internal network.
fail2ban and CrowdSec for VPN servers
How to choose between Fail2Ban and CrowdSec on public VPN gateways, when one tool is enough, and how to avoid two intrusion tools fighting over your firewall.
Headscale OIDC for small teams: the good parts and the traps
How Headscale's OIDC model works for small teams, including PKCE, filters, single-provider limits, and migration pitfalls.
Linux sysctl reference for network-facing servers
A practical sysctl baseline for public Linux hosts, VPN gateways, and Docker boxes, with the knobs that matter and the ones that break routing when you cargo-cult them.
NetBird vs Headscale for teams: which self-hosted mesh hurts less?
A blunt comparison of NetBird and Headscale for team networks, covering identity, routes, DNS, control planes, and self-hosting tradeoffs.
Choosing between nftables, iptables, and UFW in 2026
A practical firewall decision guide for Linux operators: when nftables is the right default, when UFW is still enough, and why Docker keeps iptables syntax relevant.
Disabling and replacing weak crypto algorithms server-wide
How to remove weak SSH-era crypto safely, where system-wide crypto policy really applies, and how to verify you modernized the server instead of just breaking access.
Site-to-site WireGuard for small offices: do less routing, not more
How to connect offices, VPCs, and legacy subnets with WireGuard-style routing without rebuilding the flat VPN mistakes you were trying to escape.
Split DNS for internal services without breaking laptops
How to design split DNS for internal apps, office networks, and remote teams without turning every laptop into a DNS troubleshooting lab.
SSH hardening for VPN gateways and bastion hosts
A practical OpenSSH hardening guide for public gateways and bastions, including forwarding policy, PerSourcePenalties, session limits, and safe rollout habits.
Teleport application access vs VPNs for internal tools
When to put internal apps behind Teleport instead of a VPN, and where a network tunnel still makes more sense.
Kernel-level packet filtering: XDP and eBPF basics
An operator-first introduction to XDP and eBPF packet filtering: where XDP sits in the path, what the actions mean, and when it beats nftables or tc.
Zero trust for small teams without buying a whole platform
A practical zero-trust architecture for small engineering teams: mesh access, app proxies, split DNS, and short-lived admin paths.
Active probing defense for proxy and tunnel operators
How active probing works, why handshake secrets are not enough, and what obfs4, ScrambleSuit, and REALITY teach about blending into normal traffic.
Browser fingerprint hardening with Firefox, arkenfox, and uBlock Origin
How to reduce browser fingerprinting with sane Firefox settings, arkenfox, uBlock Origin, and Tor Browser when you actually need stronger cover.
Self-hosting behind Cloudflare Tunnel without a public port
How to use Cloudflare Tunnel for published apps and private-network routes, when to use Access, and where Tunnel stops being the right tool.
DoH vs DoT: where each encrypted DNS transport leaks
DNS over HTTPS and DNS over TLS both encrypt queries, but they fail differently. This is the operator's comparison of where each one leaks.
Domain fronting in 2026: mostly dead, not actually gone
What classic domain fronting is, why big clouds shut it down, where it still appears, and why ECH or MASQUE are not the same thing.
IPv6 leak prevention for VPN users and operators
Why IPv6 leaks happen on dual-stack systems, when disabling IPv6 is only a workaround, and how to fix the problem properly.
JA3 and JA4 TLS fingerprints, explained
How JA3 and JA4 fingerprint the TLS ClientHello, what they're good for, and why they are correlation signals rather than identities.
Multi-hop WireGuard without routing yourself into a loop
How to build a multi-hop WireGuard cascade with policy routing, network namespaces, and fail-closed behavior instead of cargo-cult tunnel stacking.
OpenWrt privacy router without breakage theater
How to build an OpenWrt privacy router with WireGuard, policy-based routing, explicit DNS handling, and fewer leak-prone shortcuts.
Pi-hole plus DoH for a home network in 2026
How to run Pi-hole with dnscrypt-proxy for encrypted upstream DNS, and why most old cloudflared proxy-dns guides are stale after February 2, 2026.
Routing self-hosted egress through a residential proxy
How to chain a self-hosted egress stack through a residential proxy using SOCKS5 or HTTP CONNECT, and what that does and does not actually buy you.
sing-box config reference for sane self-hosted routing
A practical sing-box configuration guide covering route.final, rule-sets, DNS rule deprecations, selector, URLTest, and tun loop prevention.
Tailscale vs Headscale: which control plane should you trust?
A blunt comparison of Tailscale and Headscale for self-hosted private networks, including Tailnet Lock, OIDC limits, exit nodes, and control-plane tradeoffs.
Tor for technical users who keep asking for Tor over WireGuard
What Tor actually does, why Tor Browser discipline matters, when bridges help, and why stacking WireGuard on top usually solves the wrong problem.
Self-hosting Vaultwarden without making it fragile
How to deploy Vaultwarden behind a reverse proxy, lock down signups and admin surfaces, handle WebSocket logging safely, and back it up properly.
WebRTC IP leaks: root cause and real fixes
Why WebRTC reveals IP information, what STUN and TURN have to do with it, and how to fix the leak without hand-waving.
Xray Reality vs WireGuard: when to use which
Two protocols, two threat models. WireGuard hides what's in the pipe. Reality hides that there's a pipe at all.
Network OPSEC checklist for engineers
DNS leaks, IPv6 leaks, mDNS, NetBIOS — the things that betray your real network identity before encryption matters.
Self-hosted WireGuard on a $5 VPS in 2026
End-to-end setup with hardened sysctl, multi-client config, DNS hygiene, and the $5 VPS providers actually worth using in 2026.