// track 07
Self-Host Build Path
End-to-end build playbook for your own privacy infrastructure. Endpoint hardening, firewalls, leak prevention, OPSEC sign-off — every step after the VPS is provisioned.
12 of 12 modules published
- 7.1
Self-hosted WireGuard on a $5 VPS in 2026
End-to-end setup with hardened sysctl, multi-client config, DNS hygiene, and the $5 VPS providers actually worth using in 2026.
6 min read
- 7.2
SSH hardening for VPN gateways and bastion hosts
A practical OpenSSH hardening guide for public gateways and bastions, including forwarding policy, PerSourcePenalties, session limits, and safe rollout habits.
7 min read
- 7.3
Linux sysctl reference for network-facing servers
A practical sysctl baseline for public Linux hosts, VPN gateways, and Docker boxes, with the knobs that matter and the ones that break routing when you cargo-cult them.
8 min read
- 7.4
Choosing between nftables, iptables, and UFW in 2026
A practical firewall decision guide for Linux operators: when nftables is the right default, when UFW is still enough, and why Docker keeps iptables syntax relevant.
7 min read
- 7.5
fail2ban and CrowdSec for VPN servers
How to choose between Fail2Ban and CrowdSec on public VPN gateways, when one tool is enough, and how to avoid two intrusion tools fighting over your firewall.
6 min read
- 7.6
Chrony time sync for cryptographic correctness
How to configure chrony so TLS, DNSSEC, NTS, and other crypto-sensitive services stop failing for stupid clock reasons after boot and drift.
6 min read
- 7.7
IPv6 leak prevention for VPN users and operators
Why IPv6 leaks happen on dual-stack systems, when disabling IPv6 is only a workaround, and how to fix the problem properly.
7 min read
- 7.8
WebRTC IP leaks: root cause and real fixes
Why WebRTC reveals IP information, what STUN and TURN have to do with it, and how to fix the leak without hand-waving.
6 min read
- 7.9
DoH vs DoT: where each encrypted DNS transport leaks
DNS over HTTPS and DNS over TLS both encrypt queries, but they fail differently. This is the operator's comparison of where each one leaks.
8 min read
- 7.10
Disabling and replacing weak crypto algorithms server-wide
How to remove weak SSH-era crypto safely, where system-wide crypto policy really applies, and how to verify you modernized the server instead of just breaking access.
6 min read
- 7.11
Auditing your network exposure with Nmap and ss
How to audit Linux network exposure the sane way: join local listener inventory from ss with remote reachability checks from Nmap instead of trusting only one view.
7 min read
- 7.12
Network OPSEC checklist for engineers
DNS leaks, IPv6 leaks, mDNS, NetBIOS — the things that betray your real network identity before encryption matters.
4 min read
// for teams and consultants
Need this curriculum for your team?
Custom training, downloadable companion assets, network-architecture review, and on-call deployment help land inside our consulting engagements.