RouteHarden

// track 08

Multi-Node & Team Privacy

Mesh networks, identity-aware access, and self-hosted control planes for distributed teams. The architecture once your privacy stack outgrows one endpoint.

12 of 12 modules published

  1. 8.1

    Site-to-site WireGuard for small offices: do less routing, not more

    How to connect offices, VPCs, and legacy subnets with WireGuard-style routing without rebuilding the flat VPN mistakes you were trying to escape.

    5 min read
  2. 8.2

    Multi-hop WireGuard without routing yourself into a loop

    How to build a multi-hop WireGuard cascade with policy routing, network namespaces, and fail-closed behavior instead of cargo-cult tunnel stacking.

    8 min read
  3. 8.3

    Tailscale vs Headscale: which control plane should you trust?

    A blunt comparison of Tailscale and Headscale for self-hosted private networks, including Tailnet Lock, OIDC limits, exit nodes, and control-plane tradeoffs.

    9 min read
  4. 8.4

    Headscale OIDC for small teams: the good parts and the traps

    How Headscale's OIDC model works for small teams, including PKCE, filters, single-provider limits, and migration pitfalls.

    6 min read
  5. 8.5

    NetBird vs Headscale for teams: which self-hosted mesh hurts less?

    A blunt comparison of NetBird and Headscale for team networks, covering identity, routes, DNS, control planes, and self-hosting tradeoffs.

    7 min read
  6. 8.6

    Self-hosting behind Cloudflare Tunnel without a public port

    How to use Cloudflare Tunnel for published apps and private-network routes, when to use Access, and where Tunnel stops being the right tool.

    8 min read
  7. 8.7

    Teleport application access vs VPNs for internal tools

    When to put internal apps behind Teleport instead of a VPN, and where a network tunnel still makes more sense.

    6 min read
  8. 8.8

    Zero trust for small teams without buying a whole platform

    A practical zero-trust architecture for small engineering teams: mesh access, app proxies, split DNS, and short-lived admin paths.

    7 min read
  9. 8.9

    Contractor access without a flat VPN

    How to give contractors and vendors access to the resources they need without dumping them onto a broad internal network.

    5 min read
  10. 8.10

    Split DNS for internal services without breaking laptops

    How to design split DNS for internal apps, office networks, and remote teams without turning every laptop into a DNS troubleshooting lab.

    6 min read
  11. 8.11

    Authentik vs Keycloak for internal SSO in 2026

    How to choose between Authentik and Keycloak for internal SSO, LDAP, OIDC, SAML, and self-hosted team identity.

    6 min read
  12. 8.12

    Self-hosting Vaultwarden without making it fragile

    How to deploy Vaultwarden behind a reverse proxy, lock down signups and admin surfaces, handle WebSocket logging safely, and back it up properly.

    8 min read
