Corporate Networks
Zero-trust architecture, mesh VPNs, and secure access for distributed teams without SaaS lock-in.
mTLS and zero-trust transport
Mutual TLS, workload identity, SPIFFE/SPIRE, and why transport authentication is necessary but not sufficient for zero-trust systems.
Tailscale and WireGuard mesh
How WireGuard mesh VPNs actually work: coordination planes, node keys, NAT traversal, relays, subnet routers, and identity-based policy.
Authentik vs Keycloak for internal SSO in 2026
How to choose between Authentik and Keycloak for internal SSO, LDAP, OIDC, SAML, and self-hosted team identity.
Contractor access without a flat VPN
How to give contractors and vendors access to the resources they need without dumping them onto a broad internal network.
Headscale OIDC for small teams: the good parts and the traps
How Headscale's OIDC model works for small teams, including PKCE, filters, single-provider limits, and migration pitfalls.
NetBird vs Headscale for teams: which self-hosted mesh hurts less?
A blunt comparison of NetBird and Headscale for team networks, covering identity, routes, DNS, control planes, and self-hosting tradeoffs.
Site-to-site WireGuard for small offices: do less routing, not more
How to connect offices, VPCs, and legacy subnets with WireGuard-style routing without rebuilding the flat VPN mistakes you were trying to escape.
Split DNS for internal services without breaking laptops
How to design split DNS for internal apps, office networks, and remote teams without turning every laptop into a DNS troubleshooting lab.
Teleport application access vs VPNs for internal tools
When to put internal apps behind Teleport instead of a VPN, and where a network tunnel still makes more sense.
Zero trust for small teams without buying a whole platform
A practical zero-trust architecture for small engineering teams: mesh access, app proxies, split DNS, and short-lived admin paths.