Self-Hosted Infrastructure
Run your own WireGuard, Tailscale, Headscale, or sing-box stack on a $5/month VPS. End-to-end build playbooks for homelab and small-team networks.
AWS Lightsail Data Transfer Quotas: A Postmortem on Cross-Instance Pool Accounting
Five gotchas that turn an innocent Lightsail VPN deployment into a surprise bill — pool is per-region+per-bundle (not per-instance), delete+recreate inherits usage, stopped instances still bill bundle, per-instance metrics lie after delete, IPv6 sysctl doesn't catch already-up interfaces. With the kill switches, budgets, and CloudWatch alarms that would have prevented all of it.
VLESS Reality on macOS: client setup with Shadowrocket or FoxRay
Two paths for macOS — Shadowrocket on Apple Silicon (paid, system-wide) and FoxRay on any Mac (free, proxy-based). Subscription import, node switching, and egress verification.
VLESS Reality on Windows: client setup with v2rayN
Step-by-step v2rayN install, subscription import, and system-proxy vs TUN-mode trade-offs for a Reality endpoint on Windows 10/11.
Course Module 01: Threat Model and Product Selection
The first decision in any self-hosted network is what you're protecting against and which product class actually matches. Walks through hostile-public-WiFi, ISP DPI, opaque commercial VPNs, and supply-chain compromise — and what each implies for the rest of the stack.
Course Module 02: Evaluating VPS Providers for Production
What actually matters when you pick a VPS for a self-hosted network stack: logging policy, network quality, hardware, billing flexibility, ToS analysis. Comparison frame for DMIT, BandwagonHost, RackNerd, Vultr, Hetzner, Lightsail.
Course Module 03: WireGuard from First Principles
From cryptographic primitives to a working tunnel in production. Key generation, peer configuration, route table behavior, MTU tuning, persistent keepalive, and why WireGuard is the simplest production tunnel that actually works.
Course Module 04: Advanced TLS and DPI-Resistant Transport
When bare WireGuard isn't enough: how modern TLS-in-TLS transports (REALITY, Hysteria, naiveproxy) avoid statistical classification by inline deep-packet-inspection systems. Architecture, configuration, and the threat model that justifies the extra complexity.
Course Module 05: Multi-Region Egress and IP Management
From one tunnel to a multi-region stack: when to add a second node, residential vs datacenter egress, IP rotation, failover, and how to use Webshare/IPRoyal as an egress layer behind your own tunnel. Operational discipline for staying online when one provider goes dark.
Course Module 06: Monitoring, Kill Switches, and Leak Prevention
Turning a working tunnel into one that tells you when it's broken. Prometheus and Grafana for tunnel health, DNS/IPv6/WebRTC leak prevention, kill switch via firewall, alerting that doesn't lie about silent failure modes.
Course Module 07: Maintenance Playbook
The unglamorous work that keeps a self-hosted privacy stack alive past month three. Patching cadence, key rotation, peer churn, certificate renewal, log retention, decommissioning. The boring playbook that separates a hobby project from a daily driver.
How to buy a CN2 GIA VPS when DMIT Tokyo is sold out
DMIT Tokyo Premium is the consensus pick for CN2 GIA, and it's sold out most of the time. Here's the priority list for getting on the route anyway.
DMIT Tokyo Premium vs AWS Lightsail Tokyo: when CN2 GIA actually matters
Two Tokyo VPS providers, two completely different products. The spec sheet won't tell you why one of them costs 3x more — the routing will.
Cloud GPU rental privacy considerations
What renting a GPU actually reveals about you, what providers can see at each layer, and the mitigations that change one threat without changing the others.
IPsec, the original VPN
IPsec from first principles: ESP vs AH, transport vs tunnel mode, IKEv2's role, why it dominates enterprise gateways and why everyone else fled to WireGuard.
OpenVPN, the friendly compromise
Why OpenVPN lasted so long: TLS in user space, TUN vs TAP, UDP vs TCP, and the flexibility costs that newer tunnels tried to remove.
sing-box and Xray architecture
How sing-box and Xray actually work: inbounds, outbounds, routing, DNS, transport modules, and why these systems are frameworks, not one protocol.
WireGuard from first principles
Why WireGuard looks the way it does: Noise_IK, cryptokey routing, cookies, timers, and the design tradeoffs behind the modern minimalist VPN.
Self-hosting behind Cloudflare Tunnel without a public port
How to use Cloudflare Tunnel for published apps and private-network routes, when to use Access, and where Tunnel stops being the right tool.
Multi-hop WireGuard without routing yourself into a loop
How to build a multi-hop WireGuard cascade with policy routing, network namespaces, and fail-closed behavior instead of cargo-cult tunnel stacking.
OpenWrt privacy router without breakage theater
How to build an OpenWrt privacy router with WireGuard, policy-based routing, explicit DNS handling, and fewer leak-prone shortcuts.
Pi-hole plus DoH for a home network in 2026
How to run Pi-hole with dnscrypt-proxy for encrypted upstream DNS, and why most old cloudflared proxy-dns guides are stale after February 2, 2026.
Routing self-hosted egress through a residential proxy
How to chain a self-hosted egress stack through a residential proxy using SOCKS5 or HTTP CONNECT, and what that does and does not actually buy you.
sing-box config reference for sane self-hosted routing
A practical sing-box configuration guide covering route.final, rule-sets, DNS rule deprecations, selector, URLTest, and tun loop prevention.
Tailscale vs Headscale: which control plane should you trust?
A blunt comparison of Tailscale and Headscale for self-hosted private networks, including Tailnet Lock, OIDC limits, exit nodes, and control-plane tradeoffs.
Self-hosting Vaultwarden without making it fragile
How to deploy Vaultwarden behind a reverse proxy, lock down signups and admin surfaces, handle WebSocket logging safely, and back it up properly.
Self-hosted WireGuard on a $5 VPS in 2026
End-to-end setup with hardened sysctl, multi-client config, DNS hygiene, and the $5 VPS providers actually worth using in 2026.