Encrypted Transport
IPsec, OpenVPN, WireGuard, Tor, sing-box / Xray, Tailscale mesh, mTLS / zero-trust — from the protocol designer's view, not the user's.
7 of 7 modules published
IPsec, the original VPN
IPsec from first principles: ESP vs AH, transport vs tunnel mode, IKEv2's role, why it dominates enterprise gateways and why everyone else fled to WireGuard.
OpenVPN, the friendly compromise
Why OpenVPN lasted so long: TLS in user space, TUN vs TAP, UDP vs TCP, and the flexibility costs that newer tunnels tried to remove.
WireGuard from first principles
Why WireGuard looks the way it does: Noise_IK, cryptokey routing, cookies, timers, and the design tradeoffs behind the modern minimalist VPN.
Tor, onion routing, and circuit-level anonymity
Tor from the transport up: cells, telescoping circuits, guards, exits, directory authorities, and why Tor is not just a VPN with extra hops.
sing-box and Xray architecture
How sing-box and Xray actually work: inbounds, outbounds, routing, DNS, transport modules, and why these systems are frameworks, not one protocol.
Tailscale and WireGuard mesh
How WireGuard mesh VPNs actually work: coordination planes, node keys, NAT traversal, relays, subnet routers, and identity-based policy.
mTLS and zero-trust transport
Mutual TLS, workload identity, SPIFFE/SPIRE, and why transport authentication is necessary but not sufficient for zero-trust systems.