Field Tactics & Buying Guides
Tactical field guides and head-to-head buying decisions. VPS routing, protocol selection, browser hardening, residential egress, and the trade-offs behind each.
14 of 14 modules published
Xray Reality vs WireGuard: when to use which
Two protocols, two threat models. WireGuard hides what's in the pipe. Reality hides that there's a pipe at all.
DMIT Tokyo Premium vs AWS Lightsail Tokyo: when CN2 GIA actually matters
Two Tokyo VPS providers, two completely different products. The spec sheet won't tell you why one of them costs 3x more — the routing will.
How to buy a CN2 GIA VPS when DMIT Tokyo is sold out
DMIT Tokyo Premium is the consensus pick for CN2 GIA, and it's sold out most of the time. Here's the priority list for getting on the route anyway.
Routing self-hosted egress through a residential proxy
How to chain a self-hosted egress stack through a residential proxy using SOCKS5 or HTTP CONNECT, and what that does and does not actually buy you.
Domain fronting in 2026: mostly dead, not actually gone
What classic domain fronting is, why big clouds shut it down, where it still appears, and why ECH or MASQUE are not the same thing.
Browser fingerprint hardening with Firefox, arkenfox, and uBlock Origin
How to reduce browser fingerprinting with sane Firefox settings, arkenfox, uBlock Origin, and Tor Browser when you actually need stronger cover.
JA3 and JA4 TLS fingerprints, explained
How JA3 and JA4 fingerprint the TLS ClientHello, what they're good for, and why they are correlation signals rather than identities.
Pi-hole plus DoH for a home network in 2026
How to run Pi-hole with dnscrypt-proxy for encrypted upstream DNS, and why most old cloudflared proxy-dns guides are stale after February 2, 2026.
OpenWrt privacy router without breakage theater
How to build an OpenWrt privacy router with WireGuard, policy-based routing, explicit DNS handling, and fewer leak-prone shortcuts.
Tor for technical users who keep asking for Tor over WireGuard
What Tor actually does, why Tor Browser discipline matters, when bridges help, and why stacking WireGuard on top usually solves the wrong problem.
Active probing defense for proxy and tunnel operators
How active probing works, why handshake secrets are not enough, and what obfs4, ScrambleSuit, and REALITY teach about blending into normal traffic.
sing-box config reference for sane self-hosted routing
A practical sing-box configuration guide covering route.final, rule-sets, DNS rule deprecations, selector, URLTest, and tun loop prevention.
Cloud GPU rental privacy considerations
What renting a GPU actually reveals about you, what providers can see at each layer, and the mitigations that change one threat without changing the others.
Kernel-level packet filtering: XDP and eBPF basics
An operator-first introduction to XDP and eBPF packet filtering: where XDP sits in the path, what the actions mean, and when it beats nftables or tc.
Need this curriculum applied to your network?
Custom training, downloadable companion assets, network architecture review, and on-call deployment help land inside our consulting engagements.
See engagements