Self-Host Build Path
End-to-end build playbook for your own privacy infrastructure. Endpoint hardening, firewalls, leak prevention, OPSEC sign-off — every step after the VPS is provisioned.
12 of 12 modules published
Self-hosted WireGuard on a $5 VPS in 2026
End-to-end setup with hardened sysctl, multi-client config, DNS hygiene, and the $5 VPS providers actually worth using in 2026.
SSH hardening for VPN gateways and bastion hosts
A practical OpenSSH hardening guide for public gateways and bastions, including forwarding policy, PerSourcePenalties, session limits, and safe rollout habits.
Linux sysctl reference for network-facing servers
A practical sysctl baseline for public Linux hosts, VPN gateways, and Docker boxes, with the knobs that matter and the ones that break routing when you cargo-cult them.
Choosing between nftables, iptables, and UFW in 2026
A practical firewall decision guide for Linux operators: when nftables is the right default, when UFW is still enough, and why Docker keeps iptables syntax relevant.
fail2ban and CrowdSec for VPN servers
How to choose between Fail2Ban and CrowdSec on public VPN gateways, when one tool is enough, and how to avoid two intrusion tools fighting over your firewall.
Chrony time sync for cryptographic correctness
How to configure chrony so TLS, DNSSEC, NTS, and other crypto-sensitive services stop failing for stupid clock reasons after boot and drift.
IPv6 leak prevention for VPN users and operators
Why IPv6 leaks happen on dual-stack systems, when disabling IPv6 is only a workaround, and how to fix the problem properly.
WebRTC IP leaks: root cause and real fixes
Why WebRTC reveals IP information, what STUN and TURN have to do with it, and how to fix the leak without hand-waving.
DoH vs DoT: where each encrypted DNS transport leaks
DNS over HTTPS and DNS over TLS both encrypt queries, but they fail differently. This is the operator's comparison of where each one leaks.
Disabling and replacing weak crypto algorithms server-wide
How to remove weak SSH-era crypto safely, where system-wide crypto policy really applies, and how to verify you modernized the server instead of just breaking access.
Auditing your network exposure with Nmap and ss
How to audit Linux network exposure the sane way: join local listener inventory from ss with remote reachability checks from Nmap instead of trusting only one view.
Network OPSEC checklist for engineers
DNS leaks, IPv6 leaks, mDNS, NetBIOS — the things that betray your real network identity before encryption matters.
Need this curriculum applied to your network?
Custom training, downloadable companion assets, network architecture review, and on-call deployment help land inside our consulting engagements.