Multi-Node & Team Privacy
Mesh networks, identity-aware access, and self-hosted control planes for distributed teams. The architecture once your privacy stack outgrows one endpoint.
12 of 12 modules published
Site-to-site WireGuard for small offices: do less routing, not more
How to connect offices, VPCs, and legacy subnets with WireGuard-style routing without rebuilding the flat VPN mistakes you were trying to escape.
Multi-hop WireGuard without routing yourself into a loop
How to build a multi-hop WireGuard cascade with policy routing, network namespaces, and fail-closed behavior instead of cargo-cult tunnel stacking.
Tailscale vs Headscale: which control plane should you trust?
A blunt comparison of Tailscale and Headscale for self-hosted private networks, including Tailnet Lock, OIDC limits, exit nodes, and control-plane tradeoffs.
Headscale OIDC for small teams: the good parts and the traps
How Headscale's OIDC model works for small teams, including PKCE, filters, single-provider limits, and migration pitfalls.
NetBird vs Headscale for teams: which self-hosted mesh hurts less?
A blunt comparison of NetBird and Headscale for team networks, covering identity, routes, DNS, control planes, and self-hosting tradeoffs.
Self-hosting behind Cloudflare Tunnel without a public port
How to use Cloudflare Tunnel for published apps and private-network routes, when to use Access, and where Tunnel stops being the right tool.
Teleport application access vs VPNs for internal tools
When to put internal apps behind Teleport instead of a VPN, and where a network tunnel still makes more sense.
Zero trust for small teams without buying a whole platform
A practical zero-trust architecture for small engineering teams: mesh access, app proxies, split DNS, and short-lived admin paths.
Contractor access without a flat VPN
How to give contractors and vendors access to the resources they need without dumping them onto a broad internal network.
Split DNS for internal services without breaking laptops
How to design split DNS for internal apps, office networks, and remote teams without turning every laptop into a DNS troubleshooting lab.
Authentik vs Keycloak for internal SSO in 2026
How to choose between Authentik and Keycloak for internal SSO, LDAP, OIDC, SAML, and self-hosted team identity.
Self-hosting Vaultwarden without making it fragile
How to deploy Vaultwarden behind a reverse proxy, lock down signups and admin surfaces, handle WebSocket logging safely, and back it up properly.