Overview
Cloud Bunker: Deployed Pangolin on a remote VPS to act as the hardened ingress point. All public traffic hits the VPS, not the home network.
NetBird Mesh: Established an encrypted P2P WireGuard mesh between the VPS and on-premise hardware—creating a private lane invisible to the public WAN.
"Drop All" Policy: The home firewall is configured to reject all incoming WAN traffic, accepting requests only via the authenticated NetBird interface.
The Challenge: Fighting Data Entropy
Standard home-hosting (Nginx + Port Forwarding) is a security liability—exposing a home IP, enabling lateral movement, and constantly fighting CGNAT restrictions.
Broadcasting a home IP on ports 80/443 invites constant bot-scanning and DDoS risks. Standard home-hosting is a security liability, not a feature.
If a standard reverse proxy is compromised, the attacker is already inside your local network. There is no perimeter to fall back on.
Traditional port forwarding is often blocked or throttled by ISPs at the carrier-grade NAT layer, making reliable remote access a constant nightmare.
The Solution: Non-Destructive Virtualization
Re-engineered the network stack with a VPS-to-Mesh pipeline: a cloud edge for public ingress, an encrypted P2P tunnel for internal routing, and a "Drop All" firewall for the home perimeter.
Deployed Pangolin on a remote VPS to act as the hardened, public-facing ingress. All external traffic terminates at the VPS—my home hardware never appears on the public internet.
Established a P2P WireGuard mesh using NetBird. This creates an encrypted "private lane" between the VPS and on-premise hardware, bypassing CGNAT entirely.
The home firewall is configured to drop all incoming WAN traffic. It only accepts requests arriving through the authenticated NetBird interface—total lateral movement prevention.
Zero open ports on the local network. Zero home IP exposure. Full global accessibility with identity-aware routing enforced at the VPS level before traffic ever reaches the tunnel.
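What the home-side "Drop All" policy looks like on a Linux host, as an added nftables example (not the project's own configuration): it assumes the WAN uplink is eth0, the NetBird interface is wt0 (NetBird's default name), and the VPS's mesh address is a placeholder to be replaced with the real peer IP.

```nftables
#!/usr/sbin/nft -f
# Added example of the home-perimeter "Drop All" policy described above.
# Assumptions (not from the page): WAN uplink is eth0, NetBird mesh interface
# is wt0, and the Pangolin VPS is the only mesh peer allowed to reach services.
# Apply with: nft -f /etc/nftables.conf    Verify with: nft list ruleset

flush ruleset

define WAN_IF      = "eth0"
define MESH_IF     = "wt0"
define VPS_MESH_IP = 100.64.0.1   # PLACEHOLDER: the VPS's NetBird address

table inet perimeter {
    chain input {
        # Default deny: nothing reaches this host unless accepted below.
        type filter hook input priority filter; policy drop;

        ct state invalid drop
        iif "lo" accept

        # Replies to connections this host started (NetBird signalling, the
        # WireGuard UDP exchange it dials out, DNS, updates) may come back.
        # No inbound WireGuard port is opened: the client dials out first, so
        # the tunnel forms without any port forward, even behind CGNAT.
        ct state established,related accept

        # Service traffic is accepted only from the VPS, only via the mesh.
        iifname $MESH_IF ip saddr $VPS_MESH_IP tcp dport { 80, 443 } accept
        iifname $MESH_IF ip saddr $VPS_MESH_IP icmp type echo-request accept

        # Make WAN-side scanning visible without flooding the log.
        iifname $WAN_IF limit rate 10/minute log prefix "wan-drop "
        # Everything else falls through to the chain policy: drop.
    }

    chain forward {
        # This host does not route between interfaces.
        type filter hook forward priority filter; policy drop;
    }
}
```

The ruleset gives exactly the posture the section describes: no port on the WAN side accepts new connections, and the only path to the web ports is the authenticated mesh interface from the VPS peer.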