My homelab setup without public internet exposure - Always-on WireGuard with split tunneling

Welcome • User Guide
ToS • Privacy • Canary
Donate • Bugs • License

©2026 Poal.co

959

•

My homelab setup without public internet exposure - Always-on WireGuard with split tunneling (giuliomagnifico.blog)

From the post:

>This post explains how I operate my homelab with no public WAN exposure, using WireGuard to stay permanently connected to my home network from all my devices, while only routing selected subnets instead of all traffic. Why this matters Simply because any publicly exposed service increases the attack surface, even when protected by TLS, authentication layers or access control lists. By avoiding WAN exposure entirely, the homelab behaves like a private network extension rather than a public service, thus from the outside, nothing exists.

Archive: https://archive.today/n5DpN From the post: >>This post explains how I operate my homelab with no public WAN exposure, using WireGuard to stay permanently connected to my home network from all my devices, while only routing selected subnets instead of all traffic. Why this matters Simply because any publicly exposed service increases the attack surface, even when protected by TLS, authentication layers or access control lists. By avoiding WAN exposure entirely, the homelab behaves like a private network extension rather than a public service, thus from the outside, nothing exists.

[–] • 2 pts

Or you could just use a completely airgapped network.

Remember, what software does, software can undo. If your systems are protected by software inside of a device, there's a backdoor even if it hasn't been found yet.

link

[–] • 2 pts

This is the way. Then never upgrade shit that’s working .

link