My homelab setup without public internet exposure - Always-on WireGuard with split tunneling

Welcome • User Guide
ToS • Privacy • Canary
Donate • Bugs • License

©2026 Poal.co

1.3K

•

My homelab setup without public internet exposure - Always-on WireGuard with split tunneling (giuliomagnifico.blog)

From the post:

>This post explains how I operate my homelab with no public WAN exposure, using WireGuard to stay permanently connected to my home network from all my devices, while only routing selected subnets instead of all traffic. Why this matters Simply because any publicly exposed service increases the attack surface, even when protected by TLS, authentication layers or access control lists. By avoiding WAN exposure entirely, the homelab behaves like a private network extension rather than a public service, thus from the outside, nothing exists.

Archive: https://archive.today/n5DpN From the post: >>This post explains how I operate my homelab with no public WAN exposure, using WireGuard to stay permanently connected to my home network from all my devices, while only routing selected subnets instead of all traffic. Why this matters Simply because any publicly exposed service increases the attack surface, even when protected by TLS, authentication layers or access control lists. By avoiding WAN exposure entirely, the homelab behaves like a private network extension rather than a public service, thus from the outside, nothing exists.