Security

01

23 min read

Self-hosted family SFTP: exposing a NAS without port forwarding using Pangolin + Newt + SFTPGo

Four non-techy relatives need access to folders on my NAS from anywhere, simply, with a mainstream Android app. The old Internet-exposed SFTP is gone. Full story of replacing it with a Pangolin + Newt + SFTPGo stack: no public IP on the NAS, outbound WireGuard tunnel, raw TCP SFTP coming out of a 3€/month VPS Lite. Plus two hours wasted blaming my ISP when the culprit was sitting one panel over.

02

7 min read

Securing MCP API keys in Claude Code (and why it's urgent)

Your API keys are probably sitting in plain text in your mcp.json. Here's how to secure them with environment variable interpolation, a dedicated secrets file and deny rules.

03

13 min read

Internet censorship: technical solutions to stay connected

When a government blocks social media, there are technical solutions to bypass censorship. From a simple DNS change to a self-hosted VPN, an overview of methods ranked by difficulty.

04

21 min read

Sovereign VPN: Setting up your own server with Headscale in Switzerland

In this second part, we set up a self-hosted VPN with Headscale and an anti-censorship VLESS+Reality proxy (Xray) on a Swiss VPS. Both services share port 443 through nginx SNI routing.

05

7 min read

Secure remote access to your NAS with Tailscale

Setting up Tailscale as a WireGuard mesh VPN to access your NAS and entire local network from anywhere, without opening ports.

06

7 min read

Hardening your NAS Linux kernel to CIS Level 2 standards

Over 40 sysctl parameters, module blacklisting, GRUB settings and filesystem hardening to achieve CIS Level 2 security on Debian.