Yes, a plain Debian 12 or Fedora Server install on cheap x86 hardware, or a Raspberry Pi 5, makes a better router than most consumer gear. It often beats boxes that cost twice as much. You need two network interfaces, a few config files, and about two hours. The result is a gateway with a real stateful firewall via nftables , proper DNS and DHCP from dnsmasq , and traffic shaping that works through CAKE SQM. Every config is plain text you can track in Git.
Networking
WireGuard Site-to-Site VPN: 400-500 Mbps on Raspberry Pi
To connect two remote LANs over WireGuard
, you configure a WireGuard peer on one gateway device at each site, set AllowedIPs to include the remote site’s subnet, enable IP forwarding on both gateways, and add routing so LAN clients send cross-site traffic through the tunnel. Once configured, every device on either LAN can reach devices on the other LAN transparently - no VPN client installation on individual machines. A single UDP port open on at least one side is all you need.
Tailscale Mesh VPN with WireGuard: 100 Devices, Zero Config
Tailscale builds a private WireGuard
-based mesh VPN across all your devices with almost no setup. You install the client on each machine and sign in with your identity provider. Every device then gets a stable 100.x.y.z IP that works no matter the NAT, firewalls, or network changes. Tailscale
v1.96 adds ACL tags for per-device policy, exit nodes, subnet routers, and MagicDNS for hostname lookups. For homelabbers, it is the easiest way to link a server, cloud VPS, phone, and laptop into one network.
Why Is My USB-C Charger So Slow? Understanding USB Power Delivery
USB Power Delivery (USB-PD) is supposed to be the universal charging standard that ends cable chaos. In practice, plugging in the wrong cable or charger gives you a device that charges at 5W instead of 100W - or refuses to charge at all. The root cause is almost always one of three things: a cable rated below what the device needs, a charger that advertises high wattage but only supports a narrow set of voltage profiles, or confusion between USB-PD and the half-dozen proprietary fast-charging protocols that coexist with it.
Production Docker with Traefik v3.6: Auto TLS, 30K RPS
Run Traefik
v3 as a Docker container to build a production-ready stack. It discovers services through Docker labels and handles Let’s Encrypt
TLS certificates automatically. You won’t need separate Nginx configs because everything lives in one docker-compose.yml file. This setup gives you a self-managing reverse proxy for multi-service deployments.
Key Takeaways
- Traefik automates service discovery using Docker labels to build routes instantly.
- Native Let’s Encrypt support handles SSL certificates without manual Certbot configuration.
- A built-in web dashboard provides real-time visibility into your routing health.
- Middlewares enable easy setup of security headers, rate limiting, and compression.
- The single-binary architecture handles over 30,000 requests per second on modest hardware.
The current stable release as of early 2026 is Traefik v3.6.x, with v3.7 in early access. All examples in this guide target the v3.x line.
Wildcard SSL Certificates with Let's Encrypt and DNS-01
A wildcard SSL cert for *.example.com from Let’s Encrypt
covers every one-level subdomain. You get one through the DNS-01 challenge, or, since February 2026, through the new DNS-PERSIST-01 challenge that skips per-renewal DNS edits. One wildcard cert replaces the per-service certs you’d otherwise juggle behind your reverse proxy.
Key Takeaways
- One wildcard cert covers every one-level subdomain under a domain, replacing dozens of per-service certs.
- Only DNS-based challenges (DNS-01 and DNS-PERSIST-01) issue wildcards; HTTP-01 and TLS-ALPN-01 won’t work.
- The newer DNS-PERSIST-01 challenge lets you authorize once and skip DNS edits on every renewal.
- Certbot and acme.sh both automate the DNS challenge through provider-specific plugins or tags.
- Systemd timers handle the 90-day renewal window cleanly, with deploy hooks to reload your reverse proxy.
Why Wildcard Certificates and When You Need Them
If you run three subdomains, single certs work fine. Each one gets its own HTTP-01 challenge, Certbot handles renewal, and life is simple. Once you pass 10 or 15 subdomains, the chore list grows. Every new service needs its own cert request, its own renewal entry, and its own way to break. A wildcard cert folds all of that into one.
Botmonster Tech




