Build Log
An engineer's build log. The real infrastructure work I do — client and employer details kept out — alongside the labs I build to understand the big systems from the inside. I write up the why, not just the what.
Series
Rebuilding Remote Access
The old OpenVPN setup wasn't broken — it was a pile of per-user certificates and a manual onboarding ritual. Here's the case for replacing it with a self-hosted WireGuard mesh tied to our identity provider, and the one rule that makes the swap safe.
- 1. Why we're tearing out a VPN that works (May 30, 2026)
- 2. The identity spine: Keycloak in front of an existing directory (June 4, 2026)
- 3. The gateway: self-hosted NetBird behind Caddy, with a relay (June 8, 2026)
- 4. Routes and policy: giving the mesh the keys, one team at a time (June 11, 2026)
- 5. Cutover without downtime: migrating users while the old VPN stays up (June 13, 2026)