https://blog.abellana.work/ An engineer's build log — real infrastructure and systems work (clients and identifying details kept out) and the labs I build to go deeper. The why behind the systems, not just the what. en-us Sat, 13 Jun 2026 16:57:14 GMT https://blog.abellana.work/posts/remote-access-cutover-without-downtime/ https://blog.abellana.work/posts/remote-access-cutover-without-downtime/ Sat, 13 Jun 2026 12:00:00 +0000 The new mesh works — now move real people onto it without a bad day. This part is the discipline that makes a migration boring: a parallel pilot, simplified onboarding, wave-by-wave cutover with the old VPN as a live safety net, and backups you've actually restored. https://blog.abellana.work/posts/remote-access-routes-and-policy/ https://blog.abellana.work/posts/remote-access-routes-and-policy/ Thu, 11 Jun 2026 12:00:00 +0000 An authenticated peer that can't reach anything is useless. This part turns the gateway into a routing peer, advertises the internal network, pushes internal DNS, and replaces 'connected = full access' with default-deny, group-based policy. https://blog.abellana.work/posts/remote-access-self-hosted-netbird-gateway/ https://blog.abellana.work/posts/remote-access-self-hosted-netbird-gateway/ Mon, 08 Jun 2026 12:00:00 +0000 Now the WireGuard control plane. This part stands up self-hosted NetBird on a DMZ gateway, fronts it with Caddy issuing TLS via DNS-01, points it at our SSO for auth, and adds a coturn relay for the peers that can't connect directly. https://blog.abellana.work/posts/remote-access-identity-spine/ https://blog.abellana.work/posts/remote-access-identity-spine/ Thu, 04 Jun 2026 12:00:00 +0000 Before the mesh can ask 'who are you?', something has to answer authoritatively. This part stands up Keycloak as the SSO front door and federates the existing directory read-only — adding MFA without migrating a single user account. https://blog.abellana.work/posts/remote-access-why-replace-the-vpn/ https://blog.abellana.work/posts/remote-access-why-replace-the-vpn/ Sat, 30 May 2026 12:00:00 +0000 The old OpenVPN setup wasn't broken — it was a pile of per-user certificates and a manual onboarding ritual. Here's the case for replacing it with a self-hosted WireGuard mesh tied to our identity provider, and the one rule that makes the swap safe.