First, did you Get Off Gmail?
Second, did you consider that you could Build A $54 Fail Closed Firewall?
Third, are you ready to Pick Your Pi?
If you’re off Gmail, you’ve got yourself ProtonMail, and that comes with ProtonVPN.
And then all you need is a computer suitable for firewall duty …
Attention Conservation Notice:
More small device firewall/travel router wonkery herein. If you’re not down to tinker at least a little, just move along …
Hardware:
This Pi business is still up in the air. Raspberry Pi5 is the safe, performant buy. I’m trying to love the Orange Pi Zero 3, because $39 SBC and I am not a wealthy man, but it has thus far defied my Linux-fu. The next thing that will happen, once someone (*cough* sends me an Amazon gift card *cough*), will be one of the Banana Pi boards making its way here.
The M4 lacks onboard storage, but it offers antenna jacks, which are sub-optimal for backpack duty. The M5 has onboard eMMC storage, but lacks wifi, which is fine by me, because a USB wifi dongle is MUCH sturdier than some tiny zip tied antenna. The M6 has onboard eMMC, no wifi, and its processor is twice as capable as the M5.
I do not love the one backpack grade case available for these machines. This clearly gets hot, while the finned aluminum case I have for a Pi5 stays nice and cool.
Virtual Systems:
I haven’t said much about it previously, but I’ve been collecting virtual private servers from low cost leader Contabo. Their support is rock bottom polite “fuck you” email, and people with important things to do have come to regret choosing them. But if all you want to do is dink around with a VPS, $5.50 for an 800GB torrent seed box is not a bad price.
Let me be super clear on this - the email support is terrible, and renting a machine in Europe will be no protection against civil/criminal foolishness here, because they DO have a U.S. presence. If you need to be secure, you’re still gonna pay 10x this rate for a system in an uncooperative jurisdiction.
So while we’re aiming for home/hotel room safety, we’re gonna start with a $5.50/month Storage VPS 1 as our example system.
Why WireGuard:
VPNs were done with PPTP back in the day, or IPsec if you were patient and needed something that was actually secure. OpenVPN came along and ate both of those solutions alive, because it was 1) free and 2) much less broken.
Less broken is still pretty broken, however. PPTP and OpenVPN are still using the analog modem metaphor of the prior century. If you want into something, you have to start a process to “dial” into it. So that means either manual intervention, or configuring a system service, and these things are prone to breaking their sessions - that’s the “fail” in fail closed. We did not know how badly this sucked until WireGuard made permanent routing policy level VPNs as safe as IPsec, while being simpler than OpenVPN.
Rather than the dial up modem metaphor, WireGuard is a tiny piece of code that does one thing very well. Any destination that needs encryption is marked as such, and any traffic to or from it is encrypted. You don’t have to pay attention to the state of some complex, finicky piece of software; it just runs.
When I first learned of WireGuard I was immediately impressed: it was a “unix way” tool, and I started looking for VPN providers supporting it. There were none. When Proton finally got it, I switched immediately … and then promptly switched back, because the performance was terrible. This was a function of capacity planning, not the quality of the thing. And I ignored it ever since, because life is short and my queue is overflowing.
Then last summer TailScale Changes Everything. There’s a simple graphical front end to a mesh VPN that works on every mobile, desktop, and server. I really need to take a month and just wade through all the stuff you can do with it, but as above, life is short. So it’s cool, but I have yet to make the internet exit function do what I want, and for security from administrative fuckery it’s clear that HeadScale will be a requirement.
Task Du Jour:
So I have one of these Contabo gadgets and it’s getting a relentlessly insecure piece of software installed over Debian 12. This piece of software comes bundled WITH a firewall, but it presumes a much lower level of threat than I typically envision, and it’s complex/fiddly to deal with it. Something had to be done.
So I made a very limited network setup, nothing but Contabo’s broke ass local DNS/repo mess, a ProtonVPN WireGuard endpoint, and my house are reachable. This is from /etc/network/interfaces:
auto eth0
iface eth0 inet static
    address 66.94.120.2
    netmask 255.255.248.0
    # No default gateway on purpose: with this line commented out, the only
    # way off the box is through the WireGuard tunnel. That is the "closed"
    # in fail closed.
    # gateway 66.94.120.1
    dns-search invalid
    dns-nameservers 209.126.70.52 209.126.70.51
    # Pin routes for the few destinations that must stay reachable in the
    # clear: the local /21, Contabo's two resolvers, the ProtonVPN endpoint
    # (156.146.54.81, the [Peer] below) and the home address mentioned above.
    up ip route replace 66.94.120.0/21 via 66.94.120.1 dev eth0
    up ip route add 209.126.70.52 via 66.94.120.1 dev eth0 onlink
    up ip route add 209.126.70.51 via 66.94.120.1 dev eth0 onlink
    up ip route add 156.146.54.81 via 66.94.120.1 dev eth0 onlink
    up ip route add 12.96.42.215 via 66.94.120.1 dev eth0 onlink
And then ProtonVPN’s web interface gave me a WireGuard configuration:
[Interface]
# Key for bucknaked
# Bouncing = 3
# NetShield = 0
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = off
PrivateKey = IGxlrvFQI3AaYKEYFZqPiPbD3OZYbKEYaytRXQrnF3o=
Address = 10.2.0.2/32
DNS = 10.2.0.1
# These were added after the story was published, my bad.
PostUp = ip route add default via 10.2.0.1 dev wg0
PostDown = ip route del default via 10.2.0.1 dev wg0
[Peer]
# US-FREE#8
PublicKey = FF79Ab2FREEtsyNYxviTFREEJLuvUcoEOpl8DYbasgq=
AllowedIPs = 0.0.0.0/0
Endpoint = 156.146.54.81:51820
And that’s all there is to it. This machine boots with only the ability to talk to me, and I’ve been switching the default route between 66.94.120.1 and 10.2.0.1, trying to coax an install to finish, around Contabo’s customized Debian that uses their local software repos. It’d be great, if, ya know, those repos were ACTUALLY AVAILABLE, but that’s a bridge too far for our low cost leader.
Your Next Step:
OK, so this stuff WORKS and it’s REALLY SIMPLE. You can take any one of the following:
Banana/Raspberry Pi SBC you just got.
Contabo VPS you just rented.
Old laptop you kept for lurking.
Virtual Linux machine hosted on your desktop.
And just install it. There are simple guides for this simple process and you don’t have to be a Linux curmudgeon to determine if the job is done right. Can you ping whatever.com? If yes, you’re secure, because the tunnel is the only route out of the box.
The only slight divergence here from the guides is the replacement of the default route with a static route to a single ProtonVPN endpoint.
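To confirm the "only route out is the tunnel" property without eyeballing the table, here is an added audit script (not from the post or from ProtonVPN) that reads `ip route show` output and flags any default route on the uplink, or any uplink route to a destination outside the allow list from the interfaces file above. It assumes eth0 is the uplink and wg0 the tunnel, as in the configuration shown, and the three route tables it checks are constructed samples.

```shell
#!/bin/sh
# Added example: audit an `ip route show` table for the fail-closed invariant
# the text relies on. Assumes eth0 is the uplink and wg0 the tunnel.

UPLINK="eth0"
# Destinations allowed to leave in the clear: the local /21, Contabo's two
# resolvers, the ProtonVPN endpoint and the home address from the text.
ALLOWED="66.94.120.0/21 209.126.70.52 209.126.70.51 156.146.54.81 12.96.42.215"

# check_fail_closed ROUTE_TABLE_TEXT
# Prints each offending route; returns 1 if any is found, 0 if the box is closed.
check_fail_closed() {
    printf '%s\n' "$1" | awk -v uplink="$UPLINK" -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Find the interface named on this line ("dev X").
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        # A default route on the uplink means traffic leaves unencrypted.
        $1 == "default" && dev == uplink { print "FAIL-OPEN default route: " $0; bad = 1; next }
        # Every other uplink route must point at an allow-listed destination.
        $1 != "default" && dev == uplink && !($1 in ok) { print "UNEXPECTED uplink route: " $0; bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample: what the interfaces file above yields once PostUp has
# installed the tunnel default route.
TUNNEL_UP='default via 10.2.0.1 dev wg0
10.2.0.1 dev wg0 scope link
12.96.42.215 via 66.94.120.1 dev eth0 onlink
66.94.120.0/21 via 66.94.120.1 dev eth0
156.146.54.81 via 66.94.120.1 dev eth0 onlink
209.126.70.51 via 66.94.120.1 dev eth0 onlink
209.126.70.52 via 66.94.120.1 dev eth0 onlink'

# Constructed sample: tunnel down. No default route at all, so nothing leaks;
# that is what "fail closed" means in practice.
TUNNEL_DOWN='66.94.120.0/21 via 66.94.120.1 dev eth0
156.146.54.81 via 66.94.120.1 dev eth0 onlink
209.126.70.52 via 66.94.120.1 dev eth0 onlink'

# Constructed sample: the commented-out gateway line re-enabled, plus a stray
# host route left over from debugging. Both bypass the tunnel.
LEAKY='default via 66.94.120.1 dev eth0
198.51.100.7 via 66.94.120.1 dev eth0 onlink
66.94.120.0/21 via 66.94.120.1 dev eth0'

# Demo on the constructed tables; on the VPS itself pass "$(ip route show)".
for table in "$TUNNEL_UP" "$TUNNEL_DOWN" "$LEAKY"; do
    if check_fail_closed "$table"; then echo "closed"; else echo "OPEN"; fi
done
```

Run it from cron or a shell alias after every network change; a non-zero exit means something can reach the internet around the tunnel.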
Conclusion:
WireGuard’s ascent has been agonizingly slow to my mind, but here we finally are. You can mesh your stuff together with TailScale, or level up and roll your own with HeadScale. You can get a gratis WireGuard VPN via ProtonMail, or pay the $5/month for Mullvad.
There might be other good VPN providers out there, but there are a lot of really shitty ones. All those “top five” listicles about VPNs are a goofy pay to play market where nobody does any real evaluation. If they say they’re not logging, they’re lying. The only ones that don’t are the ones that CAN’T. Mullvad will let you pay in an anonymous fashion, as will the relentlessly feral Cryptostorm. If you’re giving up an email and a credit card, you ARE being tracked.
There are way too many poorly done services that leak, or worse that will quietly fail and switch back to passing traffic, in order to keep their support costs low(!) The legion of “free” VPNs for mobile phones are famous for doing stuff like that. There’s no excuse in 2025 to not be safe by default with VPN access that is either doing its job, or obviously not running at all.
So that’s that. Get that first cup of coffee in you, then get cracking …
I cannot copy and paste links of your recommended hardware from - I guess it is photo images.
It would be easier if I could just directly paste the Pi name into Amazon, or Newegg, or . . .
I envision an external router that would display every string my computer tries to use.
That is, I suppose the attack on my computer is not visible from the computer OS.
I do not know much on the topic, and less of how to find software that reconciles an IP address to a where, an organization, which would not also tell someone else a great deal of what I am doing.
Good material, I appreciate it.