Over the past few years, the internet has stopped being the free, open space many of us grew up with. Surveillance scandals, governments pushing censorship, companies treating user data as a product to be sold — it’s become clear that the people in power don’t care about protecting us. They only care about control, profit, and convenience.

And it’s not just corporations anymore. Governments have started openly pushing laws that would shatter privacy in the name of “safety.” Take the UK’s Online Safety Act: presented as a way to protect children, but buried inside it is something far darker, a power to order platforms to deploy “accredited technology” that scans private messages for illegal content. On an end-to-end encrypted service that scan can only happen on your own device, before the message is sealed, which is another way of saying the encryption no longer protects you from the platform. It’s dressed up as protection, but it’s really mass surveillance in disguise.

The EU tried to push a similar measure not long ago. They wanted tech companies to scan all your messages, all your photos, all your emails for flagged content before they were encrypted. That means the system wouldn’t just be watching “criminals” — it would be watching everyone, by default. Every chat between friends. Every private picture between partners. Every voice note to your kids. The very foundation of trust in digital communication would vanish.

For me, that was the breaking point. I realized I could no longer rely on governments or corporations to guard my privacy. Because they won’t. They’ve made it abundantly clear that “safety” and “convenience” for them comes first — our rights come last.

So I decided to do something about it. Not by complaining on forums, not by signing another petition that gets ignored, but by building my own line of defense: a dedicated server PC that sits between me and the outside world, encrypting, filtering, and protecting every device in my home.

It felt empowering in a way I didn’t expect. When I hit that first successful connection through my VPN, it wasn’t just a technical win. It was like taking back a piece of myself that I thought was gone. Like boarding up the broken windows of a house I still want to live in.

This isn’t some paranoid fantasy. It’s practical, doable, and — to my surprise — it only took about two hours to set up. Two hours to shift from being a passive consumer to someone who actively shapes how they interact with the digital world. Two hours to trade frustration for control.

Now, when my devices connect, I don’t just see blinking lights on a router. I see a personal shield. A machine that answers to me, not to an ISP, not to some faceless company, and certainly not to a government agency.

And maybe that’s the point I want to leave you with: this isn’t just about technology. It’s about mindset. You don’t have to accept the internet as it’s been handed to you. You can rebuild your corner of it, protect it, and reclaim the freedom that drew us all online in the first place.


🔹 Why Bother?

Here’s the reality:

The internet we were promised — free, open, and empowering — doesn’t exist anymore. At least, not in the way it used to. Back then, you could almost believe that when you connected to a website, it was just you and the site. No middlemen, no hidden watchers, no strings attached.

But today? Every site you open, every Google search, every late-night rabbit hole you fall into leaves a trail your Internet Service Provider (ISP) can read: the DNS lookup for the name, the address you connect to and, for most HTTPS sites, the hostname in the TLS handshake. The page itself is encrypted; the fact that you visited it is not. And they don’t just see it, they record it. Those records don’t sit quietly in a vault; they’re sold, analyzed, profiled, and bundled up like trading cards.

Think about it: your internet habits, the shows you stream, the medical sites you visit when you’re worried at 2 AM, even the games you play — reduced to data points. Stripped of context, stripped of humanity, turned into a product. Not you the person, but you the dataset.

And governments? They’ve figured out how to spin surveillance as a gift. “It’s for your safety,” they say. “Think of the children.”

Take the UK’s Online Safety Act. On paper, it sounds noble: protecting children from harm online. Who wouldn’t want that? But dig deeper and you see the ugly truth: the Act lets the regulator order private companies to scan messages with “accredited technology,” and for WhatsApp, Signal or iMessage there is no way to do that without weakening or outright breaking end-to-end encryption. Your private chats could be scanned on your own phone before they’re even encrypted.

It’s like mailing a sealed letter, only to learn that someone at the post office opens it, photocopies it, and then reseals it before delivery. Sure, your message still gets to your friend, but now a stranger has a copy. That’s what these laws propose: surveillance before privacy can even begin.

And this isn’t just a UK problem. In the EU, lawmakers tried to push through legislation that would force services to scan all private messages for “harmful content” — again, before encryption. They called it “Chat Control.” Nice branding, but the truth is chilling. Imagine pouring your heart into a diary and locking it with a key, only to find out that the locksmith read every page before handing you the key. That’s what’s on the table.

Meanwhile, big tech wraps surveillance in the warm blanket of “convenience.” They sell us devices that listen all the time — smart speakers, smart TVs, even smart fridges. They promise ease: “Don’t worry, it’s hands-free, it’s automatic, it’s personalized just for you.” But the cost is invisible: whatever the microphone catches, wake-word or false trigger, becomes a data point stored on some company’s server.

It’s a slow erosion of privacy. Not a sudden loss, but a drip, drip, drip. Until one day you look up and realize:

  • The internet doesn’t feel like yours anymore.
  • It feels like theirs.

And that realization hit me hard.

So why bother?

Because I don’t want to live in a world where shrugging is the only option. Where we just say “that’s the price of being online”. Where the default is giving up control.

I wanted something different. Something mine.

That’s why I built my own gateway. A server that sits between me and the outside world. When my traffic leaves my home, it doesn’t leave naked, raw, and vulnerable. It leaves wrapped in encryption, filtered by rules I chose, and routed through systems that put my priorities first — not my ISP’s profit margins, not a government’s hunger for control, not a company’s thirst for data.

Will it stop everything? No. I can’t single-handedly dismantle surveillance capitalism. I can’t prevent governments from drafting laws that treat privacy like a crime.

But what I can do is refuse to be helpless. I can refuse to be the easy target, the low-hanging fruit.

It’s not about being invisible. It’s about being intentional.

Every byte of data that leaves my network now does so on my terms. And to me, that matters. Because privacy isn’t paranoia — it’s dignity. A gateway like this doesn’t stop every problem, but it means your traffic no longer flows raw through systems designed to exploit you.


🔹 The Hardware Setup

When most people look at their internet setup, they see nothing but a tangle of boxes, blinking lights, and cables that “just work.” For me, it’s different. Each piece of hardware is not just a device — it’s a choice, a checkpoint, a conscious decision about who I allow to see what flows in and out of my digital life.

Here’s the chain that stands between my fingertips and the outside world:

Main PC → Switch → Server/VPN → Router (Nighthawk R8000P) → Fiber Box → Internet

At first glance, it doesn’t look unusual. But when you zoom in, it represents a total shift in control.


📦 Fiber Box → The ISP’s Gatekeeper

This is where everything begins — or rather, where my control ends. The fiber box is the ISP’s hardware. I don’t get a say in its firmware, its design, or what logging it does behind the scenes. It’s the silent gatekeeper, a reminder that no matter how much we build on our end, there’s always one piece of the chain that belongs to someone else.

Some people shrug and say, “Well, that’s just how it is.” I can’t. Every time I look at the fiber box, I think of it like the lock on a rented apartment. It’s not my lock. It’s theirs. My job is to build the walls behind it so solid that even if the lock is compromised, my home stays safe.


📡 Router → The Nighthawk R8000P

Next comes my router, the Netgear Nighthawk R8000P — one of those aggressive-looking, black, six-legged “spider” routers that looks like something out of a sci-fi movie. It’s tri-band, MU-MIMO, and capable of handling far more clients than I’ll ever need.

But here’s the catch: the fiber box can’t be put into bridge mode, so the Nighthawk has to keep doing its own NAT instead of handing a public address down the chain. That means it’s powerful, but still half in their hands. It also means the server sits behind an extra layer of NAT (nothing from outside reaches it without a forwarding rule on the router too), and the router’s own LAN, Wi-Fi included, is a network the server never polices.

I see this router as my first real layer of choice. It’s where I decide what devices are allowed to connect, what SSIDs I broadcast, and how traffic is shaped. But I don’t trust it entirely. Like all consumer routers, it’s running closed-source firmware. I have no idea what hidden processes are lurking inside.

So I treat the R8000P like a soldier in the ranks — useful, strong, but not the general. Its job is to distribute access. The real control doesn’t sit here.


🖥️ The Server PC → The Beating Heart

Behind the router is where the real magic happens: my server PC. Once a gaming rig, now repurposed as the central nervous system of my entire digital fortress.

  • CPU: Intel i7-6850k — overkill for routing, but perfect for multitasking.
  • GPU: GTX 1080 — wasted here, sure, but I secretly love the thought that my firewall has more raw graphics horsepower than most office PCs.
  • RAM: 16 GB — plenty for networking services.
  • Storage: 2 TB NVMe — blisteringly fast, no bottlenecks.
  • Network Ports: Dual NICs (WAN in, LAN out).

This box runs Ubuntu Server with a GNOME GUI. Some people swear by headless setups, but I prefer having a visual layer when I need it. It makes me feel like I’m piloting a cockpit, not just typing into a void.

Here’s what it does:

  • dnsmasq → my DNS and DHCP brain. No device in my house asks Google or Cloudflare directly. Everything asks me first.
  • nftables → the firewall and NAT enforcer. Every packet is judged before it passes. Allowed? Blocked? Logged? The decision happens here.
  • WireGuard → the encrypted tunnel to ProtonVPN. To my ISP, all traffic looks like an encrypted blob headed for one ProtonVPN address. They can see that address and measure volume and timing, but they don’t see content.

This isn’t just a PC anymore. It’s my border guard, customs officer, and wall-builder all in one. Everything flows through it, and nothing bypasses it.


🔀 The Switch → Silent Distributor

After the server, traffic hits the switch — a PoE-capable box that quietly powers and connects my LAN devices. To an outsider, it looks boring. Just another network switch.

But here’s the difference: this switch doesn’t pass along raw ISP data. It distributes my version of the internet — filtered, encrypted, scrubbed, and made safe by the server first.

I think of it like a water main. Without the server, it would deliver whatever dirty water the ISP pumped in. With the server, every drop is purified before reaching the tap.


🖥️ Main PC (and everything else) → The Protected Endpoints

Finally, there’s me: my main PC, my phone, even the so-called “smart” gadgets scattered around the house.

Here’s the rule: nothing on the LAN side of the server talks to the router or fiber box directly. Every packet, every DNS query, every sneaky “phone-home” attempt from a smart TV or IoT device is forced through the server first. No exceptions. (The one honest asterisk: a device that joins the Nighthawk’s own Wi-Fi is on the router’s side of the server, not mine, until an access point is plugged in behind the switch.)

That’s important, because modern devices are noisy. Phones ping analytics servers even when idle. TVs check in with ad networks. Even lightbulbs try to report back to the mothership. Left unchecked, it’s a mess of data you never agreed to share.

In my setup, that noise hits a wall. The server decides what leaves, what stays, and what gets encrypted before it goes anywhere.


🔑 Why This Chain Matters

From the outside, it looks like just another home network. But to me, it’s a psychological shift. It’s a declaration.

  • The fiber box is theirs.
  • The router is shared territory.
  • The server is mine.

And that’s the point. I’ve carved out a space in the middle of this chain that belongs entirely to me — my rules, my encryption, my firewall, my choices.

It’s not just about privacy. It’s about dignity. About saying: I refuse to let my digital life be harvested without a fight.

Every time I glance at the humming server case under my desk, I don’t just see fans and silicon. I see a wall I built with my own hands. A reminder that while I can’t control the entire internet, I can damn well control the part that touches me.


🔹 The Software Setup

When people think about servers, they often imagine blinking racks in cold datacenters, run by faceless admins. But for me, my server is personal. I know every service that runs on it, every rule I’ve written into its firewall. It’s not just “software” — it’s a set of decisions about how I want to live online. Every package I install is a statement: I refuse to outsource my digital life to people who don’t care about it.


💿 Ubuntu Server → The Foundation

I started simple: a USB stick and Ubuntu Server. No magic, no vendor “appliances,” no mystery firmware. Just Linux, bare and honest.

I could have left it as a pure headless server — many people do. But I installed GNOME GUI anyway. Some say it’s bloated, unnecessary. For me, it’s a matter of comfort. A cockpit feels more real when you can see the instruments. Having a GUI makes the machine feel less like a headless black box and more like a workstation I can step into when I want to tweak things.

Yes, I even installed the NVIDIA drivers for the GTX 1080 inside. Completely useless for a VPN or firewall, but I can’t resist the symbolism: my “shield” has more GPU horsepower than most office PCs. That card sits there idle, a reminder that this is no ordinary router. The honest trade-off: every extra package on the border box is more surface to keep patched, and an out-of-tree GPU driver is kernel code the firewall now runs alongside.


📡 DHCP + DNS (dnsmasq) → Owning the Flow

The next step was replacing one of the most overlooked parts of any home network: DNS.

Normally, when your phone or PC asks “Where is google.com?” it goes straight to your ISP’s resolver, or worse, directly to Google or Cloudflare. That’s like telling the post office every single letter you send, before it even leaves your house.

I wasn’t okay with that. So I installed dnsmasq.

  • My server became the DHCP brain of the entire LAN. It hands out IP addresses to every device, deciding who gets what.
  • It became the DNS gatekeeper too. No device in my home is allowed to talk to outside DNS servers. If a phone or smart TV tries to sneak around and use 8.8.8.8 on port 53, the firewall drops it on the floor like trash. (Devices that speak DNS-over-HTTPS to a hard-coded resolver ride over port 443 and slip past a port-53 rule; those have to be blocked by destination address or switched off on the device.)
  • Instead, everything has to ask my dnsmasq first. From there, I point queries upstream, not to the ISP but to resolvers I picked myself, and those queries only ever leave inside the VPN tunnel.

It feels like rerouting a river. All the little creeks (my devices) have to flow into a reservoir I control, and only then do I let that water trickle out into the wider world.
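The dnsmasq side of that, as an added example rather than the author’s own file: one drop-in that makes the server both the DHCP server and the only resolver the LAN is told about. The interface name, subnet and upstream address are assumptions (the upstream should be the in-tunnel resolver from the DNS= line of the provider’s WireGuard config; 10.2.0.1 is a placeholder), and `no-resolv` is what stops dnsmasq from quietly falling back to whatever /etc/resolv.conf says.

```shell
#!/bin/sh
# Added example, not the author's config: dnsmasq as the LAN's only DHCP and
# DNS server. Interface name, LAN subnet and upstream resolver are assumptions.
LAN_IF="${LAN_IF:-enp3s0}"          # assumed: the NIC cabled to the switch
LAN_IP="${LAN_IP:-192.168.50.1}"    # assumed: this box's address on that NIC
LAN_NET="${LAN_NET:-192.168.50}"    # assumed: the /24 handed out by DHCP
# Assumed upstream: a resolver reachable only inside the tunnel, so a collapsed
# tunnel means no DNS at all rather than DNS via the ISP. Take the real value
# from the DNS= line of the downloaded WireGuard config; this is a placeholder.
UPSTREAM_DNS="${UPSTREAM_DNS:-10.2.0.1}"

# Print the drop-in. Kept as a function so it can be validated before it is
# written to /etc/dnsmasq.d/.
gen_dnsmasq_conf() {
    cat <<EOF
# --- gateway DHCP + DNS ---
# Listen on the LAN NIC only; never on the WAN NIC or wg0. bind-interfaces
# also keeps dnsmasq clear of Ubuntu's systemd-resolved stub on 127.0.0.53.
interface=${LAN_IF}
bind-interfaces
listen-address=${LAN_IP}

# Ignore /etc/resolv.conf: the only upstream is the one inside the tunnel.
no-resolv
server=${UPSTREAM_DNS}

# Hygiene: don't forward private-range reverse lookups or bare hostnames
# upstream, and refuse answers that point public names at private addresses.
bogus-priv
domain-needed
stop-dns-rebind

# DHCP: every client is told this box is both gateway and resolver.
dhcp-authoritative
dhcp-range=${LAN_NET}.100,${LAN_NET}.200,12h
dhcp-option=option:router,${LAN_IP}
dhcp-option=option:dns-server,${LAN_IP}

# Useful while tuning, noisy afterwards.
log-queries
EOF
}

# Checks on the generated text: bound to the LAN, clients pointed here, and no
# upstream inherited from the host's resolv.conf.
validate_dnsmasq_conf() {
    conf="$1"
    printf '%s\n' "$conf" | grep -q "^interface=${LAN_IF}$" \
        || { echo "not bound to the LAN NIC"; return 1; }
    printf '%s\n' "$conf" | grep -q '^no-resolv$' \
        || { echo "missing no-resolv: host resolv.conf would be used"; return 1; }
    printf '%s\n' "$conf" | grep -q "^dhcp-option=option:dns-server,${LAN_IP}$" \
        || { echo "clients are not pointed at the gateway"; return 1; }
    return 0
}

# Write and activate only when run as:  sh gateway-dns.sh apply
if [ "${1:-}" = "apply" ]; then
    conf="$(gen_dnsmasq_conf)"
    validate_dnsmasq_conf "$conf"
    printf '%s\n' "$conf" > /etc/dnsmasq.d/gateway.conf
    dnsmasq --test && systemctl restart dnsmasq
fi
```

`dnsmasq --test` only parses the configuration; the real proof is a client that, after renewing its lease, shows the server as its DNS server and gets answers from it while the tunnel is up and none while it is down.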


🔥 Firewall + NAT (nftables) → Writing the Rules of War

Then came the firewall. This is where things get serious.

I don’t like “allow all, block some.” That’s lazy. I went the other way: drop everything by default.

That means nothing moves unless I write a rule saying it’s allowed. No hidden exceptions. No “helpful” background services punching holes in my wall. Silence is the default.

From there, I carved narrow doors:

  • LAN → WAN only through the VPN. If my PC wants to reach the internet, it must pass through the tunnel. If the tunnel is down, the packet dies on the floor.
  • NAT masquerading. To the outside world, all my devices blur into one IP. My phone, my PC, my TV — they vanish behind the mask of the server.
  • Kill-switch rules. If ProtonVPN’s WireGuard tunnel collapses, my entire LAN goes dark. There’s no “fail open.” No leaks. The single exception is the WireGuard handshake itself: the server may send UDP to ProtonVPN’s endpoint out of the WAN NIC, because without that one hole the tunnel could never come back up. I’d rather my Netflix buffer than my data slip through naked.

Configuring nftables was more than just typing rules. It was like setting house laws. Every packet that moves through my network is judged by these rules — guilty or innocent, allowed or denied. And I wrote them myself. That’s power.
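What those house laws look like written down, as an added example and not the author’s actual ruleset: default-drop on input, forward and output, LAN→wg0 as the only forwarding path, stray port-53 traffic dropped before it can be tunnelled, masquerade on wg0, and exactly one direct path out of the WAN NIC for the WireGuard handshake. Interface names, the LAN subnet, the VPN endpoint address and port are all assumptions. The kill switch is a property of the ruleset (no rule in the forward chain ever names the WAN NIC), so the script checks for that property rather than trusting that it was typed correctly.

```shell
#!/bin/sh
# Added example, not the author's ruleset: default-drop nftables policy with
# LAN->wg0 as the only forwarding path. Names and addresses are assumptions.
LAN_IF="${LAN_IF:-enp3s0}"                  # assumed: NIC cabled to the switch
WAN_IF="${WAN_IF:-enp4s0}"                  # assumed: NIC cabled to the Nighthawk
LAN_NET="${LAN_NET:-192.168.50.0/24}"       # assumed: subnet dnsmasq hands out
WG_IF="wg0"
WG_ENDPOINT="${WG_ENDPOINT:-203.0.113.10}"  # assumed placeholder: Endpoint host in wg0.conf
WG_PORT="${WG_PORT:-51820}"                 # assumed: Endpoint port in wg0.conf

gen_nft_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet gateway {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif lo accept
        # LAN clients may reach dnsmasq (DNS + DHCP) and ssh on this box only.
        iifname "${LAN_IF}" udp dport { 53, 67 } accept
        iifname "${LAN_IF}" tcp dport { 53, 22 } accept
        iifname "${LAN_IF}" icmp type echo-request accept
        # The WAN NIC is a DHCP *client* of the router; lease renewals arrive
        # as plain UDP and would be dropped without this.
        iifname "${WAN_IF}" udp sport 67 udp dport 68 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # A client that skips dnsmasq and asks 8.8.8.8 directly is dropped
        # here, not tunnelled. (DNS-over-HTTPS on 443 is not caught by this.)
        iifname "${LAN_IF}" udp dport 53 drop
        iifname "${LAN_IF}" tcp dport 53 drop
        # The kill switch: the only accept names ${WG_IF}. No rule in this
        # chain may ever name the WAN NIC.
        iifname "${LAN_IF}" oifname "${WG_IF}" ip saddr ${LAN_NET} accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        oifname "${LAN_IF}" accept
        oifname "${WG_IF}" accept
        # The one hole in the wall: the WireGuard handshake and keepalives.
        oifname "${WAN_IF}" ip daddr ${WG_ENDPOINT} udp dport ${WG_PORT} accept
        oifname "${WAN_IF}" udp sport 68 udp dport 67 accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Every LAN client shares the tunnel address toward ProtonVPN.
        oifname "${WG_IF}" ip saddr ${LAN_NET} masquerade
    }
}
EOF
}

# Fail if any non-comment rule inside the forward chain names the WAN NIC:
# that would be a path around the tunnel.
check_killswitch() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" '
        /chain forward/ { inf = 1; next }
        inf && $0 == "    }" { inf = 0 }
        inf && $0 !~ /^ *#/ && index($0, "\"" wan "\"") { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Load only when run as:  sh gateway-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    rs="$(gen_nft_ruleset)"
    check_killswitch "$rs"
    printf '%s\n' "$rs" > /etc/nftables.conf
    nft -c -f /etc/nftables.conf            # syntax check before touching the kernel
    sysctl -w net.ipv4.ip_forward=1         # forwarding is off by default on Ubuntu
    nft -f /etc/nftables.conf
    systemctl enable nftables
fi
```

Two things the page does not spell out: forwarding must be enabled in sysctl (and persisted in /etc/sysctl.d/) or the forward chain never sees a packet, and `flush ruleset` also removes the small table wg-quick installs when it brings wg0 up, so load this before `wg-quick up`, not after. The ruleset deliberately has no IPv6 rules: with the router side possibly handing out IPv6, dropping it in the forward chain is what keeps v6 from becoming the leak the kill switch was meant to prevent.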


🔒 VPN (WireGuard + ProtonVPN) → My Encrypted Lifeline

Finally, the beating heart of this setup: the VPN tunnel.

I didn’t want OpenVPN — it’s fine, but it’s heavy. I chose WireGuard because it’s lean, elegant, and brutally fast. One config file, one command, and the tunnel is alive.

Here’s how it works:

  1. I downloaded ProtonVPN’s WireGuard config, saved it to /etc/wireguard/wg0.conf.
  2. One command: wg-quick up wg0. The tunnel is born. (systemctl enable --now wg-quick@wg0 does the same and brings it back after a reboot.)
  3. I rewrote nftables rules so that the only exit door is wg0. No one leaves the LAN unless they’re wrapped in encryption.

The result? From my ISP’s perspective, all they see is a single encrypted stream going to one ProtonVPN server. The contents? Completely opaque. They can measure how much I send and when, and which ProtonVPN address it goes to, but not what it is.
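The config shape those three steps produce and a check that the tunnel is really carrying the LAN, as an added example that is not the author’s file: the bracketed values are placeholders for the keys in the downloaded ProtonVPN config, the tunnel address and endpoint are made up, and the check parses `wg show wg0 dump` and `ip route get` so it can be run from cron. The DNS= line that the provider’s config normally carries is left out on purpose: dnsmasq already forwards to the in-tunnel resolver, and wg-quick should not be rewriting the gateway’s resolv.conf.

```shell
#!/bin/sh
# Added example, not the author's files: the wg0.conf shape and a liveness
# check. Keys, tunnel address and endpoint are placeholders.

# Print a client config in the shape ProtonVPN hands out. The bracketed values
# must come from the downloaded file; nothing here is real key material.
gen_wg_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = <PrivateKey line from the downloaded config>
Address = 10.2.0.2/32
# No DNS= line on purpose: dnsmasq forwards to the in-tunnel resolver itself,
# and wg-quick must not rewrite this box's resolv.conf.
# No Table=off either: with AllowedIPs 0.0.0.0/0, wg-quick installs a
# policy-routed default via wg0 while the endpoint stays reachable on the WAN NIC.

[Peer]
PublicKey = <PublicKey line from the downloaded config>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
EOF
}

# Seconds since the peer's last handshake, from `wg show wg0 dump` text.
# Line 1 is the interface; each peer line is:
#   pubkey psk endpoint allowed-ips latest-handshake rx-bytes tx-bytes keepalive
handshake_age() {            # $1 = dump text, $2 = current epoch seconds
    printf '%s\n' "$1" | awk -v now="$2" 'NR > 1 { print now - $5; exit }'
}

# True when the kernel routes a public address through the tunnel.
routes_via_tunnel() {        # $1 = output of `ip route get <addr>`
    printf '%s\n' "$1" | grep -q ' dev wg0 '
}

# Live check (needs root for `wg show`): the interface must exist, must have
# handshaken recently (WireGuard rekeys within ~2 min while traffic flows, and
# the keepalive keeps traffic flowing), and must own the default route.
# Any failure means "down or leaking", never "probably fine".
check_tunnel() {
    dump="$(wg show wg0 dump 2>/dev/null)" || { echo "wg0 is down"; return 1; }
    age="$(handshake_age "$dump" "$(date +%s)")"
    [ -n "$age" ] && [ "$age" -lt 180 ] \
        || { echo "no recent handshake (${age:-none}s)"; return 1; }
    routes_via_tunnel "$(ip route get 1.1.1.1)" \
        || { echo "default route is not wg0"; return 1; }
    echo "tunnel up: handshake ${age}s ago, default route via wg0"
}

# Run the live check only when invoked as:  sh gateway-vpn.sh check
if [ "${1:-}" = "check" ]; then
    check_tunnel
fi
```

A peer that has never handshaken reports 0 in the dump, so the age check fails loudly instead of being skipped; pair the check with the nftables kill switch rather than relying on it alone, since the check only reports, it does not block.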

To me, that’s not just security — it’s dignity. It’s the ability to say: My life is not your product.


⚡ The Feeling of Control

Setting all this up took maybe two hours on paper. But mentally, it was like reclaiming a part of myself.

Every time I type nft list ruleset, I see more than firewall rules. I see boundaries I defined. Every time I look at wg show, I don’t just see a VPN peer — I see a lifeline I chose.

This server isn’t just software. It’s a mirror of my priorities:

  • Silence first, permission second.
  • Encryption mandatory, leaks impossible.
  • Trust no default. Decide everything.

Most people accept whatever defaults their ISP and router vendors give them. I couldn’t. Installing this stack was my way of saying: If you won’t protect me, I’ll protect myself.

And the best part? It worked. My entire LAN now flows through this fortress of code and rules. My traffic is no longer a commodity. My devices no longer chatter freely to strangers. Every packet asks permission first.

For the first time in a long time, I feel like the internet is mine again.


🔹 The Result

When I sit back and look at my setup running, it’s more than blinking lights and a hum of fans. It’s peace of mind — a reminder that I took something fragile (my privacy) and rebuilt it into something strong.

Here’s what it means in practice:

  • My ISP only sees WireGuard encryption. From their point of view, I’m a stream of scrambled packets heading to one ProtonVPN address. They don’t know if I’m gaming, streaming, or reading. They don’t know what sites I visit. They know when I’m online and how much I move, and that’s all.
  • Websites only see ProtonVPN’s exit node. To the outside world, I could be in Germany one day, Japan the next. My real IP, my physical location, my identity tied to a fiber line in my home — all of that is hidden from them. What has really happened is that the trust moved: ProtonVPN sees the real address now, so the provider’s logging policy is the new thing I have to believe in.
  • DNS is forced through my server. No device in my home can sneak around it on port 53. Even if some “smart” gadget tries to use Google or Cloudflare directly, nftables smacks it down. Queries are filtered by dnsmasq and only ever leave inside the tunnel, to the resolver I chose.
  • If the VPN dies, so does the internet. This is the kill switch. No “fail open,” no hidden leaks. My family might complain if Netflix suddenly buffers, but I’ll take that over our data flowing naked across the net.

And the most satisfying part? It’s not just my PC that’s protected. Every device in my house — my phone, my girlfriend’s laptop, the TV, even the dumb little smart plugs — they all pass through this wall first. They can’t escape it. They can’t betray me.

That’s power.


🔹 The Good

There are clear wins that make the hours I spent on this worth it:

Real security. I don’t lie awake at night wondering if my ISP is compiling a profile on me, or if some government database is filling with my browsing history. It’s not paranoia — it’s awareness. And this setup makes spying so much harder.

Centralized control. One box, one set of rules, and the whole house obeys. Even devices that don’t support VPNs natively are covered. Consoles, IoT gadgets, phones — all of them funnel through my fortress.

The learning curve was gold. I thought I knew Linux, but setting this up pushed me further: nftables rules, WireGuard configs, DHCP enforcement, DNS redirection. It forced me to level up in networking.

Expandable. This is just the start. I can add Pi-hole for ad-blocking (its FTL engine is a dnsmasq fork, so it would take over the DNS/DHCP role rather than sit beside it), CrowdSec for intrusion detection, Grafana dashboards for monitoring. It’s not a closed system — it’s a platform I can grow.

Cost. Zero up front. I reused an old gaming PC. An i7-6850k and GTX 1080 may be overkill for a firewall, but why not? That’s part of the fun — my “router” is beefier than most people’s desktops. The real recurring cost is the power a desktop-class box draws running 24/7, which a purpose-built router would not.

And the feeling of knowing that every packet leaving my house obeys my rules? That’s priceless.


🔹 The Bad

I’m not going to sugarcoat it. There are drawbacks too.

⚠️ Complexity. This isn’t plug-and-play. You need Linux knowledge. If I hadn’t already messed with Garuda Linux and learned networking from gaming setups, I’d have been lost. This isn’t “for everyone” — yet.

⚠️ Hardware requirements. You need two NICs (WAN in, LAN out). Many old PCs don’t have that. You can work around it with a USB NIC, or with a single NIC and VLANs on a managed switch, but the simplest version requires that physical split.

⚠️ Wi-Fi headaches. A server isn’t a wireless AP. To cover Wi-Fi, you need an external access point behind the server; until it’s there, anything on the Nighthawk’s own Wi-Fi sits upstream of the gateway and gets none of its protection. I’m already eyeing a Ubiquiti U7 Lite (~€100, powered by PoE, which the switch can supply). That’s another cost, another box to manage.

⚠️ VPN-blocked sites. Streaming services hate VPNs. Netflix, Disney+, banking sites — sometimes they block ProtonVPN exit IPs. That’s the tradeoff: privacy means friction.

⚠️ Maintenance. This isn’t set-and-forget. You need to apply updates, reboot occasionally, monitor logs. A commercial router hides all this — but hiding is the problem. I want to see and know.

Yes, it’s extra work. But it’s my work. And that makes it meaningful.


🔹 Why You Should Care

This is the part that goes beyond my desk. This isn’t just my little project. It’s a reflection of where we all are right now.

Governments want backdoors in encryption “for safety.”
ISPs profit from selling user data.
Big tech builds ecosystems that make tracking unavoidable.

Every one of those players has shown us the same thing: they don’t care about us.

So why should we keep trusting them blindly?

Running your own VPN/firewall gateway is more than a technical exercise. It’s a statement:

  • You want to spy? Too bad — all you see is a VPN tunnel.
  • You want to profile me? Fine, profile ProtonVPN’s exit node instead.
  • You want me to rely on your “safety”? No thanks. I’ll build my own.

This isn’t about hiding. I’m not ashamed of what I do online. It’s about control. It’s about reclaiming the dignity of saying: my data belongs to me.

And the irony? This whole setup took me less than two hours. That’s less time than most people spend binge-watching Netflix in a night. Two hours of learning, tinkering, and typing commands — for a lifetime of control.


🔹 The Mental Payoff

Here’s what I didn’t expect: the emotional impact.

Before this, I felt powerless. I knew the ISP was logging. I knew governments were pushing surveillance bills. I knew every app on my phone was phoning home. And every time I thought about it, it made me feel smaller — like I was being squeezed into a box I couldn’t break out of.

Now? The box is mine.

Every time I glance at the server under my desk, I see more than silicon. I see a wall I built with my own hands. A wall between me and them.

And that wall hums with dignity.

Because if they won’t protect us, then we protect ourselves.
