This chapter explores one of the most important steps in the entire infrastructure: the moment when all individual machines — Edge, Home, laptops, mobile devices — were merged into a single private network.
That network became the backbone of the entire architecture. It made everything secure, structured, predictable and future-proof.
At the heart of that design is WireGuard.
1. Why a private backbone was needed
As the number of services grew, several problems became clear:
- direct exposure of services was unacceptable
- public IPs on HOME devices were impossible
- NATs created inconsistencies
- remote access needed to be stable everywhere
- routing had to be unified
- security needed to be enforced at one point — the Edge
This led to one principle:
Build a private overlay network.
Route everything through it.
Expose nothing.
WireGuard was the perfect tool.
2. The backbone topology
To keep everything anonymized, this chapter uses alias networks:
- 10.A.A.0/24 → private WireGuard network
- 192.B.B.0/24 → anonymized LAN
- Edge VPS → public gateway node
- Home Server → compute node
- Clients → laptop, phone, remote nodes
The topology:
        ┌────────────────────┐
        │  Public Internet   │
        └───────────┬────────┘
                    │ (public IP)
                Edge VPS
           WireGuard: 10.A.A.1
                    │
     ┌──────────────┴──────────────┐
     │                             │
Home Server (10.A.A.3)    Clients (10.A.A.x)
LAN: 192.B.B.13         Laptop / Phone / Remote
All internal traffic flows through this encrypted mesh.
3. The Edge VPS as the central hub
The Edge VPS — already acting as a secure gateway — became the WireGuard hub.
Why hub-and-spoke?
- predictable routing
- simpler firewall
- no complex peer-to-peer mesh
- no need for direct links between clients
- central point for monitoring and access control
All peers connect directly to the Edge. The Edge forwards packets only where they belong.
This created a clean design:
Client → Edge → Home
Home → Edge → Internet
Internet → Edge → Home (through Traefik)
Simple. Elegant. Secure.
4. Routing: how packets flow
The backbone relies on strict routing rules:
🠒 All internal traffic uses WireGuard
- clients route 10.A.A.0/24 through the tunnel
- clients optionally route the LAN (192.B.B.0/24) through Edge → Home
- no client ever reaches HOME directly via WAN
🠒 Edge is the forwarding point
- allows packets between WG peers
- forwards only the private subnet
- drops everything else
🠒 HOME sees clients as local overlay nodes
For example:
Client IP: 10.A.A.4
Home IP: 10.A.A.3
Edge gateway: 10.A.A.1
This isolates all flows while keeping the system extremely flexible.
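The routing rules above are entirely expressed through AllowedIPs. The script below is an added example (not the chapter's own configuration) that emits the three wg-quick configs for this hub-and-spoke layout: the Edge hub, the Home node and one client. It reuses the chapter's aliases (10.A.A.x, 192.B.B.0/24, client 10.A.A.4); the endpoint hostname edge.example.net, UDP port 51820, the PostUp sysctl lines and the <...> key placeholders are assumptions, and keys are not generated here.

```shell
#!/bin/sh
# Added example: wg-quick configs for the hub-and-spoke backbone.
# Aliases (10.A.A.x, 192.B.B.0/24) come from the chapter; the endpoint,
# port and <key> placeholders are assumptions. Generate real keys with
#   wg genkey | tee privkey | wg pubkey > pubkey

WG_NET="10.A.A.0/24"                      # overlay network (chapter alias)
LAN_NET="192.B.B.0/24"                    # anonymized home LAN (chapter alias)
EDGE_IP="10.A.A.1"
HOME_IP="10.A.A.3"
WG_PORT="51820"                           # assumed WireGuard listen port
EDGE_ENDPOINT="edge.example.net:${WG_PORT}"   # assumed public endpoint of the Edge VPS

# Edge (hub): one [Peer] per spoke. On the hub, AllowedIPs *is* the routing
# table: a client's /32 routes to that client, Home's /32 plus the whole LAN
# route to Home. Anything outside these ranges is not routable over wg0.
edge_conf() {
cat <<EOF
[Interface]
Address = ${EDGE_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = <edge-private-key>
# The hub forwards between peers; the firewall decides what is allowed.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# Home Server
PublicKey = <home-public-key>
AllowedIPs = ${HOME_IP}/32, ${LAN_NET}

[Peer]
# Laptop
PublicKey = <laptop-public-key>
AllowedIPs = 10.A.A.4/32
EOF
}

# Home (spoke): accepts the whole overlay from the Edge, so replies to any
# client go back through the hub. Home has no public IP, so it must initiate
# and keep the NAT mapping alive with PersistentKeepalive.
home_conf() {
cat <<EOF
[Interface]
Address = ${HOME_IP}/24
PrivateKey = <home-private-key>
# Only needed if overlay clients are allowed to reach the LAN through Home.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# Edge VPS (hub)
PublicKey = <edge-public-key>
Endpoint = ${EDGE_ENDPOINT}
AllowedIPs = ${WG_NET}
PersistentKeepalive = 25
EOF
}

# Client (spoke): routes the overlay, and optionally the LAN, into the tunnel.
# The default route stays on the local uplink; only private ranges enter wg0.
client_conf() {
  ip="$1"
  lan="${2:-no}"
  allowed="${WG_NET}"
  if [ "$lan" = "yes" ]; then
    allowed="${WG_NET}, ${LAN_NET}"
  fi
cat <<EOF
[Interface]
Address = ${ip}/24
PrivateKey = <client-private-key>

[Peer]
# Edge VPS (hub)
PublicKey = <edge-public-key>
Endpoint = ${EDGE_ENDPOINT}
AllowedIPs = ${allowed}
PersistentKeepalive = 25
EOF
}

# Write all three files into a directory (default ./wg-out) for review before
# installing each one as /etc/wireguard/wg0.conf on its node.
write_all() {
  out="${1:-./wg-out}"
  mkdir -p "$out"
  edge_conf > "$out/edge-wg0.conf"
  home_conf > "$out/home-wg0.conf"
  client_conf 10.A.A.4 yes > "$out/laptop-wg0.conf"
  chmod 600 "$out"/*.conf
}

# Usage: sh wg-backbone.sh ./wg-out
if [ $# -gt 0 ]; then write_all "$1"; fi
```

Adding a second client means one more [Peer] on the Edge with a new /32 and a client config built with client_conf; the Home config never changes, which is the practical payoff of the hub-and-spoke design.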
5. Firewall design
The firewall was simplified drastically by using WireGuard:
On EDGE:
- allow only:
- SSH (restricted)
- HTTPS (Traefik)
- WireGuard UDP
- RustDesk relay ports
- allow forwarding between:
- WireGuard → HOME
- HOME → WireGuard
- drop everything else
On HOME:
- allow only:
- WG from Edge
- responses to WG clients
- LAN cannot be reached directly unless allowed
- no public ports open
On clients:
- no exposure
- only outbound traffic through WG
This created a zero-trust style environment with a minimal attack surface: only the Edge listens on the public Internet, and every other node is reachable solely through the tunnel.
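The policy above, written out as nftables rulesets for Edge and Home, is an added example and not the chapter's own firewall. Assumptions not taken from the chapter: interface names eth0 (public side on Edge, LAN side on Home) and wg0 (tunnel); WireGuard on UDP 51820; RustDesk on its default 21115-21119 range; an admin host 10.A.A.4 as the only source allowed to SSH into Edge, and only over the tunnel; and 203.0.113.10 (a documentation address) standing in for the Edge's public IP. The 10.A.A.x and 192.B.B.x aliases are the chapter's and must be replaced with real addresses before `nft -c -f` will parse the output.

```shell
#!/bin/sh
# Added example: nftables rulesets for the Edge/Home policy.
# Interface names, ports, the admin host and the Edge public IP are assumptions.

WG_NET="10.A.A.0/24"         # overlay (chapter alias)
LAN_NET="192.B.B.0/24"        # home LAN (chapter alias)
HOME_IP="10.A.A.3"
ADMIN_IP="10.A.A.4"           # assumed: the laptop is the only SSH source
EDGE_PUBLIC="203.0.113.10"    # assumed: documentation address for the Edge VPS
WG_PORT=51820

# Edge: the only node that listens on the Internet. Input accepts just the
# public services; forward accepts only overlay <-> Home traffic.
edge_ruleset() {
cat <<EOF
flush ruleset
table inet edge {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif "lo" accept
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept
    # SSH restricted: only the admin host, only over the tunnel
    iifname "wg0" ip saddr ${ADMIN_IP} tcp dport 22 accept
    # Public services
    iifname "eth0" tcp dport { 80, 443 } accept            # Traefik
    iifname "eth0" udp dport ${WG_PORT} accept              # WireGuard
    iifname "eth0" tcp dport 21115-21119 accept             # RustDesk relay (assumed defaults)
    iifname "eth0" udp dport 21116 accept                   # RustDesk NAT test (assumed default)
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # WireGuard -> HOME (Home's overlay address or the LAN behind it)
    iifname "wg0" oifname "wg0" ip saddr ${WG_NET} ip daddr { ${HOME_IP}, ${LAN_NET} } accept
    # HOME -> WireGuard clients
    iifname "wg0" oifname "wg0" ip saddr { ${HOME_IP}, ${LAN_NET} } ip daddr ${WG_NET} accept
    # Client-to-client and tunnel-to-Internet traffic fall through to the drop policy
  }
}
EOF
}

# Home: no public port. WireGuard replies arrive only from the Edge (Home
# initiates the tunnel), overlay nodes may reach local services, and the LAN
# is reachable from the overlay only if the commented forward rule is enabled.
home_ruleset() {
cat <<EOF
flush ruleset
table inet home {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif "lo" accept
    ip protocol icmp accept
    # WireGuard from the Edge only; Home initiates, so this covers replies
    iifname "eth0" ip saddr ${EDGE_PUBLIC} udp sport ${WG_PORT} accept
    # Overlay nodes (Edge's Traefik upstream, admin SSH) reach services here
    iifname "wg0" ip saddr ${WG_NET} accept
    # Local LAN hosts
    iifname "eth0" ip saddr ${LAN_NET} accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Off by default: enable to let overlay clients reach the LAN through Home
    # iifname "wg0" oifname "eth0" ip saddr ${WG_NET} ip daddr ${LAN_NET} accept
  }
}
EOF
}

# Syntax-check a ruleset without loading it (needs nft and real addresses).
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    "$1" | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# Usage: sh backbone-fw.sh edge_ruleset > edge.nft && nft -c -f edge.nft
if [ $# -gt 0 ]; then "$@"; fi
```

The forward chain on Edge is where the "forwards only the private subnet, drops everything else" rule lives: both accept rules require wg0 on both sides and Home's address or LAN on one side, so two clients cannot talk to each other through the hub and no tunnel traffic can leave towards the Internet.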
6. Why WireGuard was the right choice
WireGuard delivered exactly what the infrastructure needed:
✔ Lightweight
Runs on VPS, HOME, mobile devices, routers.
✔ Extremely fast
Near-native throughput.
✔ Cryptographically modern
Short key exchange, minimal overhead.
✔ Simple configs
Clear AllowedIPs = clear routing.
✔ Perfect for “overlay architecture”
Internal services stay offline. The tunnel becomes the only path in.
WireGuard became the backbone not by preference, but by necessity.
7. What the backbone enabled
Once the private network was in place, everything else became possible:
- Sim AI running privately on HOME
- n8n automation controlling both Edge and Home
- WordPress and Hugo running locally yet accessible publicly
- Pi-hole DNS available to all clients
- secure reverse proxying (Edge → Home → Services)
- remote maintenance of all nodes
- one identity for every device (permanent WG IPs)
The infrastructure became a living organism — linked by a clean, minimal WireGuard spine.
Conclusion
The private backbone transformed the architecture from “collection of servers” into a coherent system.
WireGuard provided:
- unified routing
- encryption
- predictable addresses
- private segmentation
- secure access
- clean integration between EDGE and HOME
- foundation for automation and AI
This is the layer that holds everything together.