// WELCOME TO BUILDER'S JOURNAL

Most people rent their infrastructure. Cloud DNS, cloud VPNs, cloud everything. When the provider goes down, so does their network. I got tired of that. Recently the 99% uptime average has even dropped, and people are “fine” with this new “normal” since AI became the norm. I started pondering building software for a device that most people in tech have lying around or are able to get their hands on.

I'm Torean. I'm building Tunneld, an open source edge gateway that turns a cheap ARM64 SBC into a sovereign zero trust network. No cloud dependency. No rented intelligence. Just your hardware, your rules, your subnet.

This newsletter documents the build, the decisions, the failures, and the things that actually work. Every issue covers something real across homelab, networking, privacy, and local AI.

// WHY I BUILT TUNNELD

I had a drawer full of SBCs going nowhere. Raspberry Pi 3B, NanoPi Neo Zero 2s, a Neo 3, devices I had bought for projects that never stuck.

The problem was not the hardware. It was that nothing gave it a purpose worth keeping. Every homelab project I tried was either too temporary to maintain, too complex to trust, or just plain install and forget (to even run updates in time). I wanted something that would actually run permanently: mission critical infrastructure on dormant silicon that also gave me a reason to involve myself in its day to day.

So I built Tunneld. The path to get here was not straight. It started with a DNS sinkhole, then a wrapper for Cloudflare Tunnels, then zrok for identity-based sharing, then a WiFi-first gateway model with Nginx proxying backends across control planes (distributed Tunneld instances). Each step taught me something the last one could not. Iptables. BEAM fault tolerance. How DNS actually propagates. Why bufferbloat is a thing. What zero trust actually means at the packet level. Reverse proxies. Fibre runs with media converters. It was and still is a constant uphill climb.

Every iteration added some ideas and stripped something away. All of this moves me towards a device that you install software on and that then simply makes resources accessible, all owned by you, with some fun little case studies to experiment with along the way.

Right now Tunneld runs as a WiFi-first gateway, bridging upstream WiFi and provisioning a private subnet for everything behind it. That is changing. Over the next few weeks WiFi is being deprecated in favour of a dual NIC approach (WiFi consistency, and the pain of what it takes to make it work well, wasn’t worth it), turning any ARM64 SBC with two network interfaces into a proper edge relay node. Cleaner, faster, and far more reliable than radio-dependent routing. There is also a significant code removal effort underway, cutting the surface area down to what actually matters for the edge use case.

The longer term picture is a slim, self-hosted stack. Dual NIC SBCs. Fibre runs with media converters (personal upgrade to my current stack). Self-hosted relay infrastructure. Dormant silicon becoming permanent, sovereign edge nodes that you own end to end. More detail on where that is heading will come in future issues.

Take any ARM64 SBC with dual NIC, run the installer, and it becomes a zero trust edge gateway. It provisions a private subnet, handles DNS, routes traffic through WireGuard, and exposes services through identity-based tunnels, no open ports, no exposed IPs.

That is what this newsletter is. Every issue documents something real, a decision made, a problem hit, a thing that finally worked after a few attempts. No filler. Under 5 minutes every time.

If an update isn’t about Tunneld, it will be about anything interesting I found that is worth looking into, what I possibly tested or removed and why, etc.

Next issue: The hardware I run, the devices on the subnet, and what their purpose currently is on my network (or what the plan is for them in future).
