And Why You Should Try It in Your Homelab with Twingate

👋 The Old Way: VPNs and Big Doors
For years, remote access meant one thing: a VPN.
You logged in once, and suddenly your laptop could see everything on the network.
That worked fine when:
• Everyone sat in the same office.
• The network perimeter was clear.
• Threats were smaller and slower.
But now?
Users, apps, and devices are everywhere — and a single stolen VPN credential can open the entire castle gate.
⸻
🔁 The New Idea: “Zero Trust”
Zero Trust means we stop assuming anything (or anyone) is safe just because it’s inside the network.
Instead, every connection:
1. Proves who it is.
2. Is checked for permission each time.
3. Gets access only to the one resource it needs.
You don’t trust by location; you trust by identity and policy.
That’s Zero Trust Network Access, or ZTNA.
🏢 How the Big Players Do It
| Platform | Who’s It For | Core Strength |
|---|---|---|
| Zscaler Private Access (ZPA) | Large enterprises | Deep policy control, integrates with corporate identity systems |
| Netskope Private Access | Mid-to-large businesses | Granular user/device posture checks |
| Microsoft Entra Private Access | Microsoft 365 & Azure users | Built-in integration with Entra ID and Defender for Endpoint |
| Cloudflare Access / Tunnels | SMBs & developers | Easy browser-based login, great for web apps |
| Twingate | Teams & homelabbers | Fast setup, free tier, identical architecture to enterprise ZTNA |
All of them follow the same model:
- A small connector sits inside your private network.
- An access controller in the cloud brokers identity and policy.
- Users authenticate to reach only approved resources.
🧩 Why Twingate Works Perfectly in a Homelab
Twingate gives you enterprise-grade ZTNA concepts without enterprise pain.
- Create a free account at twingate.com.
- Add a remote network called Homelab.
- Deploy the connector:

  ```bash
  # TWINGATE_NETWORK is your network slug (the part before .twingate.com).
  # Both tokens are issued when you create the connector in the Twingate admin console.
  docker run -d --name twingate-connector \
    --restart unless-stopped \
    -e TWINGATE_NETWORK="homelab" \
    -e TWINGATE_ACCESS_TOKEN="your_access_token_here" \
    -e TWINGATE_REFRESH_TOKEN="your_refresh_token_here" \
    twingate/connector:latest
  ```
- Install the client on your laptop and phone.
- Log in, select your connector, and connect — no router changes required.
If you don’t already have Docker installed, see the Docker install guide for Ubuntu (also available for Debian and Raspberry Pi).
Congratulations: you just built a zero-trust access layer the same way large organisations do.
💡 Why This Matters for Your Career
Learning ZTNA hands-on puts you ahead of the curve.
Right now, every major enterprise is replacing traditional VPNs with zero-trust models.
By running Twingate (or even experimenting with Entra Private Access) you’re learning:
- Modern network design – identity-based instead of perimeter-based.
- Access segmentation – per-app permissions.
- Cloud identity – how SSO and MFA fit into networking.
- Policy thinking – what “least privilege” actually looks like.
When you can show you’ve deployed, tested, and monitored a real ZTNA stack — even in a homelab — you instantly stand out from paper-cert engineers.
This is the perfect project to learn not to ‘allow all’.
🔍 Optional Next Steps
| Project | Skill |
|---|---|
| Add a second connector in Azure to link cloud + lab | Site-to-site zero-trust |
| Use Cloudflare Access for web dashboards | Compare architectures |
| Integrate MFA via Twingate’s identity provider | Identity federation |
| Monitor access logs | Intro to security operations |
Big names like Zscaler, Netskope, and Microsoft Entra Private Access prove the model.
Twingate lets you learn it right now, safely and for free, inside your own lab.
If you’re serious about modern IT or cybersecurity roles, this is one of the smartest weekend projects you can do.
Which project do you want to see us do next? Let us know on our socials.
From the homelab: Why I Care About Zero Trust
Zero trust is one of those terms that gets thrown around in enterprise sales decks and vendor pitches until it loses all meaning. Here is what it actually means, stripped of the marketing, and how I use it in my own homelab alongside a traditional VPN — because the honest answer is that both have a place.
Zero Trust in Plain English
The core idea is simple: do not trust the network. Verify every connection, every time, regardless of where it comes from.
Traditional network security works like a castle wall. Once you are inside the wall (connected to the VPN, on the office Wi-Fi), you are trusted and can reach everything. Zero trust removes the wall entirely. Instead, every request to access a resource must prove who is making it, whether that device meets security requirements, and whether that user is permitted to access that specific resource.
In practice, this means:
- No implicit trust based on network location. Being on the “internal” network does not mean you can reach everything.
- Per-resource access. You get access to specific services, not the entire network.
- Continuous verification. Identity and device posture are checked on every connection, not just at login.
- Least privilege by default. Users get access to what they need and nothing more.
The opposite of zero trust is what most home networks (and many corporate networks) still do: everything behind the router is trusted, and a single VPN credential gives access to the entire internal network.
Why It Matters for Homelabs
If you never access your homelab from outside your house, you can skip this section. But most homelabbers want remote access — checking on services from work, accessing files from a phone, managing infrastructure while travelling.
The traditional approach is port forwarding or a VPN. Both have problems:
- Port forwarding exposes services directly to the internet. Every open port is a potential entry point. Bots will find them within hours.
- Traditional VPNs give full network access. If your VPN credential is compromised, the attacker can reach everything on your network — not just the service they targeted.
ZTNA solves this by giving you remote access to specific services without exposing your network. You connect to Nextcloud, but you cannot reach Proxmox. You connect to Jellyfin, but you cannot reach your NAS. Each service is individually gated.
For a homelab, this means you can safely access your services from anywhere without opening ports on your router or giving a third-party app full access to your internal network.
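One way to confirm that the per-service gating described above actually holds is to probe each intended resource from the remote client and compare the result against what you defined. This is an added example, not code from the post or from Twingate; the service names, IP addresses and ports are constructed placeholders for a homelab.

```python
# Segmentation audit for a ZTNA client (added example, not from the post or Twingate).
import socket
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Resource:
    name: str
    host: str
    port: int
    expect_reachable: bool  # True = defined Twingate resource, False = must stay hidden

# Constructed homelab policy: only Nextcloud and Jellyfin are defined as
# Twingate resources; Proxmox and the NAS must be unreachable from outside.
EXPECTED: List[Resource] = [
    Resource("nextcloud", "10.0.0.10", 443, True),
    Resource("jellyfin", "10.0.0.11", 8096, True),
    Resource("proxmox", "10.0.0.2", 8006, False),
    Resource("nas-smb", "10.0.0.20", 445, False),
]

def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(resources: List[Resource],
          probe: Callable[[str, int], bool] = tcp_probe) -> List[str]:
    """Probe every resource and return one finding per mismatch with policy.
    GAP    = reachable although not a defined resource (segmentation failed).
    BROKEN = defined as a resource but not reachable (policy/connector problem).
    """
    findings = []
    for r in resources:
        reachable = probe(r.host, r.port)
        if reachable and not r.expect_reachable:
            findings.append(f"GAP: {r.name} {r.host}:{r.port} reachable but not a defined resource")
        elif not reachable and r.expect_reachable:
            findings.append(f"BROKEN: {r.name} {r.host}:{r.port} defined but not reachable")
    return findings

if __name__ == "__main__":  # run from a device connected through the Twingate client
    for line in audit(EXPECTED) or ["OK: reachability matches the defined resources"]:
        print(line)
```

Run it once with the Twingate client connected and once with it disconnected: the first run should report nothing, the second should list every defined resource as BROKEN, which confirms that nothing is reachable without the identity layer.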
Twingate vs Traditional VPN — The Honest Comparison
I use both Twingate and WireGuard in my homelab, for different purposes. Here is the honest comparison:
| Feature | Twingate (ZTNA) | WireGuard (VPN) |
|---|---|---|
| Access scope | Per-service — you define exactly which resources are reachable | Full network — once connected, you can reach everything |
| Setup complexity | Very easy — Docker connector, cloud dashboard, client app | Moderate — generate keys, configure peers, manage routing |
| Port forwarding needed | No — outbound-only connections | Yes — you need to forward the WireGuard port (typically UDP 51820) |
| Third-party dependency | Yes — Twingate’s cloud brokers the connection | No — entirely self-hosted, you control everything |
| Performance | Good for individual service access | Excellent — near-native speeds, low overhead |
| Free tier | Yes — generous free tier for personal use | Free and open source |
| Identity integration | Built-in — SSO, MFA, device posture | Key-based — no native identity provider integration |
Twingate’s strength is simplicity and granularity. You define which internal resources (by IP and port) are accessible, and users authenticate through Twingate’s identity layer. No ports opened on your router, no complex routing tables, and non-technical household members can use it without understanding VPN configs.
WireGuard’s strength is sovereignty and performance. It is fully self-hosted with no third-party dependency. If Twingate’s service goes down or changes its pricing, it does not affect you. WireGuard gives you raw network access, which is what you want for full infrastructure management — SSH sessions, database access, bulk file transfers.
When to Use What
Here is how I split it in practice:
- Twingate for day-to-day remote access to specific services. Checking Nextcloud from my phone, accessing a dashboard from a work laptop, letting a household member reach Jellyfin from outside the house. Quick, easy, no VPN client configuration needed.
- WireGuard when I need full network access. Managing Proxmox, SSH-ing into multiple hosts, running Ansible playbooks against the homelab, or any situation where I need to treat my remote connection as if I were physically on the LAN.
They are not competing solutions — they complement each other. Twingate for convenience and scoped access, WireGuard for full control when you need it.
If you are just starting out and want one solution, start with Twingate. The free tier is generous, setup takes 15 minutes, and you get proper zero-trust access without opening a single port. You can always add WireGuard later when you need full network access for infrastructure management.

ReadTheManual is run, written and curated by Eric Lonsdale.
Eric has over 20 years of professional experience in IT infrastructure, cloud architecture, and cybersecurity, but started with PCs long before that.
He built his first machine from parts bought off tables at the local college campus, hoping they worked. He learned on BBC Micros and Atari units in the early 90s, and has built almost every PC he’s used between 1995 and now.
From helpdesk to infrastructure architect, Eric has worked across enterprise datacentres, Azure environments, and security operations. He’s managed teams, trained engineers, and spent two decades solving the problems this site teaches you to solve.
ReadTheManual exists because Eric believes the best way to learn IT is to build things, break things, and actually read the manual. Every guide on this site runs on infrastructure he owns and maintains.

