Intro
This short guide presents one of many ways to structure small to medium home and enterprise IP networks. It focuses on low complexity, support for privacy-preserving technology, and good network and endpoint security. In particular:
The network works with end-to-end encrypted connections without modifications on the endpoints (no mandatory proxies, no custom certificate authorities).
The network works regardless of whether endpoints use their own stub resolvers or third-party DNS services; it works for validating resolvers (DNSSEC), and it works for endpoints and applications using DoT and DoH (no split-horizon DNS).
The network allows endpoints to make use of IPv6 privacy extensions or similar anti-tracking measures.