Kiwi Network

Own your infrastructure.

Kiwi Network is a privacy-first, self-hosted setup for individuals, SMBs, and public offices, built on open-source and Linux.

One WireGuard entry point. Everything else behind the VPN.

Diagram: Public Internet → WireGuard (UDP) → kiwi-master (Entry Point) → VPN Tunnel → kiwi-node (Services), kiwi-workstation (Desktop)

What you get

A minimal attack surface with maximum flexibility.

kiwi-master

The hardened public entry point. Only WireGuard is exposed to the Internet.

  • wg-easy (WireGuard server)
  • gluetun (upstream VPN / double-hop)
  • pihole (DNS filtering)
  • Optional Tor proxy

kiwi-node

Private services reachable only via VPN or LAN. Never publicly exposed.

  • Nextcloud (AIO)
  • Vaultwarden
  • Reverse proxy (NGINX)
  • Docker services

kiwi-workstation

Daily driver OS for users and operators. Easy onboarding, safe defaults.

  • Fedora Silverblue / Bluefin DX
  • Immutable base
  • VPN-first workflows
  • Simple updates & rollback

Network Architecture

How traffic flows through a Kiwi Network deployment.

Diagram: traffic flow

  • Internet: Remote User, Blocked Traffic
  • Toward kiwi-master: WireGuard UDP ✓, HTTP/HTTPS ✗
  • kiwi-master (VPS/Cloud): wg-easy :51820/udp, pihole DNS, gluetun upstream
  • Encrypted VPN Tunnel (10.x.x.x)
  • kiwi-node (Home/Office): Nextcloud, Vaultwarden, NGINX, + more
  • kiwi-workstation: Desktop, Laptop, Mobile
  • Legend: Allowed (WireGuard only), Blocked (everything else), Internal VPN traffic

Federation (Planned)

Connect multiple Kiwi Networks for secure collaboration.

Diagram: Company A (master, node, node) and Company B (master, node)
Nextcloud Federation

Share files and calendars across organizations without exposing services publicly.

Controlled Access

Define exactly which services and users can communicate between networks.

End-to-End Privacy

All inter-network traffic travels through encrypted VPN tunnels.

Ready to get started?

Check out the documentation or explore the source code on GitHub.