Since remote work became a global standard, transitioning from the office to the home environment has brought massive challenges. During the pandemic, we decided to work from home for an entire year, which served as a testing ground for our infrastructure. Whether you are an agency, an architectural studio, or a software firm, you face two main problems: data security and productivity.
When large corporations tackle this, they throw immense amounts of money at it. They buy bulky enterprise hardware, pay hundreds of euros monthly for various VPN licenses, and keep office computers running 24/7. We wanted a corporate-level security infrastructure with zero monthly license costs and a smart ecological approach where hardware runs only when genuinely needed.
Global Standards vs. Our Ecosystem
| Feature | Corporate Standard | Our Approach |
|---|---|---|
| Gateway (Router) | Enterprise hardware with expensive recurring licenses. | pfSense – World-class open-source software running on a Mini PC. |
| VPN Access | Outdated IPsec clients that throttle connection speeds. | WireGuard / Tailscale – The fastest cryptographic protocols. |
| Energy Management | Computers run 24/7. Massive energy waste. | Computers sleep. Woken up with a click via UpSnap. |
Step 1: The Brain - Choosing the Right Hardware
A standard consumer router cannot handle complex firewall rules or advanced VPN encryption. For a stable environment, you need a Mini PC with at least two physical LAN ports (one for your ISP WAN, one for your internal LAN). This allows the Mini PC to act as a physical gateway.
Here are our top recommendations for reliable, multi-port hardware:
- HP ProDesk 600 G4 SFF (i5-8500) – Our primary choice. It’s robust, easily expandable with a low-profile multi-port NIC, and costs roughly €200 refurbished.
- Dell OptiPlex 7060 Micro – If you can find the version with an optional second NIC, or use an M.2 to Ethernet adapter.
- Protectli Vault / Topton Fanless PC – Dedicated firewall appliances that come with 2, 4, or even 6 Intel LAN ports out of the box.
Step 2: Virtualization with Proxmox
Instead of installing an OS directly on the metal, we use Proxmox VE. Proxmox is a Type-1 hypervisor based on Debian. It allows you to partition your hardware into multiple Virtual Machines (VMs).
This is crucial because it gives us flexibility. If our VPN server crashes, the firewall remains untouched. We can take snapshots before making changes, allowing us to "time travel" back if something breaks. It turns a single physical box into a full data center.
Step 3: pfSense and the Dynamic IP Challenge (DynDNS)
Our primary VM is pfSense. It handles the "heavy lifting" of networking. However, most office internet connections use a Dynamic IP, meaning your public address changes every few days. This makes connecting from home difficult since you don't know "where" the office is.
To solve this, we use DynDNS (Dynamic DNS). Services like No-IP or DuckDNS provide a static hostname (e.g., our-office.ddns.net) that always points to your current public IP. pfSense has a built-in client that notifies the DynDNS provider automatically whenever it detects that your public IP has changed. It’s like a phonebook that updates itself every time you change your number.
Step 4: Secure Tunnels - WireGuard vs. Tailscale
For the connection itself, we rely on WireGuard. It’s significantly more efficient than OpenVPN or IPsec. For users who want a "zero-config" experience, Tailscale is the way to go. It builds a mesh network that traverses NAT and firewalls automatically, requiring zero port forwarding on your router.
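As an added example (not code from this article, pfSense or WireGuard), the Python script below renders the home-side WireGuard config that points at the DynDNS hostname from Step 3 and, in the least-privilege spirit of the setup, routes only the office LAN through the tunnel. It assumes the office WireGuard instance listens on UDP 51820 behind our-office.ddns.net, an office LAN of 192.168.10.0/24 and a tunnel address of 10.8.0.2/32; the keys are constructed placeholders.

```python
"""Render a least-privilege WireGuard client config for a home peer.

Added example, not pfSense's or WireGuard's code. Assumes the office
WireGuard instance listens on UDP 51820 behind the DynDNS name
our-office.ddns.net and the office LAN is 192.168.10.0/24; keys are
constructed placeholders, not real key material.
"""
import base64
import ipaddress

TUNNEL_PORT = 51820
HOME_PRIVATE_KEY = base64.b64encode(b"\x01" * 32).decode()  # placeholder
OFFICE_PUBLIC_KEY = base64.b64encode(b"\x02" * 32).decode()  # placeholder


def valid_wg_key(key: str) -> bool:
    """A WireGuard key is 32 raw bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def render_home_peer(private_key, office_pubkey, tunnel_addr, office_lans,
                     endpoint_host, full_tunnel=False):
    """Return wg-quick config text; AllowedIPs is limited to office LANs."""
    if not (valid_wg_key(private_key) and valid_wg_key(office_pubkey)):
        raise ValueError("keys must be base64-encoded 32-byte values")
    addr = ipaddress.ip_interface(tunnel_addr)
    # AllowedIPs is both the route table and the packet filter for the tunnel:
    # only traffic to these prefixes enters it, so the home PC reaches the
    # office LAN and nothing else unless full_tunnel is explicitly requested.
    allowed = ["0.0.0.0/0"] if full_tunnel else [
        str(ipaddress.ip_network(n)) for n in office_lans]
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {addr}",
        "",
        "[Peer]",
        f"PublicKey = {office_pubkey}",
        f"AllowedIPs = {', '.join(allowed)}",
        # wg-quick resolves the DynDNS name once when the tunnel comes up;
        # after the office IP changes, the home side must re-resolve it.
        f"Endpoint = {endpoint_host}:{TUNNEL_PORT}",
        # The home peer sits behind NAT; keepalives hold the mapping open.
        "PersistentKeepalive = 25",
    ]) + "\n"


if __name__ == "__main__":
    print(render_home_peer(HOME_PRIVATE_KEY, OFFICE_PUBLIC_KEY, "10.8.0.2/32",
                           ["192.168.10.0/24"], "our-office.ddns.net"))
```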
Step 5: Docker and UpSnap - Energy Intelligence
Alongside the firewall, we run a VM dedicated to Docker. We use Docker Compose to deploy UpSnap.
To maximize energy savings, we configured a Windows Task Scheduler task on every office PC. At exactly 18:00, a script triggers "Sleep" mode. When a team member needs access, they log into UpSnap via the VPN and hit "Wake". The Mini PC sends a Magic Packet (Wake-on-LAN), and the computer is up in seconds.
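To show what happens behind UpSnap's "Wake" button, here is an added Python example (not UpSnap's code) that builds the Wake-on-LAN magic packet, broadcasts it on the office LAN, and recognises one in a captured UDP payload. The MAC address used in the comments and the broadcast address 192.168.10.255 are constructed placeholders.

```python
"""Build, send and recognise Wake-on-LAN magic packets.

Added example showing what UpSnap does when you hit "Wake"; it is not
UpSnap's code. The office broadcast address is a constructed placeholder.
"""
import re
import socket
from typing import Optional

OFFICE_BROADCAST = "192.168.10.255"  # assumed office LAN broadcast address
WOL_PORT = 9


def parse_mac(mac: str) -> bytes:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABB.CCDD.EEFF."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes.fromhex(digits)


def magic_packet(mac: str) -> bytes:
    """Six 0xFF sync bytes followed by the target MAC 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def send_wol(mac: str, broadcast: str = OFFICE_BROADCAST, port: int = WOL_PORT) -> int:
    """Broadcast the packet on the LAN; returns the number of bytes sent.

    It is a broadcast, so it only reaches hosts on the sender's own segment:
    UpSnap therefore has to run inside the office network (on the Mini PC),
    not on the VPN user's laptop at home.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(magic_packet(mac), (broadcast, port))


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if a UDP payload carries a magic packet, else None.

    Handy when auditing captures: every wake should match an UpSnap request.
    """
    start = payload.find(b"\xff" * 6)
    if start < 0 or len(payload) < start + 102:
        return None
    body = payload[start + 6:start + 102]
    mac = body[:6]
    if body != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)
```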
Step 6: High-Performance Remote Access - Beyond RDP
While Microsoft RDP is our daily driver for standard office tasks like emails and documentation, it has limitations when it comes to high-fidelity graphics or video playback. RDP is optimized for sending UI drawing commands, which makes it incredibly lightweight but "laggy" for video. For creative professionals, we need something better.
That is where Sunshine + Moonlight comes in. This combination is a game-changer for high-performance work:
- Sunshine (The Server): This application runs on your office workstation. It captures your screen and uses the workstation's GPU (NVENC, AMF, or QuickSync) to encode the stream in real-time. This offloads the work from the CPU, ensuring the computer remains responsive even during a 4K stream.
- Moonlight (The Client): This is the application you run on your home PC, laptop, or even tablet. Because it decodes a video stream rather than raw UI commands, you get a crisp, 60FPS (or even 120FPS) experience with virtually zero input lag. It feels as if the office PC is physically connected to your home monitor.
- The Use Case: This setup is indispensable for video editing in Premiere Pro, 3D modeling in Rhino/AutoCAD, or any task where "smoothness" is non-negotiable.
For quick remote support or when we need to help a team member without a complex VPN setup, we use RustDesk. It is the best open-source alternative to TeamViewer or AnyDesk. The best part? You can host your own RustDesk Relay Server on Docker within your infrastructure, ensuring that your remote support traffic never leaves your control and is not subject to commercial licensing limits.
Finally, for those who need pixel-perfect accuracy and advanced USB redirection (like using a specialized drawing tablet remotely), NoMachine remains the king of high-fidelity remote desktop protocols, especially in mixed Windows/Mac environments.
Step 7: Cloud Data Management - Dropbox and Alternatives
Infrastructure is useless without seamless data access. For our team, Dropbox is the backbone of file management. It provides a real-time synchronization layer that is virtually transparent to the user.
The workflow is simple: as soon as a team member saves a file on their office workstation, Dropbox detects the change and immediately uploads it to the cloud. This file is then instantly available on their home computer, mobile phone, or via a web browser. This ensures that we always work on the most recent version of a project, eliminating the "which file is the latest?" headache.
For teams that prefer total data sovereignty, there are excellent self-hosted alternatives that you can run on your own Docker infrastructure:
- Nextcloud: The most popular open-source platform. It’s more than just file sync; it’s a full suite with calendars, contacts, and document editing.
- OwnCloud: A reliable, security-focused alternative that is great for large file libraries.
- Seafile: Known for its extreme performance and reliability in handling large numbers of small files.
System Drawbacks and Room for Improvement
No system is perfect. Here is how we plan to improve our setup:
- Single Point of Failure: Everything runs on one Mini PC. If the hardware dies, we lose everything. Solution: Implement a High Availability (HA) cluster with two identical Mini PCs.
- Manual Updates: We currently update Docker containers manually. Solution: Integrate Watchtower to automate container updates.
- ISP Reliability: We only have one internet provider. Solution: Use pfSense's Multi-WAN capability to add a 5G backup modem for 100% uptime.
Innovation isn't just about new tools; it's about combining existing ones to solve real-world problems like energy waste and data security.