// A FIELD EXPERIMENT IN RUNNING YOUR OWN CORNER OF THE INTERNET
THE WHOLE
STACK,
OWNED.
This page is served from a small computer at home, through our own addresses, our own autonomous system, and our own nameservers — to learn how anycast, multihoming and BGP actually behave when you hold all the pieces yourself. Rented: wires and names. Owned: the rest.
FIG. 1 REQUEST PATH
you
│ https://www.oddie.app
▼
┌─────────────────────────────────────────────┐
│ ANYCAST 2001:df7:2b40::/48 · AS154742 │
│ BGP announces the same address everywhere; │
│ routing delivers you to the nearest edge │
└─────────────────────┬───────────────────────┘
▼
┌── EDGE SGP-01 (Flatcar) ──┐
│ caddy · TLS + cache │
│ HIT ──▶ served here ──▶ you
│ MISS │
└───────────┬───────────────┘
│ wireguard · 3 ms
▼
HOME · proxmox VM «odette-www»
a debian box next to the cat
TAB. 1 SYSTEM INVENTORY
- ROUTING
- BIRD 2 · BGP to upstream · RPKI-valid ROA · one AS of our own: 154742
- ADDRESSES
- IPv6 /48, APNIC-assigned · IPv4 /24 in transfer — v4 currently borrows the edge's address
- DNS
- Knot ·
ns.oddie.sg+ns.oddie.ch— two names, two TLDs, two registries, one anycast fleet · DNSSEC, single CSK, ECDSA P-256 - EDGE OS
- Flatcar, immutable · daemons as systemd-sysext images · a full reinstall is one pasted Ignition file, zero manual steps
- CACHE
- Caddy + Souin at the edge · TLS terminates there · the assets on this page are cache hits and never travel home
- TUNNEL
- WireGuard, edge <-> living room · the origin has no public entrance of its own
- WATCH
- Gatus on the edge · public resolvers as canaries · alerts by Telegram and mail
- THIS PAGE
- hand-written HTML/CSS · two self-hosted fonts · zero external requests, zero scripts, zero cookies
MEMO WHY BOTHER
Because the interesting parts of the internet — who may announce which addresses, why packets take the route they take, what breaks when a link dies — are invisible from inside a rented cloud. Announcing one prefix from several places and watching half the world arrive at each is the kind of lesson you can only buy with your own ASN.
Next: a second edge in Europe announcing the same /48 — then this exact URL is served from two continents and the nearest one wins. After that: the IPv4 /24 goes live, the home LAN gets real public addresses, and the last rented pieces retire.
MEMO WHAT SOVEREIGN MEANS HERE
The addresses are registry-assigned to us, not leased from a host. A provider can cancel a server; the /48 and AS154742 move to the next wire unchanged. The nameserver names live under two TLDs, at two registrars, in two jurisdictions — no single decision removes both. Keys — DNSSEC, WireGuard, TLS — are generated here and stay here.
The remainder is rented because it has to be, or because it has to be elsewhere. Transit is a relationship, not a possession — peering reduces it, nothing removes it. Every domain name is an entry in someone's registry; ours are spread across two so neither is a single point of decision. The edge VMs could become owned hardware in a rack — that swap costs money, not architecture.
1Password and Telegram stay external on purpose: the keys that restore this platform and the alarm that watches it must not share a failure domain with it. Everything else runs on machines we can touch.
TAB. 2 GLOSSARY
- AS / ASN
- A network with its own routing identity. Ours: 154742.
- BGP
- How networks tell each other which addresses live where. No central authority — announcements, trust, and filters.
- PREFIX
- A block of addresses announced as one unit. Here:
2001:df7:2b40::/48. - ANYCAST
- The same prefix announced from several places. Routing takes each visitor to the nearest copy — no load balancer involved.
- MULTIHOMING
- More than one way in. A link dies, the announcement stays, traffic reroutes on its own.
- RPKI
- A signed statement of which AS may announce which prefix. Hijacked announcements get dropped at the border.
- DNSSEC
- Signatures on DNS answers, so a resolver can verify nobody rewrote them in transit.
FIG. 2 SEE FOR YOURSELF
$ curl -sI https://www.oddie.app | grep -iE 'cache-status|x-oddie-edge' x-oddie-edge: sgp-01 cache-status: Souin; hit; ttl=…
Which edge answered you, and whether your copy came from cache. When the second edge exists, that first line depends on where you are.
FILE THE NAMESAKE
- NAME
- Odette
- ROLE
- Supervisor, machine room
- COAT
- Long-haired ginger
- ACCESS
- Root. Unrequested, irrevocable.
- NOTES
- The platform is named after her. She sits beside the servers and tolerates the fan noise. Original photograph available to cache-warm visitors: odette.jpg