The claim
Capability was never the barrier.
Commercial security vendors sell a reasonable story: protecting a network requires a SIEM, an intrusion detection system, DNS filtering, secure remote access, virtualization, and encrypted transport — and each of those carries a license. For a school district, a nonprofit, or a rural clinic, the quotes stack into numbers that end the conversation before it starts.
This project tests the story's hidden assumption. Every one of those functions has a free and open-source implementation — in most cases the same engine the commercial products are built on. Over one summer, working evenings around a full-time lab job, I deployed the complete stack below on used hardware and a small datacenter VPS. Nothing on this page required a license, a sales call, or permission.
What it did require is the actual subject of this project: skills that are unevenly distributed, and one policy barrier nobody's marketing mentions.
The stack
Eight enterprise functions. One column of zeros.
| Function | Deployed in this build | Commercial counterpart | How the counterpart is priced | Cost here |
|---|---|---|---|---|
| Virtualization | Proxmox VE | VMware vSphere | Per-core annual subscription | $0 |
| Network security monitoring | Security Onion | Commercial NSM/SIEM suites | Per-sensor + ingest licensing | $0 |
| Intrusion detection | Suricata | Next-gen IPS appliances | Hardware + annual subscription | $0 |
| Log analytics / SIEM | Elastic (ELK) Stack | Splunk-class platforms | Priced per GB ingested, per day | $0 |
| DNS filtering | Pi-hole | DNS-layer security services | Per-user, per-month | $0 |
| Remote access VPN | WireGuard | Enterprise VPN concentrators | Appliance + per-client licenses | $0 |
| Web serving / edge | nginx | Commercial ADCs & load balancers | Per-instance subscription | $0 |
| TLS certificates | Let's Encrypt | Paid certificate authorities | Per-certificate, per-year | $0 |
| Total software licensing, entire environment | $0.00 | |||
Honesty note: free software is not a free build. This environment runs on one used server, a consumer gateway, and a low-cost datacenter VPS — a hardware footprint in the low hundreds of dollars, not the tens of thousands a licensed equivalent quotes before hardware.
Architecture
A home SOC with a datacenter front door.
The monitoring core lives on a Proxmox hypervisor at home, where it can watch real traffic. The public web tier lives on a small VPS, because — as the case study below documents — it wasn't allowed to live at home. The two halves connect over a WireGuard tunnel, which is exactly the edge-plus-core pattern commercial deployments use.
INTERNET
│
┌──────────────┴───────────────┐
│ │
┌─────────▼──────────┐ ┌──────────▼──────────┐
│ DATACENTER VPS │ │ RESIDENTIAL ISP │
│ Debian 13 │ │ inbound 80 ✗ blocked│
│ nginx + TLS │ └──────────┬──────────┘
│ 80/443 open ✓ │ │
│ honorswebsite. │ ┌──────────▼──────────┐
│ ddnsking.com │ │ UniFi gateway │
└─────────┬──────────┘ └──────────┬──────────┘
│ │
│ WireGuard tunnel │
└───────────────┬──────────────┘
│
┌──────────▼───────────┐
│ PROXMOX VE (home) │
│ ├─ Security Onion │
│ │ └─ Suricata │
│ ├─ Elastic / ELK │
│ ├─ Pi-hole DNS │
│ └─ web VM (origin) │
└──────────────────────┘
Case study
The barrier nobody sells a product for.
The plan was maximum equity: self-host everything on residential internet, total infrastructure cost near zero. DNS resolved correctly. The firewall rules were verified. The software was flawless. And certificate issuance still failed — because the ISP's residential service blocks inbound port 80, the exact port free automated certificate validation depends on.
Below is the same command, run twice. Same software, same configuration, same operator. The only variable is the network policy it ran behind.
$ sudo certbot --nginx -d honorswebsite.ddnsking.com Requesting a certificate... Certbot failed to authenticate some domains. The Certificate Authority reported these problems: Type: connection Detail: Fetching http://…/.well-known/ acme-challenge/H2kMu9K4dNm1w5oI…: Timeout during connect (likely firewall problem) Cause: ISP policy — inbound port 80 blocked on residential service.
$ certbot --nginx -d honorswebsite.ddnsking.com Requesting a certificate... Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/ honorswebsite.ddnsking.com/fullchain.pem Deploying certificate... done. Congratulations! You have successfully enabled HTTPS. Same stack. Zero modifications. First attempt.
The identical free stack that "failed" behind a residential connection succeeded, unmodified, the moment it ran somewhere policy allowed it to. The barrier was never technical.
This finding generalizes. Residential ISPs reserving inbound service ports for business-class subscriptions is an invisible tax on exactly the population this project is about: the person or small organization trying to do it themselves for free. Every workaround that exists — tunnel services, datacenter VPS hosting, relocated edges — works by moving the barrier somewhere cheaper to cross, not by eliminating it. Which is, ultimately, what every solution in the comparison table above does too.
The other cost
What "free" actually charges: expertise.
Nothing above installs itself. The honest version of this project's thesis is that FOSS converts a licensing cost into a knowledge cost — and unlike licenses, every skill this build required can be acquired for free or nearly free. Each competency below is annotated with where it actually came from.
That last annotation is the equity argument in miniature: community colleges, public cyber ranges, and open documentation form a free curriculum for this entire stack. The knowledge barrier is real — but unlike the licensing barrier, it is one a motivated person can cross without anyone's permission.
Sources
Works consulted.
- Aas, J. (2025). 10 years of Let's Encrypt certificates. Let's Encrypt. letsencrypt.org/2025/12/09/10-years
- Cloudflare. (n.d.). Cloudflare Tunnel. developers.cloudflare.com/tunnel
- Cox Communications. (n.d.). Internet ports blocked or restricted by Cox. cox.com — blocked ports
- Cybersecurity and Infrastructure Security Agency. (n.d.). No-cost cybersecurity services & tools. cisa.gov — no-cost services
- University of Michigan. (2019). How Let's Encrypt doubled the internet's percentage of secure websites in four years. news.umich.edu