I do not trust coffee-shop Wi-Fi. I also do not fully trust hotel Wi-Fi, airport Wi-Fi, public hotspots, or any open network I do not control.
That does not mean I think those networks are malicious. It means I do not want my laptop's traffic exposed to whatever happens to be sitting on the same network.
For years, my answer was a commercial VPN — NordVPN, Mullvad, ExpressVPN, depending on which one I'd most recently been annoyed at. It worked, but it also moved trust from the coffee shop to the VPN provider.
Eventually I realized I already owned a better exit point for my threat model: the desktop in my home office, sitting on a 1 Gbps fiber connection and idle most of the day.
This post is about using that desktop as my personal exit node with HostAnywhere's Internet Gateway feature.
What Internet Gateway does
Internet Gateway is HostAnywhere's name for the "route all my outbound traffic through another peer" pattern. If you've used Tailscale, this is the same idea as Exit Nodes. In our model:
- You designate one mesh peer as an Internet Gateway.
- Other peers in the mesh can opt to route their `0.0.0.0/0` traffic — meaning everything that isn't already on the mesh — through that gateway peer.
- The gateway peer NATs the traffic onto its own internet connection.
Result: my laptop in a coffee shop sends every packet (except mesh-internal ones) over the encrypted mesh to my home desktop. Home desktop NATs onto my fiber. The coffee shop sees an encrypted tunnel from my laptop, not the websites, DNS queries, or services behind it.
Three-slot priority, automatic failover
The thing I've grown to love about this feature isn't the basic "tunnel through home" — that's table stakes. It's what happens when home goes down.
In the dashboard, you can configure three Internet Gateway slots: Primary, Secondary, Tertiary. Your client devices fall through them in order:
- Primary: my home desktop (1 Gbps fiber, low latency).
- Secondary: my parents' house in another city (a Raspberry Pi 4 plugged in by their router, running as a gateway).
- Tertiary: an old Mac mini at a friend's place across the country (his idea, since he liked having access to a US-East exit).
If home's fiber goes down at 2 AM, my laptop notices within about 10 seconds and starts routing through my parents' Pi. If both home and parents are out (regional power outage), it falls to the friend's Mac mini. I rarely notice the transition — a tab might take a half-second longer to load.
The 3-slot priority + automatic failover is the part that I think actually changes the user experience versus traditional commercial VPNs. With NordVPN, if "my" server goes down, I either get a connection failure or I'm silently sent to whatever server has capacity. With my own gateways, I know exactly where my traffic is exiting and exactly what the backup paths are.
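The fall-through described above can be modelled in a few lines. This is an added sketch, not HostAnywhere's implementation: the 2-second probe period, the miss and recovery thresholds, and the slot names are assumptions chosen to match the roughly 10-second detection mentioned in the post. The post does not say what the client does when all three slots are down; this model returns `None` so a caller can block traffic instead of sending it out directly.

```python
from dataclasses import dataclass

PROBE_INTERVAL_S = 2  # assumed probe period
DOWN_AFTER = 5        # 5 missed probes x 2 s = the ~10 s detection in the post
UP_AFTER = 3          # assumed: successes needed before a slot is trusted again


@dataclass
class Slot:
    name: str
    misses: int = 0
    hits: int = 0
    healthy: bool = True


class GatewaySelector:
    def __init__(self, names):
        self.slots = [Slot(n) for n in names]  # list order is priority order

    def observe(self, results):
        """Feed one probe round {name: reachable}; return the active slot or None."""
        for s in self.slots:
            if results.get(s.name, False):
                s.hits, s.misses = s.hits + 1, 0
                if not s.healthy and s.hits >= UP_AFTER:
                    s.healthy = True   # recovered: eligible again
            else:
                s.misses, s.hits = s.misses + 1, 0
                if s.misses >= DOWN_AFTER:
                    s.healthy = False  # a single lost probe does not trigger failover
        for s in self.slots:
            if s.healthy:
                return s.name          # highest-priority healthy slot wins
        return None                    # nothing healthy: fail closed


def replay(timeline):
    """Run a list of probe rounds through a fresh three-slot selector."""
    sel = GatewaySelector(["primary", "secondary", "tertiary"])
    return [sel.observe(r) for r in timeline]


if __name__ == "__main__":
    up = {"primary": True, "secondary": True, "tertiary": True}
    outage = dict(up, primary=False)
    # Constructed timeline: home fiber drops for five rounds, then returns.
    print(replay([up] * 2 + [outage] * 5 + [up] * 3))
```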
Setting it up
What you need:
- A HostAnywhere account on the Developer plan or higher (Internet Gateway, like VPN Gateway, isn't on Free).
- A device you own at home that's always on. A desktop is fine. A Mac mini is great. A Raspberry Pi 4 is enough for a single user. An older laptop with the lid closed works too.
- That device needs a reasonable internet upload speed — your gateway upload is the ceiling for your laptop's download when routed through it. I have 1 Gbps symmetric fiber, so this isn't a constraint. If you have 20 Mbps up, your laptop will see 20 Mbps down through the gateway.
Steps:
- Install the HostAnywhere agent on the gateway device. Sign in.
- In the dashboard, open the device settings, find the "Internet Gateway" option, toggle it on.
- In your network-level settings, assign this device to the Primary slot (or Secondary / Tertiary, depending on which one you're setting up).
- On your client device (laptop, phone), toggle "Use Internet Gateway" in the app. It picks up the network's gateway configuration and starts routing.
You can verify it's working by visiting any "what's my IP" service — you should see your home IP, not the coffee shop's.
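The IP lookup confirms the default path but not that every destination takes it. As an added example (not HostAnywhere code), this check reads Linux `ip route show` output and returns any address space whose best-match route leaves on something other than the tunnel. Assumptions: the client installs its routes in the main table, and the interface names `ha0` and `wlan0`, the endpoint 203.0.113.7 and both sample tables are constructed.

```python
import ipaddress

# Constructed sample tables; ha0 (tunnel) and wlan0 (Wi-Fi) are assumed names.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev ha0 scope link
128.0.0.0/1 dev ha0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.7 via 192.168.1.1 dev wlan0
"""
STRAY_ROUTE = FULL_TUNNEL + "198.51.100.0/24 via 192.168.1.1 dev wlan0\n"
# The local subnet and the tunnel's own outer endpoint must stay on Wi-Fi.
EXPECTED = ("192.168.1.0/24", "203.0.113.7/32")


def parse_routes(text):
    """Parse `ip route show` lines into (IPv4Network, device) pairs (IPv4 only)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if "dev" not in f:
            continue  # blackhole/unreachable entries carry no device
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        routes.append((ipaddress.ip_network(dest), f[f.index("dev") + 1]))
    return routes


def untunnelled(route_text, tunnel_dev, expected=()):
    """Return address space whose best-match route avoids tunnel_dev."""
    claimed = [ipaddress.ip_network(n) for n in expected]
    leaked = []
    # Longest prefix wins, so walk from most to least specific route.
    # Equal prefixes: first listed wins here (the kernel compares metrics).
    for net, dev in sorted(parse_routes(route_text), key=lambda r: -r[0].prefixlen):
        pieces = [net]
        for c in claimed:  # carve out space a more specific route already owns
            nxt = []
            for p in pieces:
                if c.subnet_of(p):
                    nxt.extend(p.address_exclude(c))
                elif not p.subnet_of(c):
                    nxt.append(p)
            pieces = nxt
        claimed.append(net)
        if dev != tunnel_dev:
            leaked.extend(pieces)
    return list(ipaddress.collapse_addresses(leaked))


if __name__ == "__main__":
    print("full tunnel :", untunnelled(FULL_TUNNEL, "ha0", EXPECTED))
    print("stray route :", untunnelled(STRAY_ROUTE, "ha0", EXPECTED))
```

An empty list means every IPv4 destination outside `EXPECTED` resolves to the tunnel; IPv6 routes need the same pass over their own table.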
What this protects you from, and what it doesn't
Here is the honest version of the threat model.
What it does:
- Encrypts traffic across the untrusted local Wi-Fi before it exits from your chosen gateway.
- When full-tunnel routing is enabled, the coffee-shop network no longer sees your DNS queries or destination sites directly.
- Gives you a stable, predictable exit IP — useful for services that geofence or rate-limit by IP.
- Lets you use hardware you control as the exit point instead of a commercial VPN provider.
What it does not do:
- It does not make you anonymous to websites you visit. Those sites still see whatever cookies, logins, and fingerprints your browser sends.
- It does not hide traffic from the ISP serving your gateway device. If your gateway is a home desktop, that's your home ISP. If your gateway is a cloud VM, that's the cloud provider's network.
What if I want to appear from a different country?
The home-desktop gateway is built for "safer Wi-Fi from a fixed location" — your traffic exits from wherever the gateway lives. If you want to appear from a different region — say, watching geo-fenced content while traveling, or testing a service from another country — you can add another Internet Gateway in that region.
A small Linux VM (around $2/month, for example on Oracle Cloud) works as a gateway and gives you a stable exit IP in the geography you choose. Spin one up in Frankfurt for a German exit, Mumbai for an Indian exit, Ashburn for a US-East exit. Use HostAnywhere's 3-slot priority to switch between regions, or have separate gateways for separate use cases.
See our docs for a walkthrough video on bringing up a cheap Linux VM on Oracle Cloud as an Internet Gateway.
Personal Internet Gateway is for the case of: "I want my real laptop to safely use the network I'm currently on, with my traffic exiting from hardware I control — at home, or in any geography I choose."
Bandwidth honesty
The bandwidth math:
- My home gateway: 1 Gbps symmetric. Bottleneck is the laptop's Wi-Fi.
- My parents' Pi (Secondary): 200 Mbps cable internet, maybe 20 Mbps up. Fine for browsing, marginal for video calls, useless for streaming 4K.
- Friend's Mac mini (Tertiary): 500 Mbps fiber. Good fallback.
I've found that the worst-case experience (Secondary kicks in during a home outage, and I'm on a Zoom call) is fine. Audio stays clear, video drops to 480p. Better than the alternative of being unable to use the coffee-shop Wi-Fi at all.
What I run
The current setup, in case it's useful:
- Home desktop: i7 with 32 GB RAM, runs as Primary gateway. 1 Gbps fiber. Idle CPU usage with gateway active: under 2%.
- Parents' Raspberry Pi 4: $35 hardware, plugged in by their router. Runs as Secondary. It sits quietly next to their router, and they don't have to manage it. The side benefit they appreciate: I can fix their printer remotely now.
- Friend's Mac mini: M1, runs as Tertiary. He gets to use my fiber as his gateway when he travels, so we're square.
Total cost over a year: $0 incremental hardware cost because I already owned the devices, plus $9/month for the HostAnywhere plan I was already using.
The bigger win is not just cost. I no longer pay for a separate commercial VPN provider, and my traffic exits from hardware I control. As a side benefit, because traffic exits from my normal home IP, fewer services treat it like generic VPN traffic.
Try it
Try HostAnywhere Free at hostanywhere.io — connect up to 10 devices with no credit card. Upgrade to Developer when you're ready to enable Internet Gateway.