Behind Private Cloud Infrastructure?
Yundera is not just a hosting product — it’s a technical foundation for self-sovereign cloud services. At its core lies NSL.SH, our open infrastructure layer that provides secure networking, dynamic domain routing, and scalable deployment. In this article, we’ll explain how NSL.SH works, where it's hosted, why we made specific technical choices, and how we plan to evolve the platform.
What is NSL.SH?
NSL.SH (Network, Storage, Liberty) is the technology framework that powers every Yundera instance. It includes containerized tools for dynamic DNS, encrypted networking, domain provisioning, and application access.
Instead of building yet another SaaS dashboard, we focused on providing an invisible infrastructure layer that allows anyone to deploy and manage self-hosted apps with ease. NSL.SH supports features like:
- Automatic domain assignment (yourname.nsl.sh)
- Secure tunneling and encryption for app access
- Docker-based CasaOS packaging via CasaIMG
- Dynamic reverse proxy configuration
- Remote and local network fallback options
This abstraction layer simplifies operations while still giving developers and sysadmins full control of their data.
Hosting Infrastructure: Why Scaleway in Europe?
All Yundera deployments are hosted on Scaleway, a European cloud provider. We deliberately chose Scaleway for several reasons:
- Geographic jurisdiction: As a French provider, Scaleway ensures that all data resides within the European Union and is protected under GDPR.
- Sustainability: Scaleway operates data centers powered by hydroelectric and renewable energy sources, aligning with our environmental responsibility goals.
- Infrastructure quality: Scaleway provides bare-metal servers, virtual instances, and object storage with strong uptime SLAs and low-latency networking across European zones.
By building on top of Scaleway, we combine regulatory compliance, low environmental footprint, and cloud-native reliability.
Technical Roadmap
Short-Term Goals (0–6 Months)
1. Full VPN Mode for UDP/TCP Support
Current tunnel implementations handle HTTP/HTTPS traffic. We are now implementing full VPN support using WireGuard, which will allow tunneling of UDP and TCP protocols while preserving IP-level obfuscation. This will support more advanced use cases, such as self-hosted media streaming (Jellyfin), real-time tools (like WebRTC), and AI APIs.
2. Customization & Security Hardening
We plan to offer users more granular control over server security. Planned features include:
- Integration of Fail2Ban for brute-force mitigation
- Enhanced SSH protection and rate limiting
- Optional firewall templates depending on user exposure level
3. Improved Domain Management Tools
We're simplifying the custom domain onboarding process. Users will be able to:
- Point their domain via a simple DNS CNAME or A record
- Verify domain ownership through DNS or HTTP validation
- Automatically generate SSL certificates using ACME and a DNS challenge
4. Multi-Subdomain Support
Currently, users are provisioned a single nsl.sh subdomain. Our roadmap includes support for managing multiple subdomains per user — useful for managing distinct services like media.nsl.sh, cloud.nsl.sh, or ai.nsl.sh.
Mid-Term Goals (6–12 Months)
1. Security Audits and Penetration Testing
We aim to validate our stack through formal third-party audits. This will include:
- Manual penetration testing
- Code review of the NSL router and CasaIMG bootstrapping logic
- Continuous integration of static security analysis
2. Scalability Improvements
We are optimizing routing infrastructure to scale horizontally. This includes:
- Rate-limiting support via reverse proxy headers
- Edge cache coordination between NSL nodes
- Load balancing logic for containerized endpoints
Long-Term Goals (12+ Months)
1. Advanced Privacy Features
We are researching zero-knowledge routing protocols, where DNS requests can be resolved through decentralized trust without leaking metadata to NSL routers. This would enable strong privacy protections even from us, the infrastructure provider.
2. Domain Diversity and Custom TLDs
To reduce dependency on a single root domain (nsl.sh), we plan to introduce alternative free TLDs — such as *.lib.sh, *.xnode.net, or region-specific domains — giving users more choice and redundancy.
3. Community Governance & Non-Profit Transition
We are committed to transparency and decentralization. Our vision is to transition NSL.SH into a non-profit foundation that manages the project via community contributions, public decision-making, and peer-reviewed development standards.
This will ensure the long-term neutrality and resilience of the infrastructure.
Open Source Components
CasaIMG — Containerized CasaOS Distribution
CasaIMG is a Docker-based image of CasaOS, modified to:
- Support declarative configuration via environment variables
- Integrate cleanly with Mesh Router’s DNS system
- Automatically expose apps to subdomains without user intervention
- Package updates into predictable release cycles
Repository: CasaIMG GitHub
Mesh Router — Secure Domain Routing Engine
Mesh Router is a DNS-aware, container-native router that:
- Registers, provisions, and proxies custom subdomains
- Encrypts routing data using WireGuard
- Provides API-based routing for dynamic services
- Integrates with Cloudflare and Let's Encrypt for HTTPS termination
Repository: Mesh Router GitHub
Why Open Source?
We chose open source because it is the only model that aligns with our values:
- Security through transparency — users can audit, verify, and trust the code
- Sovereignty — no reliance on closed systems or third-party vendors
- Community evolution — contributors can propose features, file issues, and fork projects
Rather than create another black-box cloud, we want to make infrastructure that people understand, control, and evolve.
How to Contribute
We invite developers, testers, writers, and security researchers to join us:
- Clone our repos and explore the architecture
- File feature requests or report bugs
- Help test new modules in staging
- Participate in discussions about future protocol designs
Get started at:
Together, we can build a private cloud that is open, secure, and resilient by design.