The Matsya Tunnel

How a sealed home network serves you a page anyway.

Here is a riddle: how does a page reach you from a machine that has no open ports to the internet? The Lab sits behind an ordinary home connection — the kind where the provider quietly blocks inbound 80 and 443, and even a "static" address won't accept a connection from the outside world. By every normal rule, you should not be able to load this page at all.

The trick is to stop thinking about inbound. You can't let the world dial in — but nothing stops a machine inside the Lab from dialing out. So that's the move: a small relay on a cloud box that does have a public address and open ports, and a tiny client inside the Lab that opens a connection to the relay and holds it there. When you request this page you hit the relay; it hands your request down the already-open pipe to the Lab, and the answer comes back the same way.

That relay is Matsya — the Lab's own self-hosted tunnel. No ports opened at home, no holes poked in anyone's firewall, the link encrypted end to end, and a real certificate terminated out at the relay so the address bar stays green. From the public side it looks like an ordinary website; underneath, every byte is making a U-turn through a connection that was dialed from the inside.

It is a small idea with a large payoff: a sealed home network, and yet here you are, reading a page it is serving — on its own domain, over HTTPS, from a GPU on a desk.