Any server responsible for media acquisition or automation control should be treated as internet-facing infrastructure, even if it is not directly exposed via open ports.
A VPN is not optional hardening — it is a baseline requirement for protecting identity, reducing exposure, and enforcing predictable traffic flow.
This page explains why a VPN is required and how it fits into the Trash Panda Guides architecture, and it outlines best-practice VPN behavior, with NordVPN recommended as a known-good provider.
Configuration steps are intentionally covered on separate pages.
Automation and acquisition servers routinely:
Without a VPN, this traffic:
A VPN establishes a controlled, encrypted egress path that decouples acquisition traffic from your physical location and ISP identity.
This is not about absolute anonymity.
A VPN provides:
It does not:
Think of the VPN as a network boundary, not a magic shield.
In the Trash Panda Guides environment:
This creates a clear separation:
This balance is critical — especially for:
Any acceptable VPN configuration must meet the following requirements:
If the VPN drops, traffic should fail closed, not silently fall back to the WAN.
Any reputable VPN provider can work, but NordVPN is recommended because it:
NordVPN is not required — but using it minimizes unknowns.
When using NordVPN on an automation or acquisition server, the following behavioral settings are considered best practice.
These ensure the VPN is always active and traffic never escapes unintentionally.
Local resources (examples):
These must remain reachable even if the VPN is active.
DNS leaks defeat the purpose of tunneling traffic.
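The three behaviors described above (fail closed when the tunnel drops, keep local resources reachable, avoid DNS leaks) can be checked from a host's routing table and resolver configuration. The following is an added example, not part of Trash Panda Guides or NordVPN tooling. It assumes Linux `ip route show` (IPv4) and `resolv.conf` text formats, and the interface names `tun0`/`eth0`, the addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data, not captured from a real host. Assumed formats:
# Linux `ip route show` (IPv4) and resolv.conf. tun0/eth0 and all addresses
# are hypothetical placeholders.
ROUTES_OK = (
    "default dev tun0 scope link\n"
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50\n"
)
# The tunnel wins on metric while it is up, but the eth0 default remains
# installed and takes over the moment tun0 disappears: a silent WAN fallback.
ROUTES_LEAKY = (
    "default dev tun0 scope link metric 50\n"
    "default via 192.168.1.1 dev eth0 metric 100\n"
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50\n"
)
RESOLV_OK = "nameserver 10.8.0.1\n"
RESOLV_LEAKY = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"


def parse_routes(text):
    """Return (destination, device) pairs from `ip route show` output."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" in fields[:-1]:
            pairs.append((fields[0], fields[fields.index("dev") + 1]))
    return pairs


def audit(routes_text, resolv_text, tunnel_if, lan_net, allowed_dns):
    """Return findings that break fail-closed egress, LAN access or DNS."""
    findings = []
    routes = parse_routes(routes_text)
    lan = ipaddress.ip_network(lan_net)
    lan_ok = False
    for dst, dev in routes:
        if dst == "default":
            if dev != tunnel_if:
                findings.append(f"default route on {dev}: WAN fallback if tunnel drops")
        elif dev != tunnel_if:
            lan_ok = lan_ok or lan.subnet_of(ipaddress.ip_network(dst, strict=False))
    if not lan_ok:
        findings.append(f"no non-tunnel route to {lan_net}: local resources cut off")
    for line in resolv_text.splitlines():
        fields = line.split()
        if fields[:1] == ["nameserver"] and len(fields) > 1 and fields[1] not in allowed_dns:
            findings.append(f"resolver {fields[1]} not in tunnel DNS set: DNS leak")
    return findings
```

An empty result covers routing and resolver configuration only; a kill switch enforced by firewall rules needs its own verification.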
Consistency improves reliability and reduces unexpected failures.
Automation tools assume:
A misconfigured VPN can:
A properly configured VPN becomes invisible — exactly as intended.
This page intentionally avoids:
Those topics are covered in:
A VPN on the automation/acquisition server is:
When implemented correctly:
This is foundational infrastructure — not an optional add-on.