Galaxus Fights Cloud Lock-in: How It Built Its Own Sovereign Network with Free Software

Galaxus, the Swiss e-commerce giant behind Digitec, has decided to stop outsourcing the “nervous system” of its company to large network and managed services providers. Instead of paying expensive licenses, accepting rigid contracts, and relying on proprietary hardware, the company has chosen a more demanding but much freer path: building its own network infrastructure entirely on open source software.

The result is a production-ready architecture — not just a laboratory experiment — that today connects around 30 locations — warehouses, stores, offices, and public clouds across Europe — through encrypted peer-to-peer tunnels. And most importantly: everything is under the direct control of the engineering team, with no intermediaries or invisible chains.


From Big Tech comfort to the decision to take control

For years, Galaxus depended on the same elements as much of the industry:

  • Public clouds with limitations and rising costs.
  • Proprietary networking equipment with renewal licensing requirements.
  • Traditional VPNs that are inflexible and hard to scale.
  • Managed services that, under the promise of convenience, often impose their own rules.

With more locations, more connectivity providers (fiber, copper, mobile), and heavy usage of multiple clouds — Azure, Google Cloud, Hetzner, and on-premise servers — that model began to feel limited. Contractual dependencies reduced agility and made projects costlier; what used to take weeks now required years of planning.

Facing this scenario, the internal infrastructure team, Planet Express, asked a tough question:

“Does it make sense for the fabric connecting the entire company to depend on closed contracts, licensed hardware, and providers setting the pace?”

Their answer was a resounding no. And from there, the new network design was born.


Building a corporate backbone with open components

The project that Galaxus has brought into production over the past two years leverages a set of well-known open-source technologies trusted by the sysadmin and open source communities.

1. Standard hardware, no black boxes

At the physical sites, they use MinisForum MS-01 mini-PCs, small devices with Intel Core i9 processors and two 10 Gbit/s SFP ports. These mini-PCs serve as network nodes that connect directly to the internet provider lines and move traffic at 10 Gbit/s without relying on expensive, closed-box routers.

Even the physical mounts for these devices — with the company logo — are 3D printed in-house, highlighting the philosophy of total control: from hardware to software.

2. Virtualization and routing system

On top of this hardware, they deploy:

  • Proxmox VE as the hypervisor, creating a small “network cloud” at each location, enabling emergency access if a virtual machine fails.
  • OpenWRT as the operating system on routers, running as virtual machines inside Proxmox. Millions of home routers run on OpenWRT derivatives; Galaxus applies that same reliability in the corporate environment.

3. Peer-to-peer VPN with Tailscale and Headscale

The real sovereignty leap happens at the connectivity layer:

  • Tailscale manages the encrypted tunnels between sites and clouds, turning each router or server into a node of the private network without the usual problems of NAT, changing IP addresses, or complex firewall rules.
  • Instead of relying on Tailscale’s managed service, Galaxus uses Headscale, a self-hosted and compatible control plane that defines which node can talk to which. It doesn’t route traffic but controls the topology.

In this way, the company has a fully encrypted end-to-end meshed network, where the red lines on the internal diagram represent direct VPN connections between warehouses, offices, and public clouds, whenever security policies allow.
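The topology control described above is what a self-hosted control plane such as Headscale enforces: it hands out accept rules, and any node-to-node path not covered by a rule stays closed. The following is an added example, not code from Galaxus or from the Headscale project. It evaluates a constructed, Tailscale-style ACL policy against a constructed node inventory (node names, tailnet addresses and tags are all invented) with default-deny semantics, and produces the reachability matrix a network engineer would review before pushing a policy change to the control plane. It is a simplified model: accept rules only, tag and IPv4/CIDR selectors, no users or groups.

```python
"""Default-deny reachability evaluation in the shape of a Tailscale/Headscale ACL.

Added example, not Galaxus's or Headscale's code. The node inventory and the
policy are constructed; the evaluator is a simplified model (accept rules
only, tag and IPv4/CIDR selectors, no users or groups) of how a self-hosted
control plane decides which node may talk to which.
"""
import ipaddress

# Constructed inventory: tailnet IPv4 address and the tags the control plane
# assigned to each node.
NODES = {
    "gw-wohlen": {"ip": "100.64.0.10", "tags": {"tag:gateway", "tag:warehouse"}},
    "gw-office": {"ip": "100.64.0.11", "tags": {"tag:gateway", "tag:office"}},
    "api-azure": {"ip": "100.64.0.20", "tags": {"tag:api", "tag:cloud"}},
    "build-hetzner": {"ip": "100.64.0.30", "tags": {"tag:build", "tag:cloud"}},
}

# Constructed policy. Like a Tailscale ACL file it lists accept rules only;
# any src/dst/port combination not covered by a rule is dropped.
POLICY = {
    "acls": [
        # sites reach the API nodes on HTTPS only
        {"action": "accept", "src": ["tag:warehouse", "tag:office"], "dst": ["tag:api:443"]},
        # gateways reach each other on any port (site-to-site routing)
        {"action": "accept", "src": ["tag:gateway"], "dst": ["tag:gateway:*"]},
        # build hosts reach the API on 443 and 8443
        {"action": "accept", "src": ["tag:build"], "dst": ["tag:api:443,8443"]},
        # one specific gateway (by tailnet address) may SSH to build hosts
        {"action": "accept", "src": ["100.64.0.10/32"], "dst": ["tag:build:22"]},
    ],
}


def selector_matches(selector, node):
    """True if a host selector ('*', 'tag:x', an IPv4 address or CIDR) covers node."""
    if selector == "*":
        return True
    if selector.startswith("tag:"):
        return selector in node["tags"]
    return ipaddress.ip_address(node["ip"]) in ipaddress.ip_network(selector, strict=False)


def split_dst(entry):
    """Split 'host:ports' on the last colon: 'tag:api:443,8443' -> ('tag:api', '443,8443')."""
    host, _, ports = entry.rpartition(":")
    return host, ports


def port_matches(spec, port):
    """A port spec is '*', a number, a range 'a-b', or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(policy, nodes, src_name, dst_name, port):
    """Default deny: the first accept rule covering (src, dst, port) wins; no rule means drop."""
    src, dst = nodes[src_name], nodes[dst_name]
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(selector_matches(s, src) for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            host, ports = split_dst(entry)
            if selector_matches(host, dst) and port_matches(ports, port):
                return True
    return False


def reachability(policy, nodes, port):
    """All (src, dst) node pairs the policy lets talk on a port, for review before rollout."""
    return sorted(
        (s, d)
        for s in nodes
        for d in nodes
        if s != d and is_allowed(policy, nodes, s, d, port)
    )


if __name__ == "__main__":
    for src, dst in reachability(POLICY, NODES, 443):
        print(f"443: {src} -> {dst}")
```

Printing the reachability matrix for a handful of ports is the useful part: with default deny, a missing rule shows up as a missing pair, and an over-broad rule (a `*` source, a `*` port on a sensitive tag) shows up as pairs nobody asked for, which is the kind of review a team doing its own control plane has to run itself.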

4. Automation at scale: Terraform + Ansible

With nearly 30 locations, no one wants to configure each gateway by hand. To avoid this, Planet Express manages all of the infrastructure as code:

  • Terraform creates and destroys gateway instances both in Proxmox and across different cloud providers.
  • Ansible, with Jinja2 templates and YAML files, applies configuration to all routers and nodes with a single run.

The company has decided to release their Ansible framework for OpenWRT on GitHub, inviting other teams to reuse, adapt, and improve the solution. It’s not just an internal project but a contribution to the open ecosystem that got them here.
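When one Ansible run fans out to every gateway, the inventory is the single point where a mistake propagates to all sites at once, so it pays to validate it before anything is applied. The following is an added example and not the Galaxus Ansible framework: the `SITES` list is a constructed Python stand-in for the YAML inventory Ansible would load (site names, hostnames and prefixes are invented), and `render_uci()` is a minimal stand-in for a Jinja2 template producing OpenWRT UCI commands. The checks catch two mistakes a mesh of subnet routers does not surface on its own: two sites advertising overlapping LAN prefixes, and two nodes claiming the same hostname.

```python
"""Pre-flight checks on a site inventory before one Ansible run touches every gateway.

Added example, not the Galaxus Ansible framework. SITES is a constructed
Python dict standing in for the YAML inventory Ansible would load, and
render_uci() is a small stand-in for a Jinja2 template. The checks catch
two mistakes that a mesh of subnet routers does not surface on its own:
two sites advertising overlapping LAN prefixes, and two nodes claiming the
same hostname.
"""
import ipaddress

# Constructed inventory: one entry per site, as it would appear in YAML.
# Two deliberate errors are included so that validate() has something to find.
SITES = [
    {"name": "wohlen-warehouse", "hostname": "gw-wohlen", "lan": "10.10.0.0/16"},
    {"name": "zurich-office", "hostname": "gw-zurich", "lan": "10.20.0.0/16"},
    {"name": "azure-api", "hostname": "gw-azure", "lan": "10.10.5.0/24"},      # overlaps wohlen
    {"name": "hetzner-build", "hostname": "gw-zurich", "lan": "10.30.0.0/24"},  # duplicate hostname
]


def find_overlaps(sites):
    """Pairs of site names whose LAN prefixes overlap (each pair reported once)."""
    nets = [(s["name"], ipaddress.ip_network(s["lan"], strict=True)) for s in sites]
    return [
        (a, b)
        for i, (a, na) in enumerate(nets)
        for b, nb in nets[i + 1:]
        if na.overlaps(nb)
    ]


def find_duplicate_hostnames(sites):
    """Hostnames used by more than one site, in inventory order."""
    seen, dupes = set(), []
    for s in sites:
        if s["hostname"] in seen and s["hostname"] not in dupes:
            dupes.append(s["hostname"])
        seen.add(s["hostname"])
    return dupes


def validate(sites):
    """Human-readable problems; an empty list means the inventory is safe to roll out."""
    problems = [f"overlapping LAN prefixes: {a} and {b}" for a, b in find_overlaps(sites)]
    problems += [f"duplicate hostname: {h}" for h in find_duplicate_hostnames(sites)]
    return problems


def render_uci(site):
    """OpenWRT UCI commands for the site's LAN interface (gateway = first usable host)."""
    net = ipaddress.ip_network(site["lan"], strict=True)
    gateway = next(net.hosts())
    return [
        f"uci set system.@system[0].hostname='{site['hostname']}'",
        f"uci set network.lan.ipaddr='{gateway}'",
        f"uci set network.lan.netmask='{net.netmask}'",
        "uci commit system",
        "uci commit network",
    ]


def render_all(sites):
    """Refuse to render anything for any site if the inventory fails validation."""
    problems = validate(sites)
    if problems:
        raise ValueError("; ".join(problems))
    return {s["hostname"]: render_uci(s) for s in sites}


if __name__ == "__main__":
    for p in validate(SITES):
        print("inventory problem:", p)
```

`render_all()` is all-or-nothing on purpose: a partial rollout in which some gateways received new routes and others did not is harder to recover from than a run that never started, which is why the validation belongs in front of the playbook rather than inside a per-host task.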


Less dependency, more options

This new approach is not just a technical showcase; it has direct business impacts:

  • Galaxus can move build pipelines or workloads across Hetzner, Azure, Google Cloud, or their own servers based on price, capacity, or proximity to users.
  • They’re free from contracts forcing them to keep specific hardware or services simply because “the license is paid.”
  • New sites or clouds can be integrated in weeks — or days — maintaining a homogeneous network model.

In practice, the peer-to-peer network already carries critical traffic: from order and label data for the Wohlen warehouse, to real-time API calls into Azure and Google Cloud while users browse the store.


Digital sovereignty: trusting your own engineers

The core message is clear: Galaxus prefers to trust its own developers rather than Big Tech’s convenience. Where others accept black boxes and long-term contracts, the Swiss company bets on understanding, controlling, and evolving every layer of its network.

This is not a free ride: building and maintaining such infrastructure requires internal talent, automation discipline, and greater responsibility. But in return, Galaxus gains:

  • Strategic independence from specific vendors.
  • Improved bargaining power by not relying on a single platform.
  • Technical transparency, understanding firsthand how each component works.

Previous initiatives, like the company’s Linux thin clients, fit this same logic. These devices continue to grow in number — about 640 active users — and their GitHub repository still receives updates.

For the company, the conclusion is simple: taking on technical responsibility multiplies the freedom to decide and improves economic conditions. What was once considered “too complex” is now, thanks to open source ecosystems and automation, a real option for organizations aiming to reduce dependence on closed-source providers.


Frequently Asked Questions

What is meant by “digital sovereignty” in the context of corporate networks?
It’s the organization’s ability to control its technological infrastructure: choose providers, move workloads, audit security, and avoid contractual or technical dependencies that limit decision-making. In networks, it means not tying oneself to proprietary hardware or managed services that can change terms or prices unilaterally.

What open source software components does Galaxus use in its new network?
The architecture combines several open technologies: Proxmox VE as hypervisor, OpenWRT as routing OS, Tailscale as VPN client, Headscale as self-hosted control plane, and Terraform + Ansible for automating deployment and configuration of gateways and nodes.

What advantage does Headscale offer over Tailscale’s managed service?
Headscale allows maintaining the same network model as Tailscale but gives full control over data, authentication, and policies. Not relying on an external SaaS service helps the company avoid unilateral changes in prices or conditions and reduces the exposure of sensitive metadata about their internal topology.

Can a small or medium-sized enterprise replicate a similar approach as Galaxus?
Yes, on a smaller scale. The same pattern — standard hardware, OpenWRT, Tailscale/Headscale, Proxmox, and automation with Ansible — can connect offices, remote workers, and cloud servers. The key is starting small, documenting the architecture from the beginning, and treating infrastructure as code so that expanding from 3 to 10 sites is just repeating the same pattern, not redesigning everything from scratch.

via: digitec.ch
