I’m looking for the best and most secure way to access my Proxmox server remotely. I have one mini PC running Proxmox, so it should be something that doesn’t need a different device. I want to ensure that the connection is very secure and reliable, but I also need something that’s relatively straightforward to set up.
What are your recommendations for accessing Proxmox from outside my local network? I’ve heard about using a VPN like Tailscale or WireGuard.
Ideally, I wouldn’t want to open any ports on my router. So:
I would probably prefer the Cloudflare secure tunnel because I already use it for Home Assistant, and I don’t use Plex, so the user policy won’t affect me. But some say it’s insecure. Security is important, so I’m not sure.
WireGuard on its own is great if you have a public IP that you can tie to a domain name (either by a free dynamic dns provider or a domain you own and can create a record like WireGuard.yourdomain.com to point to your public IP). WG-Easy is a great implementation. You will need to open a port on your router and forward it to your listening WireGuard instance. Because of the way WireGuard works, this is far less “risky” than forwarding ports for other services.
Tailscale is even easier to set up and is as secure as whatever authentication provider you use for it. It uses WireGuard for its actual VPN connectivity. It can be used without opening any ports on your router.
Whatever you do, don’t expose your Proxmox web UI port externally. Use one of the above options to get into your network externally and then access things from there.
I’d use Tailscale. I don’t personally install Tailscale on my Proxmox machines. I leave my PC on at home and I RDP into it from my laptop since they’re both on my tailnet. Once I’m in my PC I can connect to Proxmox because I’m on a local device. You could do the same on a Windows VM instead of leaving a PC on like I do.
If you are already familiar with Cloudflare you could use a tunnel to SSH into your box. The only downside is that you also need the Cloudflare software on the client side, so you can’t just SSH from any random device you find; you have to set it up properly beforehand.
You could also use Tailscale. It does not require opening any ports, and your local and remote servers appear to be on the same network. It is a zero-config VPN.
I see multiple comments suggesting using Cloudflare is not secure. That suggests you’re just not using all the available tools.
A tunnel exposes a service from your LAN. Access handles the authentication.
Access allows you to granularly manage access control on any domain/subdomain proxied by Cloudflare (such as your tunnel). You can allowlist certain emails, require Gmail auth, do SSO, send a one time login code, etc.
The key is to put Access in front of whatever you expose via a Cloudflare Tunnel.
I use Twingate. It’s easy to set up as a low-maintenance LXC, and the free version gives you the ability to set which devices can be accessed only through a Twingate connection. It helps me stop the kids from playing with my servers, since they can’t access them without the Twingate app.
If you have multiple web services running in your environment, maybe look into reverse proxies (nginx, HAProxy, FortiWeb, etc.). They can be set up with client certificates.
I use a Cloudflare tunnel to RDP into a gateway VM that has 2FA via Duo. The VM is on a separate VLAN, so you have to RDP into the home network to actually get at anything. If someone tries to log in to the gateway VM, I get notified via a 2FA request.
I posted a similar question here just last week!
In the end, I went with Tailscale.
I configured it in only a couple of minutes, and now when I want access to my server I just open the Tailscale app and turn on the connection. BOOM, everything is now routing through my home network. No port forward required!
Best IMO: you rent a VPS that acts as a WireGuard gateway. You have a Proxmox VM/LXC that connects to the WireGuard gateway (no port forward required); then you WireGuard into the VPS, then SSH into the VM/LXC, and then you’re inside your network.
cloudflared tunnel SSH in the browser + WAF to allow only your IP/ISP/country, and Zero Trust to allow only your email to reach the SSH UI FQDN provided by Cloudflare.
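As an added example, not posted by anyone in this thread, here is a WireGuard layout for the VPS-relay setup described above; the VPS section is also exactly what the earlier WireGuard-with-port-forward reply describes, just running on a router-forwarded host at home instead of a rented VPS. The tunnel subnet 10.99.0.0/24, the home LAN 192.168.1.0/24, the hostname vps.example.com, the LXC interface name eth0 and the angle-bracket key placeholders are all assumptions (generate real keys with `wg genkey | tee privkey | wg pubkey`).

```ini
# --- VPS: /etc/wireguard/wg0.conf (public IP; only UDP 51820 open) ---
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Forward between wg0 peers so the laptop can reach the home LAN via the LXC
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

# Home LXC behind NAT: it dials out, so nothing is forwarded on the home router
[Peer]
PublicKey = <HOME_LXC_PUBLIC_KEY>
AllowedIPs = 10.99.0.2/32, 192.168.1.0/24

# Road-warrior laptop
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.99.0.3/32

# --- Home LXC on Proxmox: /etc/wireguard/wg0.conf (no inbound ports) ---
[Interface]
Address = 10.99.0.2/24
PrivateKey = <HOME_LXC_PRIVATE_KEY>
# NAT tunnel traffic onto the LAN so LAN hosts reply through this LXC
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
AllowedIPs = 10.99.0.0/24
# Keepalive holds the NAT mapping open so the VPS can always reach us
PersistentKeepalive = 25

# --- Laptop: wg0.conf ---
[Interface]
Address = 10.99.0.3/24
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
# Route the tunnel subnet and the home LAN (e.g. Proxmox UI at 192.168.1.10:8006) via the VPS
AllowedIPs = 10.99.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

The only listening socket on the internet is the VPS's UDP 51820, which WireGuard keeps silent to anyone without a valid peer key; the home side never accepts inbound connections.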
I once moved houses and had one mini PC in the new house with a 4G connection so I could gradually migrate services. Tailscale made it zero-config. It was insane, just as if they were in the same network. I plugged in one camera and yep, there it was in Frigate just like in the old house. All without opening ports.
I use a WireGuard VPN to my home router, and also use the ProxMate app to check different values on my iPhone. In my opinion, the most secure way to access Proxmox remotely.
Tailscale is awesome. I have a Raspberry Pi running it as an exit node and subnet router. It allows me to route all of my traffic through my home connection when I select the exit node and/or access my home network when I’m traveling. It’s free and works great, no need to open ports either. https://tailscale.com/kb/1082/firewall-ports
Worth noting that you can really run this on anything on your network. Proxmox VM, Synology NAS, certain routers, etc.