Tailscale if you use pfSense, Zerotier if you use OPNSense
I use OPNSense with Zerotier.
OPNSense as a VM in Proxmox, and I put all my other VMs behind the OPNSense.
I run a service called “Kasm Workspaces”. It lets me host virtual environments and apps (like an Ubuntu desktop or just a Firefox browser). They have an Ubuntu image with an OpenVPN connection built in. I have it configured to connect home on launch so Proxmox and any other service that doesn’t come with a username/password (like Tdarr or OliveTin) can be accessed. You can add users to Kasm and share with others or not.
I keep it simple. I run Tailscale on my Apple TV as a subnet router so I can reach anything remotely without ports open.
Wireguard is great. Been using it for years to access my LAN. Zero problems.
I use Cloudflared Tunnels paired with Access. I use Keycloak to store my creds across all applications, although you could set up another provider: GitHub, Google, Microsoft, or any generic OAuth provider.
I find that this gives me the easiest access route and a level of security that I am comfortable having, especially because the request never hits the origin server until after Cloudflare verifies the request through Access.
MikroTik + WireGuard
A tunneling service (whether traditional VPN or tailscale or CloudFlare tunnels) to a jump host.
The only way into your hypervisor host should be through the internal network. Even in a fully zero trust environment you don’t expose that management interface to the internet and in truth it should only accept connections from the jump box.
This is more effort, yes, but you did ask most secure.
I run WireGuard for all my remote access; it has worked flawlessly since day 1 and is noticeably faster than older protocols.
Cloudflare tunnels are a much better “zero trust” and secure method than a traditional VPN connection. It’s even free!
You just need a domain name and an agent on the box.
+1 for Cloudflare Tunnel secured with access. I also expose OIDC through the tunnel and set it as the access OIDC provider.
I do wireguard. Very secure and simple
Thanks for all the responses. After reading the comments, I will probably look into Tailscale or WireGuard. If that doesn’t work, I’ll try the Cloudflare Secure Tunnel but with zero trust enabled.
I did it the following way:
Install OpnSense in a VM and connect it to two bridge networks
Set your upstream LAN connection as WAN and connect that to bridge 1 using iptables, so it gets passed from the host to OPNsense. Reserve port 8006 so you can manage Proxmox from within the LAN; otherwise it’ll only be reachable from VMs.
Connect all other VMs to the second bridge behind the OpnSense.
Configure your router to port forward all the ports you need, other than 8006, to your Proxmox machine. All that traffic should route to your OPNsense, from where you can reroute it as you want.
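The procedure above, as an added example that is not the commenter's own script. It assumes a layout the comment does not spell out (every name and address below is an assumption): the physical NIC `eno1` carries the host's LAN address, bridge 1 is `vmbr1` with the host at `10.0.0.1/24` and the OPNsense WAN at `10.0.0.2/24` using the host as its default gateway, and bridge 2 is `vmbr2` carrying the OPNsense LAN plus every other VM, with no host address on it. The script hands all inbound TCP/UDP on `eno1` to OPNsense except the ports in `RESERVED`, and with no arguments it only prints the rules so they can be reviewed before `--apply`.

```shell
#!/bin/sh
# Added example, not the commenter's script. Forward inbound traffic on the
# Proxmox host to the OPNsense VM's WAN address, keeping 8006 on the host.
# Assumed layout (change to match your network):
#   eno1  physical NIC with the host's LAN address
#   vmbr1 WAN-side bridge: host 10.0.0.1/24, OPNsense WAN 10.0.0.2/24,
#         OPNsense default gateway = 10.0.0.1
#   vmbr2 LAN-side bridge: OPNsense LAN and all other VMs, no host address
WAN_IF="${WAN_IF:-eno1}"
OPN_BR="${OPN_BR:-vmbr1}"
OPN_NET="${OPN_NET:-10.0.0.0/24}"
OPN_WAN="${OPN_WAN:-10.0.0.2}"
# Host TCP services that must NOT be handed to OPNsense (add 22 if you SSH
# to the host directly rather than through a VM).
RESERVED="${RESERVED:-8006}"

# Print the rules, one command per line. Order matters: the RETURN rules for
# reserved ports must precede the catch-all DNAT, otherwise 8006 would be
# forwarded too and the Proxmox UI would only be reachable from a VM.
gen_rules() {
    for p in $RESERVED; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j RETURN"
    done
    for proto in tcp udp; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto -j DNAT --to-destination $OPN_WAN"
    done
    # Outbound NAT so OPNsense (and everything behind it) reaches the internet
    # through the host.
    echo "iptables -t nat -A POSTROUTING -s $OPN_NET -o $WAN_IF -j MASQUERADE"
    # Forwarding policy: only the flows between eno1 and the OPNsense WAN.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $OPN_BR -d $OPN_WAN -j ACCEPT"
    echo "iptables -A FORWARD -i $OPN_BR -o $WAN_IF -s $OPN_NET -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# Apply for real: enable routing on the host, then run each printed rule.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;    # dry run: review the rules, then rerun with --apply
esac
```

Because the OPNsense WAN sits on a private bridge with the host as its gateway, replies to forwarded connections go back through the host, where conntrack reverses the DNAT; if the OPNsense WAN were instead placed directly on the LAN bridge, replies would bypass the host and the forwarded connections would break. Make the rules persistent (for example as `post-up` lines in `/etc/network/interfaces`, which is how Proxmox documents host NAT) so they survive a reboot.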
What are you using for a firewall? pfSense?
I use Cloudflare for my remote access… I have an LXC set up on a restricted VLAN and set up firewall rules to allow access to certain other parts of my network.
Originally, I had set up Cloudflare so I could access Proxmox, pfSense, and all my other servers directly. But I have since moved away from that because I don’t really trust Cloudflare to have direct access and visibility to my servers…
Instead, Cloudflare has access to only one server now… a Proxmox VM running Kasm. Within Kasm, I have set up “workspaces” that have access to all my servers. So, for example, you could set up a Brave browser “workspace” that is basically a local browser within your LAN, and you can use it to access all the server web portals. I have other workspaces that can access the server terminal via SSH. I even have some workspaces that can RDP into the server desktop environment.
So if Cloudflare gets compromised, they can only access Kasm… which is username/password protected, with two-factor authentication enabled (via an authenticator app on my phone).
A VPN works, but it is a bit of a pain, and extra complexity.
Personally I love SSH, allowing key only, dynamic port forwarding, and proxying to that port in your browser. I use FoxyProxy for that.
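The SSH approach just described, combined with the earlier suggestion of a jump host that is the only path to the hypervisor, as an added example (not either commenter's own configuration). It assumes a dedicated jump-host account `jump`, a Proxmox management address of `10.10.0.10`, a local SOCKS port of 1080 and a hostname `jump.example.net`; all of those are assumptions. The point it adds to the comment is that the `authorized_keys` options can pin a key to forwarding only, and only to the Proxmox UI and SSH ports, so a stolen laptop key cannot open a shell on the jump host or pivot elsewhere on the LAN.

```shell
#!/bin/sh
# Added example, not any commenter's setup: a key-only jump host whose one
# key may do nothing but forward (including SOCKS) to the Proxmox management
# address. Assumed values, adjust to your network:
PVE_MGMT="${PVE_MGMT:-10.10.0.10}"     # Proxmox management NIC address
ALLOWED_PORTS="${ALLOWED_PORTS:-8006 22}" # web UI and SSH on that host only
SOCKS_PORT="${SOCKS_PORT:-1080}"       # local SOCKS port the browser will use

# Build one authorized_keys line. "restrict" turns off pty, agent and X11
# forwarding, user-rc and port forwarding; "port-forwarding" re-enables only
# the forwarding, and each "permitopen" pins one destination host:port.
# sshd checks permitopen for every direct-tcpip channel, so it also bounds
# the destinations reachable through a -D (SOCKS) forward.
authorized_line() {   # $1 = public key text, e.g. "ssh-ed25519 AAAA... laptop"
    opts="restrict,port-forwarding"
    for p in $ALLOWED_PORTS; do
        opts="$opts,permitopen=\"$PVE_MGMT:$p\""
    done
    printf '%s %s\n' "$opts" "$1"
}

# sshd drop-in for /etc/ssh/sshd_config.d/50-jump.conf: keys only, no root,
# only the jump account, and local forwards only (no -R, no gateway ports).
sshd_dropin() {
    cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers jump
AllowTcpForwarding local
GatewayPorts no
X11Forwarding no
EOF
}

# Client side: open the SOCKS proxy, then point FoxyProxy (or the browser's
# proxy setting) at socks5://127.0.0.1:1080 and browse to
# https://10.10.0.10:8006 exactly as if you were on the LAN.
client_command() {
    echo "ssh -N -D $SOCKS_PORT -o ExitOnForwardFailure=yes jump@jump.example.net"
}

# Dry run: print what would be installed; copy it into place yourself.
echo "### ~jump/.ssh/authorized_keys"
authorized_line "${1:-ssh-ed25519 AAAA...PLACEHOLDER laptop}"   # placeholder key
echo "### /etc/ssh/sshd_config.d/50-jump.conf"
sshd_dropin
echo "### on the laptop"
client_command
```

After installing the drop-in, run `sshd -t` on the jump host before restarting it, and keep a second session open in case the `AllowUsers` line locks out the account you administer the box with. A key restricted this way can still be used from any source address; add a `from="..."` option to the same line if the client always comes from a known network.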
OpenVPN with a push route to the subnet that the Proxmox management NICs are on.
For me Tailscale, but if you have a MikroTik router and an iPhone, you can use the MikroTik app called “MikroTik Back to Home”. It will set up a WireGuard VPN to your home network even without a public IP address. Just a few clicks and it’s done in 2 mins tops.
Cloudflare or Twingate. Both are better than Tailscale and ZeroTier imo. Twingate is easier, Cloudflare more powerful.
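The WireGuard equivalent of the OpenVPN "push route to the management subnet" idea above, written as an added example that belongs to none of the commenters. It serves the several WireGuard replies in this thread as well: the client config carries an `AllowedIPs` entry for the management subnet only, so the laptop's other traffic never enters the tunnel, and the server config enforces the same limit in its firewall, because `AllowedIPs` on a client is a routing choice the client makes and not something the server can rely on. The tunnel range `10.8.0.0/24`, the management subnet `10.10.0.0/24`, the endpoint `vpn.example.net:51820` and the server LAN interface `eth0` are all assumptions; real keys are generated only when `wg` is installed, otherwise visible placeholders are printed.

```shell
#!/bin/sh
# Added example, not from any commenter. Generates a server wg0.conf and a
# client config where the client routes only the Proxmox management subnet
# through the tunnel and the server's FORWARD rules enforce that limit.
# Assumed values, adjust to your network:
TUNNEL_NET="${TUNNEL_NET:-10.8.0.0/24}"
SERVER_TUN_IP="${SERVER_TUN_IP:-10.8.0.1}"
CLIENT_TUN_IP="${CLIENT_TUN_IP:-10.8.0.2}"
MGMT_SUBNETS="${MGMT_SUBNETS:-10.10.0.0/24}"   # space separated, may list several
ENDPOINT="${ENDPOINT:-vpn.example.net:51820}"
LAN_IF="${LAN_IF:-eth0}"                       # server interface facing the LAN

# Real keys when wg is available, obvious placeholders otherwise.
genkey() { if command -v wg >/dev/null 2>&1; then wg genkey; else echo "PLACEHOLDER_PRIVATE_KEY"; fi; }
pubkey() { if command -v wg >/dev/null 2>&1; then echo "$1" | wg pubkey; else echo "PLACEHOLDER_PUBLIC_KEY"; fi; }

# Client AllowedIPs: the server's tunnel address (handy for ping) plus the
# management subnet(s). Deliberately no 0.0.0.0/0.
client_allowed_ips() {
    out="$SERVER_TUN_IP/32"
    for s in $MGMT_SUBNETS; do out="$out, $s"; done
    echo "$out"
}

# Server-side enforcement, run by wg-quick with %i expanded to the interface:
# tunnel peers may reach the management subnet(s), replies may come back,
# everything else from the tunnel is dropped. Needs net.ipv4.ip_forward=1.
server_postup() {
    rules="iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; "
    for s in $MGMT_SUBNETS; do
        rules="${rules}iptables -A FORWARD -i %i -d $s -j ACCEPT; "
    done
    rules="${rules}iptables -A FORWARD -i %i -j DROP; iptables -t nat -A POSTROUTING -s $TUNNEL_NET -o $LAN_IF -j MASQUERADE"
    echo "$rules"
}

render_server() {   # $1 = server private key, $2 = client public key
    cat <<EOF
[Interface]
Address = $SERVER_TUN_IP/24
ListenPort = 51820
PrivateKey = $1
PostUp = $(server_postup)
PostDown = $(server_postup | sed 's/ -A / -D /g')

[Peer]
# laptop; one [Peer] block per client, each with its own /32
PublicKey = $2
AllowedIPs = $CLIENT_TUN_IP/32
EOF
}

render_client() {   # $1 = client private key, $2 = server public key
    cat <<EOF
[Interface]
Address = $CLIENT_TUN_IP/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $ENDPOINT
AllowedIPs = $(client_allowed_ips)
PersistentKeepalive = 25
EOF
}

SPRIV=$(genkey); SPUB=$(pubkey "$SPRIV")
CPRIV=$(genkey); CPUB=$(pubkey "$CPRIV")
echo "### /etc/wireguard/wg0.conf (server)"; render_server "$SPRIV" "$CPUB"
echo "### laptop.conf (client)";             render_client "$CPRIV" "$SPUB"
```

Bring the server side up with `wg-quick up wg0`; the `PostUp` line is what actually keeps a connected peer away from everything but the management subnet, so it belongs on the server even if every client config is hand-written with the narrow `AllowedIPs`. `PersistentKeepalive` is for clients behind NAT, which is the usual case for a laptop or phone.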
If it is for management: simply use ssh?
Maybe I’m a psychopath, but I’ve just hooked the Proxmox web UI up through a reverse proxy.
Don’t worry, every login requires 2FA and my passwords are 30+ characters. No breach in more than 3 years.
But I know it’s not something to recommend to general public.