
Securely maintain distributed sites, machines and IoT devices remotely - without VPN client chaos and without a US SaaS sitting in the tunnel to the plant. We build sovereign remote access and remote management platforms with browser-based access (Apache Guacamole), WireGuard site connectivity, role-based access control and complete audit trails - proven in production at ABCO Water Systems and nextGYM. Here we explain the fundamentals, the security and compliance requirements (NIS2, IEC 62443) and the architecture behind them.
What is Apache Guacamole?
Apache Guacamole is a clientless remote desktop gateway: RDP, VNC, SSH and Telnet straight in the browser (HTML5), self-hosted and sovereign. Here is how.
VNC in the browser: HMI remote access
VNC in the browser for HMI remote access: reach Siemens, B&R and Beckhoff panels via Apache Guacamole with no client - tunneled securely over WireGuard.
Remote maintenance without a VPN client
Remote maintenance without a VPN client: clientless browser access via Apache Guacamole instead of per-technician VPN or per-device TeamViewer. Secure, central.
Self-hosted TeamViewer alternative (RustDesk)
RustDesk is an open-source, self-hostable TeamViewer alternative: your own ID and relay server, end-to-end encryption and full data sovereignty.
NIS2-compliant remote access
NIS2-compliant remote access: how NIS2UmsuCG and IEC 62443 require RBAC, MFA, full audit logging and just-in-time access - and how to implement it.
RBAC & audit for remote access
Role-based access control (RBAC) and tamper-evident audit trails for remote access: least privilege, session recording, NIS2 and IEC 62443 compliant.
What is ZTNA? (Zero Trust Network Access)
ZTNA grants per-application access instead of full network access - based on identity, device posture and context. Zero Trust Network Access vs. VPN explained.
IEC 62443 for remote access to OT
IEC 62443 for OT remote access: zones and conduits, security levels SL1-4, parts 62443-3-3 and 4-2, and what the standard concretely requires for secure access.
SSO & MFA for the remote-access portal
SSO and MFA for the remote access portal: central identity via SAML 2.0 and OIDC, MFA with TOTP, WebAuthn and passkeys, conditional access, SCIM provisioning.
Privileged access management & session recording
PAM and session recording for remote maintenance: just-in-time access, credential vaulting, four-eyes approval and SIEM export, NIS2 and IEC 62443 ready.
Remote maintenance & GDPR (data processing)
Remote maintenance and GDPR: when it is processing under Art. 28 needing a DPA, the Art. 32 security measures, plus third-country transfer and logging.
WireGuard for site connectivity
WireGuard for secure site-to-site connectivity across distributed plants: tunnels, NetBird and Headscale mesh, no open inbound port. Step by step.
What is NetBird? (Zero-trust mesh VPN)
NetBird is an open-source, WireGuard-based zero-trust mesh VPN: it connects servers, devices and sites encrypted and identity-based, without open inbound ports.
What is Headscale?
Headscale is an open-source, self-hosted implementation of the Tailscale control server: a WireGuard mesh without the Tailscale cloud, using official clients.
Expose internal services without a VPN
Expose internal web apps, dashboards and APIs securely - no open ports, no VPN for everyone. Use a self-hosted reverse proxy with an outbound tunnel and SSO.
Multi-tenant operator portal for plants
Multi-tenant operator portal for plants: separating operator, customer and end customer, per-tenant RBAC, white-label and OEM service portals explained.
OT/IT segmentation, DMZ & the Purdue model
OT/IT segmentation with a DMZ and the Purdue model for remote maintenance: jump host and browser gateway in the DMZ, IEC 62443 conduits, no direct PLC access.
SSH bastion / jump host
SSH bastion and jump host explained: ProxyJump, agent-forwarding risks, hardening with key-only, MFA and logging, when a mesh VPN (NetBird/ZTNA) replaces it.
Siemens S7 / PLC remote access without open ports
PLC remote access without open ports: never expose S7 or HMI online. Outbound WireGuard tunnel, browser HMI via Guacamole - a sovereign Ewon alternative.
NetBird vs Tailscale vs WireGuard
NetBird, Tailscale, Headscale and plain WireGuard compared: open source, self-hosting, control plane, IdP, ACLs and licenses. A sovereign decision guide.
OpenVPN vs WireGuard
OpenVPN vs WireGuard compared for businesses and site-to-site connectivity: protocol, performance, code size, security - and when to use which VPN.
Secure remote maintenance of machines & plants
Secure remote maintenance for machines and plants: WireGuard, Guacamole gateway, RBAC, full audit and NIS2 - your own platform, not a vendor cloud.
WZ-IT builds and runs Remote Access in production for companies - design, build and operations from one team.
Whether a specific IT challenge or just an idea - we look forward to the exchange. In a brief conversation, we'll evaluate together if and how your project fits with WZ-IT.
Timo Wevelsiep & Robin Zins
Managing Directors of WZ-IT