
S7/PLC Remote Access Without Open Ports

Timo Wevelsiep - Updated: 30.06.2026

Editorial note: Versions, commands and prices may change. Please verify critical steps independently before production use. This guide does not replace individual consulting.

Securely maintain Siemens S7 plants remotely? WZ-IT builds sovereign remote management platforms - PLC and HMI reachable in the browser, without a single open port at the plant.

S7/PLC remote access without open ports works by never exposing the controller to the internet. Instead of forwarding a port on the plant router, the site builds an outbound WireGuard tunnel to a central gateway - no inbound port, no port forwarding. The service technician reaches HMI and controller only through that gateway: the HMI clientless in the browser (Apache Guacamole over VNC), TIA Portal access through the same encrypted tunnel. This replaces hardware routers like Ewon, IXON or Secomea with a sovereign, self-hosted and vendor-independent platform.

The problem: PLCs and HMIs do not belong on the internet

A PLC is not a hardened web server. Siemens S7 communication (S7comm and S7commPlus) runs over ISO-on-TCP per RFC 1006 on TCP port 102; STEP 7, the TIA Portal and WinCC all address the controller over exactly this port (S7comm, Wireshark wiki). Forwarding that port to the internet makes the controller reachable worldwide - and automated scanning services find such hosts within minutes.

Vendors and agencies warn against this consistently. In every ICS advisory, CISA recommends minimizing the network exposure of control systems, ensuring they are not accessible from the internet, and isolating them behind firewalls from business networks (CISA advisory Siemens SIMATIC, 2026). HMIs are affected too: the built-in VNC (Remote Framebuffer, RFC 6143) is unencrypted out of the box and must never be reachable directly from the internet. An open port 102 or 5900 is not convenience - it is an entry point.

The solution: outbound WireGuard tunnel instead of a port forward

The key is the direction of connection setup. With an outbound tunnel the site initiates the connection - not the internet to the site. WireGuard is ideal for this: a lean, modern VPN protocol, part of the mainline Linux kernel since version 5.6 (2020), with fixed modern cryptography (Curve25519, ChaCha20-Poly1305) and UDP only.

This leaves no inbound port open at the plant router:

  • The site actively builds the tunnel outward to a central concentrator.
  • PersistentKeepalive keeps the connection open through NAT and firewall.
  • Only the central concentrator needs a reachable UDP endpoint - the plant itself does not.
  • The internet-facing attack surface on the controller is therefore zero.

How to connect a plant step by step in outbound-only mode is shown in the article on WireGuard site connectivity. The tunnel is the transport layer; everything else - HMI image, engineering access - runs encrypted inside it.

HMI in the browser: Guacamole and VNC without a client

Over the tunnel the technician reaches the HMI without installing local software. A clientless gateway like Apache Guacamole (version 1.6.0, published 22 June 2025, Apache License 2.0) builds the VNC session server-side and renders the panel image as HTML5 (canvas and WebSockets) in a normal browser tab. Siemens Comfort Panels expose a VNC server on port 5900 through the built-in Sm@rtServer; operator panels from B&R and Beckhoff as well as SCADA software bring VNC too.

The flow: technician logs in to the Guacamole portal (TLS, MFA), picks the machine, Guacamole builds the VNC session over the WireGuard tunnel on port 5900. The panel image arrives as a stream in the browser, input goes back the same way - and every session can be recorded and replayed in the browser. Details are in the article VNC in the browser.

TIA Portal and engineering access over the tunnel

A pure view of the HMI is enough for operation and diagnostics. For real engineering - downloading blocks, online diagnostics, force tables - the TIA Portal needs access to port 102 on the PLC. Over the tunnel there are two clean ways:

  1. Engineering VM at the site (recommended): A Windows VM with the TIA Portal sits near the plant inside the OT segment. The technician operates it clientless via RDP through Guacamole. The S7 traffic (port 102) never leaves the local OT network - only the RDP image travels the tunnel. This is auditable, low-latency and decouples the engineering version from the technician's hardware.
  2. Routed workstation subnet: Via AllowedIPs the OT subnet is routed into the tunnel so the TIA Portal on the technician laptop reaches the PLC directly on port 102. Flexible, but the engineering tool then runs outside the controlled zone.

Either way: port 102 stays in the internal OT segment, and access is authenticated, role-based and logged. That fits the zones-and-conduits model of IEC 62443, which treats remote access as a controlled conduit with VPN and MFA - not as an open path.
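As an added example (not code from the article or from WZ-IT), a small Python checker that parses a constructed plant-side wg-quick config and flags settings that contradict the outbound-only model described above and the AllowedIPs scoping of option 2: a ListenPort on the plant side, a peer without Endpoint or PersistentKeepalive, or AllowedIPs that route everything into the tunnel. All keys, hostnames and addresses are placeholders.

```python
import ipaddress

# Constructed plant-side wg0.conf in outbound-only mode (placeholder keys and
# hostname, not real values): no ListenPort, AllowedIPs scoped to the gateway.
SITE_CONF = """\
[Interface]
PrivateKey = SITE_PRIVATE_KEY_PLACEHOLDER
Address = 10.200.0.12/32

[Peer]
PublicKey = CONCENTRATOR_PUBLIC_KEY_PLACEHOLDER
Endpoint = concentrator.example.invalid:51820
AllowedIPs = 10.200.0.1/32
PersistentKeepalive = 25
"""


def parse_wg(text):
    """Minimal wg-quick parser: returns ({interface keys}, [peer dicts])."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            section = {}
            peers.append(section)
        elif section is not None:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return interface, peers


def check_outbound_only(text):
    """Return findings that contradict the outbound-only model; [] means clean."""
    interface, peers = parse_wg(text)
    findings = []
    if "ListenPort" in interface:
        findings.append("ListenPort on the plant side: only the concentrator needs a reachable UDP port")
    for n, peer in enumerate(peers, 1):
        if "Endpoint" not in peer:
            findings.append(f"peer {n}: no Endpoint, so the site cannot initiate the tunnel")
        keepalive = peer.get("PersistentKeepalive", "0")
        if not (keepalive.isdigit() and int(keepalive) > 0):
            findings.append(f"peer {n}: PersistentKeepalive missing, NAT/firewall state will expire")
        for cidr in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"peer {n}: AllowedIPs {cidr} sends all traffic into the tunnel; scope it")
    return findings
```

For the routed-workstation variant, the same AllowedIPs check on the concentrator side should list the plant's OT subnet explicitly rather than a catch-all prefix.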

Ewon, IXON, Secomea - and the sovereign alternative

Hardware routers like Ewon (with the Talk2M cloud), IXON or Secomea solve the same base problem with an outbound tunnel - but into the vendor's cloud and bound to their hardware. For a single machine that is quick to install. Across multiple sites, with your own audit and sovereignty requirements, the dependency becomes the problem.

Criterion              | Self-hosted (WireGuard + Guacamole) | Hardware router (Ewon/Talk2M, IXON, Secomea)
-----------------------|-------------------------------------|---------------------------------------------
Tunnel endpoint        | Your own EU infrastructure          | Vendor's cloud
Vendor lock-in         | None (open source)                  | Hardware + vendor cloud
Open inbound port      | None (outbound-only)                | None (outbound-only)
HMI in the browser     | Yes, clientless (HTML5)             | Sometimes app/client needed
TIA Portal access      | Over tunnel, port 102 internal      | Over cloud tunnel
RBAC / audit           | Free, fine-grained, complete        | Predefined, vendor-dependent
Scaling across sites   | Multi-tenant, central               | Per device / per connection
Data sovereignty       | Fully with you                      | With the cloud provider

The sovereign alternative reverses the dependency: WireGuard and Guacamole are open source, the tunnel to the plant terminates on your own EU infrastructure, and there is no path that must traverse an external SaaS provider. The building blocks and how they form a platform are described in the overview Secure remote maintenance of machines and plants.

Secure, logged remote access is now a regulatory matter for many operators. The German NIS2 implementation law (NIS2UmsuCG) came into force on 6 December 2025 and requires, among other things, risk management, access control, MFA and logging; the original BSI registration deadline (6 March 2026) was extended to 31 July 2026 due to low registration numbers. IEC 62443 provides the technical frame with its zones-and-conduits model and the requirement to route remote access through controlled conduits.

The setup described here - no open port, encrypted tunnel, browser gateway with RBAC and audit - covers these expectations technically. This article is general information and not legal advice. We are engineers, not lawyers - the legal assessment of an individual case belongs in qualified hands.

How WZ-IT does this in practice

We build sovereign remote management platforms where PLC and HMI access is bundled through a browser portal: WireGuard connects the sites outbound, Guacamole serves VNC and RDP over TLS, every session is role-based and logged. For ABCO Water Systems in Australia we operate exactly this remote access to distributed water treatment plants including HMI operation in the browser - without individual VPN clients, without open ports at the plants, with a central audit trail.

Want to set up your S7/PLC remote access without open ports, or replace a hardware router? Get to know us.

You'd rather not run Remote Access yourself? WZ-IT handles setup, operations and maintenance – GDPR-compliant from Germany.

Frequently Asked Questions

Answers to the most important questions

By never exposing the PLC to the internet. The site builds an outbound WireGuard tunnel to a central gateway - no port forwarding, no inbound port on the plant router. The technician reaches controller and HMI only through that gateway, restricted by RBAC to the released devices.

S7 communication (S7comm/S7commPlus) runs over ISO-on-TCP (RFC 1006) on TCP port 102. STEP 7, the TIA Portal and WinCC all talk to the PLC over this port. Port 102 must never be reachable from the internet - it belongs in the internal OT segment behind the tunnel.

Yes. The TIA Portal reaches the PLC over port 102 as if it were on the local network. In practice the TIA Portal runs on an engineering VM near the plant that the technician operates via RDP in the browser (Guacamole), so the S7 traffic never leaves the OT segment. Alternatively the workstation subnet is routed into the tunnel via AllowedIPs.

Through a clientless gateway like Apache Guacamole. It builds the VNC session to the HMI (e.g. a Siemens Comfort Panel via the Sm@rtServer on port 5900) server-side and renders the panel image as HTML5 in a normal browser tab. The endpoint only needs a current browser.

A self-hosted platform built from WireGuard and Apache Guacamole. It runs on your own EU infrastructure, has no vendor lock-in and is vendor-independent - the tunnel to the plant does not terminate in a third party's cloud. Hardware routers from Ewon (Talk2M), IXON or Secomea install quickly but tie you to their hardware and cloud.

Yes. A port forward makes the PLC reachable from the internet - automated scanners find such hosts within minutes. An outbound WireGuard tunnel opens no inbound port at the site; the plant initiates the connection itself. The internet-facing attack surface is zero, and access runs only through an authenticated, audited gateway.

It covers core expectations: encrypted connection, no direct internet path, RBAC with MFA and complete audit. That maps to the zones-and-conduits model of IEC 62443 and the expectations of the NIS2 implementation law. This article is general information and not legal advice.

Timo Wevelsiep & Robin Zins - Managing Directors of WZ-IT
