
Remote Maintenance Without a VPN Client: Clientless Browser Access

Timo Wevelsiep, updated: 30.06.2026

Editorial note: Versions, commands and prices may change. Please verify critical steps independently before production use. This guide does not replace individual consulting.

Remote maintenance without a VPN client means your technicians no longer install VPN software or a remote-access agent on their own machine. They open a browser, sign in to a central gateway and work directly on the plant, machine or server. This is made possible by a clientless browser gateway such as Apache Guacamole (currently version 1.6.0, released 22 June 2025), which renders RDP, VNC and SSH entirely in the browser. The connection to the site runs in the background over a WireGuard tunnel set up once, not over a per-person VPN client.

The result is a different operating model: access is granted and revoked centrally, every session is logged, and there is no longer a collection of half-maintained VPN profiles spread across dozens of laptops.

What "without a VPN client" really means

Classic remote maintenance comes in two flavors, both of which scale poorly. Either every technician gets a VPN client with their own profile and key per site, or an agent like TeamViewer or AnyDesk is installed on every target device. Both create sprawl: profiles go stale, agents keep running unchecked, and during offboarding someone has to remember to clean up in many places.

Clientless access flips this around. The gateway is the only entry point. Server-side it speaks the remote-access protocols (RDP for Windows systems, VNC for HMIs and Linux desktops, SSH for the command line) and renders the session as HTML5 in the browser. Only the browser runs on the endpoint, with no plug-in, no agent and no locally stored key. That is exactly what "clientless" means.

The architecture: one WireGuard tunnel, one browser gateway

Clean remote maintenance without a VPN client consists of two clearly separated layers:

  • Backend, once per site: A WireGuard tunnel connects the remote network (machine network, plant, IoT segment) to the gateway in encrypted form. WireGuard has been part of the mainline Linux kernel since version 5.6 (March 2020), is lean, built on modern cryptography (Curve25519, ChaCha20-Poly1305) and therefore both fast and easy to audit. You set up this connection once.
  • Frontend, for the staff: The browser gateway publishes reachable devices as named connections. Anyone with a role sees exactly the devices they are authorized for and nothing beyond that.

The decisive point: the tunnel complexity stays in the backend. Staff never interact with WireGuard directly. We cover the pure site connectivity in more detail on our WireGuard page.

Why clientless replaces VPN and TeamViewer sprawl

| Aspect | VPN client per technician | Agent per device (TeamViewer/AnyDesk) | Clientless gateway |
|---|---|---|---|
| Rollout / onboarding | Profile + key per person and site | Install on every target device | Account + role, no software rollout |
| Revoking access | On each endpoint individually | Uninstall / block agent | Disable once, centrally |
| Audit trail | Fragmented, per client | At the vendor, sometimes limited | One continuous log |
| Attack surface | Many VPN endpoints | Many always-on agents | One hardened entry point |
| Data sovereignty | Own infrastructure | Vendor cloud | Own infrastructure |

The difference shows up day to day: when someone leaves or changes projects, access is gone in seconds, without anyone walking to ten laptops or twenty machines.

Security: roles, short-lived sessions, one audit trail

Clientless access is not automatically secure, but it makes security centrally enforceable. In practice this includes:

  • Role-based access control (RBAC): Each role only gets the devices and protocols it actually needs, following the principle of least privilege. See the article on RBAC and audit for remote access.
  • Multi-factor authentication (MFA): Enforced at the gateway, not optional on individual clients.
  • Short-lived sessions: Access is time-bound and expires automatically instead of staying open indefinitely. External service providers get access only for the specific maintenance window.
  • Complete audit trail: Who was on which device and when? Sessions can be logged and optionally recorded, which greatly simplifies traceability and forensics.
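The following added example (not part of the original article and not code from Apache Guacamole) shows how the points above can be checked against a gateway's audit trail: it flags grants that never expire, sessions without MFA, sessions on a device or protocol the user was never granted, and sessions that ran past the granted window. The record shapes, user names and device names are assumptions constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime

# Hypothetical record shapes for this example; a real gateway export differs.
# not_after=None means the grant never expires.
Grant = namedtuple("Grant", "user device protocol not_before not_after")
Session = namedtuple("Session", "user device protocol start end mfa")

def audit(grants, sessions):
    """Return (finding, user, device) tuples for grants and sessions that break policy."""
    findings = [("grant-without-expiry", g.user, g.device)
                for g in grants if g.not_after is None]
    for s in sessions:
        if not s.mfa:
            findings.append(("session-without-mfa", s.user, s.device))
        # RBAC scope: the grant must match user, device and protocol exactly.
        scoped = [g for g in grants
                  if (g.user, g.device, g.protocol) == (s.user, s.device, s.protocol)]
        if not scoped:
            findings.append(("session-without-grant", s.user, s.device))
        elif not any(g.not_before <= s.start and
                     (g.not_after is None or s.end <= g.not_after) for g in scoped):
            findings.append(("session-outside-window", s.user, s.device))
    return findings

def t(hhmm):
    """Timestamp on the constructed sample day."""
    return datetime.fromisoformat("2026-03-02T" + hhmm)

# Constructed sample data, not taken from any real system.
GRANTS = [
    Grant("alice", "hmi-01", "vnc", t("00:00"), None),
    Grant("vendor-x", "eng-station-01", "rdp", t("08:00"), t("12:00")),
]
SESSIONS = [
    Session("vendor-x", "eng-station-01", "rdp", t("09:00"), t("10:00"), True),
    Session("vendor-x", "eng-station-01", "rdp", t("11:30"), t("12:45"), True),
    Session("vendor-x", "hmi-01", "ssh", t("09:15"), t("09:20"), True),
    Session("alice", "hmi-01", "vnc", t("14:00"), t("14:30"), False),
]

if __name__ == "__main__":
    for finding in audit(GRANTS, SESSIONS):
        print(*finding)
```
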

These properties map directly onto regulatory requirements. The German NIS2 implementation law (NIS2UmsuCG) came into force on 6 December 2025 and obliges roughly 29,500 companies across 18 sectors (threshold typically 50 employees or 10 million euros annual turnover) to adopt risk-management measures including access control, cryptography and multi-factor authentication; violations can incur fines of up to 10 million euros. The 2024 edition of IEC 62443 (IEC 62443-2-1:2024) likewise makes the asset owner responsible for standardizing, securing and documenting remote access. A central gateway with RBAC, MFA and audit meets these points far more easily than scattered VPN clients. We go deeper in NIS2-compliant remote access. This article is general information and not legal advice.

Distinction: consumer tools and hardware routers

Two alternatives come up repeatedly in the field, and both solve a different problem than a sovereign gateway:

  • Consumer and helpdesk tools (TeamViewer, AnyDesk): Quick for the one-off case, but installed per device and routed through the vendor cloud. Central roles, a unified audit and data sovereignty are missing or only partially available. For regulated remote maintenance across many sites this does not scale.
  • Hardware routers (Ewon Cosy by HMS Networks, IXON IXrouter): A router is installed per machine that dials outbound into the respective vendor cloud; access happens through their portal. This is robust for individual machines but ties you to proprietary hardware and a third-party cloud platform whose data is often processed outside the EU.

| Criterion | TeamViewer / AnyDesk | Ewon / IXON | WireGuard + browser gateway |
|---|---|---|---|
| Required per person/device | Agent per device | Router per machine | Browser only |
| Data flow | Vendor cloud | Vendor cloud | Own infrastructure |
| Vendor lock-in | High | High (hardware + cloud) | None |
| Central roles & audit | Limited | Platform-dependent | Complete |
| Sovereignty / GDPR | Restricted | Restricted | Full, from Germany |

A WireGuard tunnel plus browser gateway combines the best of both: the one-time, robust site connectivity of the router world and central, clientless operation, without tying yourself to a consumer cloud.

From practice

We run exactly this architecture in production. For ABCO Water Systems in Australia we maintain industrial water-treatment plants across distributed sites: HMIs and controllers are not reachable from the internet but sit behind WireGuard tunnels, and staff work role-based in the browser. For nextGYM we manage an IoT device fleet through the same clientless logic, without rolling out an agent per device.

If you want to replace VPN and TeamViewer sprawl with clean, sovereign access, we build and operate the right remote management platform for you, from WireGuard connectivity and the browser gateway to roles and audit. Book a free initial consultation.


Frequently Asked Questions

Answers to the most important questions

Yes. No VPN software and no remote-access agent is installed on the technician's own machine. Access runs through a browser-based gateway such as Apache Guacamole, which renders RDP, VNC and SSH inside the browser. A WireGuard tunnel connects the site to the gateway once and stays in the backend, so the user only needs a current browser and their credentials.

TeamViewer and AnyDesk are consumer and helpdesk tools that install an agent on every endpoint and route traffic through the vendor's cloud. A clientless gateway runs on your own infrastructure with central roles, short-lived sessions and one continuous audit trail. There is no sprawl of individual installations and no data flowing through a third-party SaaS.

It is more secure because the attack surface is smaller and centrally controllable. Instead of VPN access on many laptops there is one hardened entry point with MFA, role-based access control (RBAC), short-lived sessions and full logging. Access is revoked in one place, not on each endpoint. The actual site connection uses WireGuard with modern cryptography.

Usually yes, but only once per site. WireGuard forms the encrypted tunnel between the remote network (machine, plant, IoT device) and the gateway. You set up this connection once, after which all authorized people reach the devices through the browser. Nobody distributes WireGuard or OpenVPN profiles to individual technicians anymore.

Yes. Via VNC and RDP you operate HMI panels, industrial PCs and engineering stations directly in the browser without exposing the machine to the internet. It stays behind the WireGuard tunnel, and access is limited to roles and time windows. We run this in production at ABCO Water Systems for industrial plants.

It supports key requirements. The German NIS2 implementation law (in force since 6 December 2025) requires access control, multi-factor authentication and traceable logging, among other measures. IEC 62443 makes the asset owner responsible for secure, documented remote access. A central gateway with RBAC and audit meets these points far more easily than scattered VPN clients. This is general information and not legal advice.

Ewon (HMS Networks) and IXON deploy a hardware router per machine that dials outbound into the respective vendor cloud. This works but ties you to proprietary hardware and a third-party cloud platform. A sovereign architecture of WireGuard plus browser gateway keeps the data in your own, GDPR-compliant infrastructure and avoids vendor lock-in.
