28.06.2026
Self-Host RustDesk 2026: the Sovereign TeamViewer Alternative Done Right
RustDesk has made unflattering headlines repeatedly in the first half of 2026: a botnet abusing the public server, a forced login on the demo server,...
Secure, self-hosted remote maintenance for your machine fleet - from a single plant to a whole fleet. Outbound WireGuard tunnel without open ports, HMI directly in the browser, role-based permissions and a complete audit trail. A sovereign alternative to Ewon Talk2M, IXON and Secomea, GDPR and NIS2 compliant.
Commercial remote-access boxes like Ewon with Talk2M, IXON or Secomea work - but every session to your machine runs through the vendor’s cloud, on the vendor’s terms and with the vendor’s data flow. Per-device fees scale with your machine fleet, and for a critical-infrastructure plant a third party sits right inside the tunnel.
Your own remote maintenance software hands control over tunnels, permissions and data residency back to you. It builds on proven open-source components - WireGuard, NetBird and RustDesk - and fits into your existing VPN and zero-trust structures.
This page is about remote-maintenance tooling for your own machines - secure access from a single plant up to a fleet. Two related but different topics:
These capabilities are already shipping in production industrial projects we built - we adapt them to your machine fleet instead of starting from zero each time.
The device at the machine establishes an outbound WireGuard tunnel. There is no inbound firewall rule, no port forwarding and no exposed IP - from the outside there is simply no open door for an attacker. This is the same pattern NetBird and RustDesk rely on.
Technicians open the HMI in the browser - RDP, VNC and SSH run over HTML5 via Apache Guacamole. No VPN client on the laptop, no plugin, no software rollout. Works for classical VNC panels and modern web HMIs alike.
Role-based permissions per user, machine and site. Every session is logged - who, when, which plant, from which IP, optionally with session recording. This is the evidence base NIS2 and ISO 27001 audits demand.
Remote maintenance runs on your infrastructure or in an EU data center - no vendor cloud, no US SaaS in the tunnel to your plant. You keep data sovereignty, satisfy the GDPR and stay independent of a vendor’s pricing and roadmap decisions.
You are locked into Ewon Talk2M, IXON Cloud or the Secomea ecosystem and want out of the foreign cloud and the per-device fees. We build the equivalent, self-hosted solution and migrate your machine fleet site by site.
Segmented access, documented permissions, encrypted tunnels and complete logs - built for the requirements of the NIS2 directive and the industrial security standard IEC 62443 for secure remote access to OT networks.
Anywhere machines sit distributed, must be serviced, and access has to be secure and traceable, your own remote maintenance software pays off.
OEMs maintaining shipped machines remotely - from a single plant to a worldwide fleet. Response times drop, the on-site field visit is avoided in most cases, and every access is cleanly documented.
Remote access to controllers and operator panels - Siemens S7 (TIA Portal, S7-1200/1500), Beckhoff, B&R, Rockwell. Push a program, change parameters, diagnose faults, without the PLC ever being directly reachable from the internet.
Energy, water, wastewater, telecommunications. Here remote maintenance is NIS2 and critical-infrastructure relevant: documented access, complete audits and EU data residency are mandatory, not optional. We deploy on European hosting providers using open-source components.
Service teams connect to the plant from headquarters, see live data and HMI, and resolve a large share of tickets remotely. If an on-site trip remains necessary, the technician arrives with a clear diagnosis and the right spare part.
Background guides on the building blocks of this page - from access without a VPN client to NIS2 compliance.
We map controllers, HMIs, network and compliance duties and set up a pilot site with an outbound tunnel and browser access. You service the first machine securely from afar - typically within two to three weeks.
Rollout across the machine fleet, including migration from Ewon Talk2M, IXON or Secomea. Roles, permissions and audit trail are set up centrally; old and new solutions run in parallel until the handover is complete.
Optional managed-operations contract: monitoring, patch management, CVE response and onboarding of new sites. Or handover to your team with documented runbooks and handover tests.
This page covers remote maintenance software as the tooling you use to securely service your own machines - from a single plant to a fleet. A remote management platform, in contrast, is a multi-tenant system you build for hundreds of end customers who each access their own plants. Put differently: remote maintenance software is the access tooling, the platform is the multi-tenant product around it.
Yes. We build an equivalent, self-hosted solution to Ewon Talk2M, IXON Cloud and Secomea - without a foreign vendor cloud and without per-device fees. Existing remote-access boxes can in most cases be reused or replaced step by step; we migrate your machine fleet site by site, running old and new solutions in parallel during the transition.
The device at the machine establishes an outbound WireGuard tunnel to your central server. Because the connection is initiated from the inside out, no inbound firewall rule, no port forwarding and no public IP are needed. From the outside the plant is unreachable - access runs exclusively through the authenticated tunnel and the browser gateway.
It is built for it. Segmented access, role-based permissions, encrypted tunnels and a complete audit trail cover the core requirements of the NIS2 directive and the industrial security standard IEC 62443 for secure remote access to OT networks. The audit logs are exportable for your SIEM and your compliance reports.
By default in a European data center (Hetzner, IONOS, OVHcloud, STACKIT) - GDPR compliant and NIS2 ready. On request we run it fully self-hosted on your own infrastructure (Proxmox, bare metal) in your own data center. In no case do your session data pass through a foreign vendor cloud.
We start with an assessment and a pilot site that proves secure remote access on a first machine. On that basis you receive a binding fixed price for the rollout - predictable, instead of usage-based per-device licenses. We agree the concrete scope individually with you.
No risk: worst case, you leave with a clearer understanding of your project than before.

28.06.2026
RustDesk has made unflattering headlines repeatedly in the first half of 2026: a botnet abusing the public server, a forced login on the demo server,...
26.06.2026
NIS2 is no longer an announcement, it is law in force: Germany's NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) has been in force since 6...
24.06.2026
Anyone who services machines and plants remotely knows the little boxes in the control cabinet: Ewon Cosy from HMS Networks, plus the Talk2M cloud that...
23.06.2026
On 26 February 2026, the US agency CISA issued a Binding Operational Directive ordering an actively exploited FortiOS zero-day to be patched or disabled within...
07.12.2025
NetBird and Twingate are both modern Zero-Trust Network Access (ZTNA) solutions aiming to replace traditional VPNs. But while Twingate relies on a proprietary cloud solution...
Whether a specific IT challenge or just an idea - we look forward to the exchange. In a brief conversation, we'll evaluate together if and how your project fits with WZ-IT.
Timo Wevelsiep & Robin Zins
Managing Directors of WZ-IT

