The Surprisingly Messy Art of Running a Remote Proxmox Server With Zero Inbound Access

If you've ever run a homelab, you already know the truth no one likes to admit out loud: the gear is never the hard part. It's the networking — always the networking — that eventually melts your brain. And nothing proves that faster than trying to run a Proxmox host in someone else's house when you're told, politely but firmly, that you're getting no inbound access whatsoever. That's the setup one home server tinkerer found themselves in. A friend with spare space offered to host a full-on beefy machine — 16 cores, 128GB RAM, a proper little lab-in-a-box. A total win, except for the tiny detail that the friend was only offering outbound traffic, no port forwarding, no firewall exceptions, no "just crack open 8006 for me bro." So the question becomes: how do you operate a Proxmox machine you can't actually reach? Turns out, people who've done it have a lot to say, and most of it lands somewhere between surprisingly practical and weirdly creative. Networking nerds never disappoint. ## The First Instinct: "Just Use a VPN" The original plan was simple enough: install OpenVPN on the Proxmox host, connect it back home to an already-running VPN server, and call it a day. And honestly? That does work. A bunch of people do exactly that. But it was also pretty clear that OpenVPN isn't the favored flavor these days. A lot of replies essentially said: OpenVPN works, but… why do this to yourself? One commenter put it bluntly: WireGuard basically outperforms it at everything that matters — cleaner routing, better speeds, fewer headaches. Another person mentioned they migrated all their OpenVPN setups to WireGuard and haven't looked back since. And when folks in the homelab world agree on something, that's usually a sign. So the baseline became: run a lightweight WireGuard client on the Proxmox host or on a router at your friend's place, dial the tunnel straight back to your home network, and you're in. Except it's never quite that clean. ## Tiny Routers, Big Brains One of the most upvoted suggestions was to keep VPN duties off the Proxmox host entirely. If the host crashes or misbehaves, the last thing you want is for the one thing that gives you access — the VPN — to go down with it. The solution? Drop in a MikroTik box or some other tiny router that can hold a WireGuard tunnel open no matter what Proxmox is doing. Plenty of people swear by this tactic. One person said it gives them uninterrupted access even during updates or reboots, and lets them reach IPMI/iLO/DRAC when things really go sideways. Another suggested using a small GL.iNet travel router that happily pushes 500+ Mbps through WireGuard even though its Wi-Fi might not matter at all here. The logic is simple: If the hypervisor is the thing you're trying to reach, don't put your lifeline inside it. That's how you end up locked out, staring at a dead web UI with no way home. ## The Now-Obvious Favorite: Tailscale Of course, it took approximately six minutes for someone to suggest Tailscale — and then several more people came piling in with near-evangelical energy. You'd think Tailscale was a religious experience the way homelabbers talk about it. But it does make sense. No inbound access? No problem. No port forwarding? Doesn't matter. Need something you can install almost anywhere and forget about for six months at a time? Yep, that's the branding. One person even said you can test the whole thing before deploying it by turning off Wi-Fi on your phone, hopping onto your cellular network, and connecting from there just to prove everything works. It's basically the homelab version of "try it on airplane mode." Another user said they run Tailscale inside a lightweight container and simply designate it as a subnet router — which is Tailscale-speak for "everything behind me is also reachable." That allowed them to hit the Proxmox host's local IP even before the whole setup was in place. It may sound too easy, but Tailscale earns that reputation for a reason. ## Cloudflare Tunnel: The "Works From Any Browser" Trick But here's where the thread took a different turn. Not everyone can use Tailscale — one commenter said their workplace blocks it outright. That's where Cloudflare Tunnel shows up as the alternative for people who just want "give me a URL that gets to my Proxmox dashboard." It works because Cloudflare Tunnel connects outward to Cloudflare's network, so even a heavily locked-down environment can usually open the tunnel without inbound rules. With it, people set up a subdomain like: pve.example.com And suddenly they have a neat, HTTPS-protected, Cloudflare-authenticated doorway into their host. One person pointed out the nice extra layer here: Cloudflare handles authentication before the request even touches your server. If the credentials aren't correct, the attacker never gets within shouting distance of Proxmox. There's a catch, obviously — you have to trust Cloudflare with the keys to the castle. Someone else chimed in with "Pangolin is a better alternative if you don't want to trust Cloudflare," but that's a whole other rabbit hole. Still, Cloudflare Tunnel earned a surprising amount of support. ## When People Get Fancy: VXLan, NATed Virtual Networks, and Full-On Routing Some folks didn't stop at "get me into the host." They built full-blown network topologies so their remote VMs wouldn't steal IP addresses from the friend's LAN or expose themselves on a network they don't control. One user described a pretty elegant setup: Proxmox host gets one LAN IP. Everything else — VMs, containers, the whole carnival — lives behind a custom VNet using NAT. A WireGuard tunnel connects the host back home. A router on the home side knows how to reach the remote VNet, so devices at home can talk to machines at the friend's place like they're on the same network. It's a clever way to be a good guest: you don't clutter your friend's DHCP pool with a dozen weird VMs. Another person said they run an OPNSense or pfSense VM on Proxmox and let that be the VPN endpoint. It's a little ironic — running your firewall in a VM on the machine you're trying to reach — but with a stable upstream and good snapshots, it actually works. Homelab folks get creative fast. ## If You Only Take One Piece of Advice… Bring Remote Power Control There's a moment in almost every long-distance homelab story where someone quietly confesses the one time they knocked themselves completely offline because of a bad firewall rule or broken network config. And several users in the thread tried to help the OP avoid repeating their mistakes. Multiple people recommended dropping in a PicoKVM, JetKVM, Waveshare board, or some other tiny IP-KVM with an integrated power relay. It's the homelab version of hiding a spare key under a rock. You never need it until the day you absolutely need it. And when you do, it's the difference between fixing a misconfigured interface from your couch or begging your friend to go unplug and replug a machine while you sit there hoping Proxmox comes back up. If you're running a remote hypervisor, an out-of-band access device isn't optional — it's insurance. ## So What's the Right Answer? Honestly? That's the fun part: everyone has their own version of "right" here. But if you blend the most useful advice from the thread, you get something like this: 1. Put a WireGuard or Tailscale endpoint on a dedicated router at your friend's place. Keeps access alive even when the host misbehaves. 2. Only give the Proxmox host a single reserved IP on their network. Everything else should live behind a private VNet, NAT, or OPNSense/pfSense VM. 3. Add a Cloudflare or Pangolin tunnel if you want browser access without a VPN. Great for convenience, but use strong authentication. 4. And for your own sanity: install a remote KVM with power control. Because you will break networking someday. The whole process sounds complicated — and it is — but it's the kind of complexity homelabbers enjoy. It's messy, slightly over-engineered, and full of little "oh that's clever" moments, the sort of puzzle only worth solving if you love this stuff. And that's probably why threads like this are fun to read. Setting up a remote Proxmox host isn't just a technical challenge. It's a kind of collaborative art form, where half a dozen people show up with battle scars and say, "Here's how I kept my machine online. Hopefully it saves you a weekend." If anything, that's the real joy of homelabbing: not the hardware, not even the software — but the shared stories of everything that goes wrong and all the weird solutions people dream up to keep the lights on.