Secure Remote Access to Proxmox VE
Learn how to securely access your Proxmox VE server remotely using VPNs, reverse proxies, Cloudflare Tunnel, SSH tunneling, API tokens, and two-factor authentication.
The Challenge of Remote Proxmox Access
By default, the Proxmox VE web interface listens on port 8006 and is only accessible from your local network. This works fine when you are physically present, but modern infrastructure management demands remote access. Whether you manage a homelab from the office, administer client servers across cities, or need to respond to emergencies while traveling, you need a secure way to reach your Proxmox nodes from anywhere.
The key word here is secure. Simply forwarding port 8006 on your router and calling it done is a recipe for disaster. The Proxmox web interface is a high-value target — it provides full control over your hypervisor, virtual machines, and potentially your entire network. This guide covers every proven method for secure remote access, from VPNs to Cloudflare Tunnels.
Option 1: VPN Access
A VPN is the gold standard for remote access. It creates an encrypted tunnel between your device and your network, making it appear as if you are physically connected to the local network. Once connected, you can access Proxmox's web UI, SSH, and API just as you would locally.
WireGuard (Recommended)
WireGuard is the modern choice: fast, lightweight, and easy to configure. It has been built into the Linux kernel since version 5.6 and works beautifully on mobile devices.
# Install WireGuard on a Debian/Proxmox host
apt-get update && apt-get install -y wireguard
# Generate server keys (umask 077 keeps the private key and wg0.conf readable by root only)
umask 077
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
# Create server configuration
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = $(cat /etc/wireguard/server_private.key)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o vmbr0 -j MASQUERADE
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_HERE
AllowedIPs = 10.10.10.2/32
EOF
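# Let the host route VPN traffic on to the LAN; the FORWARD and MASQUERADE rules have no effect without it
# (add the setting to /etc/sysctl.d/ to keep it across reboots)
sysctl -w net.ipv4.ip_forward=1
# Enable and start WireGuard
systemctl enable --now wg-quick@wg0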
On your phone, install the WireGuard app, import the client configuration, and connect. You can now access the Proxmox web UI at https://10.10.10.1:8006 or use ProxmoxR to manage your cluster through the VPN tunnel with a native, touch-optimized interface.
OpenVPN
OpenVPN is the older, more established option. It is more complex to set up but has broader compatibility with corporate firewalls since it can run over TCP port 443. Consider OpenVPN if WireGuard is blocked on your network.
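# Quick OpenVPN setup using the community install script
wget https://git.io/vpn -O openvpn-install.sh
# Read the script before running it: it executes as root on your hypervisor
less openvpn-install.sh
bash openvpn-install.sh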
Option 2: Reverse Proxy
A reverse proxy sits between the internet and your Proxmox server, handling SSL termination, access control, and optional authentication. This is useful when you want to access Proxmox via a domain name with a proper SSL certificate.
Nginx Reverse Proxy
# /etc/nginx/sites-available/proxmox
upstream proxmox {
    server 192.168.1.10:8006;
}
server {
    listen 443 ssl http2;
    server_name proxmox.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/proxmox.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/proxmox.yourdomain.com/privkey.pem;
    proxy_redirect off;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://proxmox;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Traefik
If you are already running Traefik as your reverse proxy, adding Proxmox is straightforward. Traefik handles Let's Encrypt certificate generation automatically and has excellent Docker integration.
Option 3: Cloudflare Tunnel
Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound-only connection from your network to Cloudflare's edge. This means you do not need to open any inbound ports on your firewall — the tunnel reaches out to Cloudflare, and Cloudflare routes traffic to your Proxmox server.
# Install cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb
# Authenticate with Cloudflare
cloudflared tunnel login
# Create a tunnel
cloudflared tunnel create proxmox-tunnel
# Configure the tunnel
cat > ~/.cloudflared/config.yml <<EOF
tunnel: YOUR_TUNNEL_ID
credentials-file: /root/.cloudflared/YOUR_TUNNEL_ID.json
ingress:
  - hostname: proxmox.yourdomain.com
    service: https://localhost:8006
    originRequest:
      # Skips certificate checks on the local hop only, because Proxmox uses a self-signed certificate by default
      noTLSVerify: true
  - service: http_status:404
EOF
# Create a DNS record and run the tunnel
cloudflared tunnel route dns proxmox-tunnel proxmox.yourdomain.com
cloudflared tunnel run proxmox-tunnel
The advantage of Cloudflare Tunnel is that your Proxmox server has zero inbound ports exposed. The downside is that your traffic passes through Cloudflare's network, which may not be acceptable for all use cases.
Option 4: SSH Tunneling
SSH tunneling is the quickest ad-hoc method for remote access. If you already have SSH access to your Proxmox node, you can create a tunnel in seconds:
# Create an SSH tunnel from your local machine to Proxmox web UI
ssh -L 8006:localhost:8006 root@your-proxmox-ip
# Now access Proxmox at https://localhost:8006 in your browser
This is ideal for one-off access but is not practical as a permanent solution since the tunnel must be manually established each time.
API Tokens for Remote Tools
When using remote management tools — scripts, automation platforms, or mobile apps like ProxmoxR — API tokens are the preferred authentication method. They are more secure than passwords because they can be individually revoked, scoped to specific permissions, and do not expose your admin credentials.
# Create an API token for remote tool access
# (-privsep 0: the token inherits every permission of admin@pve)
pveum user token add admin@pve remote-access -privsep 0
# The output will show the token value — save it securely
# Format: PVEAPIToken=admin@pve!remote-access=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# To create a privilege-separated token with limited access:
pveum user token add admin@pve monitoring-only -privsep 1
pveum aclmod / -token 'admin@pve!monitoring-only' -role PVEAuditor
ProxmoxR supports API token authentication natively, letting you connect to your cluster without storing your admin password on your phone. If your phone is compromised, you simply revoke the token from any Proxmox node without affecting other access methods.
Two-Factor Authentication
Regardless of which remote access method you choose, two-factor authentication (2FA) adds a critical security layer. Proxmox VE supports TOTP (Time-based One-Time Password) and hardware security keys (FIDO2/U2F).
# Enable TOTP for a user
pveum user modify admin@pve -tfa type=totp
# The web UI will display a QR code to scan with your authenticator app
# After setup, every login requires both password and TOTP code
When using 2FA with remote access tools, note that API tokens bypass the TOTP requirement (they are a separate authentication mechanism), which is another reason to prefer tokens over password-based authentication for tools and apps.
ProxmoxR for Secure Mobile Access
All the remote access methods above work for browser-based access, but the Proxmox web UI was not designed for mobile screens. ProxmoxR solves this by providing a native mobile interface that connects directly to the Proxmox API over any of the access methods described above.
ProxmoxR works over:
- Direct local connections when on the same network
- VPN tunnels (WireGuard, OpenVPN) for secure remote access
- Reverse proxies with proper SSL certificates
The app supports API token authentication, handles self-signed certificates gracefully, and provides full management capabilities including monitoring, power control, console access, and firewall management — all optimized for touch and mobile screen sizes.
Security Checklist
Before enabling remote access to your Proxmox server, review this checklist:
- Never expose port 8006 directly to the internet without a VPN, reverse proxy, or tunnel in front of it.
- Use strong, unique passwords for all Proxmox accounts.
- Enable two-factor authentication on all accounts that use password-based login.
- Use API tokens for tools and apps instead of storing passwords.
- Keep Proxmox updated — security patches are released regularly.
- Monitor access logs at /var/log/pveproxy/access.log for suspicious activity.
- Use fail2ban to block brute-force login attempts.
- Restrict API access by IP if your remote IPs are predictable.
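One way to act on the log-monitoring item above, as an added example that is not part of the original guide: a shell function that counts rejected login (ticket) requests per client and flags clients that later logged in successfully. The sample lines are constructed, and the field layout (`ip - user [date tz] "METHOD path PROTO" status bytes`) is an assumption; adjust the field numbers if your pveproxy log differs.

```shell
#!/usr/bin/env bash
# Added example: summarise failed Proxmox logins per client address.
# Assumed line layout: ip - user [date tz] "METHOD path PROTO" status bytes

# Constructed sample lines; 203.0.113.7 and 198.51.100.9 are documentation addresses.
sample_log() {
  cat <<'EOF'
::ffff:192.168.1.20 - root@pam [16/02/2024:09:12:44 +0100] "GET /api2/json/cluster/resources HTTP/1.1" 200 2345
::ffff:203.0.113.7 - - [16/02/2024:09:13:01 +0100] "POST /api2/extjs/access/ticket HTTP/1.1" 401 -
::ffff:203.0.113.7 - - [16/02/2024:09:13:03 +0100] "POST /api2/extjs/access/ticket HTTP/1.1" 401 -
::ffff:198.51.100.9 - - [16/02/2024:09:13:04 +0100] "POST /api2/extjs/access/ticket HTTP/1.1" 401 -
::ffff:203.0.113.7 - - [16/02/2024:09:13:05 +0100] "POST /api2/extjs/access/ticket HTTP/1.1" 401 -
::ffff:203.0.113.7 - root@pam [16/02/2024:09:13:09 +0100] "POST /api2/extjs/access/ticket HTTP/1.1" 200 1021
::ffff:198.51.100.9 - root@pam [16/02/2024:09:14:00 +0100] "POST /api2/extjs/access/ticket HTTP/1.1" 200 1021
EOF
}

# failed_logins MIN [FILE]: print "failures ip outcome" for each client with at
# least MIN rejected (401) ticket requests; reads stdin when FILE is omitted.
failed_logins() {
  awk -v min="$1" '
    $6 == "\"POST" && $7 ~ /\/access\/ticket$/ {
      ip = $1
      sub(/^::ffff:/, "", ip)                  # strip the IPv4-mapped IPv6 prefix
      if ($9 == 401) fails[ip]++
      else if ($9 == 200 && (ip in fails)) ok[ip] = 1   # success after earlier failures
    }
    END {
      for (ip in fails)
        if (fails[ip] >= min)
          print fails[ip], ip, ((ip in ok) ? "success-after-failures" : "no-success")
    }
  ' "${2:--}" | sort -k1,1nr -k2,2
}

# Run against the constructed sample; on a real host pass the log path as the second argument.
sample_log | failed_logins 3
```

A client reported with `success-after-failures` deserves a closer look than one that only failed, since it may be a guessed password rather than a typo.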
Recommendation: For most users, a WireGuard VPN combined with ProxmoxR provides the best balance of security, convenience, and functionality. The VPN ensures encrypted access, while ProxmoxR gives you a mobile-optimized management experience that the web UI simply cannot match on a phone.