Introduction

You've got Proxmox running at home, tucked in a closet or sitting on a shelf under the router. It works great when you're on the couch. Then you leave the house and realize you have no way to check on your VMs, restart a stuck container, or grab a file off your NAS from your phone.

The instinct a lot of people have here is to just forward port 8006 on their router straight to the Proxmox host and call it done. Don't do that. It's the single most common security mistake new Proxmox users make, and it's also the easiest one to avoid once you know what to do instead.

This guide covers the three realistic ways to reach your Proxmox VE box from outside your home network, ranked from "takes two minutes" to "takes twenty but you'll never think about it again." Everything here was tested on Proxmox VE 9.0, though none of it is version-specific — it'll work the same on 8.x.

What You Will Learn

  • Why exposing port 8006 directly to the internet is a bad idea
  • How to use an SSH tunnel for quick, one-off remote access
  • How to set up Tailscale for always-on access with zero port forwarding
  • How to lock the Proxmox web interface down to trusted networks with pveproxy access lists
  • Which method fits a homelab, and which fits something more serious
  • Common mistakes and errors people run into with each approach

What Is This Feature?

Proxmox's web interface is served by a process called pveproxy. It listens on TCP port 8006 and handles every click you make in the browser — starting a VM, uploading an ISO, checking node stats, all of it goes through this one daemon. It's already using HTTPS out of the box, with a self-signed certificate Proxmox generates during install.

Remote access, in the context of this article, just means being able to reach that port 8006 interface (and SSH, if you need a shell) from somewhere that isn't your home Wi-Fi. There are a few tools that make this possible without just throwing the door open to the internet:

  • VPN (Virtual Private Network) — software that creates an encrypted tunnel between your device and your home network, so your phone or laptop behaves as if it's sitting on your LAN even when you're on a coffee shop Wi-Fi.
  • WireGuard — a modern, lightweight VPN protocol built into the Linux kernel. It's fast, has a tiny codebase (easier to trust), and is what most current VPN tools, including Tailscale, are built on top of.
  • Tailscale — a mesh VPN service built on WireGuard that handles the hard parts (key exchange, NAT traversal, firewall punching) for you. You install an agent, log in, and your devices can see each other — no router configuration required in most cases.
  • SSH tunnel — a way of routing a single connection (like your browser's traffic to port 8006) through an existing SSH session, so nothing has to be opened on your router except port 22.

Why Would You Use It?

Because the alternative is bad. Shodan and Censys — search engines that continuously scan the entire internet for open ports — index tens of thousands of exposed Proxmox web interfaces at any given time. If port 8006 is open to the world, someone will find it, usually within hours, and start trying default credentials and known exploits against it.

Even with a strong root password, an exposed management interface is a bigger attack surface than it needs to be. Every authentication bug, every TLS misconfiguration, every brute-force attempt is now something you're exposed to 24/7. None of that risk buys you anything — you get the exact same functionality by putting a VPN or tunnel in front of it, with almost no extra effort day to day.

There's a convenience angle too. Once you've got Tailscale or a proper VPN set up, accessing Proxmox from your phone while you're at work is no different from being on your home network. You stop thinking about it entirely, which is really the goal.

Prerequisites

  • A working Proxmox VE 8.x or 9.x install with root SSH access
  • A phone or laptop you want to use for remote access
  • About 10 minutes for the SSH tunnel method, or 20 minutes for Tailscale
  • A free Tailscale account if you're going that route (email sign-up, no credit card)
  • Basic comfort running commands in a terminal — nothing advanced, just copy and paste

You do not need a static public IP, a domain name, or a router that supports advanced firewall rules for either method below. That's part of the appeal.

Step-by-Step Tutorial

Method 1: SSH tunnel (fastest, best for occasional access)

If you already have SSH access to your Proxmox node from outside your network — say, through a VPN you use for other things, or because port 22 is forwarded on your router — you can tunnel the web GUI through that same connection without opening port 8006 at all.

  1. From your laptop, open a terminal and run:
ssh -L 8006:localhost:8006 root@your-proxmox-public-ip
  1. Leave that terminal window open. It's holding the tunnel active.
  2. In your browser, go to https://localhost:8006.
  3. Accept the self-signed certificate warning (this is expected — it's the same cert you'd see on the LAN) and log in as usual.

Close the terminal and the tunnel disappears with it. Nothing stays open. This is a good habit for a quick check-in, but it's clunky if you want to reach Proxmox several times a day from your phone — SSH clients on mobile can do it, but it's not exactly one-tap.

Method 2: Tailscale (best for regular, always-on access)

Tailscale is the option I'd point most homelab users toward in 2026. It's free for personal use up to 100 devices, and it sidesteps router configuration almost entirely by using NAT traversal — a set of techniques that let two devices behind separate home routers find a direct path to each other without either router needing a forwarded port.

  1. On your Proxmox host, add the Tailscale repository and install the package:
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg | tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | tee /etc/apt/sources.list.d/tailscale.list
apt update && apt install tailscale
  1. Bring the connection up and authenticate:
tailscale up

This prints a URL. Open it in any browser, log in with Google, Microsoft, GitHub, or email, and approve the device. It takes about thirty seconds.

  1. Install the Tailscale app on your phone or laptop from your platform's app store and sign into the same account.
  2. Run tailscale ip -4 on the Proxmox host to get its Tailscale IP — something like 100.101.102.5.
  3. From your phone, on any network, browse to https://100.101.102.5:8006. You're in.

That IP stays the same as long as you don't remove and re-add the device, so it's worth bookmarking. If you want a name instead of a number, Tailscale's MagicDNS feature (enabled from the admin console at login.tailscale.com) gives every device a hostname like proxmox.your-tailnet.ts.net automatically.

Lock the web interface down further with pveproxy

Whichever method you pick, it's worth tightening pveproxy itself so it only answers to addresses you actually trust — your LAN and your VPN range, say, and nothing else. Edit /etc/default/pveproxy:

ALLOW_FROM="192.168.1.0/24,100.64.0.0/10"
DENY_FROM="0.0.0.0/0"
POLICY="allow"

Restart the service for it to take effect:

systemctl restart pveproxy

This says: deny everyone by default, except the two ranges listed in ALLOW_FROM (your home subnet and Tailscale's CGNAT range in this example). Even if something goes wrong with your VPN setup down the line, pveproxy itself won't answer requests from a random IP on the internet.

Commands Explained

  • ssh -L 8006:localhost:8006 root@ip — opens an SSH connection and forwards local port 8006 through it to port 8006 on the remote side. The -L flag stands for "local" port forwarding.
  • tailscale up — authenticates this machine to your Tailscale network (called a "tailnet") and brings the encrypted mesh connection online.
  • tailscale ip -4 — prints this device's IPv4 address on the tailnet, which stays stable and is what you'll actually browse to.
  • systemctl restart pveproxy — reloads the Proxmox web proxy so changes to /etc/default/pveproxy take effect immediately.
  • ALLOW_FROM / DENY_FROM — apache-style access control lists inside pveproxy's config, evaluated before a request ever reaches the login page.

Common Errors

"Connection refused" when SSH tunneling — either port 22 isn't actually reachable from outside (check your router's port forwarding rule and that sshd is running), or a local firewall on the Proxmox host is blocking it. Run ss -tlnp | grep :22 on the host to confirm sshd is listening.

Tailscale device shows as offline — usually means the tailscaled background service isn't running. Check with systemctl status tailscaled and start it with systemctl enable --now tailscaled if it's stopped.

Browser says "Unable to connect" after locking down ALLOW_FROM — you locked yourself out. If you still have local console or LAN access, edit /etc/default/pveproxy back to a working state and restart pveproxy. This is exactly why you test the ALLOW_FROM change from a network you know is in the list before disconnecting from anything else.

Self-signed certificate warnings — expected behavior, not a bug. Proxmox generates its own certificate on install. You can replace it with a real one via Let's Encrypt if it bothers you, but it doesn't affect the security of the tunnel or VPN layer at all.

Troubleshooting

If Tailscale connects but the Proxmox page just spins and times out, double check you're using https:// and not http:// — pveproxy only speaks HTTPS on 8006, and a plain HTTP request to that port will just hang rather than redirect.

If SSH tunneling works from a laptop but not from a phone SSH client, the app's port-forwarding UI is usually the culprit — most mobile SSH clients bury local forwarding under an "advanced" or "port forward" section rather than exposing it as a normal option. Termux on Android and Blink Shell on iOS both support it, but the exact menu differs from app to app.

If you're on a hotel or airport Wi-Fi and nothing connects, some public networks block outbound UDP entirely, which breaks WireGuard-based tools like Tailscale. Tailscale falls back to a relay (DERP) server in that case, which is slower but usually still works — if even that fails, the SSH tunnel method uses plain TCP and tends to get through more restrictive networks.

Best Practices

  • Never forward port 8006 (or 22, ideally) directly to the internet without something in front of it.
  • Prefer Tailscale or a proper VPN over SSH tunneling if you're going to need remote access more than once or twice a month — the setup cost pays for itself fast.
  • Set ALLOW_FROM in pveproxy even after adding a VPN, as a second layer that doesn't depend on the VPN software behaving correctly.
  • Use SSH key authentication instead of passwords if you're forwarding port 22 for tunneling — it closes off the most common brute-force path entirely.
  • Keep a note of your Proxmox host's LAN IP somewhere offline, in case your VPN setup ever breaks and you need local console or LAN access to fix it.

Frequently Asked Questions

Is it safe to just change port 8006 to something else and forward that instead?

No. Renaming the port doesn't hide it — automated scanners probe every port, not just 8006. It might cut down on the least sophisticated bots, but it does nothing against a targeted attempt.

Does Tailscale see my Proxmox traffic?

No. Tailscale's control server only handles key exchange and device coordination — the actual traffic between your devices is end-to-end encrypted via WireGuard and, in most cases, travels directly between them without touching Tailscale's servers at all.

Can I use this same setup for SSH into my VMs, not just the Proxmox host?

Yes. Once your phone or laptop is on the same Tailscale network as your Proxmox host, you can reach any VM or container with a Tailscale client installed the same way, using its tailnet IP.

What if my home internet doesn't have a static IP?

It doesn't matter for either method in this guide. SSH tunneling works against whatever your current IP is (you'd just need dynamic DNS if you want a stable hostname), and Tailscale doesn't care about your public IP at all.

Is a reverse proxy with a real domain name a better option?

It's a valid option if you already run one for other services and want a proper TLS certificate on the Proxmox GUI, but it's more setup for less benefit than Tailscale if remote access is your only goal. It's really solving a different problem.

Conclusion

Reaching your Proxmox box from outside your house doesn't have to mean exposing it to every scanner on the internet. An SSH tunnel gets you in for a quick check with nothing left open afterward, and Tailscale gets you a connection that just works, every time, without touching your router's configuration.

Pick whichever matches how often you actually need access — and either way, take the five minutes to set ALLOW_FROM in pveproxy. It's the kind of small step that costs you nothing today and saves you a bad morning later.