
How to Access Proxmox Remotely with Tailscale

If you’re running Proxmox VE at home or in a small business environment, there will come a time when you need to access it remotely — whether you’re working from home, on-site at a client, or simply away from the office. Since 2020, remote access to self-hosted infrastructure has gone from a nice-to-have to an everyday requirement for UK IT admins and homelabbers alike. The temptation is to simply forward port 8006 on your router and be done with it. Don’t. Proxmox’s web UI was not designed to be internet-facing, and exposing it directly leaves your hypervisor — and every VM running on it — vulnerable to brute-force attacks, credential stuffing, and zero-day exploits. The right approach is to keep Proxmox completely off the public internet and access it through a secure private tunnel instead. Tailscale makes this remarkably straightforward.

Why You Should Never Expose Proxmox Directly to the Internet

Proxmox listens on port 8006 using a self-signed certificate by default. Exposing this port means bots will find it within hours, your logs will fill with credential attacks, and any unpatched vulnerability in the web UI or the underlying API becomes a direct path to root on your hypervisor. Unlike a web application with limited blast radius, a compromised Proxmox host gives an attacker access to every VM and container you’re running. There is no legitimate reason to expose it publicly; a VPN achieves everything you need without the risk.

What Is Tailscale?

Tailscale is a zero-configuration VPN built on WireGuard. It creates a private mesh network (called a tailnet) between all your devices — your Proxmox host, your laptop, your phone — without requiring you to open any inbound firewall ports or manage certificates. It’s free for personal use with up to three users, and the setup takes under five minutes. Unlike a traditional VPN, there’s no central server to manage; devices connect peer-to-peer where possible, with a relay fallback when NAT traversal isn’t possible.

Step 1: Install Tailscale on Your Proxmox Host

SSH into your Proxmox host and run the official install script:

curl -fsSL https://tailscale.com/install.sh | sh

Once installed, authenticate the node and bring it up:

tailscale up

This will print an authentication URL. Open it in your browser, log in to your Tailscale account, and the node will be authorised and added to your tailnet. You can verify it’s connected with:

tailscale status

Step 2: Enable Tailscale to Start on Boot

Proxmox is based on Debian, so systemd handles service management. Tailscale’s installer registers the service automatically, but confirm it’s enabled:

systemctl enable tailscaled
systemctl start tailscaled

After a reboot, Tailscale will reconnect automatically without any manual intervention. This is important — if your Proxmox host reboots after a power cut or maintenance window, you don’t want to lose remote access because the VPN didn’t come back up.

Step 3: Access the Proxmox Web UI via Your Tailscale IP

Once Tailscale is running on both your Proxmox host and your client device (laptop, desktop, or phone), find your Proxmox node’s Tailscale IP address:

tailscale ip -4

It will be a 100.x.x.x address. Open your browser and navigate to:

https://100.x.x.x:8006

You’ll still see the self-signed certificate warning — accept it, and you’re in. Because traffic travels over the encrypted Tailscale tunnel, the lack of a trusted certificate on the Proxmox side is not a security concern here; the connection is already authenticated and encrypted at the WireGuard layer. Tailscale also supports MagicDNS, which lets you use a hostname like https://proxmox:8006 instead of the raw IP — enable this in the Tailscale admin console under DNS settings.

Step 4: SSH Access via Tailscale

SSH works the same way — just use the Tailscale IP or MagicDNS hostname instead of the public IP. No port forwarding needed:

ssh <user>@100.x.x.x

Tailscale also has a built-in SSH feature (tailscale up --ssh) that authenticates SSH sessions using your Tailscale identity rather than SSH keys, which can simplify access management further if you’re comfortable with it.

Step 5: Enable Subnet Routing to Access VMs and Containers

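By default, Tailscale only gives you access to the Proxmox host itself. To reach VMs and containers running on the Proxmox network (for example, on the 192.168.1.0/24 subnet), enable subnet routing on the Proxmox node. A Linux subnet router also needs IP forwarding enabled in the kernel (the net.ipv4.ip_forward sysctl set to 1); without it the route is advertised but no traffic is forwarded. Then advertise the subnet: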

tailscale up --advertise-routes=192.168.1.0/24

Then approve the advertised route in the Tailscale admin console under the node’s settings. On your client device, enable route acceptance:

tailscale up --accept-routes

Once enabled, you can connect directly to any VM or container on that subnet — RDP into a Windows VM, SSH into an LXC container, access a self-hosted web app — all through the Tailscale tunnel without needing Tailscale installed on each individual VM.

Step 6: Restrict Access with Tailscale ACLs

If your tailnet includes multiple users or devices, you should lock down which devices can actually reach your Proxmox node. Tailscale’s access control lists (ACLs) let you define granular policies. In the Tailscale admin console, navigate to Access Controls and add rules such as:

// user@example.com is a placeholder for your own Tailscale login
{
  "action": "accept",
  "src": ["user@example.com"],
  "dst": ["tag:proxmox:8006", "tag:proxmox:22"]
}

Use tags to group your infrastructure nodes and limit access to specific ports. The rule only restricts anything once the default allow-all rule has been removed from the policy; with that gone, even if another device on your tailnet is compromised, it cannot reach your Proxmox host.
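A complete policy file built around the rule above, as an added example that is not from the original article. The login user@example.com, the choice of tag owner and the VM ports 22 and 3389 are assumptions. It also covers the Step 5 subnet, which needs its own rule once access is restricted.

```json
// Constructed example tailnet policy file. Tailscale policy files are HuJSON,
// so comments are allowed. user@example.com is a placeholder login.
{
  // Who is allowed to assign tag:proxmox to a node. A tag that has no
  // owner cannot be applied, so rules that reference it match nothing.
  "tagOwners": {
    "tag:proxmox": ["user@example.com"]
  },

  // The default policy contains an allow-all rule:
  //   {"action": "accept", "src": ["*"], "dst": ["*:*"]}
  // It is deliberately absent here. Access is deny-by-default, so only the
  // rules listed below grant anything.
  "acls": [
    // Proxmox web UI (8006) and SSH (22) on the tagged hypervisor.
    {
      "action": "accept",
      "src": ["user@example.com"],
      "dst": ["tag:proxmox:8006", "tag:proxmox:22"]
    },
    // VMs and containers behind the Step 5 subnet route. Ports are an
    // assumption: SSH for LXC containers, RDP for a Windows VM.
    {
      "action": "accept",
      "src": ["user@example.com"],
      "dst": ["192.168.1.0/24:22", "192.168.1.0/24:3389"]
    }
  ]
}
```

The tag is applied on the Proxmox node with tailscale up --advertise-tags=tag:proxmox. Any other device on the tailnet, including one that accepts the subnet route, gets no access to the hypervisor or the VMs under this policy.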

What About Cloudflare Tunnel?

Cloudflare Tunnel is a popular alternative for exposing self-hosted web UIs without opening firewall ports. It works well for standard HTTP/HTTPS applications and gives you a public URL with Cloudflare’s edge in front. However, it has a significant limitation for Proxmox: the VNC-based console in the Proxmox web UI uses WebSockets in a way that doesn’t route correctly through Cloudflare Tunnel, meaning you lose the ability to open a console to your VMs. For read-only monitoring or API access, Cloudflare Tunnel is an option — but for full Proxmox management including console access, Tailscale is the better choice. It also keeps your Proxmox UI completely off the public internet rather than just gating it behind Cloudflare’s edge.

Summary

Never expose Proxmox’s web UI directly to the internet. Install Tailscale on your Proxmox host with a single curl command, add your client devices to the same tailnet, and access everything — the web UI, SSH, and your entire VM network — through an encrypted WireGuard tunnel that requires no open inbound firewall ports. Use ACLs to restrict which tailnet devices can reach the node, and enable subnet routing to access VMs without installing Tailscale on each one. It takes less time to set up than configuring a NAT rule, and it’s vastly more secure.
