Internet facing logon platform to your SoHo


May 26, 2022
There are a number of ways you can expose your desktops or servers or routers or monitoring systems to the internet and thus be able to access them from anywhere.
Among those I know of and have used in the past, the simplest is probably RDP on a custom port with some additional security like a VPN tunnel and/or MFA, like Duo. Many NAS have inbuilt options to access them outside your network, and probably most routers and monitoring systems have ways of doing this with some additional configuration, plugins and what not.

My question is whether there is a way to tie a few or all resources/devices together, granting you access to everything in your network behind a secure logon? As if you were on your home desktop, through which you manage it all anyway? I guess you could just RDP to that desktop and problem solved, of course, but what if you wanted it accessible and presented via a web interface on a subdomain of a site you own? Kind of a SoHo portal to your LAN?

Does it make any sense?


Active Member
Apr 21, 2017
RDP on a custom port is useless, scanners like Shodan will find it anyway, fast. Will only keep away Stupid. Last time that worked was 2005.

I recommend setting up internal DNS correctly and then just using OpenVPN into your LAN, with DNS going over entirely or per over your DNS, so you can browse everything and it will just work.

Never open up any ports other than VPN without also configuring fail2ban.

If you want to avoid VPN, stuff like nginx reverse-proxying is possible, but very tricky to set up correctly, without holes. It will also expose your containers or whatever to the internet directly. Not recommended, ever. In 2022 it is all about reducing attack surface.

I once implemented and improved upon a custom solution based on a separate username/password scheme, some special sauce in openresty which is nginx+Lua, and a script, which will present a login interface. Only if you enter correct credentials will it give you a temporary cookie that will allow you to even reach a service inside. No cookie, back to that login page, no exceptions, and the internal service is shielded from any access whatsoever. Thing is I never published it. It is raw, and I have too little time to even answer questions about it.
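The cookie-gated login described in the post above, modelled here in Python as an added example (the poster's openresty/Lua implementation was never published, so this is not that code). It assumes a constructed credential store, a made-up server-side signing secret and a 15-minute cookie lifetime; the `gate()` function stands in for the access check a reverse proxy would run before forwarding any request to an internal service:

```python
"""Model of a login-gated reverse proxy: no valid cookie, no access.

Constructed example. The secret, salt, user record and TTL are invented
for demonstration and are not taken from any real deployment.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret used only to sign cookies; clients never see it.
COOKIE_SECRET = b"constructed-demo-secret-rotate-in-production"
COOKIE_TTL = 900          # seconds a temporary cookie stays valid
LOGIN_PATH = "/login"     # where un-authenticated requests are sent


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so a leaked store does not yield plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed credential store: username -> (salt, password hash).
_SALT = b"constructed-static-salt-1"
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def check_credentials(user: str, password: str) -> bool:
    """Constant-time verify; hash even for unknown users so timing does not leak names."""
    rec = USERS.get(user)
    salt, stored = rec if rec else (_SALT, b"\x00" * 32)
    candidate = _hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and rec is not None


def _sign(payload: bytes) -> str:
    return hmac.new(COOKIE_SECRET, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, now: int = None, ttl: int = COOKIE_TTL) -> str:
    """Temporary cookie: base64(user:expiry:nonce) + '.' + HMAC over that payload."""
    now = int(time.time()) if now is None else now
    payload = f"{user}:{now + ttl}:{secrets.token_hex(8)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_cookie(cookie: str, now: int = None):
    """Return the username if the cookie is well-formed, untampered and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                      # signature mismatch: forged or edited
    try:
        user, expiry, _nonce = payload.decode().rsplit(":", 2)
        if now >= int(expiry):
            return None                  # expired: back to the login page
    except ValueError:
        return None
    return user


def login(user: str, password: str, now: int = None):
    """The login form handler: only correct credentials yield a cookie."""
    if not check_credentials(user, password):
        return None
    return issue_cookie(user, now)


def gate(cookie, now: int = None):
    """Decision made before a single byte reaches the internal service.

    Returns (200, user) to forward the request, or (302, LOGIN_PATH) to redirect.
    """
    user = verify_cookie(cookie, now) if cookie else None
    if user is None:
        return 302, LOGIN_PATH
    return 200, user


if __name__ == "__main__":
    tok = login("alice", "correct horse battery staple")
    print("no cookie   ->", gate(None))
    print("valid cookie->", gate(tok))
    print("tampered    ->", gate(tok[:-1] + "x"))
```

The point of the design is that the proxy never consults the internal service to decide: the HMAC lets the gate validate a cookie statelessly, the expiry bounds how long a stolen cookie is useful, and the redirect is the only response an unauthenticated client ever sees. A production version would additionally mark the cookie `Secure`, `HttpOnly` and `SameSite`, rate-limit the login handler, and pair the whole thing with fail2ban as the post above recommends.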


Active Member
Jul 25, 2018
With the above, you don't need to expose anything to the public with a simple mesh via Tailscale as an example or with a centralized solution like NetMaker/Nebula/Zerotier.


Well-Known Member
Feb 15, 2017
I use sshuttle in Linux to basically VPN in over SSH, and I can hit all my internal IPs' ports just fine remotely once the connection is established.
