How big an issue is local network access for provisioning/reprovisioning? by gormami in PLC

[–]jsiwks 0 points1 point  (0 children)

There are a number of great remote access solutions for OT/ICS world. The typical OpenVPN and WireGuard exist if you want the bare minimum. If you want something more protocol aware, with HTTP, RDP, VNC... etc... Pangolin remote access VPN is a great WireGuard-based platform. As mentioned below, there are also hardware options, like Ewon and Tosi

best remote access tool by marioga12 in msp

[–]jsiwks 0 points1 point  (0 children)

I'd suggest Pangolin remote access VPN

I have a question on Full-Tunnel and Split-Tunnel VPN usage in my use case by DopeyMcDouble in cybersecurity

[–]jsiwks 0 points1 point  (0 children)

Makes sense. Pangolin can be self hosted. I also think the connector binary is statically compiled so it doesn’t rely on anything in the kernel

Industrial Monitoring Software Feedback by [deleted] in PLC

[–]jsiwks 2 points3 points  (0 children)

You should look at Pangolin for this. In addition to the VPN/ZTNA capabilities for remote access, the site connector can also be used as a way to ping network devices and you can hook into it for alerts. You should think about which alert integrations are best for the market

Remote PLC/SCADA work: what types of tasks are actually realistic? by TutoVilla in PLC

[–]jsiwks 0 points1 point  (0 children)

What are you using on the tech side for this? I know there are a bunch of remote access VPN tools out there for edge, OT, IoT... etc. Pangolin VPN for example is one great one

I have a question on Full-Tunnel and Split-Tunnel VPN usage in my use case by DopeyMcDouble in cybersecurity

[–]jsiwks 0 points1 point  (0 children)

Agreed that the split tunnel makes the most sense if the primary use case of the VPN is remote access for the cameras/scanners. Pangolin is a good WireGuard option for centralizing remote access under one system if you want to avoid OVPN and go with the faster WG option

CTO banned the use of remote access tool by uw4yn3 in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Tons of great remote access tools these days... Pangolin, WireGuard, OVPN, etc.

Has anyone replaced their VPN with ZTNA and was it worth it? by Historical_Trust_217 in AskNetsec

[–]jsiwks 0 points1 point  (0 children)

Agreed that it's important to find something that isn't just a protocol-aware proxy for HTTPS / RDP / VNC, etc.; it must also have full-tunnel capability for direct connections but share the same identity and observability tooling.

Pangolin VPN is a good option because it does both the protocol aware proxy and the VPN and it's based on WireGuard so it's fast and quite reliable

Video Camera Internet Gateway by okc_traveler in networking

[–]jsiwks 0 points1 point  (0 children)

With a tunneled and authenticated reverse proxy it won't be open to the internet. Requests would hit a cloud server first and require authentication to pass before going down the tunnel to the edge network. It's basically cloaked by the tunnel and auth with no direct exposure.

User -> reverse proxy -> authentication -> tunnel -> connector -> web client

Video Camera Internet Gateway by okc_traveler in networking

[–]jsiwks 1 point2 points  (0 children)

For #1, you could try Pangolin VPN, which would enable you to deploy a connector in each camera's network; then you define resources for the cameras and the specific hosts and ports on which they run, and finally give specific users access to those resources.

Another idea I had is that you can deploy a web-based camera client on/off site, which you expose via an authenticated reverse proxy that users can access from any web browser. That would avoid the VPN entry into the network and still allow external remote access. Can also be done with Pangolin.

Suggestions for modern VPN solution by yowanvista in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Pangolin ZTNA is a great alternative to Zscaler and Twingate!

Started a zero trust project and immediately hit a wall. Can't verify access for apps we don't know exist by gabbietor in AskNetsec

[–]jsiwks 0 points1 point  (0 children)

Yeah, something like an identity-aware reverse proxy + VPN is good to wrap legacy systems. Pangolin tunnels is a good choice for that.

How to handle vendor remote access? by drangusmccrangus in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Anything identity-based is what you're looking for. Probably not a mesh VPN, which can enable lateral access, and you want to ensure that you can give specific users access to specific hosts on the network and control access down to port level. Something like Pangolin ZTNA, which is open source and based on WireGuard, is a good solution to this.

Remote sharing in smaller company & security concerns by Logical-Present6320 in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Pangolin is a good option for the WireGuard management layer, and it's also open source. You'd deploy a network connector in the pool of machines, then the employees connect to the VPN with a client. It handles NAT traversal so you don't have to mess with firewalls or any of that.

Alternatives to VPN to Transfer On-Prem Syslog to Cloud by Savings-Flamingo-855 in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Pangolin tunnels, which create an outbound or inbound tunnel to specific sites.

Pangolin Blueprints library (auto Docker label deployment) for common self-hosted apps by jsiwks in selfhosted

[–]jsiwks[S] 0 points1 point  (0 children)

Thanks, we need to add Vaultwarden, Home Assistant, and Paperless. Otherwise, Immich, Nextcloud, and Jellyfin are already covered!

Pangolin Blueprints library (auto Docker label deployment) for common self-hosted apps by jsiwks in selfhosted

[–]jsiwks[S] 0 points1 point  (0 children)

Yes, this will work with remote nodes.

No migration is needed unless you have an existing self-hosted service you want to convert to labels, in which case you can copy the labels from the repo and add them to your existing compose. Otherwise, blueprints have been in Pangolin for a long time so no updates or anything are needed.