
Comparison of remote service access services

Article Status
Incomplete (Expect further updates)
Disclaimer
Information provided here is only my own view. It must not be treated as professional guidance. In addition, you should not treat anything on this page as a professional recommendation.

Specifically, I take no responsibilities for issues or loss if you use this information.

NOTE
This article is currently a stub and will be expanded as time permits.

In this article (which I will likely update from time-to-time), I will cover the following remote service access tools:

Please let me know if there is another service you think should be covered here.

Cloud services

These are services run by 3rd-party vendors that you configure for your own use. The important thing to remember is that you MUST trust the vendor because they are acting as a man-in-the-middle between your Internet-connected users and your private services.

Also note that these are not VPNs in any traditional sense. They all use a small server service that runs in your local network and facilitates access. As such, they also do not require local firewall changes. This typically makes them much easier to set up than on-premise services.

Cloudflare Zero Trust/Cloudflare Access

Website, Documentation.

For what it is worth, this is the service I use personally.

Cloudflare Zero Trust is a full edge-security solution that includes a number of components: Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Firewall as a Service, WAN as a Service.

This product is significantly more comprehensive than the other products mentioned here, although it can also be a little more complex to set up. In return, it provides a comprehensive, integrated edge security service for connecting private networks/apps to the Internet.

Not all of the components need to be configured to implement remote service access; mostly just the ZTNA and SWG. Many of the other features have sensible defaults without configuration, so you still benefit from Cloudflare's extensive threat management.

Free tier:

Paid tiers: Pay-as-you-go US$7 per user per month. Contract plans.

Identity Providers with free tiers: Auth0 (25k monthly active users, supports passkeys)

Tailscale

Website, Documentation.

Node-RED contributor Bart Butenaers has a good write-up of using Tailscale with Node-RED.

Free tier:

Paid plans: US$5 per month Personal+ (6 users), $6 per user per month Starter, $18 per user per month Premium, Enterprise.

Like Cloudflare Zero Trust, Tailscale does not handle user identities directly; you use an external identity provider.

NGROK

Website, Documentation.

Quote
Your app’s front door. All-in-one API gateway, Kubernetes Ingress, DDoS protection, firewall, and global load balancing as a service.

Free tier is easy to set up but is really only suitable for testing and development.

Free tier:

Paid Plans:

Zerotier

Website, Documentation.

Quote
Connect all of your devices on a single network that you provision and control.

Zerotier promotes the service as 2-way IoT connectivity, SD-WAN (campus, branch sites, etc.) and VPN.

Free Tier:

Paid Tiers: US$5 per month (+$2 per authorised device) Essential plan, Commercial plans.

Twingate

Website, Documentation.

Quote
Keep private resources and internet traffic protected with Zero Trust security tools built for the modern world of work.

Free tier:

Paid tiers at US$5 or $10 per user per month

Holesail

Website

Free, open source.

Quote
Enabling you to create Peer-to-Peer network tunnels securely on your local network.

On-premise services

On-premise services are applications you run on your own site and infrastructure as opposed to running in a vendor cloud platform.

Virtual Private Networks

VPNs connect two or more TRUSTED networks together into a single network. A VPN is considered “virtual” because it is overlaid on one or more UNTRUSTED networks (typically the Internet).

The critical thing to remember about VPNs is that the whole network can only ever be as secure as the WEAKEST link.

For example, if you extend your VPN to a laptop and that laptop is left exposed somewhere or is compromised by malware, your whole network is potentially exposed.

For this reason, I strongly advise avoiding VPNs unless you really know what you are doing and have the resources to properly configure and maintain both the network and all of the devices connected to it.

Proxy and security services

TBC

Headscale/Ionscale

These are on-premise versions of the Tailscale cloud service.

Headscale: An open source, self-hosted implementation of the Tailscale control server.

Ionscale: A lightweight implementation of a Tailscale control server.

Headscale: Website

Ionscale: Website