Secure remote access options for SolarWinds Orion
Last updated: 2026-05-24
Comparing the practical options for reaching your SolarWinds Orion server from a phone — corporate VPN, Cloudflare Tunnel, Tailscale, ZeroTier, WireGuard. Tradeoffs and recommendations.
The single most important rule for SolarWinds Orion is don't put it on the public internet. The Orion Web Console has a history of CVEs that, while patched promptly, sit on top of a Windows IIS deployment with credential-based auth. Public exposure puts a credential-cracking target on the internet in front of an asset that's an authoritative view of your network.
That's true whether or not you use PocketNOC. PocketNOC just makes the question explicit: if the Orion Web Console shouldn't be on the public internet, how does the app on my phone reach it? This post compares the five options that actually work, with honest tradeoffs.
Option 1: Corporate VPN
What it is: The VPN your company already runs — IPSec, OpenVPN, SSL VPN appliances from Cisco, Palo Alto, Fortinet, Check Point, Pulse Secure, or similar.
Pros:
- You probably already have it.
- IT already has policy, monitoring, and revocation processes around it.
- No new vendor to evaluate.
Cons:
- VPN clients on phones have historically been unreliable in the background. Sessions drop when the phone sleeps; reconnection takes 10-30 seconds.
- Often routes all phone traffic through corporate, which slows browsing and burns battery.
- Some legacy VPN gateways don't have a modern mobile experience.
When to pick it: Default answer if you have a competent corporate VPN with a modern mobile client. The "you already have it" advantage is real.
Option 2: Cloudflare Tunnel
What it is: Outbound-only tunnel from your network to Cloudflare. The Orion server (or a separate Linux box in the same network) runs the cloudflared daemon, which establishes an outbound connection to Cloudflare's edge. The phone connects to a public hostname (e.g. orion.yourcompany.cloudflareaccess.com) which Cloudflare routes through the tunnel back to your Orion server.
Pros:
- No inbound firewall rules. The tunnel is outbound-only from your network.
- Cloudflare Access policies layer on top (require SSO, MFA, IP ranges, device posture).
- Works on any network the phone can reach Cloudflare from — captive Wi-Fi, hotel internet, anywhere.
- Free tier is generous; Access pricing is reasonable.
Cons:
- Adds Cloudflare as a dependency in the data path. If you cannot tolerate that, this isn't for you.
- Requires a Cloudflare account and a domain in Cloudflare DNS.
When to pick it: You don't have a corporate VPN, you want zero inbound firewall changes, and you're OK with Cloudflare in the data path. Detailed walkthrough: /docs/cloudflare-tunnel.
Option 3: Tailscale
What it is: Mesh VPN built on WireGuard with a managed coordination plane. Install the Tailscale agent on the Orion server and on the phone; they get private IPs on the same "tailnet."
Pros:
- Trivial to set up. Auth via Google / Microsoft / GitHub / Okta / SAML.
- Background performance on mobile is good — Tailscale is designed for always-on phone use.
- ACLs let you scope what each device can reach (e.g. phone can only reach Orion's SWIS port, nothing else on the tailnet).
- Free tier covers up to 100 devices.
Cons:
- Tailscale's coordination plane sees device identities and routing metadata (but never your data).
- New vendor to evaluate.
When to pick it: You don't have a corporate VPN and you're not opposed to a SaaS coordination plane. The setup time is the lowest of these options. Walkthrough: /docs/tailscale-setup.
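The ACL scoping described above is only useful if the policy actually denies everything else, so here is an added example (not PocketNOC or Tailscale code) that audits a policy in Tailscale's `acls` format for rules that let the phone reach more than Orion's SWIS port. The tag names and both policies are constructed, and 17778 as the SWIS REST port is an assumption to confirm against your deployment.

```python
import json

# Assumptions: hypothetical tag names; 17778 is the SWIS REST port on this deployment.
ORION_TAG, SWIS_PORT, PHONE_TAG = "tag:orion", 17778, "tag:phone"

# Constructed policies in Tailscale's "acls" shape (plain JSON, no HuJSON comments).
ALLOW_ALL = json.loads('{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}')
SCOPED = json.loads("""{
  "tagOwners": {"tag:phone": ["autogroup:admin"], "tag:orion": ["autogroup:admin"]},
  "acls": [
    {"action": "accept", "src": ["tag:phone"], "dst": ["tag:orion:17778"]},
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:orion:443"]}
  ]
}""")

def split_dst(dst):
    """Split 'host:ports' on the last colon so 'tag:orion:17778' keeps its tag."""
    host, _, ports = dst.rpartition(":")
    return host, ports

def port_set_is_only(ports, allowed):
    """True when a port spec ('80', '80,443', '1000-2000', '*') covers only `allowed`."""
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if not lo.isdigit() or int(lo) != allowed:
            return False  # wildcard, empty, or a different port
        if hi and (not hi.isdigit() or int(hi) != allowed):
            return False  # range extends past the allowed port
    return True

def phone_overreach(policy, phone=PHONE_TAG):
    """Return (src, dst) pairs that let the phone reach more than Orion's SWIS port."""
    findings = []
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        # "*" matches every device, phone included. User/group sources are not expanded.
        for src in (s for s in rule.get("src", []) if s in (phone, "*")):
            for dst in rule.get("dst", []):
                host, ports = split_dst(dst)
                if host != ORION_TAG or not port_set_is_only(ports, SWIS_PORT):
                    findings.append((src, dst))
    return findings

if __name__ == "__main__":
    for name, policy in (("allow-all", ALLOW_ALL), ("scoped", SCOPED)):
        print(name, phone_overreach(policy))
```

The check only models tagged and wildcard sources; a phone enrolled under a user identity would also need the user and group rules reviewed.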
Option 4: ZeroTier
What it is: Software-defined networking with a Layer 2 overlay. Similar to Tailscale in shape but with L2 capabilities and a different security model.
Pros:
- L2 overlay supports protocols Tailscale's L3 model doesn't (you'd know if you needed this).
- Self-hostable controller available (open-source).
- Free tier covers up to 25 devices per network.
Cons:
- Slightly less polished mobile experience than Tailscale.
- Smaller user base; less third-party tooling.
When to pick it: Same niche as Tailscale, plus L2 requirements or self-hosted-controller preference. Walkthrough: /docs/zerotier-setup.
Option 5: Self-hosted WireGuard
What it is: Run your own WireGuard endpoint on a Linux box. The phone connects directly to your endpoint with no third party in the middle.
Pros:
- Zero third-party dependency.
- WireGuard is fast and battery-efficient on mobile.
- Open standard; no vendor lock-in.
Cons:
- You manage key distribution, rotation, and revocation by hand.
- You operate the endpoint server.
- No built-in ACL / identity layer; you build it yourself or live without it.
When to pick it: You're in a regulated environment that can't tolerate any third-party coordination plane (Tailscale, ZeroTier, Cloudflare). Or you have one engineer and prefer minimal moving parts. Walkthrough: /docs/wireguard-setup.
Comparison
| | Setup time | Background mobile reliability | Inbound firewall changes | Third-party in path |
|---|---|---|---|---|
| Corporate VPN | (already done) | Variable | (already done) | (your vendor) |
| Cloudflare Tunnel | 30 min | Excellent | None | Yes (Cloudflare) |
| Tailscale | 10 min | Excellent | None | Yes (coordination) |
| ZeroTier | 20 min | Good | None | Yes (coordination) |
| Self-hosted WireGuard | 1-2 hours | Excellent | One UDP port inbound to endpoint | No |
Recommendation
If you already have a corporate VPN with a working mobile client, use it. Don't add a new dependency to solve a problem your existing infrastructure already solves.
Otherwise, default to Tailscale. Lowest setup time, best mobile experience, generous free tier, sane ACL model.
Pick Cloudflare Tunnel if you want to use Cloudflare Access policies (SSO, device posture, MFA) as the auth layer, or you want zero inbound firewall changes and aren't going to set up a phone VPN client.
Pick self-hosted WireGuard if your environment can't tolerate any third-party path. The maintenance cost is real but bounded.
Don't pick "expose Orion to the internet with strong passwords." It's the wrong shape of risk for the value of what's being protected.
Closing
PocketNOC works against all five options — the app doesn't care how the phone reaches the Orion server, only that it does. We document the four non-VPN options in /docs; corporate VPN is a per-customer thing that we can't write a universal guide for.
The one common thread: never put Orion on the public internet, no matter which mobile tool you end up using.