Remote Browser (no VPN?)

Abstract

If you don't want to set up a VPN, or want client-less access to your LAN resources, then this might be for you...

Kasmweb is a rather funky system that manages the creation of temporary Docker images, which you can use as a "sandpit" to play with, and dispose of when finished with. Why not have a look?

As part of their project, they provide a Chrome browser image which runs Chrome under VNC (remote desktop), which you can run 'standalone' - so you can "browse" into another browser - which provides a handy use case...

If you:

  1. don't want to expose all your Docker containers to the internet (even with Traefik!)
    and/or

  2. need "local" access to web accessible resources on your LAN
    and/or

  3. don't want to run a VPN
    and/or

  4. are a bit miffed that Guacamole doesn't provide access to web apps

...then you can create a web accessible browser which is on your LAN, and access that securely (via Traefik) - from anywhere you have an HTML-5 compliant browser :)

Prerequisites

This article assumes you've at least set up Docker, Portainer, Traefik, Pi-hole, OAuth and Let's Encrypt per our article!

Step 1 : Setup Kasmweb Chrome

  1. Log in to Portainer

  2. Create a new Container

    1. Name it something like chrome

    2. Use kasmweb/chrome:develop-edge as the image

    3. For the Volumes mount

      • /etc/timezone as /etc/timezone

      • /etc/localtime as /etc/localtime

      • /dev/shm as /dev/shm

    4. For the Network

      • Use bridge network

      • Set the hostname to whatever you specified in 2.1 (i.e. chrome)

      • Add your domain name and DNS IP address

    5. For the Restart-Policy use unless-stopped

    6. For the Labels, use

      • traefik.enable true

      • traefik.http.routers.chrome.entryPoints websecure

      • traefik.http.routers.chrome.middlewares chain-oauth@file, chromeauth

      • traefik.http.routers.chrome.rule HostHeader(`chrome.yoursubdomain.yourdomain.com`)

      • traefik.http.routers.chrome.service chrome

      • traefik.http.routers.chrome.tls true

      • traefik.http.routers.chrome.tls.certresolver mythicbeasts

      • traefik.http.routers.chrome.tls.domains[0].sans *.yoursubdomain.yourdomain.com

      • traefik.http.services.chrome.loadbalancer.server.port 6901

      • traefik.http.services.chrome.loadbalancer.server.scheme https

      • Additionally, there is one Traefik label which is too long to fit in the list above:

        traefik.http.middlewares.chromeauth.headers.customrequestheaders.Authorization

        It should be given the value:

        Basic a2FzbV91c2VyOnZuY3Bhc3N3b3JkCg

    7. Click Deploy the container
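
The Authorization value in step 6 is only base64 of user:password, so anyone who can read the container's labels can read the WebVNC password. As an added example (not from the original article or the Kasm project), the shell functions below build the value for your own credentials and decode an existing one. The function names are hypothetical, and the sample value is the one shown above, which decodes to kasm_user:vncpassword followed by a newline.

```sh
#!/bin/sh
# Added example: helpers for the chromeauth Authorization label value.
# Function names are hypothetical; requires the base64 utility.

# The value given in step 6 of this article.
PAGE_VALUE='Basic a2FzbV91c2VyOnZuY3Bhc3N3b3JkCg'

# Build "Basic <base64(user:password)>".
# printf '%s' is used (not echo) so no trailing newline gets encoded.
basic_auth_value() {
    case $1 in
        *:*) echo "username must not contain ':'" >&2; return 1 ;;
    esac
    printf 'Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Decode a "Basic ..." value back to user:password.
# Restores '=' padding first, since stripped padding makes some decoders fail.
decode_basic_auth() {
    token=${1#Basic }
    case $(( ${#token} % 4 )) in
        2) token="${token}==" ;;
        3) token="${token}=" ;;
    esac
    printf '%s' "$token" | base64 -d
}

# Succeeds if the decoded credentials end in a newline
# (typical of `echo user:pass | base64`), which becomes part of the password.
has_trailing_newline() {
    decoded=$(decode_basic_auth "$1"; printf x)   # x protects trailing newlines
    decoded=${decoded%x}
    nl='
'
    case $decoded in
        *"$nl") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo with constructed credentials.
if has_trailing_newline "$PAGE_VALUE"; then
    echo "article value decodes with a trailing newline"
fi
basic_auth_value kasm_user 'example-long-passphrase'
```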

Step 2 : Update Traefik config

To enable Traefik to handle the HTTPS connection from the WebVNC part of the chrome image, you need to update its static configuration. Assuming you followed our guide, your Traefik configuration is in TOML, and your entrypoint is called websecure, you should update it to look like the following:

[entryPoints.websecure]
  address = ":443"
  [entryPoints.websecure.forwardedHeaders]
    insecure = true

Note that insecure = true makes Traefik trust X-Forwarded-* headers from any source, not just from known proxies.

You will then need to restart Traefik, via:

docker restart traefik

Step 3 : Setup External DNS

  1. Log in to your DNS provider

  2. Add an external CNAME record for chrome.yoursubdomain.yourdomain.com pointing to your public Internet IP address

Step 4 : Test It!

  1. Browse to https://chrome.yoursubdomain.yourdomain.com

  2. When prompted, use your Google account credentials

  3. Test the browser!

Recap

With the above configuration, you have:

  • Created a kasmweb/chrome container

  • Proxied it via Traefik

    • Told Traefik how to connect to the WebVNC port that the container provides on port 6901

    • Told Traefik that the WebVNC connection only speaks HTTPS

    • Told Traefik to provide a basic username/password that is required by WebVNC, so you (as a user) don't see it

  • Created a "browser on your LAN, in a browser" - which doesn't need a VPN

You won't get audio, but you should be able to browse and view video etc.

Other Things

If you don't want the container accessible externally, all you need do is:

  • Remove (or don't set up) the external DNS - and just set up an internal CNAME on Pi-hole to your internal Traefik IP

  • Replace the chain-oauth@file with blockexternal@file

If you're running WireGuard or a VPN, this will still work as long as you can resolve the internal DNS name.


Happy browsing! :)