Since 2020, home office has gone from exception to normal in SMBs. What did not normalize along with it in many companies: a well-thought-out, secure connection. Hybrid setups often grow over years, where laptops reach terminal servers via RDP through port-forwarded router ports, passwords live in Outlook notes and the managing director uses a consumer router as a VPN concentrator.
This article is a pragmatic blueprint for secure home office in SMBs with 5 to 50 employees. It does not describe the most expensive stack but the one with the best ratio of security, effort and operations for mid-market.
Threat Model: What Are We Protecting Against?
Before picking tools, you need to know which risks are realistic:
| Risk | Likelihood | Damage |
|---|---|---|
| Laptop stolen | medium | medium-high (data leak) |
| Phishing with password theft | high | high (account takeover) |
| Malware on private PC (BYOD) | high | high (lateral movement) |
| Employee account compromised | medium | very high |
| Ransomware via VPN tunnel | medium | existential |
| Unencrypted USB stick lost | high | medium |
Protective measures map directly: device encryption, MFA, no BYOD for company access, account lifecycle, network segmentation, USB policy.
Five Pillars of Secure Home-Office IT
- Managed endpoint (company laptop, no BYOD)
- Encrypted VPN access (WireGuard on OPNsense)
- Data access via terminal server / VDI (data stays in the company)
- Strong authentication (MFA with Yubikey or authenticator)
- Password management (Vaultwarden / Bitwarden)
The five together form the stack. Individual pieces are often missing — and that is exactly where security holes appear.
Pillar 1: Managed Endpoint
A company laptop is not a luxury, it is a compliance minimum. Requirements:
- TPM 2.0 for BitLocker / LUKS and device attestation
- Full disk encryption (BitLocker with TPM on Windows, LUKS on Linux)
- Local admin account separate from the standard user account
- Patch management centrally controlled (WSUS, Intune, RMM)
- MDM or RMM for inventory, software deployment, remote wipe
In DATAZONE Control we use an RMM backend that centralizes patch status, disk health and endpoint security for all laptops. Without an RMM, you should at least check patch status manually quarterly.
BYOD position: We do not recommend BYOD for company access in SMBs. If allowed anyway, at least put private devices into their own VLAN and only allow RDP / web frontend access to company resources — no direct VPN tunnel into the LAN.
Pillar 2: VPN — OPNsense WireGuard for SMBs
WireGuard is the right standard today. Lean, fast, well auditable, cleanly integrated into OPNsense as a plugin. Setup cornerstones:
- Dedicated WireGuard interface with its own subnet (e.g. 10.10.0.0/24) — do not overlap with the LAN subnet
- One peer per employee, with a unique key
- PreSharedKey on top of the public key (defense in depth)
- Allowed-IPs limited to the company subnet — split tunneling so that private internet traffic does not flow through the company
- Firewall rules on the WireGuard interface: only allow what the employee really needs (RDP gateway, mail server)
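As an added example (not from the article and not OPNsense's own tooling), a small Python linter that checks a WireGuard client config against the cornerstones above: tunnel address inside the dedicated 10.10.0.0/24 subnet with no LAN overlap, PresharedKey present, and AllowedIPs split-tunneled to the company subnet only. The company LAN 10.0.0.0/24, the placeholder keys and both sample configs are constructed.

```python
import configparser
import ipaddress

# Constructed values: the company LAN behind OPNsense and the dedicated tunnel subnet from the article.
COMPANY_SUBNETS = [ipaddress.ip_network("10.0.0.0/24")]
TUNNEL_SUBNET = ipaddress.ip_network("10.10.0.0/24")
FULL_TUNNEL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def _csv(section, key):
    return [v.strip() for v in section.get(key, "").split(",") if v.strip()]

def lint_wireguard_config(text):
    """Return findings for one client config; an empty list means it follows the rules."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    iface = cp["Interface"] if cp.has_section("Interface") else {}
    peer = cp["Peer"] if cp.has_section("Peer") else {}
    findings = []
    # Rule: tunnel address lives in the dedicated WireGuard subnet and never overlaps the LAN
    for addr in _csv(iface, "Address"):
        net = ipaddress.ip_interface(addr).network
        if net.version == 4 and not net.subnet_of(TUNNEL_SUBNET):
            findings.append(f"Address {addr} is outside the WireGuard subnet {TUNNEL_SUBNET}")
        if any(net.overlaps(c) for c in COMPANY_SUBNETS):
            findings.append(f"Address {addr} overlaps the company LAN")
    # Rule: PresharedKey on top of the public key (defense in depth)
    if not peer.get("PresharedKey"):
        findings.append("Peer has no PresharedKey")
    # Rule: split tunneling, AllowedIPs limited to the company subnet(s)
    allowed = [ipaddress.ip_network(a, strict=False) for a in _csv(peer, "AllowedIPs")]
    for net in allowed:
        if net in FULL_TUNNEL:
            findings.append(f"AllowedIPs {net} sends all traffic through the company (full tunnel)")
        elif not any(net.version == c.version and net.subnet_of(c) for c in COMPANY_SUBNETS):
            findings.append(f"AllowedIPs {net} is not inside a company subnet")
    return findings

# Constructed sample configs with placeholder keys: a grown-over-time full tunnel vs. the hardened form.
WEAK_CONFIG = """[Interface]
Address = 10.0.0.200/24
[Peer]
PublicKey = <opnsense public key>
AllowedIPs = 0.0.0.0/0"""
HARDENED_CONFIG = """[Interface]
Address = 10.10.0.7/32
[Peer]
PublicKey = <opnsense public key>
PresharedKey = <per-peer preshared key>
AllowedIPs = 10.0.0.0/24"""
```

Run `lint_wireguard_config` over every peer config you hand out; the weak sample yields four findings, the hardened one none.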
MFA for the VPN: WireGuard itself has no MFA — the key is the key. Two paths to MFA at the VPN edge:
- Hardware token (Yubikey) unlocks the key on the endpoint — works when the WireGuard key sits in the TPM or behind Yubikey PIV
- Classic IPsec/OpenVPN with RADIUS MFA — heavier, but MFA at the tunnel itself
We prefer the first path in practice: WireGuard plus MFA at the application endpoints (RDP gateway, Vaultwarden, mail). The VPN tunnel is just transport; strong auth lives at the services behind it.
Pillar 3: Terminal Server or VDI — Data Stays in the Company
When employees should only see data, not store it locally, a terminal server (RDS) or VDI is the most robust architecture. Upsides:
- Data does not leave the company — not even temporarily
- Patch status centralized, because only the terminal servers need patching
- Easy offboarding — disable user account, done
- Lower bandwidth needs on the home office connection
RDP gateway instead of direct RDP connections: an RDP gateway (e.g. Microsoft RD Gateway) sits in front of the terminal servers, terminates HTTPS and proxies RDP internally. The employee laptop only needs the RDP client, no extra VPN tool — if the security model allows.
Open-source alternative: Apache Guacamole as an HTML5 gateway. The remote session runs in the browser, no company data lands on the employee endpoint itself.
Pillar 4: MFA with Yubikey or Authenticator App
In 2026 MFA is not negotiable — phishing with pure password theft is daily business. Recommended hierarchy:
| MFA type | Suitability |
|---|---|
| Hardware security key (Yubikey, Token2) | Best choice — phishing-resistant via FIDO2/WebAuthn |
| Authenticator app (TOTP) | Good choice — Aegis, 2FAS, Google Authenticator |
| Push MFA (Microsoft Authenticator, Duo) | OK, beware MFA fatigue |
| SMS | Not recommended — SIM swapping is real |
Yubikey in SMB use:
- Two keys per employee: one on the keyring, one in the safe (backup)
- Main services: company Microsoft 365, RDP gateway, Vaultwarden, VPN key unlock, admin accounts
- Onboarding: hand out the Yubikey, register it, recovery codes on paper in safe
- Offboarding: collect the key, deregister in all services
Authentication provider: With multiple services, deploy an identity provider like Authentik or Microsoft Entra ID to enforce MFA centrally. One MFA setup per service quickly becomes unmaintainable.
Pillar 5: Password Manager
A password manager is not a nice-to-have in a home office setup, it is mandatory. Employees need unique strong passwords per service — without a manager they end up in Outlook notes or Excel.
Vaultwarden as a self-hosted Bitwarden server is the SMB-typical solution:
- Runs on a small VM or LXC inside the company network
- Compatible with all Bitwarden clients (web, mobile, browser extension)
- No cloud subscription, data stays in the company
- TLS reverse proxy in front (nginx, Caddy)
- Behind VPN or Authentik proxy, not public
For zero self-hosting overhead, Bitwarden Cloud or 1Password Business — both offer EU hosting and are affordable for SMBs.
Configuration Blueprint: An Employee Day
This is what the login path looks like with the stack above:
- Employee starts the company laptop
- BitLocker unlocks via TPM + PIN (disk encrypted)
- Windows login: user account + Yubikey touch (FIDO2)
- WireGuard client starts automatically — the private key is released by the TPM
- RDP client to the RDP gateway: login with user + Yubikey MFA
- Terminal server session opens — the employee works as in the office
- Browser on the terminal server reaches internal web services (mail, wiki)
- Passwords from Vaultwarden (in the browser via extension or web)
Data does not leave the company, every step has strong auth, losing a single device does not compromise the account.
Hardware Recommendations
| Component | Recommendation |
|---|---|
| Laptop | Business line with TPM 2.0 (Lenovo ThinkPad T/X, Dell Latitude, Wortmann TERRA Mobile) |
| Security key | Yubikey 5 NFC or 5C NFC — two per employee |
| Firewall | OPNsense on appropriate appliance, sized to employee count |
| RDP gateway | Windows Server with RD role or Linux + Guacamole |
| Vaultwarden host | Small Linux VM, 2 CPU, 2 GB RAM |
| Backup for VPN config | Yubikey PIN reset code in safe, OPNsense backup daily |
Onboarding and Offboarding Process
Without a documented process even the best architecture leaks. Minimal standard:
Onboarding (checklist):
- Laptop unpacked, BitLocker set up
- AD account created, placed in groups
- Yubikeys handed out, registered in AD/IdP
- WireGuard peer created, config deployed to laptop
- RDP profile set up, test connection successful
- Vaultwarden account created, initial passwords handed over
- Training: phishing, MFA behavior, USB policy
Offboarding (checklist):
- Disable AD account (do NOT delete — data must stay accessible)
- Remove WireGuard peer
- Collect Yubikey, deregister in all services
- Disable Vaultwarden account
- Mail forwarding to manager for 30 days
- Laptop collected, disk wiped or stored
- Inventory updated
Both lists belong in a wiki and are worked through on every personnel change — ideally jointly by HR and IT with a sign-off.
What We Deliberately Left Out
- ZTNA solutions (Zscaler, Cloudflare Access): expensive and often overkill for SMBs — with OPNsense VPN + IdP plus MFA you get 80% of the security gain at 20% of the cost
- EDR/XDR: relevant from 50+ endpoints, below that Defender + RMM monitoring suffices
- DLP software: high maintenance load — elegantly side-stepped by the “data stays on terminal server” architecture
Conclusion
Secure home office in SMBs is not magic, it is standard IT with discipline. The five pillars (managed laptop, VPN, terminal access, MFA and password manager) form the stack. Connecting these five, plus a documented onboarding/offboarding process, makes the difference between a leaky “grown over time” solution and a robust setup that holds up in an ISO 27001 pre-audit.
When auditing an existing home office setup, the first question is: which of the five pillars is completely missing or only half implemented? Experience: in every second SMB, at least one pillar (often MFA, often password manager) needs follow-up.