
I Gave a Contractor SSH Access to My Home NAS Without Opening Router Ports — Here's How

I recently ran into a common remote-access problem.

A contractor I hired for a two-week migration needed SSH access to a NAS in my basement. The NAS hosted a staging copy of a client database. It was too sensitive to move to a cloud VM, but I also did not want to spend time shipping hardware, configuring a bastion host, or exposing SSH directly to the internet.

The obvious options all had trade-offs.

Opening port 22 on my router would expose a real SSH endpoint to the public internet. It would also create another cleanup task at the end of the contract: remember to remove the port-forwarding rule.

A VPN into my home network felt too broad. The contractor only needed access to one NAS on one port, not my entire home LAN, including personal laptops and other devices.

A cloud bastion host would work, but it meant provisioning a VM, configuring SSH proxying, securing the instance, and remembering to tear it down afterward.

Cloud tunneling tools can be useful, especially for web applications, but I wanted something simpler for this case: one contractor, one device, one port, for two weeks.

What I wanted was narrow access:

This is exactly the kind of problem I built HostAnywhere to solve.

The setup

The full setup took about eight minutes.

1. Install the HostAnywhere agent on the NAS

I installed the HostAnywhere Linux agent on the NAS and signed in once.

After joining my HostAnywhere network, the NAS received a private mesh IP in the 100.64.x.x range. This range falls within the CGNAT shared address space (100.64.0.0/10, RFC 6598), which is not routed on the public internet.

The agent runs as a system service, so it stays connected across reboots.

2. Invite the contractor to my HostAnywhere network

Next, I invited the contractor as a member of my HostAnywhere network.

She did not use my account, password, or credentials. She created her own HostAnywhere account, accepted the invite, and joined my network with her own identity.

That distinction matters. The contractor had her own identity, her own device, and her own membership in my network.

3. Install the HostAnywhere agent on her MacBook

She installed the HostAnywhere agent on her MacBook and signed in using her own account.

Once connected, her laptop also received a private 100.64.x.x mesh IP and became a peer in my HostAnywhere network.

At this point, both devices were part of the same private mesh — but that alone did not mean she could access everything.

Access still needed to be explicitly allowed.

4. Create one Access Control rule

In the HostAnywhere dashboard, I created one rule:

Allow tag:contractor to reach tag:nas on tcp/22

I tagged her device as:

contractor

I tagged the NAS as:

nas

That single rule allowed her MacBook to reach the NAS only on TCP port 22.

Nothing else on my network was exposed to her device. She could not access my other laptops, phones, servers, or services. She had access to exactly what she needed: SSH to one NAS.

5. Connect with standard SSH

She connected using normal SSH:

ssh <user>@<nas-mesh-ip>

There was no SSH wrapper, no custom proxy command, and no special client-side configuration.

The NAS still used its normal SSH authentication. Her SSH key authenticated her at the application layer, while HostAnywhere controlled whether her device could reach the NAS at the network layer.

What happened when the work was done

Two weeks later, the migration was complete.

I removed her from the HostAnywhere network with one click.

The Access Control rule still existed, but the contractor tag no longer matched any active device, so the rule no longer granted access to anything.

There were no router changes to undo.
No firewall rules to clean up.
No cloud VM to deprovision.
No public SSH endpoint to close.
No long-term network access left behind.

Most importantly, the NAS was never reachable from the public internet during the engagement.

SSH remained private. The only path to the NAS was through the HostAnywhere mesh, and that path was controlled by policy.
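One way to check that claim from the NAS side is to read sshd's own authentication log and list every login attempt whose source address is outside the mesh range. This is an added example, not part of HostAnywhere or the original post; it assumes the mesh allocates from 100.64.0.0/10 and the standard OpenSSH "Accepted/Failed ... from IP port N" log format, and the log lines, user names and addresses are constructed.

```python
import ipaddress
import re

# RFC 6598 shared address space; the post's 100.64.x.x mesh IPs fall inside it.
# Assumption: the mesh hands out addresses only from this block.
MESH_NET = ipaddress.ip_network("100.64.0.0/10")

# OpenSSH sshd lines for successful and failed authentication attempts.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def non_mesh_ssh_events(log_lines, mesh_net=MESH_NET):
    """Return (result, user, ip) for each sshd auth event sourced outside the mesh."""
    events = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not an IP literal; skipped in this sketch
        if src not in mesh_net:
            events.append((m["result"], m["user"], str(src)))
    return events


# Constructed sample log lines (hypothetical users, documentation-range addresses).
SAMPLE_LOG = [
    "Jan 10 09:14:02 nas sshd[2211]: Accepted publickey for migrator "
    "from 100.64.0.12 port 52110 ssh2: ED25519 SHA256:CONSTRUCTED",
    "Jan 10 11:40:37 nas sshd[2290]: Failed password for invalid user admin "
    "from 203.0.113.50 port 40022 ssh2",
    "Jan 11 08:02:19 nas sshd[2404]: Accepted publickey for owner "
    "from 192.168.1.20 port 60344 ssh2: ED25519 SHA256:CONSTRUCTED",
]

if __name__ == "__main__":
    for result, user, ip in non_mesh_ssh_events(SAMPLE_LOG):
        print(f"{result} login for {user} from non-mesh address {ip}")
```

A public source address in this output means sshd is reachable by some path other than the mesh, such as a leftover port-forwarding rule; a LAN address is expected only for the owner's own local logins.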

What this approach gives you

The most important benefit is that access becomes specific.

Instead of thinking in terms of "give someone VPN access," the model becomes:

Who should access what, on which port, and for how long?

For this case, the policy was simple:

contractor → nas → tcp/22

That was the whole access model.

If I hire another contractor later, I can tag their device as contractor and reuse the same rule.

If I add another NAS, I can tag it as nas.

If I want to temporarily allow access to a dev server, I can add another narrow rule and remove it when the work is complete.

No router configuration.
No broad network trust.
No permanent open holes.

The mental model

The key shift is moving away from broad remote access.

Traditional remote access often starts with network-level decisions:

Open this port.
Forward this router rule.
Give this person VPN access.
Create a bastion host.

HostAnywhere starts from the access decision:

Who should reach what?

In this example:

The contractor should reach the NAS on SSH.

That becomes a simple policy:

Allow tag:contractor to reach tag:nas on tcp/22

Everything else remains blocked.

That is the access model I wanted: narrow, temporary, identity-aware, and easy to remove.
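The rule semantics described in step 4 and after the contractor's removal can be modelled in a few lines. This is an added example and not HostAnywhere's policy engine: the class and function names are hypothetical, the device inventory is constructed, and it assumes rules are directional (source tag to destination tag) with everything else denied.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Device:
    name: str
    tags: frozenset
    active: bool = True  # False once its owner is removed from the network


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    proto: str
    port: int


def allowed(src, dst, proto, port, rules):
    """Default deny: permit only if both peers are active and a rule matches."""
    if not (src.active and dst.active):
        return False
    return any(
        r.src_tag in src.tags and r.dst_tag in dst.tags
        and r.proto == proto and r.port == port
        for r in rules
    )


def dormant_rules(rules, devices):
    """Rules that grant nothing right now because a tag matches no active device."""
    live = {tag for d in devices if d.active for tag in d.tags}
    return [r for r in rules if r.src_tag not in live or r.dst_tag not in live]


def remove_member(device):
    """Model removing a member: the device stops being an active peer."""
    return replace(device, active=False)


# Constructed inventory mirroring the post: one rule, one NAS, one contractor laptop.
RULES = [Rule("contractor", "nas", "tcp", 22)]
NAS = Device("nas", frozenset({"nas"}))
LAPTOP = Device("family-laptop", frozenset())
MACBOOK = Device("contractor-macbook", frozenset({"contractor"}))
```

In this model the rule left behind after removal is dormant rather than gone: tagging any new device as contractor makes it grant tcp/22 to the NAS again, which is what makes reuse convenient and is also why tag assignment deserves the same care as rule creation.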

What HostAnywhere is

HostAnywhere is a secure access platform for connecting devices and services without router configuration.

You install one agent on each device — macOS, Windows, Linux, iOS, or Android — and manage access from a central dashboard.

HostAnywhere can be used to:

For homelabs, it helps avoid opening router ports.

For teams, it provides a cleaner way to grant access to private resources without giving everyone broad VPN access.

For contractors, it makes temporary access easier to grant and easier to remove.

Try it

You can try HostAnywhere at:

https://hostanywhere.io

The free tier includes enough capacity for a small homelab or a simple contractor access workflow.

If you have a NAS, dev box, Raspberry Pi, or private service that someone needs to reach temporarily, this setup should take only a few minutes:

  1. Install the HostAnywhere agent on the private device.
  2. Invite the contractor.
  3. Tag both devices.
  4. Create one Access Control rule.
  5. Let them connect using the private mesh IP.

No router changes.
No public SSH exposure.
No broad VPN access.
No cleanup checklist after the project ends.