Secure Remote Access

(HTTPS Behind Firewall/NAT Router Tutorial)

In this hands-on tutorial, we show how to access a Mako Server instance deployed within an Intranet from an external location without having to use a VPN or set up port forwarding. The Mako Server supports both automated certificate installation and remote access from within the same integrated plugin.

A free supplemental product called SharkTrustX acts as a proxy, enabling two different network locations to communicate. See the SharkTrustX product page for an introduction to how this works.

Local HTTPS connection and remote access via SharkTrustX running on a public cloud server.

Before continuing, make sure you have downloaded the Mako Server for your platform and that you know how to start the Mako Server from the command line.

Creating the Configuration File

Start by creating a directory, and in this directory, create a new mako.conf configuration file.

Copy the following and paste the data into mako.conf:

      revcon=true -- This enables remote access

Before saving the file, change the email address and the sub-domain name "SUB-DOMAIN". The sub-domain name can for example be your full name, but make sure to only use letters, numbers, and hyphens. The email address is required when using the Let's Encrypt service, which lets us operate the server securely when we are on the same network as the server.

When you have saved the file, open a command window in the directory where you saved mako.conf. Now, simply start the Mako Server without any arguments.

ACME DNS server name:
Creating new ACME account

The above shows that the Mako Server is now communicating with the online portal and Let's Encrypt. This initial operation takes roughly two minutes. You should see the following printed just after two minutes:

ACME: renewed

The above means that you now have a secure way to access the server locally by using the domain name printed in the console.

The Online SharkTrustX Portal

The Mako Server has integrated support for, a demo portal we have set up. In the end, you would set up your own SharkTrustX server and not use our demo portal. Our demo portal is purely designed for testing/learning purposes and should not be used for deployment.

Accessing the Server Locally

Navigate to the demo portal

You should see your Mako Server listed on the page, but do not worry since only visitors from your network location can see the server. You can navigate securely (using HTTPS) to your local server by clicking the link on this page. Note that the link expects the server to listen on the default HTTPS port 443. If the link does not work, append the HTTPS port number that the server is listening on to the end of the URL, e.g. :9443.

If the domain name is not working, you may have a type of DNS filtering that blocks the translation of DNS names to internal IP addresses. This must be turned off if you plan on using the domain name designed for local use. Older browsers were susceptible to DNS rebinding attacks, and blocking internal IP address translation helped older browsers stay secure.
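A quick way to tell whether DNS filtering is what breaks the local link, as an added example that is not part of the original tutorial or of the Mako Server: it resolves the local-use domain name and checks whether the answer is an RFC 1918 address. The function names and the device.portal.example hostname are constructed for illustration.

```python
import ipaddress
import socket
import sys

# RFC 1918 ranges: the Intranet addresses a DNS rebinding filter strips from answers.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "filtered": "no usable answer; a DNS filter may be dropping internal addresses "
                "(or the name is not registered yet)",
    "internal": "resolves to an Intranet address; the local HTTPS link should work",
    "unexpected": "resolves outside RFC 1918; this is not the local-use name",
}

def resolve_ipv4(hostname):
    """Ask the system resolver for A records; return [] when the lookup fails."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify_answers(addresses):
    """Classify the answers for a name that is expected to map to an Intranet host."""
    if not addresses:
        return "filtered"              # NXDOMAIN or empty answer
    ips = [ipaddress.ip_address(a) for a in addresses]
    if any(ip.is_unspecified for ip in ips):
        return "filtered"              # 0.0.0.0 is a common sinkhole answer
    if all(any(ip in net for net in RFC1918) for ip in ips):
        return "internal"
    return "unexpected"

def diagnose(hostname, resolver=resolve_ipv4):
    """Return (verdict, human-readable line) for one hostname."""
    addresses = resolver(hostname)
    verdict = classify_answers(addresses)
    shown = ", ".join(addresses) or "no answer"
    return verdict, f"{hostname}: {shown} -> {ADVICE[verdict]}"

if __name__ == "__main__":
    if len(sys.argv) > 1:              # live check: pass the local domain name
        print(diagnose(sys.argv[1])[1])
    else:                              # offline demo with constructed resolver answers
        for answers in (["192.168.1.20"], [], ["0.0.0.0"], ["198.51.100.7"]):
            print(diagnose("device.portal.example", lambda _h, a=answers: a)[1])
```

Run it with the domain name printed in the Mako Server console as the only argument; a "filtered" verdict on a name that resolves correctly from another resolver points at the local DNS filter.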

Accessing the Server Remotely

Navigate to the demo portal

Click the login button and either sign in with a Microsoft account or click "Create an account" to create a portal account.

Initially, make sure you sign into the online portal from the same location as the connected Mako Server. The online portal automatically grants you access to any device that is connected from the same Intranet. This grant is saved in the online portal's database.

After signing into the portal from the same Intranet, try signing into the portal from another Intranet. The easiest way to do this is to use your phone with WiFi turned off. When the WiFi is off, you will be accessing the online portal from your mobile network provider's Intranet.

The domain name provided in the link in the portal to your Mako Server will be different when accessing the portal from another network. The link provided will have the following form:

The sub-domain name is now a random number with 128 bits of entropy. This domain name changes automatically every 12 hours; thus, you must always navigate to the online portal and log in to get a fresh link.

A reverse connection bridge is initiated when the above link is clicked, enabling the user to access a server in another network. All traffic between the user and the destination server is routed via the online connection bridge.

What Have We Done?

You have been given a brief introduction to SharkTrustX. The Mako Server includes a crypto security module hardwired for the domain The Mako Server also includes a soft crypto module that lets you use a different portal. You can use a different portal by adding the following settings in mako.conf:

  • challenge.servername - The portal domain name
  • challenge.key - Portal registration key
  • challenge.secret - Portal secret

See the Mako Server's Let's Encrypt settings for details on the above.

The domain is one of several portals hosted by You can add your own portal (domain name) to this server and be the administrator for the portal. How to set up a new domain name (new portal) is explained in the more detailed Let's Encrypt tutorial.

Note that the portals hosted by our demo server should not be used for production. We may from time to time disrupt this service when testing new features. Instead, you should host your own SharkTrustX server on your own cloud server. See the SharkTrustX GitHub page for details.


With its 128 bits of entropy, SharkTrustX makes the domain name of your server's remote connection bridge virtually impossible to guess. Having said that, a server available via the remote connection bridge should, from a security perspective, be considered similar to a server accessible via port forwarding. You must implement authentication if you have a server-side web application that can do real work. A static web page such as the Mako Server's integrated hello page is safe to show anyone without authentication.
