What's new
  • Please do not post any links until you have 3 posts as they will automatically be rejected to prevent SPAM. Many words are also blocked due to being used in SPAM Messages. Thanks!

Remote desktop Safety

danmitch1

Well-known member
Joined
Dec 15, 2007
Messages
2,224
Hey guys, Ive been back at work since the beginning of June and im basically babysitting a dead office for the most part of the day. I figure I could be more productive with my own projects if I could only have access to my PC from home.. Ive done at home RDP inside the safety of my home network and now want to venture out of that safety zone.

With my helix gateway router I easily can forward the port to my PC so that Its accessible but what is lacking on that router is the option to hook up a network wide vpn. I cant afford to buy a VPN compatible router atm so thats not the solution ( hopefully not the only solution..)

I realize using the default listening port 3389 is an obvious weak move and opens you up to hackers. This morning I tried to follow a tutorial to change the default listening port in the registry editor..

  1. In Registry Editor, navigate to HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Control, Terminal Server, WinStations and RDP-Tcp.
  2. Right click on the PortNumber
But, under RDP-Tcp I do not see Portnumber.

Then I thought, does this actually make you that much safer ?

Also, with the router I have, there is an android app that I can add and delete a port forward on the fly. So what im wondering is, if im logged on to port 3389 can someone else log in as well? If not, am I just as safe if once done, I delete that port forward?

I also read that you can allow only one IP address from accessing the RDP so like I would put my work IP, but I cant seem to find that option on my router either.

Thanks for any help you might give !
 

Sagath

Moderator
Staff member
Folding Team
Joined
Feb 7, 2009
Messages
5,549
Location
Edmonton, AB
VPN is the only way I'd do this, personally. Is there other ways? Sure. But watching my NAS get hammered with port requests from Iran, Egypt, and China (before I had PFsense set up) makes me more like @KaptCrunch tinfoil crazy conspiracy dude.

You could set up a pi (if you have one spare) with OpenVPN or WireGuard. It would still leave a port open I believe, but at least its only to the pi. Alternatively (and more complex) you could set up PFsense on a spare machine to replace the router.

Beyond that I dont know, maybe someone more knowledgeable with networking can chime in.
 

danmitch1

Well-known member
Joined
Dec 15, 2007
Messages
2,224
VPN is the only way I'd do this, personally. Is there other ways? Sure. But watching my NAS get hammered with port requests from Iran, Egypt, and China (before I had PFsense set up) makes me more like @KaptCrunch tinfoil crazy conspiracy dude.

You could set up a pi (if you have one spare) with OpenVPN or WireGuard. It would still leave a port open I believe, but at least its only to the pi. Alternatively (and more complex) you could set up PFsense on a spare machine to replace the router.

Beyond that I dont know, maybe someone more knowledgeable with networking can chime in.
Oh crap! how are you monitoring that NAS port requests?
Lol, I dont blame him, our world is soooo fked up...
If all port forwarding is off, i should be relatively safe? Can more than one user connect to one port?

edit: and that PFsense might be an idea... I have a machine I use just for 3d printing to run an octo print server.. could I use that same machine I wonder?
 

JD

Moderator
Staff member
Joined
Jul 16, 2007
Messages
10,614
Location
Toronto, ON
Please, please, please do not open RDP to the Internet. Regardless of what port you run it on, bots will find you and start attacking it.

At the very least, setup something like Guacamole (https://guacamole.apache.org/) to act as a RDP Gateway. Alternatively, if you are able to, run a Windows Server VM and install the RDP Gateway role.

And yes, if a port is open, the world can connect to it. The only way having a port open would be semi-secure was if you only accepted connections on that port from the specific IP of your phone/external device, but that would be pretty messy to manage and I'm not certain something your Videotron router allows.
 

Mr. Friendly

Well-known member
Joined
Nov 21, 2007
Messages
6,774
Location
British Columbia
hey dan, VPN routers don't have to be expensive.

take the TP-Link TL-R600VPN , which goes for about $80. it's not the most advanced, but it gets you a secure tunnel. :)
 

danmitch1

Well-known member
Joined
Dec 15, 2007
Messages
2,224
Please, please, please do not open RDP to the Internet. Regardless of what port you run it on, bots will find you and start attacking it.

At the very least, setup something like Guacamole (https://guacamole.apache.org/) to act as a RDP Gateway. Alternatively, if you are able to, run a Windows Server VM and install the RDP Gateway role.

And yes, if a port is open, the world can connect to it. The only way having a port open would be semi-secure was if you only accepted connections on that port from the specific IP of your phone/external device, but that would be pretty messy to manage and I'm not certain something your Videotron router allows.
Yup! I deleted the forwarded port ( I actually did each time I was done testing just incase) You think I could run 2 VM's off the same machine?

hey dan, VPN routers don't have to be expensive.

take the TP-Link TL-R600VPN , which goes for about $80. it's not the most advanced, but it gets you a secure tunnel. :)
Oh nice! thanks for that.. I have to contemplate this not to mention justify the purchase, tough times financially.. who knows, my work might pick up and then I will not beable to "play" anymore..

If I can get this working for free, it would be great!

Edit: that router is not wifi though eh? not sure I can use both routers.. like if I went that route?
 

danmitch1

Well-known member
Joined
Dec 15, 2007
Messages
2,224
Ahh ok , good to know. So at least I can save $ on a non wifi router (y)
 

Entz

Well-known member
Joined
Jul 17, 2011
Messages
1,870
Location
Kelowna
And yes, if a port is open, the world can connect to it. The only way having a port open would be semi-secure was if you only accepted connections on that port from the specific IP of your phone/external device, but that would be pretty messy to manage and I'm not certain something your Videotron router allows.
Yeah it is a PITA, we did this once and what we did is setup an account on a dynamic DNS system that the "remote" router (or PC to push) updated to keep the IP in sync, then you need to have a powershell script running on the target every few minutes that gets the IP from that dyndns system and updates the firewall rules. It does work but OpenVPN takes far less time.

If your only going to access a single machine, you could just setup OpenVPN server on it. Takes a few minuets and that would let you connect. You would then VPN to the RDP to the LAN address. Though if you have a way of doing it external (PI, commercial non-ISP router, VM, etc) that is better (usually if you want one you want more than one PC :p)
 
Last edited:

danmitch1

Well-known member
Joined
Dec 15, 2007
Messages
2,224
Yeah it is a PITA, we did this once and what we did is setup an account on a dynamic DNS system that the "remote" router (or PC to push) updated to keep the IP in sync, then you need to have a powershell script running on the target every few minutes that gets the IP from that dyndns system and updates the firewall rules. It does work but OpenVPN takes far less time.

If your only going to access a single machine, you could just setup OpenVPN server on it. Takes a few minuets and that would let you connect. You would then VPN to the RDP to the LAN address. Though if you have a way of doing it external (PI, commercial non-ISP router, VM, etc) that is better (usually if you want one you want more than one PC :p)
Yeah, id like to try the VM route. Can I run more than one off the same machine? as I mentioned I have a VM running octoprint but then again I only run it when I want to print, when I print im at home, Sooo i guess i just answered my own question eh lol...
 
Top