Remote desktop Safety

[danmitch1]

Hey guys, Ive been back at work since the beginning of June and im basically babysitting a dead office for the most part of the day. I figure I could be more productive with my own projects if I could only have access to my PC from home.. Ive done at home RDP inside the safety of my home network and now want to venture out of that safety zone.

With my helix gateway router I easily can forward the port to my PC so that Its accessible but what is lacking on that router is the option to hook up a network wide vpn. I cant afford to buy a VPN compatible router atm so thats not the solution ( hopefully not the only solution..)

I realize using the default listening port 3389 is an obvious weak move and opens you up to hackers. This morning I tried to follow a tutorial to change the default listening port in the registry editor..

1. In Registry Editor, navigate to HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Control, Terminal Server, WinStations and RDP-Tcp.
2. Right click on the PortNumber

But, under RDP-Tcp I do not see Portnumber.

Then I thought, does this actually make you that much safer ?

Also, with the router I have, there is an android app that I can add and delete a port forward on the fly. So what im wondering is, if im logged on to port 3389 can someone else log in as well? If not, am I just as safe if once done, I delete that port forward?

I also read that you can allow only one IP address from accessing the RDP so like I would put my work IP, but I cant seem to find that option on my router either.

Thanks for any help you might give !

 

[Sagath]

VPN is the only way I'd do this, personally. Is there other ways? Sure. But watching my NAS get hammered with port requests from Iran, Egypt, and China (before I had PFsense set up) makes me more like @KaptCrunch tinfoil crazy conspiracy dude.

You could set up a pi (if you have one spare) with OpenVPN or WireGuard. It would still leave a port open I believe, but at least its only to the pi. Alternatively (and more complex) you could set up PFsense on a spare machine to replace the router.

Beyond that I dont know, maybe someone more knowledgeable with networking can chime in.

 

[danmitch1]

VPN is the only way I'd do this, personally. Is there other ways? Sure. But watching my NAS get hammered with port requests from Iran, Egypt, and China (before I had PFsense set up) makes me more like @KaptCrunch tinfoil crazy conspiracy dude.

You could set up a pi (if you have one spare) with OpenVPN or WireGuard. It would still leave a port open I believe, but at least its only to the pi. Alternatively (and more complex) you could set up PFsense on a spare machine to replace the router.

Beyond that I dont know, maybe someone more knowledgeable with networking can chime in.

Oh crap! how are you monitoring that NAS port requests?
Lol, I dont blame him, our world is soooo fked up...
If all port forwarding is off, i should be relatively safe? Can more than one user connect to one port?

edit: and that PFsense might be an idea... I have a machine I use just for 3d printing to run an octo print server.. could I use that same machine I wonder?

 

[JD]

Please, please, please do not open RDP to the Internet. Regardless of what port you run it on, bots will find you and start attacking it.

At the very least, setup something like Guacamole (https://guacamole.apache.org/) to act as a RDP Gateway. Alternatively, if you are able to, run a Windows Server VM and install the RDP Gateway role.

And yes, if a port is open, the world can connect to it. The only way having a port open would be semi-secure was if you only accepted connections on that port from the specific IP of your phone/external device, but that would be pretty messy to manage and I'm not certain something your Videotron router allows.

 

[Marzipan]

hey dan, VPN routers don't have to be expensive.

take the TP-Link TL-R600VPN , which goes for about $80. it's not the most advanced, but it gets you a secure tunnel.

 

[danmitch1]

Please, please, please do not open RDP to the Internet. Regardless of what port you run it on, bots will find you and start attacking it.

At the very least, setup something like Guacamole (https://guacamole.apache.org/) to act as a RDP Gateway. Alternatively, if you are able to, run a Windows Server VM and install the RDP Gateway role.

And yes, if a port is open, the world can connect to it. The only way having a port open would be semi-secure was if you only accepted connections on that port from the specific IP of your phone/external device, but that would be pretty messy to manage and I'm not certain something your Videotron router allows.

Yup! I deleted the forwarded port ( I actually did each time I was done testing just incase) You think I could run 2 VM's off the same machine?

hey dan, VPN routers don't have to be expensive.

take the TP-Link TL-R600VPN , which goes for about $80. it's not the most advanced, but it gets you a secure tunnel.

Oh nice! thanks for that.. I have to contemplate this not to mention justify the purchase, tough times financially.. who knows, my work might pick up and then I will not beable to "play" anymore..

If I can get this working for free, it would be great!

Edit: that router is not wifi though eh? not sure I can use both routers.. like if I went that route?

 

[lowfat]

Edit: that router is not wifi though eh? not sure I can use both routers.. like if I went that route?

You'd just disable DHCP + the firewall on the second router.

 

[danmitch1]

Ahh ok , good to know. So at least I can save $ on a non wifi router

 

[Entz]

And yes, if a port is open, the world can connect to it. The only way having a port open would be semi-secure was if you only accepted connections on that port from the specific IP of your phone/external device, but that would be pretty messy to manage and I'm not certain something your Videotron router allows.

Yeah it is a PITA, we did this once and what we did is setup an account on a dynamic DNS system that the "remote" router (or PC to push) updated to keep the IP in sync, then you need to have a powershell script running on the target every few minutes that gets the IP from that dyndns system and updates the firewall rules. It does work but OpenVPN takes far less time.

If your only going to access a single machine, you could just setup OpenVPN server on it. Takes a few minuets and that would let you connect. You would then VPN to the RDP to the LAN address. Though if you have a way of doing it external (PI, commercial non-ISP router, VM, etc) that is better (usually if you want one you want more than one PC )

 

[danmitch1]

Yeah it is a PITA, we did this once and what we did is setup an account on a dynamic DNS system that the "remote" router (or PC to push) updated to keep the IP in sync, then you need to have a powershell script running on the target every few minutes that gets the IP from that dyndns system and updates the firewall rules. It does work but OpenVPN takes far less time.

If your only going to access a single machine, you could just setup OpenVPN server on it. Takes a few minuets and that would let you connect. You would then VPN to the RDP to the LAN address. Though if you have a way of doing it external (PI, commercial non-ISP router, VM, etc) that is better (usually if you want one you want more than one PC )

Yeah, id like to try the VM route. Can I run more than one off the same machine? as I mentioned I have a VM running octoprint but then again I only run it when I want to print, when I print im at home, Sooo i guess i just answered my own question eh lol...