How to RDP safely?

Long story short: I want to use Windows RDP to connect to my machine with the Microsoft Android app (over the internet).

It seems to me all that’s between me and the h4x0rz is a password. Is there anything more I can do besides changing to port 1337?
I’ve done a bit of reading on an RDP gateway, but that sounds like I have to run a separate server to do that?
I use Parsec at the moment, but it sucks on a phone.
If I should be looking elsewhere than RDP, let me know.

1 Like

You can use WireGuard on Windows these days:

4 Likes

Can you use WireGuard on Android? That is perhaps more important.

I run a NeoRouter free server at home and have my PCs on that NeoRouter virtual private network. I can then run the NeoRouter client on my phone and RDP or VNC onto my PCs as required.

It’s been a while since NeoRouter was updated though, so perhaps it’s time to look for an alternative anyway.

Can you use WireGuard on Android? That is perhaps more important.

Yes. See: Installation - WireGuard
I am using WireGuard on my Android phone without any issues. You can even create QR codes to simply set up your phone: Generating WireGuard QR codes for fast mobile deployments - Server Side Up

2 Likes

It seems to me all that’s between me and the h4x0rz is a password. Is there anything more I can do besides changing to port 1337?

I would not recommend exposing your RDP port to the internet, even if you change the default port.

I’ve done a bit of reading on an RDP gateway, but that sounds like I have to run a separate server to do that?

If you go with a VPN solution like WireGuard, you could do it directly on your Windows PC and then use RDP through the VPN tunnel.

In my case I have a separate Linux host with WireGuard. (As my Windows computer at home is not running 24/7, I am using Wake-on-LAN if I need to connect to it.)

I use Parsec at the moment, but it sucks on a phone.

Is the goal to stream games?

Please make sure that any service you expose to the Internet is up-to-date and uses strong passwords/keys.

2 Likes

Linode, secure SSH with keys, secure VPN with keys (1-to-1 connection), then RDP.

So secure, only you have access, know about it, and you can add extra security.

3 Likes

Another question: I see you have to whitelist IPs for WireGuard. Considering I use a VPN on my phone already, wouldn’t this cause problems (connecting from a different node, etc.)? Also, I doubt my phone is assigned a static IP on the cellular network? EDIT: I suppose if I have it set to 0.0.0.0 it should catch everything, right?
I’ll have to download the WireGuard Android app and see what’s up.

I have a spare Windows (i5 4th gen) box that I’m looking to run this on; currently it’s a Minecraft server and a “NAS”, so it’s already up all the time.

Speaking of NAS/remoting, do people still use FTP for remote file transfers when setting something like this up? SCP over SSH seems to be a good way to go. That being said, the less I have to use a terminal from an Android phone the better.

Thanks for the help y’all.

Don’t expose the RDP port to the internet. Make a VPN, either on a device on the same network as your Windows machine (like an RPi 4) or directly on Windows, then port forward the VPN port on your router. Also, use a DynDNS server. Some routers have DDNS built in (like ASUS’ asuscomm.com), but if your router doesn’t have it, you can use other services like No-IP.

As others recommend, WireGuard is lightweight and easy to configure. It works on Android and Windows. On Android you may need to reconnect from time to time if you leave it always open. You can also do split tunnel, so not all the traffic goes to your home (instead of using 0.0.0.0/0 on your phone, just use the subnet of the VPN and of your home LAN and that’s it, EZ PZ).

Just make sure that both your Windows machine and your VPN (or just Windows if you set WireGuard up on it) have a statically mapped IP address configured in your DHCP server (usually your router). Then you can use Microsoft’s RDP client on Android to connect to RDP from your phone.

The Dynamic DNS part is probably the most important step, so that no matter what IP your home address gets, you can still connect to your VPN.

This.

Changing port numbers does very little because your machine is going to be regularly port-scanned by various people/bots on the internet anyway.

I would recommend not exposing ANY services to the internet except for VPN, and even then, if you know which IPs you are going to be connecting from, whitelist the VPN for those ports.

At least do geo-IP blocking if you can; I mean there’s no reason for IPs from China or Russia to VPN into my home network, for example.

Exposing RDP directly to the internet on whatever port is just asking for disaster, as even if your password is good, there’s been a recent history of RDP exploits to essentially bypass authentication anyway.

Good idea. This doesn’t seem to be a feature built into WireGuard; recommendations?

For full transparency, as far as I’ve gone with this in the past is a DDNS server and all traffic routed through a commercial VPN, so much more than that and I’m not very knowledgeable.

Do you mean the AllowedIPs field?
This is not for the IPs allowed to connect, but for the IPs the device is allowed to be forwarded to after it has connected.
So if you only need a connection to your workstation at home, you could fill in your workstation IP there so the connected VPN client is only allowed to reach this IP.
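To make the AllowedIPs point from this reply (and the split-tunnel remark a few posts up) concrete, here is an added example that nobody in the thread posted: a pair of WireGuard configs, one for an always-on Windows box acting as the VPN endpoint and one for the phone. All keys, the 10.8.0.0/24 tunnel range, the 192.168.1.0/24 home LAN and the DDNS hostname are placeholders I chose for the example; the real keys come from the WireGuard app on each device.

```ini
# Constructed example, not from this thread. Keys, addresses and the DDNS name
# are placeholders.

# ---------- wg0.conf on the Windows box (imported in WireGuard for Windows) ----------
[Interface]
PrivateKey = <private key of the Windows box>
# Address the box has inside the tunnel; the phone's RDP client connects to 10.8.0.1
Address = 10.8.0.1/24
# The only port forwarded on the home router (UDP). RDP itself is never forwarded.
ListenPort = 51820

[Peer]
# The phone. AllowedIPs here is NOT a list of internet IPs allowed to connect:
# it is the set of tunnel addresses this peer may use. A phone whose mobile IP
# changes all day still connects, while packets arriving through this peer with
# any other tunnel source address are dropped.
PublicKey = <public key of the phone>
PresharedKey = <optional extra symmetric key, identical on both sides>
AllowedIPs = 10.8.0.2/32

# ---------- profile imported on the phone (for example as a QR code) ----------
[Interface]
PrivateKey = <private key of the phone>
Address = 10.8.0.2/32

[Peer]
PublicKey = <public key of the Windows box>
PresharedKey = <same optional key as above>
# DDNS name, so the changing home IP does not matter.
Endpoint = myhome.example-ddns.invalid:51820
# Split tunnel: only the tunnel range and the home LAN are routed through the VPN;
# everything else (web browsing) leaves the phone the normal way.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Full-tunnel alternative, routing ALL phone traffic via home:
# AllowedIPs = 0.0.0.0/0
# Keeps the mapping open through the mobile carrier's NAT.
PersistentKeepalive = 25
```

On the phone, the RDP client then targets 10.8.0.1. If the Windows box itself is the only thing you need, the phone's AllowedIPs can be narrowed to 10.8.0.1/32; reaching other LAN hosts through the box requires IP forwarding on it (and a route back or NAT for those hosts), which is where a separate Linux or RPi WireGuard host, as mentioned earlier in the thread, is simpler. Whatever the layout, scope the Remote Desktop inbound rule in Windows Firewall so it only accepts connections from 10.8.0.0/24; then RDP stays unreachable from the WAN side even if a router port forward is later misconfigured.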

For full transparency, as far as I’ve gone with this in the past is a DDNS server and all traffic routed through a commercial VPN, so much more than that and I’m not very knowledgeable.

Things I would have a look at (already mentioned by the others):

  1. Home Router

    • Port Forwarding supported?
      This is a feature on most home routers that allows you to forward a defined port to a device in your network. By default your router at home should block all new incoming connections from the internet. If we want to set up a VPN, we need to be able to forward traffic received on our router to our VPN server.
      I guess if you have a MC server set up you did something like this already?

    • DDNS possible?
      I guess if you set this up already it should be clear.

    • Static IPs for your Workstation & VPN Server/Gateway
      We need to be able to set static IPs if we want to use port forwarding.

  2. Firewall (optional)

    • If you want advanced features like geo-blocking, you may have to think about a dedicated firewall. (To my knowledge the Windows host firewall is not able to do this.)

    • In my case I do not “port forward” directly to my WireGuard server. Instead I have another host (firewall) in between (just for VPN traffic) where I can do additional filtering.
      So it is forwarded like this: INTERNET --> Home Router --> firewall --> WireGuard Server (this is rather advanced).

  3. WireGuard/OpenVPN/etc. Setup

    • There should be a lot of resources online on how to set up WireGuard.