Setting up a VPN Server for RDP Access - Exclude RDP Port

[jksmurf]

Colin in this thread https://www.snbforums.com/threads/allow-access-to-port-only-from-certain-remote-ips.64435/ had a nice way of explaining RDP and OpenVPN simply but I have another question, so hopefully I am not asking something already answered (or I can only find very complex responses).

I would like to use an iPAD / Notebook to RDP into my own Windows 11 PC.
I have set up the VPN Server on my RT-AX86U and imported the OpenVPN profile into my iPAD.
The OpenVPN connection works fine, I can connect (tested it with the Router admin page). So that is step 1.

However I have 2 questions before I try to enable RDP (Step 2):

1. As I am coming from outside my Home Network (to connect to my Home Network), do I need to enable "Internet" as well as LAN Connection? Does that option mean "(a) Do you want to access the VPN Server (Tunnel) from the Internet or from the LAN (or Both) OR (b) Does it mean "Do you want Internet Access when tunnelling in (if so why would I?). The wording of this option is a wee bit confusing (for me at any rate).
2. However the main question I have is RDP Security. I understand that RDP ordinarily uses port 3389. However if I Tunnel in using a VPN, then my understanding is that it is "as if "I was already WITHIN my Home Network, i.e. in my LAN (only) correct? If so then is it correct to say no port opening is required at all i.e. I can make it more secure by keeping all my Ports closed (as I have now)? If this is correct, how do I tell RDP NOT to use any ports (at all) but assume I am only locally in the LAN?

Thanks a lot!

k.

 

[nbdwt73]

I use RDP thru a VPN to support a small business quite a lot. First question answer - if you want to provide security for your device(s) while traveling outside your private network (coffee shop, hotel, etc) then enable 'both'. That gives you a way to ensure a secure access point from an unknown environment. I use that feature (as do most people) as the main reason for my VPN. Plus, if you travel abroad as I do it also gives you a way to access sites that may be restricted to domestic only access (ex certain shopping sites).

Second question - no additional ports necessary. It acts as if you are on your local LAN (and you really are...).

 

[elorimer]

You do not need "Both" to RDP this way. "LAN" will work too. I'll spell this out.

The LAN option pushes to your client a route to your LAN. When your RDP client looks for the IP of your W11 machine, it then knows to go over the tunnel to find it.

The Internet option pushes to your client an instruction to redirect the default gateway of your ipad to the OpenVPN server. So when your ipad looks for some website, like cnn.com, that is not on its own LAN, it goes over the tunnel to your OpenVPN server for it, which in turn goes out your server's internet connection.

"Both", naturally, does both. In some cases that is a good thing, and in some cases it is a bad thing. Particularly if you have a slow upload speed (mine is 200/10), you are limited in your client's download speed to what your server can upload. If you are in a secure location, you don't want or need that unless you are doing some geolocating.

You can use the two servers to provide both options, or you can leave one server on "Both" but add a second client configuration to your Ipad, identical to the first, which adds pull-filter ignore redirect-gateway. That tells the client that when the server pushes to it the instruction to redirect the gateway, the client should ignore it. That gives you the ability on the Ipad to select whichever setup you want, using only one server.

 

[elorimer]

However the main question I have is RDP Security. I understand that RDP ordinarily uses port 3389. However if I Tunnel in using a VPN, then my understanding is that it is "as if "I was already WITHIN my Home Network, i.e. in my LAN (only) correct? If so then is it correct to say no port opening is required at all i.e. I can make it more secure by keeping all my Ports closed (as I have now)? If this is correct, how do I tell RDP NOT to use any ports (at all) but assume I am only locally in the LAN?

On the subject of RDP security. It is better to access your LAN over the VPN tunnel, because then you can (and should) add certificate-based authentication into the mix, instead of just user/password. This also makes it easier to access more than one machine. You do end up with perhaps unnecessary dual encryption, since the RDP client/W11 machine pair is encrypting the connection over the tunnel, and the Asus OpenVPN server/ipad client is also encrypting the tunnel. Unless the processing speed of the router is limiting your connection speed unacceptably, that shouldn't be a problem.

If you use RDP alone with port forwarding, you should move the port to something else. Better than that, lie down until it dawns on you to use OpenVPN. But you should also be sure you have set up both an Administrator account on your W11 machine, and a standard account (which you should do anyway, and only use the standard account), and then restrict RDP to the standard account. Administrators by default have access to RDP.

 

[jksmurf]

Thank you very much to both of you. I’m afraid it might take some time for me to get my head fully around elorimer‘s explanation although I will try.

In the case of Both, with the example website given, if the iPad is connected to say some coffee shop Wi-Fi somewhere, does this mean it will get cnn.com from the internet via that Wi-Fi, or go down the tunnel for it and get that website from my home networks internet?

On the second query, when you’re setting up RDP on the Win 11 machine (that is connected to the Router acting as VPN Server) do you have to actively select an option NOT to use any port (eg 3389) or does this happen by default?

thanks again

k.

 

[ColinTaylor]

"Both" means the iPad will get its internet via your home network. "LAN only" means the iPad will get it's internet directly (as normal) and only LAN traffic will go via the VPN.

You do not need to make any changes for RDP when connecting via a VPN.

 

[jksmurf]

"Both" means the iPad will get its internet via your home network. "LAN only" means the iPad will get it's internet directly (as normal) and only LAN traffic will go via the VPN.

You do not need to make any changes for RDP when connecting via a VPN.

Fantastic thank you Colin, very succinctly put. I am assuming that because I am "virtually" inside my LAN, then no ports need to be opened by RDP (on any machine) for me to connect to any PC within it, just the IP Address.

Awesome, I have seen quite a few posts and have been reading a lot about VPN Tunnels and still have a huge amount to learn, but a big thank you to all you kind folks at snbforums helping to simplify the concepts and implementation for my needs.

Thank you!

k.

 

[Viktor Jaep]

@jksmurf ... instead of messing with RDP, which can be quite the pain from the permissions and firewall perspective on a windows box, then dealing with inbound/outbound VPN as well, why not make it easy on yourself. Just install Teamviewer on your internal Windows boxes... it's free for personal use. They have Apple and Android clients as well which are free. It's a safe and secure point to point encrypted tunnel between viewer and server, and have even added a MFA solution to it as well. You can do file transfers, etc. Been using this tool for at least 10 years now very successfully to remote into my machines, and family's devices from outside our LAN.

 

[Jack Yaz]

@jksmurf ... instead of messing with RDP, which can be quite the pain from the permissions and firewall perspective on a windows box, then dealing with inbound/outbound VPN as well, why not make it easy on yourself. Just install Teamviewer on your internal Windows boxes... it's free for personal use. They have Apple and Android clients as well which are free. It's a safe and secure point to point encrypted tunnel between viewer and server, and have even added a MFA solution to it as well. You can do file transfers, etc. Been using this tool for at least 10 years now very successfully to remote into my machines, and family's devices from outside our LAN.

I'd recommend giving VNC Connect a look as well. They have a free Home subscription for 5 computers for personal use. The paid subscription isn't unreasonable either, I subscribe for a couple of devices that I needed more than Home's features on

 

[jksmurf]

@jksmurf ... instead of messing with RDP, which can be quite the pain from the permissions and firewall perspective on a windows box, then dealing with inbound/outbound VPN as well, why not make it easy on yourself. Just install Teamviewer on your internal Windows boxes... it's free for personal use. They have Apple and Android clients as well which are free. It's a safe and secure point to point encrypted tunnel between viewer and server, and have even added a MFA solution to it as well. You can do file transfers, etc. Been using this tool for at least 10 years now very successfully to remote into my machines, and family's devices from outside our LAN.

Thanks for that, actually I'm not married to Microsofts RDP per se, just thought the Client Apps on iPADs, Phones, Notebooks etc. would be more robust and ubiquitous using it (also for other family users). Oddly, a long time ago (before TeamViewer) I used to use UVNC too, with all those code certs and files you had to use to use. It was good, but quite 'techy' compared to today's offerings.

I have actually had (still do) TeamViewer installed for about 5 years or so and even used to use it remotely, but recently started to get worried about security (My wife's company (small biz) got hacked recently as they dropped VPN in favour of just using RDP, due to the VPN dropping connections etc. it's another story but the server files were all tagged and a message on the screen of the Boss made things very clear - quite scary).

Hence the entry into VPN which after the initial 1000-yard stare of zero comprehension, doesn't seem too difficult to implement.

k.

 

[iTyPsIDg]

Fantastic thank you Colin, very succinctly put. I am assuming that because I am "virtually" inside my LAN, then no ports need to be opened by RDP (on any machine) for me to connect to any PC within it, just the IP Address.

Awesome, I have seen quite a few posts and have been reading a lot about VPN Tunnels and still have a huge amount to learn, but a big thank you to all you kind folks at snbforums helping to simplify the concepts and implementation for my needs.

Thank you!

k.

All network communication occurs over one or more ports. Because you are virtually in your LAN, you do not need to open ports on the router for RDP. If you use a software firewall on Windows, you must allow the necessary RDP port from within your network.

Generally, people use the Windows Firewall, and that has three options for types of networks: Public, Private, and Domain. When you first set up your network, you chose Public or Private. Domain happens when you join the machine to an Active Directory domain. You can change the network, but I don't remember how off the top of my head, and I switched to a Mac a few months ago, so I can't quickly check.

In the Windows Firewall, you can create rules so that the RDP port is open on a Private or Domain network but not Public, for example.

But in the end, all communication occurs with the IP and the port.