How To Securely Configure Remote Desktop

Setup remote desktop securely without exposing RDP port to Internet

One of the best features of Windows is its remote desktop functionality. Back in the early days of the Internet it was no problem configuring your home PC to be accessible from anywhere: enable it, open some ports on your router, and you were done. These days, securely configuring remote desktop is more difficult. Bots constantly probe for open port 3389 (the port used by RDP), and if your ISP is someone like Xfinity, they will automatically block the port once a bot has been detected, defeating the whole purpose of having the port open. Security bugs have also been discovered in RDP itself, which has made running RDP on an Internet-facing port a dangerous undertaking.

Meshify addresses these concerns and makes it once again safe to connect back to your home PC with remote desktop. Meshify lets you create a lightweight, secure VPN connection to your home, so RDP is only reachable over the tunnel and port 3389 never has to be opened on your router. And it’s free! Once you see how useful we are, you may be interested in one of our paid plans that really lets you take control of your network.

The first thing you need to do to setup remote desktop is to enable it. On a Windows 10 Pro machine, go to Settings, System, and then click on Remote Desktop in the left-hand menu.

Enabling Remote Desktop

Click on “Enable Remote Desktop” to enable it. Now, it’s time to setup the VPN.
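As an added example (not code from the Meshify page or product), here is the same step done from an elevated PowerShell prompt, together with two settings the Settings toggle does not surface: Network Level Authentication and a TLS-only security layer. The registry paths are the standard Terminal Server keys; the firewall rule group it enables is the same one the toggle enables, and tightening that group to the VPN subnet is worth doing once the mesh is working.

```powershell
# Added example, not from the Meshify page: enable Remote Desktop from an
# elevated PowerShell prompt and harden the listener at the same time.
# Assumes Windows 10 Pro with the default RDP-Tcp listener.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

# 1. Allow incoming Remote Desktop connections (0 = allow, 1 = deny).
#    This is the value the "Enable Remote Desktop" toggle flips.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0

# 2. Require Network Level Authentication: the client must authenticate
#    before the host creates a session, which shrinks the amount of code an
#    unauthenticated peer can talk to.
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1

# 3. Require TLS for the RDP security layer (0 = RDP, 1 = negotiate, 2 = TLS).
Set-ItemProperty -Path $rdp -Name SecurityLayer -Value 2

# 4. The Settings toggle also enables the built-in firewall rule group,
#    which allows RDP from ANY remote address. Enable it for now; restrict it
#    to the mesh subnet once the VPN is working.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Read everything back rather than trusting that the writes succeeded.
$listenPort = (Get-ItemProperty $rdp).PortNumber
[pscustomobject]@{
    RdpEnabled  = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    NlaRequired = (Get-ItemProperty $rdp).UserAuthentication -eq 1
    TlsRequired = (Get-ItemProperty $rdp).SecurityLayer -eq 2
    ListenPort  = $listenPort
    Listening   = @(Get-NetTCPConnection -LocalPort $listenPort -State Listen `
                    -ErrorAction SilentlyContinue).Count -gt 0
} | Format-List
```

All three settings apply to new connections without a reboot. If any of the first three properties reads false afterwards, Group Policy is overriding the registry value and the corresponding policy under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services needs to be changed instead.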

Creating a new mesh

Log in to the Meshify admin. Note that you can log in using your Google or Microsoft account rather than storing credentials with us; we are not interested in managing your credentials. Using your own identity provider gets you all of its benefits, such as multi-factor authentication. After logging in, click on Meshes and then click “Create New Mesh”.

Create new mesh

Name your mesh; in our case we chose “meshify”. The name you choose here will show up in Task Manager (or in ifconfig / ip addr on Linux), so you can be creative, or you can just call it “home”. You also need to specify the IP subnet. Enter 10.10.10.0/24 and press Tab. In the unlikely event that your local network already uses this subnet, choose another, such as 10.0.0.0/24, 192.168.100.0/24, or any other private-use (RFC 1918) range, since an overlapping subnet would leave the mesh addresses unroutable. We assign and distribute IP addresses from the subnet you enter here. With Meshify you choose the subnets for your VPN, and if a machine needs a specific address within that subnet, you can assign it. If you would like to specify DNS servers, enter them next; we have specified 9.9.9.9 in the screenshot above. Enable UPnP and click Submit. Keep in mind that UPnP lets any device on your LAN ask the router to open a port; it is convenient, but if you would rather not allow that, leave it off and set up a manual port forward as described under Troubleshooting.

Adding a Windows Host

After creating the Mesh, you need to add hosts to it. For this download the Meshify Agent for Windows. Follow the instructions and install the client.

Launch the Meshify Agent and click the Login button. A browser window will pop up to assist with the login; log in the same way you originally logged into the admin. After a successful login, click “Add Host”.

You will be presented with your list of meshes. Select the appropriate mesh and click OK. After a few seconds you should see the mesh appear in the UI. You can now exit the program.

Managing your Hosts

Now that you’ve created your host, you manage it in the admin. Click on “Hosts” to see your newly added host.

Note that “Endpoint” is blank. For the other members of the mesh to reach this host across the Internet, you must specify an endpoint: the public IP address of your home connection and the port the agent listens on. Open a new browser tab and search for “What is my IP address”; the first result is typically your IP address. Click the edit icon, paste this value into the Endpoint field, then add a colon and 51820 (the result has the form 203.0.113.10:51820). For Listen port, also specify 51820; the listen port is the port your router will forward to, so the two must match. Click Submit.

Specify your external IP address and a port for the endpoint

Note that if you see results with lots of colons in them, that is an IPv6 address. While we fully support IPv6, it may cause you unnecessary problems, so we recommend starting with an IPv4 address if one is available. Click through the other search results until you find your IPv4 address, which looks similar to the one above (four numbers separated by dots).

After you make this change, the Meshify Agent running on your Windows machine will pick it up and update its configuration. Because UPnP is enabled on the mesh, the agent automatically sets up the port forwarding from your router/gateway to your Windows machine and keeps your external IP address in sync. The UPnP mapping is refreshed hourly in case you reboot your router (or the mapping is lost for other reasons).

You have now configured your home machine to be securely accessible from the Internet: only the VPN port is forwarded, and RDP itself is reachable solely over the mesh. Repeat the process of adding a Windows host for your laptop, then head off to a coffee shop and test the connection by pointing Remote Desktop at the mesh IP address of your home PC. Enjoy!

Troubleshooting

There are many things that can go wrong, and multiple ways of solving each problem. If you can tether your laptop to your phone, you can iron out most of these issues from the comfort of your own home, since the tethered laptop sits outside your home network just as it would at the coffee shop.

Disable Windows Firewall

To disable the Windows firewall, go to “Settings”, “Update and Security”, click “Windows Security”, then “Open Windows Security”. Click “Firewall and Network Protection” and disable the firewall for both public and private networks. Now check whether you can RDP into the machine using the IP address assigned by Meshify. Keep this window short: while the firewall is off, nothing stands between the host and any other device on its local network. If this solves your problem, re-enable the firewall and allow Remote Desktop through it, ideally only from the mesh subnet rather than from any address, since there is no reason for RDP to accept connections from anywhere else.
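As an added example (not from the Meshify page), the following PowerShell does the secure version of the step above: instead of switching the firewall off, it replaces the built-in any-address Remote Desktop rules with one that only admits the mesh subnet, and turns on logging of dropped packets so a failed connection leaves evidence. It assumes the 10.10.10.0/24 mesh subnet chosen earlier, RDP on TCP 3389, and an elevated prompt on the home PC; the rule name is made up here.

```powershell
# Added example, not from the Meshify page: allow RDP only from the mesh and
# log what the firewall drops, rather than disabling the firewall to test.
# Assumptions: mesh subnet 10.10.10.0/24, RDP on TCP 3389, elevated prompt.

$meshSubnet = '10.10.10.0/24'
$ruleName   = 'RDP from Meshify mesh only'   # name chosen for this example

# The built-in "Remote Desktop" rule group allows RDP from ANY remote address
# on the profiles it applies to. Turn it off and use a scoped rule instead.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # -Profile Any: the tunnel adapter often lands in the Public profile, and a
    # rule limited to Private would silently not apply to it.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $meshSubnet -Profile Any | Out-Null
}

# Make sure every profile is on and blocks inbound traffic by default.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Log dropped packets. A failed RDP attempt then shows up as a DROP line with
# destination port 3389, which tells you it is the firewall and not the VPN.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogFileName $log

# Review: which enabled inbound rules can reach 3389, and from where?
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
        }
    }

# After a failed connection from the laptop, look for the drop in the log.
# Log columns: date time action protocol src-ip dst-ip src-port dst-port ...
Get-Content $log -Tail 200 -ErrorAction SilentlyContinue | Select-String 'DROP TCP .* 3389 '
```

The review step should list exactly one rule with Remote = 10.10.10.0/24. If you also use RDP from other machines on your home LAN, add that subnet to -RemoteAddress (it accepts a comma-separated list) rather than re-enabling the built-in group.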

Enable UPnP or Setup Port Forwarding

Most of the time UPnP is enabled by default on your Internet gateway. Log in to your gateway by whatever means your ISP provides (this may be logging into the router directly with a web browser, or through the ISP’s website) and check. If UPnP is enabled but not working, reboot the router; once it is back up, reboot the local machine. That should resolve the problem. If for some reason UPnP cannot be enabled, and your router supports manual port forwarding, you can forward the listen port (51820 in our example) to the machine instead. You will need to know the local (non-Meshify) IP address of the machine; you can usually find it by typing ipconfig /all at a command prompt on the machine. A manual forward has an advantage of its own: only the one port you chose is opened, and no other device on your LAN can open ports through the router.

Note that it is not a requirement to use 51820 as the port number. As long as you are consistent between the Endpoint, the Listen port, and the port forward, you can use any port (1024-65534) you want. Important: exposing multiple endpoints for the same machine is perfectly acceptable, but each endpoint must use a different port. The Endpoint field can also accept multiple IP address/port combinations, and is typically used to specify the IPv4 and IPv6 endpoints for the host. If you have a multi-homed router (more than one upstream connection), we recommend creating a “backup” mesh for reaching your hosts over the non-primary connection.
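The endpoint, listen port and port forward above all have to agree, and the public address can change under you. As an added example (not from the Meshify page), this PowerShell gathers the facts those three settings depend on from the home PC. It assumes port 51820, the 10.10.10.0/24 mesh subnet, a public-IP lookup at https://api.ipify.org (any "what is my IP" service that returns plain text will do), and that you paste your own Endpoint value into $endpoint; the 203.0.113.10 address is a constructed sample.

```powershell
# Added example, not from the Meshify page: sanity-check the Endpoint,
# listen port and port-forward target before leaving the house.
# Assumptions: IPv4 endpoint "ip:port", mesh subnet 10.10.10.0/24, and a
# plain-text public-IP service at https://api.ipify.org.

$endpoint = '203.0.113.10:51820'    # constructed sample; paste your own value
$ip, $port = $endpoint -split ':'    # IPv4 only: an IPv6 endpoint has many colons
$port = [int]$port

# 1. Local (non-mesh) address: this is the target for a manual port-forward
#    rule when UPnP is unavailable (the same value ipconfig /all shows).
$lan = Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object {
           $_.IPAddress -notlike '127.*' -and       # loopback
           $_.IPAddress -notlike '169.254.*' -and   # no DHCP lease
           $_.IPAddress -notlike '10.10.10.*'       # the mesh itself
       } | Select-Object -First 1 -ExpandProperty IPAddress

# 2. Is anything on this machine listening on the configured port? The page
#    does not say whether the tunnel is UDP or TCP, so check both.
$udp = @(Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue).Count
$tcp = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue).Count

# 3. Does the public IPv4 address still match the Endpoint? Home addresses
#    change, and a stale Endpoint is the most common reason the laptop
#    cannot reach the mesh from outside.
$public = (Invoke-RestMethod -Uri 'https://api.ipify.org' -TimeoutSec 10).Trim()

[pscustomobject]@{
    Endpoint         = $endpoint
    ForwardTo        = "$lan`:$port"          # router rule: WAN $port -> this
    ListenerPresent  = ($udp + $tcp) -gt 0
    PublicIPv4       = $public
    EndpointMatches  = ($public -eq $ip)
    PortInRange      = ($port -ge 1024 -and $port -le 65534)
} | Format-List
```

If ListenerPresent is false the agent is not running or is not yet using the new configuration; if EndpointMatches is false, update the Endpoint in the admin (with UPnP enabled the agent does this for you, but only while it is running). Note that Test-NetConnection from the laptop only probes TCP ports, so it cannot confirm a UDP forward; the real test remains an RDP connection to the mesh address.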