Can someone suggest a free VPN for an over-the-internet RDP setup?

Presently I just port forward to the computer’s RDP, but this is a bad idea. Can someone:

  1. Suggest a free VPN.
  2. Explain how exactly this would work? Do I still keep RDP enabled? I guess I would go into the router and DISable the port forwarding to 3389, but what do I need to do to enable VPN access?

Tailscale, ZeroTier, WireGuard…

Explain how exactly this would work? Do I still keep RDP enabled?

Obviously…

I guess I would go into the router and DISable the port forwarding to 3389,

Correct

but what do I need to do to enable VPN access?

Depends on your chosen VPN solution…

There are MANY VPN services that can do this… MANY have been suggested to you, this thread and your other one.

Does your router/gateway have a remote access VPN service built in? Use that…

Start trying them, figure them out, and figure out what you like.

Go look at ZeroTier.

You can run your own VPN; IPsec and WireGuard tend to perform best.

SSHd with certificates…

When you connect to your SSH server, you set up a port forward so that 127.0.0.2:45675 actually goes to 192.0.2.34:3389 and then enter 127.0.0.2:45675 into mstsc.exe.

If it’s just RDP you want then you could consider Apache Guacamole as an RDP gateway.

You can set it up with a TOTP secondary auth for some added security, requiring a code from an authentication app such as Google Authenticator to log you in.

Your router may have built-in support for OpenVPN. Worth looking before setting up a dedicated VPN box.

Re: WireGuard: https://www.turnkeylinux.org/wireguard

Will that work? I could put it on a $50 used thin client. But could you explain how it works? So basically I install it on the thin client and connect the thin client to the router. Then, I go into the router, disable port forwarding directly to the Windows Desktops, and enable port forwarding to the thin client? So then access over WWW to the Windows Desktops is gone; only option is to connect over WWW to thin client VPN, and THEN connect through that thin client to the Windows Desktops (same RDP protocol, but using local LAN 192.168.1.XXX IP?)?

Love my WireGuard setup. Super fast, rock solid and free. Not the easiest to set up (OpenVPN is easier IMO), but truly great.

Will this work?

https://www.turnkeylinux.org/wireguard

I have some experience installing and running Turnkey Redmine on a thin client PC, but nothing VPN-specific (just the Linux installation, shell login, etc… stuff).

Basically yes.

I’ve used it with an RPi, moved to Proxmox but kept the same software:

Works great!

There is an x86 image or Proxmox etc. If you are not very comfortable with Linux, it’s super easy.
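
The layout asked about above (thin client as the only internet-facing endpoint, RDP reached through it on LAN addresses), sketched as a pair of WireGuard configs. This is an added example, not part of any post in this thread or of the TurnKey appliance. Assumptions: thin client at 192.168.1.10 with LAN interface eth0, one desktop at 192.168.1.50, tunnel subnet 10.8.0.0/24, UDP port 51820; keys and the public address are placeholders.

```ini
# Router (assumed steps): delete the TCP 3389 forward to the desktop,
# add a single forward: UDP 51820 -> 192.168.1.10 (the thin client).
# RDP stays enabled on the desktop; it is just no longer internet-facing.

# ---- Thin client (VPN gateway): /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <GATEWAY_PRIVATE_KEY>
# Route tunnel traffic into the LAN, but only RDP to the one desktop.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -d 192.168.1.50 -p tcp --dport 3389 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j DROP
# Source-NAT so the desktop replies to the thin client (no LAN route changes).
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d 192.168.1.50 -p tcp --dport 3389 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# The remote laptop; only this key may use tunnel address 10.8.0.2.
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# ---- Remote laptop: WireGuard client tunnel config ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
PublicKey = <GATEWAY_PUBLIC_KEY>
Endpoint = <ROUTER_PUBLIC_IP_OR_DDNS>:51820
# Send only traffic for the desktop through the tunnel (split tunnel).
AllowedIPs = 192.168.1.50/32
# Keeps the NAT mapping alive when the laptop sits behind another router.
PersistentKeepalive = 25
```

With the tunnel up, mstsc.exe is pointed at 192.168.1.50 exactly as it would be on the LAN. A scan of the public address from outside should then show TCP 3389 closed.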