How to Secure Windows Remote Desktop (RDP) with Wireguard VPN

There have been more and more RDP brute-force attacks followed by ransomware. At the same time, since the pandemic it’s important to have remote access to your Windows infrastructure.

Luckily, securing RDP with WireGuard is pretty easy, and there is a WireGuard app for most platforms: Windows, macOS, Linux, iOS, Android, etc. www.wireguard.com/instal…

From: www.henrychang.ca/how-to…

Set up your firewall rules (just as you would for a Linux server: open and forward port 51820 (UDP), configure DDNS, etc.).

WireGuard for Windows comes with a handy graphical tool for setting up the VPN. Simply download and install the Windows version and run WireGuard.

From: golb.hplar.ch/2019/07/wi…

One feature I like is that the Windows version of WireGuard remembers the VPN connection state. When you reboot Windows while WireGuard is connected to the server, the software automatically reconnects and re-establishes the VPN tunnel when it starts up. This prevents you from accidentally connecting without a VPN.

My server conf:

[Interface]
PrivateKey = 
ListenPort = 51820
Address = 10.5.4.1/32

[Peer]
PublicKey = 
AllowedIPs = 10.5.4.25/32

[Peer]
PublicKey = 
AllowedIPs = 10.5.4.20/32

To add another user just add another [Peer] section.

Then install the client app.

My client conf:

[Interface]
Address = 10.5.4.25
PrivateKey = 
#DNS = 10.5.5.1 #Server caching dnsmasq that forwards to azure
#DNS = 168.63.129.16 #Azure
DNS = 1.1.1.1 #Cloudflare

[Peer]
PublicKey = 
Endpoint = <serverip>:51820
#Endpoint = 127.0.0.1:59401
#AllowedIPs = 0.0.0.0/0
AllowedIPs = 10.5.4.1/32

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

To generate a keypair for your client, I use:

wg genkey | tee privatekey | wg pubkey > publickey

To turn your conf file into a QR code, use:

qrencode -t ansiutf8 < wg0.conf
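The key generation and the two confs above rolled into one provisioning script, added here as an example; it is not part of the original post or of the WireGuard project. It assumes wg.exe (shipped with WireGuard for Windows) is on PATH or in its default install folder, and that you supply the server's public key, its endpoint (your DDNS name or public IP) and the host number for the new client's tunnel address; those three are placeholders, not values from the post.

```powershell
# Added example, not from the original post or the WireGuard project: provision one
# client for the server/client layout above. Assumes wg.exe (shipped with WireGuard
# for Windows) is on PATH or in its default install folder; the server public key,
# endpoint and host number are supplied by you (placeholders, not page values).
param(
    [Parameter(Mandatory)][string]$ClientName,        # e.g. laptop-alice
    [Parameter(Mandatory)][string]$ServerPublicKey,   # public key matching the server's PrivateKey
    [Parameter(Mandatory)][string]$ServerEndpoint,    # DDNS name or public IP of the server
    [Parameter(Mandatory)][ValidateRange(2, 254)][int]$HostNumber,  # client gets 10.5.4.<n>; .1 is the server
    [string]$OutDir = '.'
)
$ErrorActionPreference = 'Stop'

$wg = if (Get-Command wg.exe -ErrorAction SilentlyContinue) { 'wg.exe' } else { Join-Path $env:ProgramFiles 'WireGuard\wg.exe' }
$tunnelIp = "10.5.4.$HostNumber"

# Same as "wg genkey | tee privatekey | wg pubkey > publickey", but the private key
# stays in memory until it is written into the client conf.
$clientPrivate = (& $wg genkey).Trim()
$clientPublic  = ($clientPrivate | & $wg pubkey).Trim()

# [Peer] stanza to add to the server tunnel (WireGuard GUI -> Edit). The /32
# pins this key to exactly one tunnel address.
$peerStanza = @"
[Peer]
# $ClientName
PublicKey = $clientPublic
AllowedIPs = $tunnelIp/32
"@

# Client conf. AllowedIPs = 10.5.4.1/32 keeps it a split tunnel: only traffic to
# the server's tunnel address goes through the VPN, as in the post's client conf.
$clientConf = @"
[Interface]
Address = $tunnelIp/32
PrivateKey = $clientPrivate
DNS = 1.1.1.1

[Peer]
PublicKey = $ServerPublicKey
Endpoint = ${ServerEndpoint}:51820
AllowedIPs = 10.5.4.1/32
PersistentKeepalive = 25
"@

# Windows PowerShell's ">" redirection writes UTF-16 with a BOM; WireGuard wants
# plain text, so write ASCII explicitly, then limit the file to the current user
# because it holds the client's private key.
$confPath = Join-Path (Resolve-Path $OutDir).Path "$ClientName.conf"
[System.IO.File]::WriteAllText($confPath, $clientConf, [System.Text.Encoding]::ASCII)
icacls $confPath /inheritance:r /grant:r "${env:USERNAME}:F" | Out-Null

Write-Output "Add this to the server tunnel:`n$peerStanza`n"
Write-Output "Client conf written to $confPath (import it into the client app, or run: qrencode -t ansiutf8 < $confPath)"
```

Run it as `.\New-WgClient.ps1 -ClientName laptop-alice -ServerPublicKey <server pubkey> -ServerEndpoint vpn.example.invalid -HostNumber 26`; paste the printed [Peer] block into the server tunnel, then hand the generated conf (or its QR code) to the client. Each client gets its own key pair and its own /32, so revoking one user is just deleting one [Peer] section.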

Point your remote desktop client at 10.5.4.1 instead of the server’s public IP.

Don’t forget to close the RDP port if it’s still open to the internet.
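As an added example (not from the original post), the Windows Defender Firewall side of that last step in PowerShell: it allows UDP 51820 in for WireGuard, scopes the built-in Remote Desktop rules to the tunnel network so 3389 is no longer reachable from the internet even if a router forward is still in place, and then lists every inbound rule that still allows 3389 so you can confirm none is open to Any. It assumes the 10.5.4.0/24 tunnel network from the confs above and an elevated session on the RDP host.

```powershell
# Added example, not from the original post: Windows Defender Firewall rules for the
# setup above. Run as Administrator on the RDP host. Assumes the tunnel network is
# 10.5.4.0/24 and WireGuard listens on UDP 51820, as in the server conf.
$ErrorActionPreference = 'Stop'
$TunnelNet = '10.5.4.0/24'

# 1. WireGuard handshakes from anywhere: UDP 51820 is the only port that should be
#    reachable from the internet.
if (-not (Get-NetFirewallRule -DisplayName 'WireGuard (UDP 51820)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WireGuard (UDP 51820)' -Direction Inbound `
        -Protocol UDP -LocalPort 51820 -Action Allow -Profile Any | Out-Null
}

# 2. Scope the built-in Remote Desktop rules (TCP and UDP 3389, plus Shadow) to the
#    tunnel network, so RDP only answers peers that came in through WireGuard.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $TunnelNet -Enabled True

# 3. Verify: list every enabled inbound Allow rule that covers 3389 with its remote
#    scope. Anything showing "Any" here is still exposed and needs fixing.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($remote -join ',') }
    } | Format-Table -AutoSize
```

If you also RDP to this host from the local LAN, pass both networks to `-RemoteAddress` (for example `@($TunnelNet, '192.168.1.0/24')`); the point is that the scope is an explicit list and never Any. The router-side forward for 3389 should still be removed, but with the rule scoped this way the host stays protected even if that is forgotten.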
