There have been more and more RDP brute force hacks and subsequent ransomware attacks. However, since the pandemic it’s important to have remote access to your Windows infrastructure.
Luckily, securing RDP with WireGuard is pretty easy. Plus there is a WireGuard app for most platforms: Windows, macOS, Linux, iOS, Android, etc. www.wireguard.com/instal…
Set up firewall rules (just as you would for a Linux server setup: open and forward port 51820, configure DDNS, etc.).
You can use the handy graphical tool for setting up the VPN with WireGuard for Windows. Simply download and install the Windows version, then run WireGuard.
One feature I like is that the Windows version of WireGuard remembers the VPN connection state. When you reboot Windows while WireGuard is connected to the server, the software automatically reconnects and re-establishes the VPN tunnel when it starts up. This prevents you from accidentally connecting without a VPN.
My server conf:

[Interface]
PrivateKey =
ListenPort = 51820
Address = 10.5.4.1/32

[Peer]
PublicKey =
AllowedIPs = 10.5.4.25/32

[Peer]
PublicKey =
AllowedIPs = 10.5.4.20/32
To add another user just add another [Peer] section.
Then install your client App.
My client conf:

[Interface]
Address = 10.5.4.25
PrivateKey =
#DNS = 10.5.5.1 #Server caching dnsmasq that forwards to azure
#DNS = 184.108.40.206 #Azure
DNS = 220.127.116.11 #Cloudflare

[Peer]
PublicKey =
Endpoint = <serverip>:51820
#Endpoint = 127.0.0.1:59401
#AllowedIPs = 0.0.0.0/0
AllowedIPs = 10.5.4.1/32
# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25
To generate a keypair for your client I use:
wg genkey | tee privatekey | wg pubkey > publickey
To turn your conf file into a QR code use:
qrencode -t ansiutf8 < wg0.conf
Point your remote desktop software to 10.5.4.1 instead of the server’s public IP.
Don’t forget to close the RDP port if it’s still open to the internet.
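
One way to do that last step on the RDP host itself, as an added example that is not part of the original post: it scopes every enabled inbound firewall rule for port 3389 to the tunnel peers. It assumes Windows Defender Firewall is the host firewall, RDP is on its default port 3389, and the peers are the two addresses from the server conf above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the RDP host, from the console or over the WireGuard tunnel,
# otherwise the session you are typing into gets cut off.
# Assumptions: default RDP port, and the peer addresses from the server conf.
$TunnelPeers = @('10.5.4.25', '10.5.4.20')
$RdpPort     = '3389'

# Enabled inbound Allow rules, paired with their port and address filters.
$candidates = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_
            Ports  = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            Remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        }
    }

# Rules that name port 3389 explicitly (TCP and UDP) get scoped to the peers.
# Rules that cover 3389 through a port range are not matched by this filter.
$rdpRules = @($candidates | Where-Object { $_.Ports -contains $RdpPort })

foreach ($entry in $rdpRules) {
    Set-NetFirewallRule -Name $entry.Rule.Name -RemoteAddress $TunnelPeers
    'Scoped "{0}": {1} -> {2}' -f $entry.Rule.DisplayName,
        ($entry.Remote -join ','), ($TunnelPeers -join ',')
}

# Read the rules back from the firewall and show what is now allowed.
foreach ($entry in $rdpRules) {
    $now = (Get-NetFirewallRule -Name $entry.Rule.Name |
        Get-NetFirewallAddressFilter).RemoteAddress
    'Now "{0}" allows: {1}' -f $entry.Rule.DisplayName, ($now -join ',')
}

if ($rdpRules.Count -eq 0) {
    Write-Warning "No enabled inbound Allow rule names port $RdpPort."
}
```

Remove any 3389 port forward on the router as well, then run `Test-NetConnection -ComputerName <serverip> -Port 3389` from a machine outside the tunnel; `TcpTestSucceeded` should be `False`.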