Think of Tailscale as a virtual network cable that connects all your devices (laptop, RDP server, phone, home PC) together, no matter where they are in the world.
Technically, it is a “Mesh VPN” built on top of WireGuard, a modern, high-speed security protocol.
Unlike a traditional VPN (where all your traffic goes to a central server, often in a different country), Tailscale creates a direct, private tunnel between your devices. Your laptop talks directly to your RDP server, making the connection faster and smoother.
Why is it Beneficial for You? (DevOps & Hosting Context)
For a hosting business owner and DevOps engineer, Tailscale solves three major headaches:
1. “Zero-Config” Networking (No Router Settings)
- The Problem: Normally, to access your RDP from outside, you have to log into your router, set up “Port Forwarding” (Port 3389), and worry about Static IPs.
- The Tailscale Fix: It works through “NAT Traversal.” You install it, and it just works. It punches through firewalls and complex router setups automatically. You never need to touch a router config page again.
2. Invisible Security (Cloaking)
- The Problem: If you open Port 3389 to the internet, hackers will find it. They use bots to scan every IP address for open RDP ports and launch brute-force attacks 24/7.
- The Tailscale Fix: With Tailscale, you close Port 3389 on your firewall completely. Your server becomes “invisible” to the public internet. The only way to connect is through the secure Tailscale tunnel. If a hacker scans your server’s IP, they see nothing.
3. Access from Anywhere (Dynamic IPs)
- The Problem: Your home or office ISP likely changes your IP address (Dynamic IP). If you whitelist your home IP on your servers, you get locked out when your ISP changes it.
- The Tailscale Fix: Tailscale gives each device a stable private IP (e.g., 100.x.y.z) that never changes. You can whitelist this Tailscale IP in your servers/databases. No matter where you are (cafe, hotel, home), your access remains consistent.
Using Tailscale for RDP is one of the best moves you can make. It eliminates the need to open dangerous ports (like 3389) to the public internet, effectively making your Windows RDP invisible to scanners and hackers while keeping it instantly accessible to you.
Install and Manage
Here is the step-by-step implementation guide:
Phase 1: Setup on the Remote Windows (The RDP Host)
- Install Tailscale:
  - Download and install the Tailscale client for Windows.
  - Log in with your preferred identity provider (Google, Microsoft, GitHub, etc.).
- Enable “Unattended Mode” (Critical):
  - Right-click the Tailscale icon in the system tray.
  - Go to Preferences -> Check Run Unattended.
  - Why: This ensures Tailscale starts immediately upon boot, even before you log in. If you don’t do this, you might lock yourself out after a reboot.
- Get Your Private IP:
  - In the Tailscale menu, look at the top for your IP address (it will look like 100.x.y.z). This is your new private RDP address.
- Disable Key Expiry (Optional but Recommended):
  - Go to the Tailscale Admin Console in your browser.
  - Find your Windows server in the list -> Click the three dots -> Disable Key Expiry.
  - Why: Prevents the authentication from expiring every 90 days, which would require a manual re-login.
Phase 2: The “Lock Down” (Security)
This is the most important step. Right now, RDP might still be reachable from the public internet. We need to restrict it so that it only accepts connections arriving over the secure Tailscale network.
- Open Windows Defender Firewall with Advanced Security.
- Click Inbound Rules.
- Find the rule named Remote Desktop - User Mode (TCP-In).
- Double-click it and go to the Scope tab.
- Under Remote IP address, select These IP addresses and click Add.
- Add the Tailscale subnet: 100.64.0.0/10
- Click OK and Apply.
- Result: Your RDP port (3389) will now reject any connection request from the public internet. It will only accept connections coming from your private Tailscale network.
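The same lock-down, done from PowerShell instead of the GUI, as an added example that is not part of the original article. It scopes every inbound rule in Windows' built-in “Remote Desktop” group (the TCP-In rule above plus the UDP-In and Shadow rules, so no unscoped RDP rule is left behind), refuses to run if the host has no Tailscale address yet (so you cannot lock yourself out), and prints the resulting scope so you can verify it. It is also the concrete form of the “whitelist this Tailscale IP in your servers” idea from benefit 3. Assumptions: an elevated PowerShell on the RDP host, the NetSecurity cmdlets (Windows 8 / Server 2012 or newer), and Tailscale installed in its default location under Program Files.

```powershell
# Added example (not from the original article): apply the Phase 2 lock-down
# from an elevated PowerShell on the RDP host and print the resulting scope.
#Requires -RunAsAdministrator

$TailscaleRange = '100.64.0.0/10'                                        # the Tailscale address range
$TailscaleExe   = Join-Path $env:ProgramFiles 'Tailscale\tailscale.exe'  # assumed default install path

# Safety check: do not lock down a host that has no Tailscale address yet,
# otherwise the only remaining RDP path would be one that does not exist.
if (-not (Test-Path $TailscaleExe)) {
    throw "Tailscale not found at $TailscaleExe; finish Phase 1 first."
}
$tsIp = & $TailscaleExe ip -4 2>$null
if (-not $tsIp) {
    throw 'No Tailscale IPv4 address found; log in and enable unattended mode first.'
}
Write-Host "This host's Tailscale address is $tsIp"

# All inbound rules in the built-in 'Remote Desktop' group (TCP-In, UDP-In, Shadow)
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
if (-not $rdpRules) {
    throw "No inbound rules found in the 'Remote Desktop' group."
}

foreach ($rule in $rdpRules) {
    # Equivalent of: Scope tab -> Remote IP address -> 'These IP addresses' -> 100.64.0.0/10
    $rule | Set-NetFirewallRule -RemoteAddress $TailscaleRange
}

# Verify: list each rule with its effective remote-address filter
foreach ($rule in (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound)) {
    $filter = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        RemoteAddress = ($filter.RemoteAddress -join ', ')
    }
}
```

The verification table should show 100.64.0.0/10 (or its expanded range) under RemoteAddress for every RDP rule; any rule still showing “Any” would keep port 3389 open to the internet. Note that the scope only takes effect for rules that are enabled on the active firewall profile, so check the Enabled column too.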
Phase 3: Connect from Your Laptop/Phone
- Install Tailscale on your local device (Mac, Linux, Windows, or Mobile).
- Log in with the same account you used on the server.
- Open your RDP Client (Microsoft Remote Desktop).
- PC Name: Enter the Tailscale IP of the remote server (the 100.x.y.z address) or the MagicDNS name (e.g., windows-server).
- User/Pass: Enter your normal Windows Administrator credentials.
- Connect.
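Before relying on the new setup, it is worth confirming from the laptop that RDP answers on the Tailscale address and no longer on the public one. The script below is an added example, not part of the original article; it runs on a Windows laptop that is logged into the same Tailscale account and is on a network outside the server's LAN (otherwise the public-IP check says nothing about internet exposure). The two addresses are placeholders you replace with your server's Tailscale IP from the tray menu and its public IP.

```powershell
# Added example (not from the original article): client-side check that RDP is
# reachable over Tailscale and not over the public internet, then connect.
$TailscaleIp = '100.x.y.z'     # placeholder: the server's Tailscale IP
$PublicIp    = '203.0.113.10'  # placeholder (documentation range): the server's public IP

function Test-RdpExposure {
    param(
        [Parameter(Mandatory)] [string] $TailscaleAddress,
        [Parameter(Mandatory)] [string] $PublicAddress
    )
    # Test-NetConnection performs a TCP handshake to port 3389 on each address.
    $viaTailscale = Test-NetConnection -ComputerName $TailscaleAddress -Port 3389 -WarningAction SilentlyContinue
    $viaPublic    = Test-NetConnection -ComputerName $PublicAddress    -Port 3389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        TailscaleReachable = $viaTailscale.TcpTestSucceeded   # should be True after Phase 1
        PublicReachable    = $viaPublic.TcpTestSucceeded      # should be False after Phase 2
    }
}

$result = Test-RdpExposure -TailscaleAddress $TailscaleIp -PublicAddress $PublicIp
$result

if ($result.PublicReachable) {
    Write-Warning 'RDP still answers on the public IP: re-check the firewall rule scope and your router port forwarding.'
}
if (-not $result.TailscaleReachable) {
    Write-Warning 'RDP does not answer over Tailscale: confirm both devices are logged in and the server shows as connected.'
}
elseif (-not $result.PublicReachable) {
    # Both checks passed: launch the Remote Desktop client against the Tailscale address
    mstsc.exe /v:$TailscaleIp
}
```

If the public check still succeeds, the most common causes are a second, unscoped inbound RDP rule (for example a third-party or legacy rule outside the “Remote Desktop” group) or a router port-forward for 3389 that was never removed.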
