public

How to use Remote Desktop Protocol (RDP) over OpenVPN

By now, hopefully we all know that the Remote Desktop Protocol (RDP) port shouldn't be exposed to the Internet. This is a simple guide that allows you to configure your

a month ago • 3 min read

Latest Post How to use Remote Desktop Protocol (RDP) over OpenVPN public

By now, hopefully we all know that the Remote Desktop Protocol (RDP) port shouldn't be exposed to the Internet. This is a simple guide that allows you to configure your servers so that they could only be accessed over RDP only from a local network that's going to be created using OpenVPN.

As an intermediate server, I am using a pretty small server running Ubuntu, whose only purpose is to make all of the servers work together in a virtual private network.

Server configuration

# Install prerequisites.
sudo apt install openvpn easy-rsa

# Make a directory where the keys will be stored.
make-cadir /etc/openvpn/easy-rsa

# Use a source for easy-rsa.
cd /etc/openvpn/easy-rsa
source ./vars

# Build the certificate authority and server configuration.
./build-ca
./build-key-server <openvpn_server_name>
./build-dh

# Generate the certificate for a client.
./build-key <client_name>

File /etc/openvpn/openvpn.conf should look something like this:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<openvpn_server_name>.crt
key /etc/openvpn/easy-rsa/keys/<openvpn_server_name>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pemserver 10.10.10.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status /var/log/openvpn.log
verb 3

This will create a virtual private network and provide users with a 10.10.10.X IP address.

P.S. Don't forget to allow connections to the port 1194 in the firewall.

Setting static IP addresses to specific OpenVPN clients

Note that in this case, both servers and your end devices are considered as "clients" by OpenVPN.

To set static IP addresses to specific clients, add the following line to the openvpn.conf file:

client-config-dir <directory_name>

Create the directory you've specified under /etc/openvpn/ and within it, create a file for each of the clients you want to assign a private IP address for:

$ tree <directory_name>
.
├── server1
├── server2
└── server3

Each of those files only needs one line long setup: echo "ifconfig-push 10.10.10.100 255.255.255.0" > server1, which will set the IP address of the first server to 10.10.10.100.

Client configuration

Assuming you've already generated the certificate for a client (by using ./build-key <client_name> mentioned above), copy the following to the client machine from the keys directory:

On a client machine, create an OpenVPN configuration file. It should look something like this and be named something like <openvpn_server_name>.ovpn:

client
dev tun
proto udp
remote <SERVER_IP> 1194
ca ca.crt
cert <client_name>.crt
key <client_name>.key
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3

Your final task is to install that certificate to the client's computer.

Windows

elementary OS

Note that this process should be pretty similar on all distributions that use a GNOME-based desktop environment. I just happen to be using elementary OS .


Once both your client and your server are connected to the same virtual network, you can RDP into the server using its virtual private IP address provided by OpenVPN.

As a final step, disable RDP connection from your firewall and you're good to go.

Aleksandar Todorović

Published a month ago