How to secure RDP (Remote Desktop Protocol) by restricting to Tailscale

Remote Desktop Protocol (also known as Windows Remote Desktop or Windows Terminal Server) is among the most commonly exploited targets for ransomware and other attackers. Tailscale can help you vastly reduce your attack surface, by allowing only authorized clients on your Tailscale network to connect to your RDP servers, and not requiring you to expose RDP ports on a public IP address. Tailscale works transparently to the client, securing your network while keeping the service easy to use.

Prerequisites

This guide requires you to be on a Windows system that can serve as a Remote Desktop Server. The guide was written using a Windows 10 Pro machine, but this process should work on modern Windows Server releases as well.

You’ll also need a Tailscale account. You can make a free solo account using a @gmail.com address.

Step 1: Open Windows Firewall with Advanced Security

Open your Start Menu, type “Windows Defender Firewall with Advanced Security”, and click its icon to open the Advanced Security console of the Windows Firewall.

Step 2: Find remote desktop rules

On the left-hand side pane of the Windows Firewall window, click “Inbound Rules”. The list of inbound firewall rules should appear in the central pane. Scroll down to the rules for “Remote Desktop - User Mode”.

Step 3: Restrict access to Tailscale

Right click the TCP rule, and click Properties. In the Properties window, select the “Scope” tab on the top.

Under “Remote IP Addresses”, choose “These IP addresses:” and then click the “Add…” button to add a range of allowed IPs. Since Tailscale allocates IP addresses in the 100.64.0.0/10 subnet, and we want to allow access to Tailscale IP addresses, type in that range and click OK.

Click OK in the Properties window to confirm your changes.

Finally, repeat the steps above for the UDP rule as well.

And we’re done! Verify that another computer on your Tailscale network can connect to Remote Desktop, and that a computer connecting from any other IP (for example, a 10.x.x.x or 192.168.x.x address on your LAN) cannot. At this point, any node on your Tailscale network should be able to reach Remote Desktop on the server. To control access within your Tailscale network, use Access Control Lists (ACLs).
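The same change and check done from the command line, as an added PowerShell example that is not part of this guide: it scopes the inbound “Remote Desktop - User Mode” rules to 100.64.0.0/10 and then reads the rules back to confirm none is still open to any address. It assumes the default rule display names (“Remote Desktop - User Mode (TCP-In)” and “(UDP-In)”) and an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not the guide's own script): restrict the built-in
# Remote Desktop inbound rules to the Tailscale address range and verify.

$TailscaleRange = '100.64.0.0/10'   # range Tailscale allocates node IPs from

# Find the inbound "Remote Desktop - User Mode" rules (TCP and UDP).
# Rule names assumed to be the Windows defaults.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Where-Object DisplayName -like 'Remote Desktop - User Mode*'

if (-not $rules) {
    throw 'No "Remote Desktop - User Mode" inbound rules found; is Remote Desktop enabled?'
}

foreach ($rule in $rules) {
    # Same as Properties > Scope > Remote IP address > "These IP addresses" in the GUI.
    $rule | Set-NetFirewallRule -RemoteAddress $TailscaleRange
}

# Verification: read the address filter back for each rule. A value of
# "Any" means the rule still accepts RDP from every address, which is the
# state this guide removes.
$stillOpen = @()
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $scope  = ($remote -join ', ')
    if ($remote -contains 'Any') {
        $stillOpen += $rule.DisplayName
        Write-Warning "$($rule.DisplayName): remote scope is Any (unrestricted)"
    }
    else {
        Write-Host "$($rule.DisplayName): remote scope = $scope"
    }
}

if ($stillOpen.Count -gt 0) {
    throw "Rules still unrestricted: $($stillOpen -join ', ')"
}
Write-Host "All Remote Desktop - User Mode rules are limited to $TailscaleRange"
```

The rule names and group name are the defaults on Windows 10 Pro; if they have been renamed or localized, adjust the `-DisplayGroup` and `-like` filters to match what you see under “Inbound Rules”.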
