Most users who have ever looked into setting up a secure communication channel between computers on the Internet have run across the abbreviations RDP and VPN. On forums devoted to network security, the usual advice is to connect to remote computers or servers via RDP through a VPN. To the uninitiated, this advice may at first look like a string of jargon that only a computer networking specialist can understand. It is not as complicated as it seems at first sight, as this article will show.
The need to establish a secure connection to remote devices
To begin with, let us look at the situations in which an ordinary user, who has nothing to do with network administration, may need to establish a secure connection to remote devices. Initially, this capability was used for corporate purposes: it gave employees remote access to company servers so that they could work with corporate data when away from the office, for example on a business trip, or when away from home. Later, secure remote access technologies were adopted by ordinary users to obtain anonymous and secure access to web resources.
How does it work? Anonymous access to the Internet with traffic encryption and IP spoofing is built in three stages. First, the user employs a SOCKS proxy to substitute the IP address, so that the destination host cannot detect that a proxy server is in use. Second, a secure channel to a rented server is set up, and the connection to the SOCKS proxy is made from that server. Third, the connection to this remote server is made using RDP, or RDP over VPN, which is the most secure but also the most difficult option to implement. A simplified diagram of the secure communication channel is shown below.
As can be seen from the figure, the user reaches the final web page through two intermediate hosts (a rented server and a SOCKS proxy). This protects the transmitted data from third parties, hides the user’s IP address, and makes it significantly harder to target attacks at the user’s device, intercept data or determine the user’s real IP address.
So, let’s finally clear up some obscure acronyms.
What is RDP
RDP is an acronym for Remote Desktop Protocol. This protocol was developed by Microsoft to let users access remote servers and computers running the Windows operating system. With it, users can connect to and control a computer remotely as if they were sitting in front of it. Once connected, the RDP client shows the desktop of the remote computer, which you interact with as usual, with your mouse and keyboard. All you need to do is enable RDP connections on the remote computer and connect to it with an RDP client program. This uses standard Microsoft Windows software; the user does not need to install anything extra.
Many people think that RDP is a security hole, but that is far from the truth. RDP today is not only a reasonably secure protocol but also conceals the fact of tunneling: to the SOCKS proxy the user appears to be working directly from the rented server, and to the destination web site, directly from the SOCKS proxy.
How to organize remote access via RDP?
This method of remote access is the easiest and requires no special knowledge from the user. As a rule, a rented remote Windows server is accessed via RDP, so the user does not need to configure anything: all that is required is to run the built-in RDP client and enter the server IP address, username and password provided by the server provider. Setting up a secure and anonymous channel in this way therefore takes three simple steps:
1) Rent a remote Windows server from any service provider you like.
2) After payment, the provider sends the user the data needed to manage the server remotely: the server IP address, username and password.
3) Launch the RDP client on your computer or mobile device and enter the IP address, login and password from the previous step.
After these three steps, the remote server desktop is displayed in the user’s RDP client and the user can control the mouse and keyboard from his device.
Next, the user only has to configure the SOCKS proxy on the remote server.
Now let’s deal with the more complicated way of organizing a secure channel: VPN. VPN is an acronym for Virtual Private Network. A VPN is a logical network, a kind of local network laid over another network, in our case over the Internet. To protect the transmitted data from third parties, reliable and modern encryption methods are used, so users need not worry about data security.
What is the advantage of VPN over RDP?
A VPN can be configured to work on almost any port, unlike RDP, which uses port 3389 by default. If you want to organize anonymous access from your workplace, you may find that this port is blocked for data transmission. Corporate network administrators often close most ports, so the default RDP client cannot be used to connect to a remote server via RDP. In theory, the RDP port can be changed by editing the appropriate value in the Windows Registry, but then the RDP connection loses its universality, which may worsen the user experience. In that case it is more practical to use a VPN connection, whose settings can specify any open port.
How to set up a VPN
Setting up a VPN is quite a complicated task, which in general only an expert in computer network administration can fully handle. A VPN setup has to take into account the peculiarities of the equipment involved, since not only the remote server and the user’s computer but also various routers and firewalls must be configured. However, for personal work with unclassified data, the VPN setup can be systematized and described so that almost any user can manage it. Let us do that in the form of step-by-step instructions. Equipment used in our case: a rented Windows Server 2008 and a home laptop running Windows 7, connected to the Internet over Wi-Fi through a D-Link DIR-615 router.
- To set up the VPN, first connect to the remote server via RDP as described above: run the built-in Windows RDP client on the laptop, enter the remote server’s IP address and login, click “Connect” and enter the password. In some cases VDS providers (remote server lessors) send the user an .rdp file during registration. Running it launches the RDP client with the IP address and login already filled in, so to reach the remote server via RDP you only need to run this file and enter the password supplied by the VDS provider.
- After connecting to the remote desktop open Server Manager on the remote server in the “Start -> Administration -> Server Manager” menu.
- In Server Manager go to Roles -> Add Roles tab.
- This will open the “Setup Wizard”. Click “Next.”
- Check the “Network and Access Policy Services” checkbox and click “Next”.
- Go to the “Role Services” tab and select “Routing and Remote Access Service”, “Remote Access Service” and “Routing”. Click “Next”, then click “Install” and wait for the process to finish.
- Click the “Close” button, in response to the request to restart the server, click “Yes” and wait for the server to restart. This will terminate the RDP connection.
- The remote server reboot takes some time, so it will not be reachable via RDP for 3-5 minutes (depending on your provider). Wait and then reconnect to the server via RDP; the “Configuration Wizard” on the remote server will resume.
- As a result, the Setup Results window will open. Click the “Close” button.
- Go to the Roles -> Routing and Remote Access tab. Click the “More actions” button on the right side of the window and select “Configure and Enable Routing and Remote Access”. This launches the corresponding configuration wizard, in which you should click “Next”.
- Select “Special configuration” and click “Next”.
- Select “Virtual Private Network (VPN) Access”, click “Next”, then click “Finish”.
- You will then be prompted to start the Routing and Remote Access service. Start it by clicking the corresponding button.
- Right-click the “Routing and Remote Access” item and select “Properties” from the pop-up menu.
- Go to the IPv4 tab, check “Enable IPv4 forwarding”, select “Static address pool” and click “Add”.
- In the window that appears, enter the starting and ending IP addresses to be given to connected clients and click “OK”. You can enter the same values as in the figure below.
- Next, you need to add a user who will be allowed to access the server remotely via VPN. To do this, go to the “Configuration -> Local Users and Groups -> Users” tab, right-click in the user list and select “New user…” from the pop-up menu.
- In the window that appears, fill in the fields as follows:
  - User. Any set of letters and digits; this is the login you will use to access the VPN server.
  - Full name. Any set of letters and digits. May be left blank.
  - Description. Any set of alphanumeric characters. May be left blank.
  - Password. The password must be at least eight characters long and contain characters from at least three of the following four categories:
    - uppercase letters of the English alphabet (A to Z);
    - lowercase letters of the English alphabet (a to z);
    - decimal digits (0 to 9);
    - non-alphabetic characters (for example !, $, #, %).
    Thus, a password must contain at least one lowercase letter, one uppercase letter and one digit and be at least 8 characters long.
    Examples of incorrect passwords: qwert0 (no capital letters), Qwertyz (no digits), Qwer0 (too short). An example of a correct password: Qwertyz0.
  - Confirmation. Re-enter the password. The two entries must match.
- Uncheck the “Require password change at next login” box. Tick the “Prevent the user from changing the password” and “Password expiration not limited” boxes. Then click the “Create” button.
- Next, allow the user to access the network. To do this, double-click on the user name, go to the “Incoming calls” tab and set the network access rights switch to “Allow access”. Then press the “OK” button.
- In addition, you need to open port 1723 for TCP connections in the server firewall. To do this, go to the “Configuration -> Windows Firewall with Advanced Security” tab, right-click “Rules for incoming connections” and select “Create rule” from the pop-up menu.
- Set the switch to the “For port” position and press the “Next” button
- Set the switches to “TCP Protocol” and “Specific Local Ports”. Enter the value 1723 in the “Local ports defined” field.
- Click the “Next” button.
- Select “Allow connection” and click the “Next” button.
- In the next window press the “Next” button.
- Enter an arbitrary profile name and press the “Done” button. Server-side VPN configuration is complete.
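The server-side steps above can also be done from the command line. The following is an added example, not part of the original article: an elevated PowerShell session on the rented Windows Server 2008 host that mirrors the static address pool, VPN user, “Allow access” and TCP 1723 firewall steps, checking the password complexity rule first. It assumes the RRAS role is already installed and enabled for VPN access through the wizard as described above; the login name and the pool end address are constructed values.

```powershell
# Added example: mirrors the GUI steps above. Assumes RRAS is installed and
# enabled for VPN access; user name and pool end are constructed values.

function Test-VpnPasswordComplexity {
    # Windows complexity rule quoted above: 8+ characters and at least
    # three of the four character categories.
    param([string]$Password)
    if ($Password.Length -lt 8) { return $false }
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }  # upper-case A-Z
    if ($Password -cmatch '[a-z]')        { $categories++ }  # lower-case a-z
    if ($Password -cmatch '[0-9]')        { $categories++ }  # decimal digits
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }  # e.g. ! $ # %
    return ($categories -ge 3)
}
# Article examples: qwert0, Qwertyz and Qwer0 fail; Qwertyz0 passes.

$vpnUser     = 'vpnuser'       # constructed login name
$vpnPassword = 'Qwertyz0'      # the article's sample password; use your own
$poolStart   = '192.168.2.1'   # server end of the VPN pool (IPv4 tab step)
$poolEnd     = '192.168.2.10'  # assumed pool end

if (-not (Test-VpnPasswordComplexity $vpnPassword)) {
    throw 'Password does not meet the complexity rule; user not created.'
}

# Static address pool handed out to connecting VPN clients.
netsh ras ip set addrassign method=pool
netsh ras ip add range "from=$poolStart" "to=$poolEnd"

# Local VPN user: cannot change the password (/passwordchg:no) and the
# password never expires (ADS_UF_DONT_EXPIRE_PASSWD), matching the two
# checkboxes above. The password lands in the shell history; clear it.
net user $vpnUser $vpnPassword /add /passwordchg:no
$account = [ADSI]"WinNT://./$vpnUser,user"
$account.UserFlags.Value = $account.UserFlags.Value -bor 0x10000
$account.SetInfo()

# "Incoming calls" tab -> "Allow access".
netsh ras set user "name=$vpnUser" dialin=permit

# Inbound rule for TCP 1723 (the PPTP control channel). PPTP data also
# travels in GRE (IP protocol 47); check that it is allowed as well.
netsh advfirewall firewall add rule name=VPN-TCP-1723 dir=in action=allow protocol=TCP localport=1723

# Verify the dial-in setting that was just applied.
netsh ras show user "name=$vpnUser"
```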
- Now you need to connect to the remote server via VPN from the user’s computer. Go to “Start -> Control Panel -> Network and Internet -> Network and Sharing Center”.
- Select “Setting up a new connection or network”.
- Select “Connect to Workplace” and click “Next”.
- Select “Use my Internet connection (VPN)”.
- In the Internet address field, enter the server IP address issued by your remote server provider, check the “Don’t connect now, only perform setup to connect in the future” box and click “Next”.
- Enter the user name and password you set earlier for VPN access and click “Create”.
- Next, you need to enter the properties of the newly created connection. To do this, click on the network connection icon in the bottom panel of Windows, right-click on the newly created connection and select “Properties”.
- Go to the Network tab and double-click “Internet Protocol version 4 (TCP/IPv4)”.
- Click the “Advanced” button.
- Uncheck the “Use default gateway on remote network” box and click “OK”. Close all windows by clicking on the “OK” button.
- Click on the network connection icon on the bottom panel of Windows, left click on the created connection and click on “Connect”.
- Enter the user name and password you set earlier for the VPN connection and click “Connect”. As a result, a VPN connection is established between your computer and the remote server.
Once again, let me remind you that establishing a VPN connection simply means organizing a private local network over the Internet. After the VPN connection is established, the remote server receives a local-network IP address (the parameters were set in step 16; in our case the server’s address is 192.168.2.1), and the user’s computer receives another IP address from the same local network (also defined in step 16). The remote server and the user’s computer are now joined into one local network, but to manage the remote server you still need a remote desktop tool, and RDP is the best one. So, once the VPN channel is in place, what remains is to connect the user’s computer to the remote server via RDP over the VPN, i.e. using the server’s local-network IP address (192.168.2.1 in our example).
The first thing to do is to enable RDP connections on the server for specific users. To do this, open the remote desktop (in the usual way, as before), go to Start, right-click “Computer” and click “Properties”.
Click the “Remote Access Setup” link on the left side of the window.
Then click “Select Users” and then the “Add” button.
Enter the user name you use for the VPN connection and click “OK”. Close all the windows by clicking “OK”.
After that you will be able to connect to the remote server via RDP over VPN. To do this, open the RDP client on your computer, enter the server’s local IP address (192.168.2.1 in our case), enter the user name you specified for the VPN connection and click “Connect”.
As a result, you get access to the remote server desktop via RDP over VPN. From now on nothing further needs to be configured: you just establish the VPN connection and then connect to the remote server via RDP using the server’s address in the VPN network (192.168.2.1 in our example).
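As an added example, not from the original article, the following PowerShell covers the RDP-over-VPN part above. Part 1 runs in an elevated session on the server and mirrors the “Remote Access Setup” steps, plus one hardening step the article does not include: limiting the built-in Remote Desktop firewall rule to the VPN address pool, so that port 3389 is reachable only over the VPN. Part 2 runs on the Windows 7 laptop and checks that the established RDP session really goes to the server’s VPN address rather than its public IP. The login name and the 192.168.2.0/24 pool are assumptions consistent with the 192.168.2.1 used above.

```powershell
# Added example; user name and pool subnet are assumptions.

# --- Part 1: server (elevated PowerShell) ----------------------------------
$vpnUser = 'vpnuser'   # the VPN login created earlier (constructed name)

# Allow Remote Desktop connections (the "Remote Access Setup" link above).
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0

# "Select Users" -> "Add": non-administrators need this group to log on via RDP.
net localgroup "Remote Desktop Users" $vpnUser /add

# Hardening beyond the article: accept RDP only from VPN clients. Apply this
# only after the RDP connection to 192.168.2.1 has been verified, otherwise
# the public-IP session used for setup is the last one you get. The group
# name is the English display name and differs on localized Windows.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes remoteip=192.168.2.0/24

# --- Part 2: client (Windows 7 laptop) -------------------------------------
function Test-RdpOverVpn {
    # Returns $true only if every established RDP (TCP 3389) session on this
    # machine goes to the server's VPN-side address, i.e. none bypasses the
    # VPN by connecting to the public IP directly.
    param([string]$VpnServerIp = '192.168.2.1')
    $sessions = @(netstat -n -p TCP | Where-Object { $_ -match ':3389\s+ESTABLISHED' })
    if ($sessions.Count -eq 0) {
        Write-Warning 'No established RDP session found'
        return $false
    }
    foreach ($line in $sessions) {
        $fields   = -split $line.Trim()            # Proto, Local, Remote, State
        $remoteIp = ($fields[2] -split ':')[0]     # remote address without port
        if ($remoteIp -ne $VpnServerIp) {
            Write-Warning "RDP session to $remoteIp bypasses the VPN"
            return $false
        }
    }
    return $true
}
Test-RdpOverVpn
```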
After connecting via RDP, set up a SOCKS proxy on the remote server following the step-by-step instruction “How to set up a proxy on RDP (Remote Desktop Protocol)” published on our site.
There are many additional settings for the VPN configuration described above that increase connection security, but all of them require the user to be network-savvy, so they are not recommended for beginners. The basic VPN setup is quite enough to establish a secure and anonymous channel for personal use.
Using additional software is also possible, since it runs on your rented server and you control its security level. Such software can be found online; one of the most common examples is OpenVPN. Typically these solutions are free, but they are not user-friendly and are quite tricky to set up. That is why users who want a basic level of protection with minimal effort and cost are advised to use the built-in Windows tools.
If a user sets up secure and anonymous access to web resources from a home computer, it is sufficient to connect to the remote server via RDP. This protocol is quite secure, so you hardly need to worry about the security of your data.
If you need a higher level of security, or need secure and anonymous access from a corporate computer on a network with closed ports, you must set up a VPN connection and then use RDP over it.
In both cases, the remote server must be configured to work with the SOCKS proxy provided by our service. This lets you change your IP address to bypass regional blocking and improves security and anonymity. The most convenient program for working through a SOCKS proxy is ProxyHelper; a description of this program can be found in the FAQ on our website.