TekOnline

Reliable Remote Desktop at Home with Tailscale and Guacamole

If you run a home server and want to access it remotely, the cleanest setup is often:

  • Tailscale for the private network
  • Apache Guacamole as the browser-based remote desktop gateway
  • Windows Remote Desktop on the target machine
  • No public RDP port forwarding

This gives you remote access without exposing port 3389 to the internet.

Goal

The target setup looks like this:

Browser
  |
  v
Guacamole server
  |
  v
Tailscale private network
  |
  v
Windows PC or server via RDP

The important part is that Guacamole connects to the Windows machine using its Tailscale IP, not its public IP and not a forwarded router port.

Why Tailscale

Tailscale creates a private WireGuard-based network between your own devices. Each device gets a stable private IP, usually in the 100.x.x.x range.

For home users, this avoids several common problems:

  • No router port forwarding
  • No dynamic DNS needed for RDP
  • Works behind CGNAT in many cases
  • Safer than exposing Remote Desktop publicly
  • Easy to limit which devices can talk to each other

Install Tailscale on the Windows Machine

Install Tailscale from:

https://tailscale.com/download/windows

After installation, sign in and confirm the machine appears in the Tailscale admin console.

On the Windows machine, check its Tailscale IP:

tailscale ip -4

Example:

100.108.197.118

That is the address Guacamole should use for RDP.

Use Unattended Mode

For a home server, media PC, or always-on Windows box, Tailscale should not depend on someone being logged into Windows.

Run PowerShell as Administrator:

tailscale up --unattended=true

Then confirm:

tailscale debug prefs

Look for:

"ForceDaemon":true

That means Tailscale is running in unattended/server mode.

Also confirm the Windows service is automatic:

Get-Service Tailscale

You want:

Status   : Running
StartType: Automatic

This matters because if Tailscale is only tied to a desktop user session, it may stop working after logout, reboot, or a user switch.

Enable Auto Updates

Tailscale should keep itself current:

tailscale set --auto-update=true --update-check=true

Verify:

tailscale debug prefs

Look for:

"AutoUpdate":{"Check":true,"Apply":true}

Enable Remote Desktop on Windows

On the Windows machine:

  1. Open Settings
  2. Go to Remote Desktop
  3. Enable Remote Desktop
  4. Add the user account that Guacamole will use

Or check from PowerShell:

Get-Service TermService

RDP should also be listening on port 3389:

Test-NetConnection 127.0.0.1 -Port 3389

Use a Dedicated Windows User

Do not use your main admin account for Guacamole if you can avoid it.

Create a local Windows user just for remote desktop, for example:

guac-rdp

Add that user to:

Remote Desktop Users

This gives Guacamole the access it needs without giving it full administrator access.

Install Tailscale on the Guacamole Server

Your Guacamole server also needs to be on the same Tailscale network.

On Linux, installation is usually:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Check that it can see the Windows machine:

tailscale status

Then test RDP connectivity:

nc -vz 100.108.197.118 3389

Replace 100.108.197.118 with your Windows machine’s Tailscale IP.

Configure Guacamole

In Guacamole, create a new RDP connection.

Use:

Protocol: RDP
Hostname: 100.108.197.118
Port: 3389
Username: guac-rdp
Password: your Windows password
Security mode: NLA
Ignore server certificate: usually enabled for home setups

You can also use the Tailscale machine name if MagicDNS is enabled, for example:

j-server

But the 100.x.x.x IP is often simplest and most predictable.

Lock Down the Windows Firewall

By default, Windows may allow RDP from anywhere on the local network. That is broader than necessary.

A more robust setup allows RDP only from the Guacamole server’s Tailscale IP.

Example:

Set-NetFirewallRule `
  -DisplayName "Remote Desktop - User Mode (TCP-In)" `
  -RemoteAddress 100.87.69.61

Replace 100.87.69.61 with your Guacamole server’s Tailscale IP.

This way, even other devices on your tailnet cannot RDP into the Windows machine unless allowed.
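As an added example (not part of the original post), the following PowerShell does the same lockdown for all of Windows' built-in Remote Desktop rules rather than only the TCP-In rule, refuses an address outside Tailscale's 100.64.0.0/10 range, and prints the resulting remote scope for verification. The Guacamole IP is a constructed sample value.

```powershell
# Added example (not from the original post): scope every built-in Remote Desktop
# firewall rule, not only the TCP-In one, to the Guacamole server's Tailscale IP,
# then verify. Run in an elevated PowerShell on the Windows machine.
$GuacIp = '100.87.69.61'   # constructed sample: replace with your Guacamole tailnet IP

# Tailscale hands out addresses from 100.64.0.0/10. Refuse anything else so a typo
# cannot quietly re-open RDP to a LAN or public address.
$octets = $GuacIp.Split('.') | ForEach-Object { [int]$_ }
if ($octets.Count -ne 4 -or $octets[0] -ne 100 -or $octets[1] -lt 64 -or $octets[1] -gt 127) {
    throw "$GuacIp is not inside 100.64.0.0/10; refusing to change firewall rules"
}

# Windows' default RDP rules (User Mode TCP-In, User Mode UDP-In, Shadow TCP-In)
# share the "Remote Desktop" display group; restrict the remote scope on all of them.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop'
$rules | Set-NetFirewallRule -RemoteAddress $GuacIp

# Verify: each rule should now list only the Guacamole address, not "Any" or "LocalSubnet".
$rules | ForEach-Object {
    $filter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($filter.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

This only narrows the built-in rules; any custom inbound rule that also allows port 3389 lives outside the "Remote Desktop" group and would still apply.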

Avoid Public RDP

Do not forward port 3389 on your router.

A good home setup should look like this:

Internet -> Guacamole HTTPS only
Guacamole -> Windows RDP over Tailscale only

Not this:

Internet -> Windows RDP port 3389

Public RDP is heavily scanned and commonly attacked.

Check After Reboot

After rebooting the Windows machine, confirm:

tailscale status
tailscale ip -4
tailscale debug prefs
Test-NetConnection 100.108.197.118 -Port 3389

You want:

  • Tailscale online
  • Same 100.x.x.x IP
  • ForceDaemon=true
  • RDP reachable over the Tailscale interface
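The checks from the unattended-mode, auto-update and post-reboot sections above, collected into one PowerShell script as an added example (not from the original post). It assumes tailscale.exe is on PATH and is run from an elevated PowerShell; the expected IP is a constructed sample value.

```powershell
# Added example (not part of the original post): one script for the post-reboot
# checks above. Run in an elevated PowerShell on the Windows machine.
# Assumes tailscale.exe is on PATH; $ExpectedIp is a constructed sample value.
param([string]$ExpectedIp = '100.108.197.118')
$failures = @()

# 1. Service state: running and Automatic, so it does not depend on a logged-in user
$svc = Get-Service Tailscale
if ($svc.Status -ne 'Running')      { $failures += 'Tailscale service is not running' }
if ($svc.StartType -ne 'Automatic') { $failures += "Tailscale StartType is $($svc.StartType)" }

# 2. Prefs: `tailscale debug prefs` prints JSON; Out-String joins the lines so
#    ConvertFrom-Json receives one document (needed on Windows PowerShell 5.1)
$prefs = tailscale debug prefs | Out-String | ConvertFrom-Json
if (-not $prefs.ForceDaemon)      { $failures += 'ForceDaemon is not true (unattended mode off)' }
if (-not $prefs.AutoUpdate.Check) { $failures += 'AutoUpdate.Check is off' }
if (-not $prefs.AutoUpdate.Apply) { $failures += 'AutoUpdate.Apply is off' }

# 3. Address: the node should still hold the same tailnet IP after the reboot
$ip = "$(tailscale ip -4 | Select-Object -First 1)".Trim()
if ([string]::IsNullOrEmpty($ip)) {
    $failures += 'tailscale ip -4 returned nothing (node offline?)'
    $ip = $ExpectedIp   # fall back so the port test below still runs
}
elseif ($ip -ne $ExpectedIp) { $failures += "Tailscale IP is $ip, expected $ExpectedIp" }

# 4. RDP: service up and TCP 3389 answering on the Tailscale interface itself,
#    not just on loopback
if ((Get-Service TermService).Status -ne 'Running') { $failures += 'TermService is not running' }
$rdp = Test-NetConnection -ComputerName $ip -Port 3389 -WarningAction SilentlyContinue
if (-not $rdp.TcpTestSucceeded) { $failures += "TCP 3389 not reachable on $ip" }

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host "OK: unattended mode on, auto-update on, $ip unchanged, RDP reachable over Tailscale"
```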

For a reliable home setup:

  • Tailscale installed on both Guacamole and Windows
  • Windows Tailscale running in unattended mode
  • Auto-update enabled
  • RDP enabled only for a dedicated user
  • Windows firewall restricted to the Guacamole Tailscale IP
  • No router port forwarding for RDP
  • Guacamole connects to the Windows machine’s Tailscale IP

That gives you a simple and durable remote desktop setup that survives reboots, user logouts, and normal home network changes.
