Apologies if this is kindof a noob question, but we all gotta start somewhere.
I’ve got a fresh windows server running that my buddy needs to access from another town. I run a PiVPN (wireguard) and was hoping to just let them use that and the remote desktop client on windows to get into the machine. Is this considered bad practice/opens up any vulnerabilities that I may be unaware of? It all seems fine to me but I’ve never really had to use this kind of setup in the past, figured I’d get some outside opinions before going in guns blazing.
Since you’re requiring him to us the VPN to hit the Remote Desktop rather than doing something like
Port forwarding, you’re not exposing yourself to the outside world.
Only security risk I can see here is letting someone else onto your network. The security hole there is only as big as the trust between you two. That can range anywhere between “nothing bad happens” and “the fbi comes kicking in your door cause the dude downloaded kiddie porn with your Remote Desktop”
Nope, you’re good keeping it private. Just hope you trust the dude on the other end. If he can RDP to that server can he pivot around your LAN? Is that server isolated or you don’t care?
RDP access over the VPN is very common. Especially if you only allow certain IP’s to connect. If you can enforce 2FA before connecting to the VPN, that’s even better.
Having a VPN for it, makes is a thousand times better than just opening port 3389 on the outside of your/his router.
But if you can’t do it with a VPN, you can run RDP on a different port, with the only modification needed is the portforwarding rule and the connection with :portnumber behind it.
It’s entirely based on what you let him do once he RDPs in. Others have already covered it. At least set him up with a username of his own and then you can log or shut off access if necessary.
it is not a bad practice; but rather, the standard/best practice in any prod environment who values network security. have just implemented rdp/rdc via vpn only following security audit recommendation. vpn access autodisables if user has not logged on for 30days. works perfect.
I concur with this. More sophisticated VPNs support firewall rule sets within the VPN, so you could limit access to a specific host if you wanted. Then, you can even take that a step further and put that host in a DMZ.
word. everything else on the network is pretty locked down and even then i trust him as we’ve been doing projects like this for years. appreciate the input
Sounds good, just make sure you can quickly terminate access if necessary. Not just for malicious actions if your relationship goes bad but his devices can now affect yours. Don’t want that ransomware because someone clicked a bad link! No admin rights on that server if you can get away with it.
I’m not sure what PiVPN uses as it’s default conditional access rules. I’ve never used it before. Is OP using only username/pw, is he whitelisting IP address, is he requiring a key, etc? I don’t know what he’s doing which is why i’m asking.
No worries. If it’s normal wireguard, there is a key pair (private and public) in both directions. At least, that’s how it works using wireguard in pfsense. So it’s far more than username and password.