Remote desktop (RDP / VNC) through a tunnel

Time: ~5 min · Level: Beginner · Protocol: RDP 3389 / VNC 5901

You want the full graphical desktop of a machine that has no public IP — a Windows server’s screen over RDP, or a Linux box over VNC — and you want it from your own computer, with your normal client. As always with LRO, the desktop port stays bound to localhost on the remote machine; you reach it on a local port on yours, over an encrypted tunnel. Port 3389 never faces the internet.

Roles for this task: the machine whose desktop you want is the Client (the endpoint lives on it); your computer is the Support (it opens the local port your viewer connects to). New here? Start with your first tunnel; unsure which side is which, see choosing the agent role.

  1. Confirm the desktop service is running

    On the remote machine, the desktop service should be listening locally:

    • Windows / RDP — enable Remote Desktop (System → Remote Desktop). It listens on 3389. Keep Network Level Authentication on.
    • Linux / VNC — run a VNC server (TigerVNC, x11vnc) bound to 127.0.0.1, typically on 5901.

    $ ss -ltn | grep -E ':3389|:5901' # RDP and/or VNC listening locally

    The remote machine runs the LRO agent in Client mode; your computer runs it in Support mode.

  2. Add the desktop endpoint on the client agent

    In the panel, Endpoints → Create endpoint. Pick the client agent (the remote machine), name it e.g. Office Desktop, and set target 127.0.0.1 and port 3389 (RDP) or 5901 (VNC).

    [Screenshot: Endpoints list with an Office Desktop VNC endpoint on the client agent pointing at 127.0.0.1:5901]
    Fig 1. The desktop endpoint lives on the client agent — here a VNC display at 127.0.0.1:5901.

  3. Open a tunnel from your machine

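    Tunnels → Add tunnel. Choose your computer as the support agent, pick the Office Desktop endpoint, and set a listen port — matching the service default keeps the connect command simple. Create it; it goes Active in a moment. Check the listen address as well as the port: the tunnel in Fig 2 listens on 0.0.0.0:5901, that is, on every interface of your computer, so other hosts on your network can reach the forwarded desktop unless a host firewall blocks the port.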

    [Screenshot: Tunnels table with an active tunnel from lab-server to admin-laptop listening on 0.0.0.0:5901]
    Fig 2. The active tunnel — your machine listens on 5901 and forwards to the remote desktop.

  4. Connect with your desktop client

    On your computer, point your viewer at the listen port. The session lands on the remote desktop through the tunnel:

    [Screenshot: Terminal showing vncviewer and xfreerdp/mstsc commands connecting to 127.0.0.1 through the tunnel]
    Fig 3. Connecting — VNC with vncviewer, RDP with xfreerdp or Windows mstsc, all pointed at the local port.

    … and the remote desktop appears, exactly as if the machine were on your desk:

    [Screenshot: The remote machine's desktop captured over the LRO tunnel, showing a terminal window and a clock]
    Fig 4. The remote desktop, rendered on your machine over the tunnel — a live GUI session, port 5901 never exposed.
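
The `ss | grep` check in step 1 shows that a port is listening but not which address it is bound to, and Fig 2 shows the tunnel listener on 0.0.0.0. The shell function below is an added example, not part of the original page or of LRO: it reads `ss -ltn` output and flags any RDP/VNC listener bound to something other than loopback. The function name, exit codes and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not LRO code): classify RDP/VNC listeners in `ss -ltn` output.
# Live use:  ss -ltn | check_desktop_binds            (default ports 3389 5901)
# Prints "<port> loopback" or "<port> EXPOSED <addr:port>" per listener.
# Returns 0 = loopback only, 1 = a non-loopback bind, 2 = nothing listening.
check_desktop_binds() {
    awk -v ports="${1:-3389 5901}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                                # "Local Address:Port" column
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (!(port in want)) next
            seen = 1
            if (host ~ /^127\./ || host == "[::1]") {
                print port, "loopback"
            } else {                                 # 0.0.0.0, *, [::], LAN address
                print port, "EXPOSED", addr
                bad = 1
            }
        }
        END { if (bad) exit 1; if (!seen) exit 2 }
    '
}

# Constructed sample: remote machine with the VNC server bound as in step 1.
SAMPLE_REMOTE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5          127.0.0.1:5901      0.0.0.0:*'

# Constructed sample: support machine with the tunnel listener shown in Fig 2.
SAMPLE_SUPPORT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      16           0.0.0.0:5901      0.0.0.0:*'

printf '%s\n' "$SAMPLE_REMOTE"  | check_desktop_binds || echo "status $?"
printf '%s\n' "$SAMPLE_SUPPORT" | check_desktop_binds || echo "status $?"
```

Run it on the remote machine after step 1 and on your own computer after step 3; a listener reported as EXPOSED is reachable from the network that machine sits on, not only from the machine itself.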

Notes
