I was looking for remote access software to help family with their PC and came across RustDesk (https://rustdesk.com/) but it needs a server.
Found out it can work without a server if you have Tailscale installed.
No fees for any of this and works on many platforms.
You need to enable IP access on the device you intend to connect to. It's under the security settings in RustDesk.
I've been playing around with it. The iOS RustDesk app is nice, and I've been controlling my Mac Mini at home using my iPad Pro with a Magic Keyboard, and it's shockingly smooth!
If you're just connecting over Tailscale and your machine is otherwise not exposing the (configurable) port to the internet, it's fine as far as I know. Set up firewall entries if you are concerned.
The only other thing I can add is - with very little configuration, you can allow direct routing to your entire local LAN. If anyone is interested, I’ll document it. I’ve set it up in an LXC container on my Proxmox home server and am very happy with it. Allows direct access to all my VMs on the go!
Been using it for a while, older versions had memory leaks with multiple monitors (or virtual monitors too), nowadays seems better.
Supports various video encoders, various bitrate settings, allows sharing clipboard (though still has an annoying bug where sometimes copying something new into the clipboard doesn't work and only 2nd attempt works) and the relay is also easy to set up and host, in addition to it being free!
Honestly my favorite software in this space since RealVNC decided they want to be greedy (and since VNC / RDP kinda sucks in my experience).
My experience with RustDesk + Tailscale is really good. When I only needed Windows remote devices, the Windows Remote Desktop over Tailscale was great. I used RustDesk for access to macOS and Android devices (all over Tailscale) and it works great too. No complaints really. Much less hassle to set up than Parsec (latency isn't as good though), and way snappier than AnyDesk through their network. Great tool enabled by Tailscale.
Tailscale has another interesting feature that I figured out entirely by accident: while the SSO planes (at least using Apple as SSO, rather than your own) may be blocked, the data planes and actual control planes usually are not. If your device is connected to your tailnet before joining a given WiFi, it will stay connected afterward.
The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight WireGuard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.
Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.
While waiting for someone in the hospital I recently played the fun game of "how can I work around their firewall stopping me from connecting to Tailscale" that they kindly provided.
It was just blocking new connections. Via SNI. Tailscale's control plane turns out not to care if SNI is sent. Tailscale's app lets you set a custom control plane... like a local proxy that forwards connections to Tailscale's servers without setting SNI.
I've seen this effect in several places, not just my work.
Of note: I do not work in the tech sphere. I suspect that this particular loophole may be used by IT personnel to be able to tell the management "yes, we block VPN use" while letting them continue to use their own VPNs. I see no reason to complain.
I suspect there's less thought put into it than that.
There's probably a firewall vendor that has a product that does SNI inspection for blocking things like pornhub and the product comes with a list of sites that includes VPN control planes.
I understand your point better now, but if that was really a risk I cared about, I wouldn’t have put it on the public Internet to begin with.
The worst they can do to me is make me tether, and my iPad will never hit that allotment. And, like I said, I think they use it themselves. So, no incentive to close their loophole.
Wait, Tailscale survives connecting to a locked down wifi? That's insane. I remember not being able to use NordVPN at work. I'd just switch to 4G back then. But if you can't initiate a Tailscale connection when connected to the office wifi, what does that mean?
I think this is mostly a WireGuard thing and not specifically a Tailscale thing. WireGuard does what they call "cryptokey routing" where if you prove you possess a key that the other peer knows, you get the traffic (subject to firewall, allowed IPs list, etc etc). WireGuard stores the most recent address:port that it heard from a particular cryptokey on, but it natively lets peers roam, as long as only one roams at a time.
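A simplified model of the cryptokey routing and roaming described in the comment above, as an added example that is not WireGuard's or Tailscale's code: an HMAC stands in for WireGuard's real handshake and authenticated encryption, peers are matched by trying each key, and all names, keys and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress

def tag(key, inner_src, payload):
    return hmac.new(key, inner_src.encode() + payload, hashlib.sha256).digest()

def seal(key, inner_src, payload):
    # Toy stand-in for WireGuard's authenticated encryption: payload plus a MAC.
    return {"inner_src": inner_src, "payload": payload, "tag": tag(key, inner_src, payload)}

class Peer:
    def __init__(self, name, key, allowed_ips):
        self.name, self.key = name, key
        self.allowed_ips = [ipaddress.ip_network(n) for n in allowed_ips]
        self.endpoint = None  # last outer (address, port) an authentic packet came from

class Interface:
    def __init__(self, peers):
        self.peers = peers

    def receive(self, outer_src, pkt):
        """Accept a packet only if a known key authenticates it; return the peer name or None."""
        for peer in self.peers:
            if not hmac.compare_digest(tag(peer.key, pkt["inner_src"], pkt["payload"]), pkt["tag"]):
                continue  # not this peer's key
            inner = ipaddress.ip_address(pkt["inner_src"])
            if not any(inner in net for net in peer.allowed_ips):
                return None  # right key, but inner source is outside the peer's allowed IPs
            peer.endpoint = outer_src  # roaming: replies go to wherever the peer was last heard
            return peer.name
        return None  # no key matched: the endpoint table is untouched

    def route(self, inner_dst):
        """Outbound: pick the peer whose allowed IPs contain the destination."""
        dst = ipaddress.ip_address(inner_dst)
        for peer in self.peers:
            if any(dst in net for net in peer.allowed_ips):
                return peer.name, peer.endpoint
        return None

if __name__ == "__main__":
    laptop = Peer("laptop", b"constructed-key", ["100.64.0.2/32"])  # constructed sample values
    home = Interface([laptop])
    home.receive(("203.0.113.10", 41641), seal(laptop.key, "100.64.0.2", b"from home"))
    home.receive(("198.51.100.7", 50000), seal(laptop.key, "100.64.0.2", b"from guest WiFi"))
    print(home.route("100.64.0.2"))
```

The second `receive` call changes only the stored endpoint, which is why a session keeps working after the peer moves to a different network: nothing has to be negotiated again with a separate control service.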
Initiate while on mobile connection or tethered to one (or just leave it connected from home), use while on that WiFi.
EDIT: I figured this out because I brought my laptop from home to do a few things while at work that needed it. I noticed that my Tailscale connection (initially established at home) was working just fine. That's when I realized that it was the initial authentication that was blocked, not the service.
My phone is usually on my tailnet and my iPad is always on it (and using my home exit node), as a result. Using the exit node has a modest but noticeable effect on battery life, but just being connected is maybe 2% of battery a day. Negligible.
When I work at the local coffee shop I cannot SSH to my remote servers for work on their wifi, but if I connect to Tailscale and use my exit node at home I can. Lifesaver
My work guest WiFi network allows only IPv4 HTTPS on port 443 and their own DNS. Everything else, including ICMP (ping) is blocked. Tailscale barely works as any persistent connection is dropped after 2-3 minutes.
Called this out and the security team said no one complains, that there is no use case and they do not want to deal with security risks.
I use Tailscale and Mullvad VPN for a list of exit nodes I can choose from to work around restrictions, but also bad routing.
Like, when in Asia and the route is to Europe, sometimes it adds weird hops, while when I use an exit-node in Japan, I know I have perfect routing to Japan and from there perfect routing to Europe.
But the Mullvad VPN exit nodes often run into problems like Cloudflare blocking. So I am looking for alternative, not well known providers for exit-nodes.
Sometimes I even dream of sending my Europe traffic via the internal AWS network via regions, but hey...
Genuinely curious: is Tailscale actually providing any value to this use case beyond what you get from a raw WireGuard exit node with port forwarding instead of Tailscale's NAT traversal? I've never used Tailscale, but I have a WireGuard setup on my home server for the same purpose as described in the article, and I've never had any issues with it.
Edit:
Noticed some sibling comments asking effectively the same thing as me. I've been meaning to write a blog post covering the basic networking knowledge needed to DIY with just WireGuard. My impression is that many people don't realize just how easy it is or don't have the requisite background information.
Tailscale is interesting. It's built on top of WireGuard but is different in that it creates a mesh of VPN connections between your devices, rather than just a connection from client to server.
I haven't used it because I use WireGuard the traditional way and haven't needed a mesh of devices. Also I haven't taken time to investigate the private company offering it and what sorts of my information are vulnerable if I use it.
Tutorial for Rustdesk + Tailscale setup for remote desktop access: https://www.youtube.com/watch?v=27apZcZrwks
> Is it better than VNC?
It's the year 2026 out there. Anything is better than VNC.
My point being that surely some of them have noticed the same thing I have, and it hasn't been stopped. I'm not going to raise the issue either way.
> I'm not going to raise the issue either way.
Except, you kinda just did
It'd be funny if someone working there was a visitor here...and it doesn't matter who you are. I was thinking of them closing the loophole
And the ossification continues.
> Called this out and the security team said no one complains
Classic. And this probably works for every complaint. You need an irritated executive.
> IPv4 HTTPS on port 443
TCP or TCP and UDP?
SSTP can work if they don't look at the traffic too hard.
On one ISP inbound IPv6 was blocked at the router, while on the other IPv6 was fully allowed.
Tailscale detected this and automatically created the tunnel from the blocked one to the other.
I was super impressed, as this was handled automatically.