
Connecting through VPN then through RDP

K A asked
Isn't VPN access just as susceptible to hackers as RDP access?  Consider that we are trying to solve very frequent attempts from an outsider to connect to a user's workstation using RDP.  We are seeing Windows Event 4625 about every 5 seconds.   The user connects successfully from home quite often, but the "brute-force" attacks have become too much for us to stand.  It's been recommended that we deploy a VPN for the user to connect to, then allow them to connect to their workstation using RDP.

Wouldn't establishing VPN capability through the firewall just expose different ports to the internet?  How is this safer than an RDP connection?
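The Event 4625 stream described in the question, one failed logon roughly every 5 seconds, is exactly what a rate-based check over failed-logon events catches. The following is an added example and is not part of the question or of any answer: it runs a per-source-IP sliding-window count over a constructed, simplified export of 4625 records (the `timestamp|EventID|TargetUserName|IpAddress|LogonType` layout, the addresses, account names and timestamps are all invented for the example; a real export from Event Viewer or wevtutil is XML or formatted text that you would first reduce to these fields). The threshold of 5 failures within 60 seconds is an assumption.

```python
"""Rate-based detection of RDP brute force from Windows Event ID 4625 records.

Added example for this thread; not part of the question or answers.
SAMPLE_EVENTS is a constructed, simplified export (one record per line:
"timestamp|EventID|TargetUserName|IpAddress|LogonType"); the addresses,
account names and timestamps are invented for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# 203.0.113.7 fails every 5 seconds with a different account each time (the
# pattern in the question); 198.51.100.20 is the legitimate home user who
# mistypes once and then logs on (4624); 192.0.2.9 fails twice, minutes apart.
SAMPLE_EVENTS = """\
2023-05-01T08:00:00|4625|administrator|203.0.113.7|3
2023-05-01T08:00:05|4625|admin|203.0.113.7|3
2023-05-01T08:00:10|4625|test|203.0.113.7|3
2023-05-01T08:00:12|4625|jsmith|198.51.100.20|10
2023-05-01T08:00:15|4625|user|203.0.113.7|3
2023-05-01T08:00:20|4625|guest|203.0.113.7|3
2023-05-01T08:00:25|4625|scan|203.0.113.7|3
2023-05-01T08:00:30|4625|backup|203.0.113.7|3
2023-05-01T08:00:35|4625|sql|203.0.113.7|3
2023-05-01T08:01:00|4624|jsmith|198.51.100.20|10
2023-05-01T08:03:00|4625|jsmith|192.0.2.9|10
2023-05-01T08:09:00|4625|jsmith|192.0.2.9|10
"""


@dataclass
class FailedLogon:
    when: datetime
    user: str
    source_ip: str
    logon_type: int


def parse_events(text):
    """Parse the constructed export, keeping only Event ID 4625 (failed logon)."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, logon_type = line.split("|")
        if event_id != "4625":
            continue
        out.append(FailedLogon(datetime.fromisoformat(ts), user, ip, int(logon_type)))
    return out


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed logons per source IP.

    Returns {source_ip: (peak_failures_in_window, distinct_usernames_in_that_window)}
    for every source that reached `threshold` failures inside any span of `window`.
    """
    recent = defaultdict(deque)   # source_ip -> deque of (timestamp, username)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.when):
        q = recent[ev.source_ip]
        q.append((ev.when, ev.user))
        # Drop entries that have fallen out of the window ending at this event.
        while q and ev.when - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            names = tuple(sorted({u for _, u in q}))
            prev = alerts.get(ev.source_ip)
            if prev is None or len(q) > prev[0]:
                alerts[ev.source_ip] = (len(q), names)
    return alerts


if __name__ == "__main__":
    for ip, (count, names) in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {count} failures in one window, accounts tried: {', '.join(names)}")
```

Two practical notes when pointing this at real data: with Network Level Authentication enabled, failed RDP attempts are usually logged with LogonType 3 rather than 10, and the IpAddress field can be "-" for some failure paths, so records without a usable source should be grouped separately rather than silently merged under one key.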

In simple terms: the VPN creates a virtual tunnel between the end user and your VPN device (using your example of an end user connecting remotely to your office) using encryption protocols. You can have the user authenticate using a variety of methods depending on your VPN device capabilities and your network configuration. Once the VPN session is established you can have your end users RDP or access the internal resources as if he/she was in the office. It will help you because theoretically breaking the VPN session is very difficult. I advise everyone to stop doing port forwarding to Windows machines and implement a VPN solution.

Hope it helps.
Kent W, Sr. Network / Systems Admin

VPN, if set up correctly, is much more secure than simply opening RDP up to the outside world. At a minimum, you would want to restrict the RDP ports to the remote user's IP / IP range.

Using VPN with encrypted tunneling and certificate(s) is vastly more secure than direct RDP port access.
VPN (if set up correctly) will establish a secure, encrypted, certificate-based pathway into the network hosting the RDP server, which the remote user can then connect to. If the remote user does not have the corresponding certificate for that user, then no access is granted. Depending on which VPN tech you choose, more safeguards can be added, including 2FA, restricting from IP addresses, etc.
The VPN field is simply so vast, it would be impossible to give all the options here, but to answer your question, yes, a secured VPN would be much better than what you are doing now.

Just thinking logically would already put you on the VPN path. Brute-forcing TWO things (VPN + RDP) takes longer and is MORE difficult than brute-forcing ONE thing (RDP only). Heck, if you don't like your VPN solution, just buy a new router, and voilà, new VPN solution.


Thank you all for your responses.  We have deployed a hardware-based security appliance (i.e. firewall with VPN capability), and we very much like the additional security features that are included.  However, our question still remains... perhaps we are missing something obvious.

To connect an outside user through the VPN to the internal network, and then to a desktop using RDP, still only requires a freely downloaded VPN client, a username, and a password. Granted, once the connection is made it is encrypted, but still, all that has essentially been required is a username and password, no different than the old straight, port-forwarded RDP method. Would someone please elaborate on how this is, in and of itself, more secure than straight RDP?
Sr. Network / Systems Admin
The VPN *should* be configured to only allow connections with a key pair / cert. The client should have the public key associated with the VPN servers private key. The client certificate can be baked into the client, if your VPN software generates the exe (many do, some don't), or you can apply the cert to the client.
Validation is associated with user / pass and certificate. No certificate, no connection.

If you did not have to apply the certificate to a free downloaded client, then it sounds like the VPN server may not be configured correctly.
Some clients, like the OpenVPN client, can find and apply the certificate if it happened to be on the client computer somewhere.
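The "no certificate, no connection" behaviour described above is a server-side setting, and the original poster's observation (a downloaded client plus username and password was enough) is what an OpenVPN server looks like when client certificates are switched off. Below is an added example, not code from this thread or from the OpenVPN project: two constructed server configurations, one password-only and one requiring a client certificate on top of the username/password check, together with a small audit function that flags the weak settings. The directive names are real OpenVPN 2.4+ options; the file names (ca.crt, ta.key, crl.pem), the address range and the PAM plugin path are assumptions for the example.

```python
"""Audit an OpenVPN server configuration for password-only access and related weaknesses.

Added example for this thread; not from the thread or the OpenVPN project.
Both configurations are constructed. Directive names are real OpenVPN 2.4+
options; file names, the subnet and the plugin path are assumed.
"""

# Weak: `verify-client-cert none` disables client certificates, so anyone with
# the server address, a stock client and a guessable username/password can try.
WEAK_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert none
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
"""

# Hardened: a certificate issued by ca.crt is mandatory AND the PAM username/password
# check still runs; tls-crypt makes the server drop packets that lack the shared
# key before any TLS handshake, so the listening port gives scanners no answer.
HARDENED_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert require
remote-cert-tls client
crl-verify crl.pem
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
tls-crypt ta.key
tls-version-min 1.2
"""


def parse_conf(text):
    """Return [(directive, [args...])], skipping blank lines and '#'/';' comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def audit_server_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_conf(text)
    names = {name for name, _ in directives}
    args = {name: a for name, a in directives}
    findings = []
    # OpenVPN's default when the directive is absent is `require`.
    if "client-cert-not-required" in names or args.get("verify-client-cert", ["require"])[0] != "require":
        findings.append("client certificate not required: password-only authentication")
    if not ({"tls-crypt", "tls-crypt-v2", "tls-auth"} & names):
        findings.append("no tls-crypt/tls-auth: the port answers unauthenticated control packets")
    if args.get("remote-cert-tls") != ["client"]:
        findings.append("remote-cert-tls client missing: certificate type of connecting peers is not checked")
    if "crl-verify" not in names:
        findings.append("crl-verify missing: revoked client certificates are still accepted")
    if "tls-version-min" not in names:
        findings.append("tls-version-min missing: legacy TLS versions can be negotiated")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(f"{label}: {audit_server_conf(conf) or ['no findings']}")
```

On the client side the matching configuration carries `cert client.crt` and `key client.key` (or inline `<cert>`/`<key>` blocks, which is how a vendor "bakes" the certificate into a generated client bundle) in addition to `auth-user-pass`; against a server running `verify-client-cert require`, a client without them is rejected during the TLS handshake before any password is tried. The `tls-crypt` (or `tls-auth`) line is what answers the "just a different port exposed" worry: packets that do not carry the shared key are discarded without a reply, so UDP/1194 does not behave like an open RDP listener toward scanners and password guessers.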


Thanks all... it appears certificates are the key.  We'll put that in place.  Thanks for all of your helpful comments.