VIGIL MESH

Documentation

Access your PC from anywhere: your Windows desktop, wherever you are

Getting back to your office workstation from home, fixing a parent’s PC, driving a powerful editing rig from a lightweight laptop : accessing your PC remotely is an everyday need — and the worst way to meet it is to open the RDP port to the Internet. VIGIL-MESH brings the PC into a private, end-to-end encrypted network where it stays invisible to the rest of the world : you then open its desktop with the Windows Remote Desktop client by simply typing its name, or straight from a browser tab, with nothing to install on the device you are working from. Zero inbound ports, zero router configuration.

Three situations where you want your PC remotely

The need is always the same — see the screen of a Windows machine and act on it as if you were sitting there — but it comes in very different shapes. Three scenarios come up constantly :

The office PC from home (and the other way around)

Your business software, licenses and files live on the office workstation. Rather than duplicating everything, you open its desktop from home and work on it, in its exact environment. In the evening, the reverse move : grabbing a document left on the home PC from the office. Once both machines are members of the same network, access works in both directions.

A parent's PC, for assistance

“It stopped working” over the phone is hard to fix ; in front of the screen, it takes minutes. Enroll your parent’s PC into your private network once : from then on you can open their desktop whenever they call, without dictating technical instructions over the phone, and without their machine being reachable by anyone but you.

The powerful workstation, from a light laptop

The video editing, CAD or compute workstation stays at the office, with its GPU and fast drives. You travel with a light laptop and open its desktop remotely : the application runs on the powerful machine, only the display travels. The laptop needs neither the horsepower, nor the licenses, nor the data.

Windows already ships the tool for this : Remote Desktop (RDP), built into the system, with a faithful and responsive rendering of the desktop. The whole problem lies elsewhere : how do you reach that PC from outside without making it reachable by the entire Internet ?

Why you should never expose port 3389

A useful reminder : a machine is like a building, its IP address is the address of the building, and its ports are numbered doors behind which services listen. Windows Remote Desktop listens behind door 3389. The “historical” way to reach it from outside is to create a port forwarding rule on the router : whatever arrives on port 3389 of your public address is sent to the PC. That amounts to cutting this door straight onto the street.

And the Internet is an extremely busy street. Bots roam it permanently and knock methodically on every door of every address. An RDP port open to the Internet is a classic, massively documented attack target : it gets spotted by automated scans, then subjected to continuous password-guessing attempts, and targeted as soon as a flaw in the service is published. Most intrusions are not targeted attacks — they are doors left on the street.

  • Port forwarding exposes — the service becomes reachable by you, but also by anyone. Its security then rests entirely on a password and on the absence of flaws in the software that listens.
  • It is often impossible — on a 4G/5G connection or on many CGNAT lines, the NAT belongs to the carrier : there is simply no port for you to open.
  • It is brittle — public address that changes, replaced router, rule to recreate : access breaks precisely on the day you need it, far from the machine.

Two paths to the same desktop

With VIGIL-MESH, the PC joins a private network where only your machines exist. Each member only establishes outbound connections — a single flow on 443 UDP, like a web browser —, receives a stable address and a readable name (MagicDNS), and is only reachable by the members your rules allow. From there, two paths lead to the PC’s desktop, depending on the device you start from.

Remote Desktop client (native)Desktop in the browser
To install on the client sideThe VIGIL-MESH client + your system's RDP clientNothing: a browser is enough
How you reach the PCBy its MagicDNS name, as if it were on the local networkFrom the console, in the network's Administration tab
Best forYour usual devices, enrolled in the networkA borrowed computer, a device that is not enrolled
AvailabilityAvailable with any standard RDP clientSSH terminal available; RDP desktop being built on the same foundation

Both paths share the same foundation : the PC’s port 3389 is never exposed to the Internet. It is only reachable through its private-network address, under the control of the access policies.

Path 1: the Remote Desktop client, through the mesh

The first path is the most natural one if you already use Remote Desktop on your local network : nothing changes except the reach. The target PC and your device (laptop, another workstation, Android phone) are members of the same VIGIL-MESH network. In the Remote Desktop client, you type the PC’s name — “office-pc”, say — instead of an IP address : MagicDNS resolves it locally to its stable address on the mesh, and the RDP session is established through the encrypted tunnel.

  • The same client as usual — the Windows Remote Desktop Connection, or any standard RDP application able to target a hostname, including from Android once the phone is enrolled.
  • A name that never breaks — the PC’s address on the mesh is stable (100.64.0.0/10 space) and its name follows it : your shortcuts and .rdp files stay valid wherever you are, on home fiber as well as on a phone hotspot.
  • Nothing to reconfigure on the road — the network path changes (Wi-Fi, 4G, hotel), but the session always targets the same name.

Path 2: the desktop in a browser tab

The second path requires nothing installed on the client side : any browser will do. In the VIGIL-MESH console, the Administration tab of a network lists the machines that are online and lets you open a session directly in the page. The mechanism is remarkable : the node’s core is compiled to WebAssembly and runs inside the tab, which becomes a real — ephemeral — member of the network. The RDP client then runs in your browser and connects to the PC’s port 3389 through the mesh.

The difference with a classic “web gateway” is essential : a web bastion terminates the session on an intermediate server, which therefore sees your screen and your credentials in the clear. Here, there is no intermediate termination : the protocol starts in your tab and ends on the PC. Your credentials are consumed by the client running in the page ; they never transit through our servers, and the relay only sees opaque packets.

  • Zero software on the client side — a borrowed computer or a device that is not enrolled is enough : you sign in to your account, and the tab joins the network for the duration of the session.
  • Including from a Mac — the browser path does not depend on the operating system : any device with a modern browser can open the console.
  • A key that dies with the tab — the browser node is ephemeral : its private key is generated in the page and disappears when you close it. Protect access to the account (MFA) accordingly.

Performance: why the direct path matters

A remote desktop carries the whole screen — a continuous stream of images, far more demanding than the text of a terminal. Perceived quality therefore depends directly on the path your packets take. This is where VIGIL-MESH’s architecture matters : the connection is established immediately through a relay, then migrates without interruption to the direct peer-to-peer path as soon as NAT traversal has found one. On the direct path, your packets go from one machine to the other without a detour through a server : latency and throughput are those of your Internet connections on both ends, not those of an intermediary.

Let’s be honest about the limit : the direct path is not guaranteed. When both ends sit behind a symmetric NAT — two 4G connections on CGNAT, for instance —, the traffic stays permanently relayed by the vigil : the session works, simply over a longer path. The vigil is structurally blind (it does not hold the keys), and you can host your own so that even the relayed path goes through a machine of yours.

Locking down access: only your account reaches the RDP port

Making the PC disappear from the Internet is half the job. The other half is deciding who, inside the private network, is allowed to knock on its door 3389. That is the role of the access policies (ACLs), deny by default : whatever is not explicitly allowed is forbidden. A single rule is enough — your identity, to this PC, on the Remote Desktop port — and the rest of the network is blind to that service.

  • Rules by identity — ACLs speak of accounts, machines and groups, not of addresses : the policy survives device changes.
  • Encryption inside encryption — the RDP session travels inside an end-to-end QUIC/TLS 1.3 connection, with a hybrid post-quantum X25519 + ML-KEM key exchange. Relay included, nobody in the middle holds the keys.
  • Immediate revocation — a lost or stolen laptop is revoked from the console : it leaves the network map and its sessions drop at once.
  • Windows’ own protections stay in place — keep the account password strong and Network Level Authentication (NLA) enabled, as Windows offers by default. The private network adds to these defenses, it does not replace them.

Setting up access, step by step

  1. 1
    Create your workspaceCreate an account and a workspace in the VIGIL-MESH console. It is free for personal use.
  2. 2
    Install the client on the machines involvedThe target PC first, then the devices you want to access it from : laptop, another workstation, Android phone. A borrowed computer that will only use the browser has nothing to install.
  3. 3
    Enroll each machineIn the console, Networks page → Machines → “Add a machine” : the assistant hands you a single-use enrollment key to pass to the client.
  4. 4
    Verify connectivityEach machine receives its stable address and its MagicDNS name. A ping to the PC’s name confirms the path is in place.
  5. 5
    Enable Remote Desktop on the PCOn the Windows side (Pro or Enterprise edition) : Settings → System → Remote Desktop, then turn the switch on. The account used must have a password. No “access from the Internet” option to configure : the private network takes care of it without exposure.
  6. 6
    Connect by the PC's nameOpen Remote Desktop Connection on your device and type the PC’s MagicDNS name — as if it were in the next room. Then tighten the ACLs so that only your account reaches its RDP port.

Frequently asked questions

Do I need to open port 3389 or configure my router?
No, and that is the whole point. Each machine only establishes outbound connections — a single flow on 443 UDP, like a web browser. The PC's port 3389 is only reachable through its private-network address, under the control of the ACLs. This also works behind a 4G/5G connection or a CGNAT line, where port forwarding is impossible anyway.
Does my PC have to stay on?
Yes: to receive a Remote Desktop session, the PC must be powered on and connected. A machine that is off or in deep sleep does not run the client and is not reachable. The pragmatic setting is to prevent the PC from sleeping (the display itself can turn off) during the periods when you want to be able to reach it.
Does Wake-on-LAN work through the mesh?
Caution on this one. The Wake-on-LAN magic packet is a layer-2 broadcast, and every VIGIL-MESH network is a broadcast domain: broadcast traverses the mesh between members (see the page on L2 broadcast and multicast, /docs/l2-multicast). But a sleeping PC no longer runs the client: the most reliable setup is to have, on the same local network, a small always-on machine that is a mesh member, from which you emit the magic packet locally. We do not guarantee the wake-up itself: it depends on the network card, the BIOS/UEFI and their settings.
What if the PC runs Windows Home?
Receiving an RDP connection is reserved for the Windows Pro and Enterprise editions — a Windows rule that the network does not change. A machine running Windows Home can perfectly join the network and connect to the others, but cannot be a Remote Desktop target. Alternatives: upgrade the machine to the Pro edition, or administer it through another channel of the mesh, for instance an SSH terminal (the Windows OpenSSH server installs on all editions).
Can I access my PC from a Mac or a phone?
From Android, yes: the VIGIL-MESH client brings the phone into the network, and any Remote Desktop application able to target a hostname reaches the PC by its MagicDNS name. From a Mac or a device without a dedicated client, the path is the browser: the console works in any modern browser, and the tab becomes an ephemeral member of the network — the terminal is available there, and the RDP desktop in the tab is coming on the same foundation.
Can anyone — you included — see my session?
No. The RDP session is transported inside an end-to-end encrypted QUIC/TLS 1.3 connection between your two machines; the relay, when used, is structurally blind and does not hold the keys. On the browser path, your credentials are consumed by the client running in the page: they never transit through our servers, unlike a web bastion that terminates the session in the middle.
What shows on the PC's physical screen during my session?
Standard Windows behavior applies: when a Remote Desktop session opens, the PC's physical screen locks and shows the sign-in screen. Nobody in the room sees what you are doing — and conversely, RDP is not meant to share the screen with someone sitting at the machine; for hands-on assistance together, a screen-sharing tool remains better suited.
The network is fine but the RDP connection is refused — why?
The classic causes are on the Windows side or the rules side, not the network side: Remote Desktop is not enabled on the PC; the target account has no password (Windows refuses RDP connections on a passwordless account); the machine runs Windows Home, which cannot receive RDP connections; or the network's ACL does not allow your identity to reach that PC's port 3389. Check these four points in that order — a ping that answers while RDP fails almost always points to one of them.
Read nextSSH terminal and remote desktop in the browser