Documentation
Access your PC from anywhere: your Windows desktop, wherever you are
Getting back to your office workstation from home, fixing a parent’s PC, driving a powerful editing rig from a lightweight laptop : accessing your PC remotely is an everyday need — and the worst way to meet it is to open the RDP port to the Internet. VIGIL-MESH brings the PC into a private, end-to-end encrypted network where it stays invisible to the rest of the world : you then open its desktop with the Windows Remote Desktop client by simply typing its name, or straight from a browser tab, with nothing to install on the device you are working from. Zero inbound ports, zero router configuration.
Three situations where you want your PC remotely
The need is always the same — see the screen of a Windows machine and act on it as if you were sitting there — but it comes in very different shapes. Three scenarios come up constantly :
The office PC from home (and the other way around)
Your business software, licenses and files live on the office workstation. Rather than duplicating everything, you open its desktop from home and work on it, in its exact environment. In the evening, the reverse move : grabbing a document left on the home PC from the office. Once both machines are members of the same network, access works in both directions.
A parent's PC, for assistance
“It stopped working” over the phone is hard to fix ; in front of the screen, it takes minutes. Enroll your parent’s PC into your private network once : from then on you can open their desktop whenever they call, without dictating technical instructions over the phone, and without their machine being reachable by anyone but you.
The powerful workstation, from a light laptop
The video editing, CAD or compute workstation stays at the office, with its GPU and fast drives. You travel with a light laptop and open its desktop remotely : the application runs on the powerful machine, only the display travels. The laptop needs neither the horsepower, nor the licenses, nor the data.
Windows already ships the tool for this : Remote Desktop (RDP), built into the system, with a faithful and responsive rendering of the desktop. The whole problem lies elsewhere : how do you reach that PC from outside without making it reachable by the entire Internet ?
Why you should never expose port 3389
A useful reminder : a machine is like a building, its IP address is the address of the building, and its ports are numbered doors behind which services listen. Windows Remote Desktop listens behind door 3389. The “historical” way to reach it from outside is to create a port forwarding rule on the router : whatever arrives on port 3389 of your public address is sent to the PC. That amounts to cutting this door straight onto the street.
And the Internet is an extremely busy street. Bots roam it permanently and knock methodically on every door of every address. An RDP port open to the Internet is a classic, massively documented attack target : it gets spotted by automated scans, then subjected to continuous password-guessing attempts, and targeted as soon as a flaw in the service is published. Most intrusions are not targeted attacks — they are doors left on the street.
- Port forwarding exposes — the service becomes reachable by you, but also by anyone. Its security then rests entirely on a password and on the absence of flaws in the software that listens.
- It is often impossible — on a 4G/5G connection or on many CGNAT lines, the NAT belongs to the carrier : there is simply no port for you to open.
- It is brittle — public address that changes, replaced router, rule to recreate : access breaks precisely on the day you need it, far from the machine.
Two paths to the same desktop
With VIGIL-MESH, the PC joins a private network where only your machines exist. Each member only establishes outbound connections — a single flow on 443 UDP, like a web browser —, receives a stable address and a readable name (MagicDNS), and is only reachable by the members your rules allow. From there, two paths lead to the PC’s desktop, depending on the device you start from.
| Remote Desktop client (native) | Desktop in the browser | |
|---|---|---|
| To install on the client side | The VIGIL-MESH client + your system's RDP client | Nothing: a browser is enough |
| How you reach the PC | By its MagicDNS name, as if it were on the local network | From the console, in the network's Administration tab |
| Best for | Your usual devices, enrolled in the network | A borrowed computer, a device that is not enrolled |
| Availability | Available with any standard RDP client | SSH terminal available; RDP desktop being built on the same foundation |
Both paths share the same foundation : the PC’s port 3389 is never exposed to the Internet. It is only reachable through its private-network address, under the control of the access policies.
Path 1: the Remote Desktop client, through the mesh
The first path is the most natural one if you already use Remote Desktop on your local network : nothing changes except the reach. The target PC and your device (laptop, another workstation, Android phone) are members of the same VIGIL-MESH network. In the Remote Desktop client, you type the PC’s name — “office-pc”, say — instead of an IP address : MagicDNS resolves it locally to its stable address on the mesh, and the RDP session is established through the encrypted tunnel.
- The same client as usual — the Windows Remote Desktop Connection, or any standard RDP application able to target a hostname, including from Android once the phone is enrolled.
- A name that never breaks — the PC’s address on the mesh is stable (100.64.0.0/10 space) and its name follows it : your shortcuts and .rdp files stay valid wherever you are, on home fiber as well as on a phone hotspot.
- Nothing to reconfigure on the road — the network path changes (Wi-Fi, 4G, hotel), but the session always targets the same name.
Performance: why the direct path matters
A remote desktop carries the whole screen — a continuous stream of images, far more demanding than the text of a terminal. Perceived quality therefore depends directly on the path your packets take. This is where VIGIL-MESH’s architecture matters : the connection is established immediately through a relay, then migrates without interruption to the direct peer-to-peer path as soon as NAT traversal has found one. On the direct path, your packets go from one machine to the other without a detour through a server : latency and throughput are those of your Internet connections on both ends, not those of an intermediary.
Let’s be honest about the limit : the direct path is not guaranteed. When both ends sit behind a symmetric NAT — two 4G connections on CGNAT, for instance —, the traffic stays permanently relayed by the vigil : the session works, simply over a longer path. The vigil is structurally blind (it does not hold the keys), and you can host your own so that even the relayed path goes through a machine of yours.
Locking down access: only your account reaches the RDP port
Making the PC disappear from the Internet is half the job. The other half is deciding who, inside the private network, is allowed to knock on its door 3389. That is the role of the access policies (ACLs), deny by default : whatever is not explicitly allowed is forbidden. A single rule is enough — your identity, to this PC, on the Remote Desktop port — and the rest of the network is blind to that service.
- Rules by identity — ACLs speak of accounts, machines and groups, not of addresses : the policy survives device changes.
- Encryption inside encryption — the RDP session travels inside an end-to-end QUIC/TLS 1.3 connection, with a hybrid post-quantum X25519 + ML-KEM key exchange. Relay included, nobody in the middle holds the keys.
- Immediate revocation — a lost or stolen laptop is revoked from the console : it leaves the network map and its sessions drop at once.
- Windows’ own protections stay in place — keep the account password strong and Network Level Authentication (NLA) enabled, as Windows offers by default. The private network adds to these defenses, it does not replace them.
Setting up access, step by step
- 1Create your workspaceCreate an account and a workspace in the VIGIL-MESH console. It is free for personal use.
- 2Install the client on the machines involvedThe target PC first, then the devices you want to access it from : laptop, another workstation, Android phone. A borrowed computer that will only use the browser has nothing to install.
- 3Enroll each machineIn the console, Networks page → Machines → “Add a machine” : the assistant hands you a single-use enrollment key to pass to the client.
- 4Verify connectivityEach machine receives its stable address and its MagicDNS name. A ping to the PC’s name confirms the path is in place.
- 5Enable Remote Desktop on the PCOn the Windows side (Pro or Enterprise edition) : Settings → System → Remote Desktop, then turn the switch on. The account used must have a password. No “access from the Internet” option to configure : the private network takes care of it without exposure.
- 6Connect by the PC's nameOpen Remote Desktop Connection on your device and type the PC’s MagicDNS name — as if it were in the next room. Then tighten the ACLs so that only your account reaches its RDP port.