VIGIL MESH

Documentation

A TeamViewer alternative: remote desktop over your own private network

TeamViewer made remote control accessible to everyone: an ID, a password, and you are looking at the screen of a machine on the other side of the world. But when the machines are yours — your office workstation, your servers, the small fleet of a team or a workshop —, another approach exists: an encrypted private network that connects your machines to each other, where remote desktop and terminal sessions travel end to end, with no third-party gateway that could see the traffic and no port opened on the router. This page compares the two approaches honestly — each one excels at a different use case — then shows how to set up the second.

What TeamViewer does very well

TeamViewer is a remote support and remote desktop tool: both ends install the vendor's software, and the vendor's infrastructure connects them. Its historical strength fits in a scene everyone knows: fixing the computer of someone you have never met. The person reads out an ID and a password displayed on their screen, you type them in, and you take control. No account to create on the helped side, no network to prepare, no shared configuration beforehand.

Nothing to preconfigure

The machine you are helping does not need to be known in advance: the software runs, an ID appears, the session starts. For one-off assistance to third parties, this is unbeatable.

Crosses networks on its own

Home routers, corporate firewalls, mobile connections: the vendor's infrastructure takes care of connecting the two machines, without anyone touching a router.

Free for personal use

The vendor offers the tool free of charge for personal use, which made it the family reflex for computer help — the parents' PC, a relative's tablet.

What gets in the way of some use cases

TeamViewer's qualities stem from an architectural choice: the vendor is the one connecting the machines. That choice is coherent for a universal support tool, but it has consequences worth knowing when what you want is permanent access to your own machines.

  • The path goes through a third party. The brokering — and the relaying of traffic when the direct connection does not come through — is operated by the vendor’s servers. Access to your own machines therefore depends on the availability and rules of an external service, even when both machines are in the same room.
  • The commercial-use policy. The tool is free for personal use, and the vendor detects usage it deems commercial: a session judged professional can be limited. It is a legitimate, openly stated policy — but the boundary can be delicate to live with when you fix the association’s computer, an occasional client’s PC, or your own work-from-home machine.
  • A third-party agent and account on every machine. Every reachable machine runs the vendor’s software, and access rights live in an account hosted with them. Who may reach what is not a rule of your network: it is data held by the service.

The private-network approach: your machines talk to each other directly

The alternative is to stop going through a brokering service on every session, and instead build a private network between your machines once. Each machine is enrolled into your workspace, receives a stable private address and a readable name (MagicDNS), and becomes reachable by the other members as if they shared the same local network — wherever they physically are. Remote desktop and the terminal are then no longer a vendor's services: they are the standard protocols, RDP and SSH, travelling inside your own encrypted network.

Native RDP to your Windows workstations

The usual Windows Remote Desktop client connects to port 3389 of the machine through its private address or name — never exposed to the internet. Same tool, same habits, but the door no longer opens onto the street: it opens onto your network.

Terminal and desktop from the browser

The Administration tab of the console opens an SSH terminal on a machine of the network, right in the browser: the page becomes a mesh node and a classic SSH client runs inside it. Your credentials are consumed in the page and never transit our servers.

SSH for servers and headless machines

For a Linux server, a gateway or a robot, the SSH terminal remains the most efficient tool: a few bytes per keystroke, fluid even on a mediocre mobile link, and reachable by the machine's name.

No gateway that sees the traffic

Sessions are end-to-end encrypted QUIC/TLS 1.3 connections, with a hybrid post-quantum key exchange (X25519 + ML-KEM). No intermediate server terminates the session: decryption only exists at the two ends.

The difference with a bastion or web gateway deserves emphasis. Those middleboxes terminate the SSH or RDP session on their server, which therefore holds the cleartext and your credentials, then forward the display to you. Here there is no intermediate termination: the protocol starts on your workstation — or in your browser tab — and ends on the target machine. The infrastructure carries opaque bytes; it does not read.

No third-party account in the loop — and no port to open

Replacing a brokering service must not bring back the chore everyone runs from: opening a port on the router, exposing port 3389 to the internet — one of the most attacked configurations there is, scanned continuously by bots. VIGIL-MESH asks for none of it: no node opens an inbound port. Every machine only establishes outbound connections, over a single flow on 443 UDP — the same port as the modern web, allowed outbound on nearly every network, including behind a consumer router or a 4G/5G connection on CGNAT.

  1. 1
    Immediate connection through a relayAs soon as two machines need to talk, traffic goes through a relay (the vigie), itself reached outbound. No waiting: the RDP or SSH session opens right away.
  2. 2
    NAT traversal looks for the direct pathIn parallel, the two machines try to establish a direct peer-to-peer path, without any port having been configured anywhere.
  3. 3
    Seamless migrationAs soon as a direct path exists, the session migrates to it without reconnecting: your remote desktop does not even blink, the traffic simply changes route.

The relay deserves a word, because this is where the approach differs most from a support service: the vigie is structurally blind. It does not hold the session keys and carries end-to-end encrypted connections whose content it never sees. And if transiting through a shared relay bothers you, you can host your own private vigie, dedicated to your workspace: the relayed path then goes through a machine of yours.

Who this is the right choice for — and who TeamViewer remains better for

The entry cost of the private-network approach is simple to state: every machine must be enrolled once. It takes a few minutes per machine, but it assumes you have access to it and responsibility for it. This criterion settles almost every use case:

SituationBetter choiceWhy
Occasionally fixing a stranger's machineTeamViewerNothing to preconfigure: ID + password and the session starts
Support for varied clients, machines never seen beforeTeamViewerYou cannot enroll machines you do not know in advance
Reaching your own machines every dayPrivate networkEnroll once, then native RDP/SSH by name, with no third party in the loop
Administering servers and headless machinesPrivate networkLightweight SSH terminal, reachable by name, including from the browser
A managed fleet: family, workshop, small teamPrivate networkIdentity-based ACLs, immediate revocation, no exposed port
Requirement: no third party may see the trafficPrivate networkEnd-to-end encryption, blind relay, self-hostable vigie

The two approaches are not mutually exclusive either: many people keep a support tool for the unexpected — a visiting friend's laptop — and run their own machines on their private network. These are two different problems, and it is healthy to solve them with two different tools.

A fleet of machines: workshop, managed family, small team

The private-network approach shows its full value as soon as there are more than two machines, because it turns a pile of one-off sessions into an administered network. Three concrete examples:

  • The workshop. The workstations driving the machines, the drawings server and the industrial gateway are enrolled. From the office — or from a browser on the road — you open a desktop on the milling machine’s workstation or a terminal on the gateway, by name, while none of those machines is reachable from the internet.
  • The managed family. During a visit, you enroll the parents’ PC once. From then on, every fix is an ordinary remote desktop session to a machine of your own network — no ID to have read out over the phone, no limited session, nothing to reinstall.
  • The small team. Workstations and servers live in the same workspace. Everyone reaches their own machines; the administrator reaches everything; the contractor sees a single machine, on a single port.

That last point rests on access policies (ACLs), and it is what separates an administered network from a mere contact list: deny by default. What is not explicitly allowed is forbidden, and the rules speak of identities — machines, groups, tags —, never of addresses:

SourceDestinationAction
group:adminsall machines (SSH, RDP)Allow
machine:office-desktag:workshop (port 3389)Allow
machine:contractormachine:drawings-server (port 443)Allow
(any source)(any destination)Deny by default

Setting up your network, step by step

The setup happens once, machine by machine. The client exists for Windows, Linux, Android and NVIDIA Jetson — and the browser can become an ephemeral node through the console, with nothing to install.

  1. 1
    Create an account and a workspaceThe workspace is the perimeter where your networks, machines and access rules will live.
  2. 2
    Install the client on the machines involvedThe Windows workstation you want to reach over RDP, the server to administer over SSH, the laptop you work from.
  3. 3
    Enroll each machineNetworks page → Machines → “Add a machine”: the wizard hands you a one-time enrollment key, passed to the client as a command or as a QR code on mobile. The machine generates its identity locally and opens no inbound port.
  4. 4
    VerifyThe machine appears in the console with its stable address; a ping or its MagicDNS name confirms it is reachable.
  5. 5
    Connect as if localRemote desktop to the Windows workstation's name, SSH to the server's name — or a terminal from the console's Administration tab. The ACLs decide who may administer what.

Frequently asked questions

Can VIGIL-MESH replace TeamViewer for fixing a stranger's computer?
No, and this page does not claim it can. The private-network approach requires enrolling the machine once into your workspace — impossible for a one-off fix at the home of someone you will never see again. For that case, a support tool like TeamViewer remains the right choice. The private network wins as soon as the machines are yours or belong to a fleet you manage.
Do I need to open port 3389 (RDP) or 22 (SSH) on my router?
No, no inbound port. These services are only reachable through the machine's private address, inside the encrypted network and under the control of the ACLs. Every machine only establishes outbound connections, over a single 443 UDP flow — nothing to configure on the router, nothing to justify to a corporate firewall.
Who can see my remote desktop sessions?
No one but the two ends. Sessions are end-to-end encrypted QUIC/TLS 1.3 connections, with a hybrid post-quantum key exchange. When a relay is needed, it carries opaque packets without holding the keys — and you can host your own private vigie if you want to own that relay too.
Does it work behind a 4G/5G connection or CGNAT?
Yes. CGNAT prevents hosting a server, but it lets connections out — and VIGIL-MESH only goes out. The session opens immediately through the relay, then migrates seamlessly to the direct path if NAT traversal succeeds. If both ends sit behind a symmetric NAT, traffic stays relayed permanently, through the blind relay.
Is it free?
VIGIL-MESH is free for personal use: direct traffic between your machines is unlimited, and a quota applies to relayed traffic. TeamViewer is also free for personal use, with detection of usage deemed commercial — which is precisely one of the model differences described above.
Can I reach my machines from a workstation that is not enrolled?
Yes. Sign in to the console from a browser: the tab becomes an ephemeral member of the network for the lifetime of the session, and you open an SSH terminal on your machines with nothing to install. The key of this browser device vanishes with the tab — protect the account with MFA.
What about my headless Linux servers?
That is SSH terminal territory: a few bytes per keystroke, fluid even on a mediocre mobile link, reachable by the machine's name. RDP remote desktop, for its part, targets Windows workstations and graphical software. Both travel over the same encrypted network.
How do I cut off a machine or a person?
From the console: suspending pauses access without deleting the identity, revoking removes it permanently — the machine instantly loses all reachability on the network. And since the ACLs apply deny by default, each machine could only ever reach what its rights allowed anyway.
Read nextSSH terminal and remote desktop in the browser