DEV Community

Matt Mesmer
Matt Mesmer

Posted on

Ditch TeamViewer/Anydesk: A Free Self-Hosted Remote Desktop Solution is Here

#rustdesk #tailscale #linux #opensource

Self-Hosted Encrypted Remote Desktop on Windows 11: RustDesk + Tailscale + WSL2

TLDR: Replace expensive, privacy-risking remote desktop tools with a free, encrypted, self-hosted stack. Zero public ports. No port forwarding. Dockerized RustDesk server running on WSL2, accessible only through your private Tailscale tailnet.

The Problem

TeamViewer and Anydesk want your money and/or data. Chrome Remote Desktop phones home to Google. And both ask you to trust their servers with your screen data. NO THANKS!

I wanted free, open-source, encrypted end-to-end, and no public attack surface.

This setup replaced my paid remote desktop subscription and it's:

  • βœ… Free forever
  • βœ… Encrypted end-to-end
  • βœ… No vendor lock-in
  • βœ… Open-source code

Here's how I built it!

The Stack

mattmesmer/rustdesk-tailscale-wsl2-guide wires together four battle-tested tools into a single, repeatable setup:

Component Role Why It Matters
RustDesk Remote desktop server + client Open-source TeamViewer alternative
Tailscale Zero-config VPN Private networking without port forwarding
WSL2 + Docker Desktop Container host Native Linux containers on Windows
MagicDNS Stable hostnames No public DNS, no TLS certs to manage

The result: Remote into any machine on your tailnet from any device with internet access, encrypted, without touching public DNS, TLS certs, or firewall rules.

How It Works

  1. Tailscale gives every device a stable, private hostname (myhost.tailnet-name.ts.net)
  2. Docker runs the RustDesk server on WSL2, bridged into your tailnet automatically
  3. MagicDNS eliminates the need for public IP addresses, dynamic DNS, or certificates
  4. Ed25519 key pinning forces cryptographic verification on every connection
  5. ENCRYPTED_ONLY=1 rejects any unverified peer outright

No public ports. No port forwarding. No trust placed in third-party infrastructure.

Who This Is For

  • Privacy-maximizers who prefer to self-host and encrypt their data
  • Windows + WSL2 users who want Linux containers without a separate VM
  • Cheap homelabbers tired of SaaS remote desktop pricing
  • Anyone who can read a Docker Compose file and wants control back

Try It Out

The GitHub repository has everything you need:

  • Full docker-compose.yml with S6-overlay (hbbs + hbbr in one container)
  • Complete prerequisite checklist
  • Client configuration for every platform
  • Verification commands and troubleshooting
  • Maintenance & upgrade procedures

πŸ“‹ Check out the full guide on Github!
⭐ Star it if it saves you a subscription fee.

Quick Wins You'll Appreciate

Before After
Dynamic DNS services myhost.tailnet-name.ts.net β€” set and forget
Let's Encrypt cert anxiety Not needed β€” private names, private trust
Firewall port juggling Zero inbound rules
"Did I leave that port open?" Impossible by design

Feedback Welcome

This is the stack I run daily. If you hit edge cases, spot improvements, or want to see additional integrations (Ansible? Terraform? Proxmox?), report an issue or open a PR.

Top comments (0)