Self-Hosted Encrypted Remote Desktop on Windows 11: RustDesk + Tailscale + WSL2
TLDR: Replace expensive, privacy-risking remote desktop tools with a free, encrypted, self-hosted stack. Zero public ports. No port forwarding. Dockerized RustDesk server running on WSL2, accessible only through your private Tailscale tailnet.
The Problem
TeamViewer and AnyDesk want your money and/or your data. Chrome Remote Desktop phones home to Google. All of them ask you to trust their servers to broker your sessions. NO THANKS!
I wanted free, open-source, encrypted end-to-end, and no public attack surface.
This setup replaced my paid remote desktop subscription and it's:
- Free forever
- Encrypted end-to-end
- No vendor lock-in
- Open-source code
Here's how I built it!
The Stack
mattmesmer/rustdesk-tailscale-wsl2-guide wires together four battle-tested tools into a single, repeatable setup:
| Component | Role | Why It Matters |
|---|---|---|
| RustDesk | Remote desktop server + client | Open-source TeamViewer alternative |
| Tailscale | Zero-config VPN | Private networking without port forwarding |
| WSL2 + Docker Desktop | Container host | Native Linux containers on Windows |
| MagicDNS | Stable hostnames | No public DNS, no TLS certs to manage |
The result: remote into any machine on your tailnet from any device that is itself joined to the tailnet, encrypted, without touching public DNS, TLS certs, or firewall rules.
How It Works
- Tailscale gives every device a stable, private hostname (`myhost.tailnet-name.ts.net`)
- Docker Desktop runs the RustDesk server (hbbs + hbbr) in a WSL2 container and publishes its ports on the Windows host, where the Tailscale client makes them reachable from the tailnet
- MagicDNS eliminates the need for public IP addresses, dynamic DNS, or certificates
- Clients pin the server's Ed25519 public key, so every connection is cryptographically verified against that key
- `ENCRYPTED_ONLY=1` makes the server reject any peer that has not been configured with that key; unverified or unencrypted connections are refused outright
No public ports. No port forwarding. The only third party left is Tailscale's coordination server, which distributes node public keys but never sees session traffic: WireGuard encrypts it end to end between your devices, and RustDesk encrypts the session on top of that.
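The flow above, as an added PowerShell example (not the guide's own compose file or scripts): it writes a compose file for the S6 image, publishes the RustDesk ports on the Tailscale address only, and then checks the result from the Windows side. The port numbers, the `RELAY` and `ENCRYPTED_ONLY` variables and the `id_ed25519.pub` file name come from the rustdesk-server image documentation; the working directory, the assumption that `docker` and `tailscale` are on PATH, and the assumption that Docker Desktop honours a host-IP prefix on published ports are mine, which is why the listener check is there.

```powershell
# Added example, not part of the mattmesmer guide: bring the S6 RustDesk
# server up on a Windows 11 host and prove that it is reachable only over
# Tailscale. Run from an elevated PowerShell prompt with Docker Desktop
# (WSL2 backend) and the Tailscale client already installed and on PATH.
$ErrorActionPreference = 'Stop'

# This host's Tailscale IPv4 address and MagicDNS name (trailing dot removed).
$TsIp   = (& tailscale ip -4).Trim()
$TsName = ((& tailscale status --json | ConvertFrom-Json).Self.DNSName).TrimEnd('.')
$Ports  = 21115..21119                      # hbbs/hbbr ports from the rustdesk-server docs
$Dir    = Join-Path $HOME 'rustdesk-server' # assumed working directory
New-Item -ItemType Directory -Force -Path (Join-Path $Dir 'data') | Out-Null

# Docker publishes ports on 0.0.0.0 unless told otherwise; prefixing each
# mapping with the Tailscale address keeps hbbs/hbbr off the LAN interface.
# RELAY tells hbbs which relay host to hand to clients; ENCRYPTED_ONLY=1
# makes it refuse clients that do not present the pinned key.
@"
services:
  rustdesk:
    image: rustdesk/rustdesk-server-s6:latest
    container_name: rustdesk
    restart: unless-stopped
    environment:
      - RELAY=$TsName
      - ENCRYPTED_ONLY=1
    ports:
      - "${TsIp}:21115:21115"
      - "${TsIp}:21116:21116"
      - "${TsIp}:21116:21116/udp"
      - "${TsIp}:21117:21117"
      - "${TsIp}:21118:21118"
      - "${TsIp}:21119:21119"
    volumes:
      - ./data:/data
"@ | Set-Content -Encoding ascii (Join-Path $Dir 'docker-compose.yml')

& docker compose -f (Join-Path $Dir 'docker-compose.yml') up -d

# Verification 1: every RustDesk listener on the Windows host must be bound
# to the Tailscale address. Anything on 0.0.0.0, ::, or a LAN address means
# the port is reachable from outside the tailnet.
Start-Sleep -Seconds 5
$listeners = @(Get-NetTCPConnection -State Listen | Where-Object { $Ports -contains $_.LocalPort }) +
             @(Get-NetUDPEndpoint            | Where-Object { $Ports -contains $_.LocalPort })
if (-not $listeners) { throw "No RustDesk listeners found; is the container up?" }
$exposed = $listeners | Where-Object { $_.LocalAddress -ne $TsIp }
if ($exposed) {
    $exposed | Format-Table LocalAddress, LocalPort, OwningProcess | Out-String | Write-Warning
    throw "RustDesk ports are listening on a non-Tailscale address"
}
Write-Host "OK: ports $($Ports -join ', ') listen only on $TsIp"

# Verification 2: the key clients must pin. hbbs writes id_ed25519.pub into
# its data directory on first start; paste this value into every client's
# Key field alongside the ID and relay servers below.
$pubKey = (Get-Content (Join-Path $Dir 'data\id_ed25519.pub') -Raw).Trim()
@"
Client network settings:
  ID server    : ${TsName}:21116
  Relay server : ${TsName}:21117
  Key          : $pubKey
"@
```

If the listener check fails, the fix is in the compose file, not the firewall: a mapping without the `${TsIp}:` prefix is exactly the "did I leave that port open?" case, because Docker will then publish it on every interface of the Windows host, including the LAN.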
Who This Is For
- Privacy-maximizers who prefer to self-host and encrypt their data
- Windows + WSL2 users who want Linux containers without a separate VM
- Cheap homelabbers tired of SaaS remote desktop pricing
- Anyone who can read a Docker Compose file and wants control back
Try It Out
The GitHub repository has everything you need:
- Full `docker-compose.yml` with S6-overlay (hbbs + hbbr in one container)
- Client configuration for every platform
- Verification commands and troubleshooting
- Maintenance & upgrade procedures
Check out the full guide on GitHub!
Star it if it saves you a subscription fee.
Quick Wins You'll Appreciate
| Before | After |
|---|---|
| Dynamic DNS services | `myhost.tailnet-name.ts.net`: set and forget |
| Let's Encrypt cert anxiety | Not needed: private names, private trust |
| Firewall port juggling | Zero inbound rules |
| "Did I leave that port open?" | Nothing to leave open, provided the published ports are bound to the Tailscale address (Docker's default of 0.0.0.0 also exposes them on the LAN) |
Feedback Welcome
This is the stack I run daily. If you hit edge cases, spot improvements, or want to see additional integrations (Ansible? Terraform? Proxmox?), report an issue or open a PR.