
RustDesk: How to Create a Secure Private Remote Access Network

RustDesk is the perfect solution for secure remote access, open-source and under your complete control. In this article I'll show you how to deploy your own server, configure it as a closed network, and secure it for corporate use.

Architecture

Diagram created with https://savnet.co

RustDesk is an open-source alternative to tools like TeamViewer or AnyDesk, but with a key advantage: you can self-host it. This means:

  • Complete control over your data
  • No connection limits
  • Zero licensing costs (only server costs)

Step 1: Prepare the Server

You'll need a Linux server running Ubuntu 22.04 or 24.04 LTS with:

  • 1 vCPU, 2 GB RAM (enough for dozens of connections)
  • Ubuntu 22.04 LTS or higher
  • Fixed public IP

New DigitalOcean server

Step 2: Initial Server Configuration

Connect via SSH and update the system:

ssh root@your_server_ip
apt update && apt upgrade -y
timedatectl set-timezone America/New_York  # Adjust to your timezone
reboot

Step 3: Install Docker and Docker Compose

Follow the official Docker installation:

# Install dependencies
apt install -y ca-certificates curl gnupg

# Add official Docker repository
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
  https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
  | tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker
apt update
apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Verify installation
docker --version
docker compose version

Docker versions

Step 4: Prepare RustDesk Structure

mkdir -p /opt/rustdesk-server/data
cd /opt/rustdesk-server

Step 5: Create the docker-compose.yml File

Create the file with nano /opt/rustdesk-server/compose.yml:

services:
  hbbr:
    container_name: hbbr
    image: rustdesk/rustdesk-server:latest
    command: hbbr
    volumes:
      - ./data:/root
    network_mode: "host"
    restart: unless-stopped

  hbbs:
    container_name: hbbs
    image: rustdesk/rustdesk-server:latest
    command: hbbs
    volumes:
      - ./data:/root
    network_mode: "host"
    depends_on:
      - hbbr
    restart: unless-stopped

Important: We use network_mode: "host" because RustDesk needs to see the real host IP to function correctly.

Step 6: Start the Services

# Start services
docker compose up -d

# Verify they're running
docker ps

# View logs
docker compose logs

Docker services

Step 7: Get the Server Public Key

This key is crucial for clients to trust your server:

cat /opt/rustdesk-server/data/id_ed25519.pub && echo ""

Save the result. It will look something like:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

Step 8: Configure the Firewall

Ports needed for RustDesk OSS:

  • TCP 21115 - Main service
  • TCP 21116 - ID service
  • UDP 21116 - For better performance
  • TCP 21117 - Relay service

Configure UFW on the server:

# Install firewall ufw
apt install -y ufw

# Allow SSH only from YOUR public IP
ufw allow from your_admin_ip to any port 22
# IF YOU DON'T HAVE a fixed public IP, use this rule INSTEAD (allows SSH from any origin):
# ufw allow 22

# Allow RustDesk ports
ufw allow 21115/tcp
ufw allow 21116/tcp
ufw allow 21116/udp
ufw allow 21117/tcp

# Enable firewall
ufw enable
ufw status verbose

Ufw firewall

Configure cloud provider firewall:

In your cloud provider panel, create Inbound rules that allow only from your corporate IPs:

DigitalOcean firewall

Step 9: Configure Computer/Client

On each computer:

  1. Open RustDesk
  2. Go to Settings → Network
  3. Click Unlock Network Settings
  4. Go to Server ID/Relay
  5. Configure:
    • ID Server: YourRustServerIP
    • Relay Server: YourRustServerIP
    • Key: Paste the public key obtained in step 7
    • API Server: Leave empty (only for RustDesk Pro)

RustDesk client setup

If you want to quickly use your configuration, click the copy icon in the top right corner, and the paste icon to import:

RustDesk client export/import



Ways to Improve Your RustDesk Client Security

Security RustDesk client

RustDesk offers multiple authentication methods to securely control remote access. Here I explain each option:

1. One-time password

  • Automatically generated for each session and the user must provide it to the remote technician to connect
  • Length options: 6, 8, or 10 digits
  • The key changes with each session
  • Ideal use: Temporary technical support or occasional access

2. Permanent password

  • Key you specify manually that doesn't change between sessions
  • Allows continuous access without needing to share new keys
  • Ideal use: Frequent remote access to your own computer

3. Both passwords

  • Flexibility to use temporary OR permanent password
  • Ideal use: Mixed scenarios (personal use + occasional support)

4. Two-Factor Authentication (2FA)

  • Additional security layer
  • Options: codes from authenticator app or Telegram bot integration
  • Ideal use: Computers accessible from public internet

5. Trusted devices

  • Only applies when using 2FA
  • Mark specific devices as trusted
  • Avoids requesting 2FA on each connection from those devices
  • Improves convenience while maintaining security

6. Additional Security Settings

  • Password length: Configurable based on security needs
  • Expiration time: For temporary passwords
  • Audit logging: Access monitoring

Practical Recommendations:

For frequent personal use: Permanent password + optional 2FA

For technical support: One-time password

For corporate environments: Mandatory 2FA + trusted devices

For maximum security: Combination of methods + audit logging

These methods allow you to balance security and convenience according to your specific needs.



How to Make This a Truly Closed Network

1. Block Access from Public Internet on the RustDesk Server

Don't leave the RustDesk ports open to every source IP in the ufw rules or the cloud provider firewall rules. Only allow:

  • Your office IPs
  • Your corporate VPN IP
  • Specific authorized ranges
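
The Step 8 rules open the RustDesk ports to every source, so applying the allowlist above means replacing them with per-source rules. The script below is an added example, not part of the original article: `valid_ipv4_cidr` and `rustdesk_ufw_rules` are hypothetical helper names, and the two source ranges are constructed documentation addresses. It only prints the ufw commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: print (not run) ufw commands that limit the RustDesk ports
# from Step 8 to an allowlist of IPv4 source ranges.

RUSTDESK_PORTS="21115/tcp 21116/tcp 21116/udp 21117/tcp"

# Succeeds only for a.b.c.d or a.b.c.d/1-32. Rejecting everything else also
# keeps shell metacharacters out of the generated commands.
valid_ipv4_cidr() {
  case "$1" in
    */*) addr=${1%/*}; prefix=${1#*/} ;;
    *)   addr=$1; prefix=32 ;;
  esac
  case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
  # A /0 prefix would reopen the ports to the whole internet.
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  case "$addr" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Usage: rustdesk_ufw_rules CIDR [CIDR...]
rustdesk_ufw_rules() {
  # With no ranges, the deletes below would cut off every client.
  [ "$#" -ge 1 ] || { echo "need at least one source range" >&2; return 1; }
  for cidr in "$@"; do
    valid_ipv4_cidr "$cidr" || { echo "invalid range: $cidr" >&2; return 1; }
  done
  # Add the scoped rules first so allowed clients never lose access...
  for cidr in "$@"; do
    for pp in $RUSTDESK_PORTS; do
      echo "ufw allow from $cidr to any port ${pp%/*} proto ${pp#*/}"
    done
  done
  # ...then drop the allow-from-anywhere rules created in Step 8.
  for pp in $RUSTDESK_PORTS; do
    echo "ufw delete allow $pp"
  done
}

# Constructed sample ranges (documentation addresses), standing in for an
# office network and a VPN egress IP.
rustdesk_ufw_rules 203.0.113.0/24 198.51.100.7
```

Because the compose file uses network_mode: "host", hbbs and hbbr listen directly on the host, so these ufw rules filter their traffic. Mirror the same source ranges in the cloud provider firewall.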

2. Implement VPN for Remote Access

The most secure way: remote users first connect to the corporate VPN, then access RustDesk.

3. Create Administrative User Without Root:

adduser adminops
usermod -aG sudo adminops

mkdir -p /home/adminops/.ssh
cp /root/.ssh/authorized_keys /home/adminops/.ssh/authorized_keys
chown -R adminops:adminops /home/adminops/.ssh
chmod 700 /home/adminops/.ssh
chmod 600 /home/adminops/.ssh/authorized_keys

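# Disable root SSH login (first confirm in a separate session that you can log in as adminops)
if grep -q '^PermitRootLogin' /etc/ssh/sshd_config; then
  # An active directive exists: rewrite it in place
  sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
else
  # No active directive: append one
  echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
fi

# Validate the configuration before restarting so a syntax error cannot lock you out
sshd -t && systemctl restart ssh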

RustDesk Pro: For Advanced Enterprise Needs

The RustDesk version we've configured is excellent for basic remote access, but if you need advanced enterprise features, RustDesk offers a Pro version with additional capabilities:

  • Centralized user and group management
  • Granular access control (role-based permissions)
  • LDAP/Active Directory authentication
  • Detailed auditing and logs
  • Priority technical support
  • Mass management functions

If your organization needs these features, you can check the Pro plans at https://rustdesk.com/pricing/.



Have you implemented RustDesk in your organization? Share your experience in the comments!
