RDP Remote Access
Reach a Windows desktop behind NAT or a firewall without opening port 3389. NFLTR carries the Remote Desktop session through a private TCP tunnel, while your RDP client still connects to localhost.
Run the NFLTR agent on the Windows machine that already accepts Remote Desktop connections, then create a local listener on your laptop with nfltr tcp-connect. Your RDP client talks to localhost; NFLTR forwards the TCP stream to the remote desktop.
1. Prepare the Windows machine
- Enable Remote Desktop in Windows settings.
- Confirm the machine already accepts a normal RDP connection on port 3389.
- Install and authenticate the NFLTR agent on that same machine.
2. Start the tunnel on the remote side
# On the Windows machine
nfltr tcp 3389 --name office-desktop
Use a stable name so you can reuse the same client-side profile later.
3. Expose the remote desktop on your laptop
# On your laptop
nfltr tcp-connect office-desktop 3389 --listen :3389
This makes the remote desktop appear on localhost:3389 for as long as the command stays running.
Bind a different local port if your machine is already using 3389:
nfltr tcp-connect office-desktop 3389 --listen :13389
Then point your RDP client at localhost:13389.
4. Connect with your RDP client
| Client platform | How to connect |
|---|---|
| Windows | mstsc /v:localhost:3389 |
| macOS | Open Microsoft Remote Desktop and add a PC named localhost:3389. |
| Linux | Use Remmina or run xfreerdp /v:localhost:3389. |
Your desktop client talks to localhost. NFLTR forwards the TCP stream to the Windows machine behind the firewall.
5. Security notes
- No inbound firewall rule is needed on the remote network. The agent makes the outbound connection to NFLTR.
- You are not publishing port 3389 directly to the internet.
- TCP tunnels use NFLTR's encrypted transport between your client-side connector and the remote agent.
- Access still depends on the Windows account and Remote Desktop policy configured on the destination machine.
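An added check, not part of NFLTR or its documentation: the page does not state which interface `--listen :3389` binds, so this Python script, run on the laptop while `nfltr tcp-connect` is up, reports whether the local listener answers only on 127.0.0.1 or also on the machine's other IPv4 addresses. The function names are hypothetical, it covers IPv4 only, and it probes from the machine itself, so it shows the bind address rather than what a host firewall would allow from the LAN.

```python
# Added example (hypothetical helper names); not NFLTR code.
import socket

def port_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def local_ipv4_addrs():
    """Best-effort list of this machine's non-loopback IPv4 addresses."""
    addrs = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(info[4][0])
    except OSError:
        pass
    # connect() on a UDP socket sends nothing; it only makes the OS pick the
    # source address it would route from. 192.0.2.1 is a documentation address.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("192.0.2.1", 9))
            addrs.add(s.getsockname()[0])
        except OSError:
            pass
    return sorted(a for a in addrs if not a.startswith("127.") and a != "0.0.0.0")

def check_listener(port, other_addrs=None):
    """Classify where the local end of the tunnel accepts connections."""
    if other_addrs is None:
        other_addrs = local_ipv4_addrs()
    if not port_open("127.0.0.1", port):
        return {"verdict": "not-listening", "exposed_on": []}
    # A listener bound to 127.0.0.1 refuses connects aimed at other local
    # addresses; one bound to all interfaces accepts them.
    exposed = [a for a in other_addrs if port_open(a, port)]
    verdict = "wider-than-loopback" if exposed else "loopback-only"
    return {"verdict": verdict, "exposed_on": exposed}

if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 3389
    result = check_listener(port)
    print(f"port {port}: {result['verdict']}", *result["exposed_on"])
```

A `wider-than-loopback` result means other hosts on the laptop's network may be able to reach the tunneled RDP port unless a local firewall blocks it.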
6. Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Connection fails immediately | Remote Desktop is disabled or the Windows firewall is blocking local port 3389. | Enable Remote Desktop and confirm the machine accepts a normal LAN RDP session first. |
| Authentication or NLA errors | The client and Windows host disagree on Network Level Authentication requirements. | Use a modern RDP client and verify the destination account is allowed to sign in remotely. |
| Nothing listens on localhost | nfltr tcp-connect is not running or is bound to a different port. | Restart the client-side command and confirm the --listen value. |
| Need browser-only access | RDP is a native TCP protocol, not a browser share URL. | Use a desktop client for RDP, or use Browser Terminal / Web Terminal for shell access instead. |
Next steps
- TCP & SSH Tunneling — full TCP tunnel reference for SSH, databases, and custom ports
- DevOps & Remote Access — SSH, browser terminal, WireGuard, logs, and database tunnels
- On-Premise Access — patterns for shipping NFLTR into customer or branch networks