Tutorials · SuperDMZ Team

How to expose RDP without a public IP (and without compromising security)

Windows remote desktop access behind NAT, with IP allowlist and an auth key, in under 5 minutes. Without opening a port on your router.

Exposing port 3389 directly to the internet via port forwarding is one of the fastest ways to get your machine compromised — automated campaigns probe IPs with 3389 open 24/7. SuperDMZ solves this by placing the tunnel between you and the attacker and forcing extra authentication before the packet even reaches Windows.

4-step recipe

1. In the panel, create a TCP tunnel (not HTTP) pointing to 127.0.0.1:3389. Pick a node close to whoever is going to access it.

2. In "Authorized IPs", list only the IPs you'll connect from. The field accepts CIDR notation:

187.45.92.0/24, 200.123.4.5/32

3. Tick "Require auth key" and copy the generated key. Anyone without the right key gets a 401 on our side, before port 3389 ever sees a packet.

4. Install the SuperDMZ client on the Windows machine to be accessed. Add the tunnel token. The tunnel comes up in under 30 seconds.
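A pre-flight check for the "Authorized IPs" value from step 2, as an added example that is not SuperDMZ code: it parses the comma-separated CIDR list, reports malformed entries, and flags ranges that are wide open, private, or broader than a chosen size. The function names and the 256-address threshold are assumptions made for this example.

```python
import ipaddress


def audit_allowlist(raw, max_addresses=256):
    """Parse a comma-separated IP/CIDR list. Returns (networks, findings)."""
    networks, findings = [], []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            # Distinguish "10.1.2.3/24" (host bits set) from plain garbage.
            try:
                fixed = ipaddress.ip_network(entry, strict=False)
                findings.append(f"{entry}: host bits set, did you mean {fixed}?")
            except ValueError:
                findings.append(f"{entry}: not a valid IP or CIDR")
            continue
        networks.append(net)
        if net.prefixlen == 0:
            findings.append(f"{entry}: matches every address")
        elif net.is_private:
            # A LAN address is never the source a public node sees.
            findings.append(f"{entry}: private range, not a public source IP")
        elif net.num_addresses > max_addresses:
            findings.append(f"{entry}: admits {net.num_addresses} addresses")
    return networks, findings


def is_allowed(source_ip, networks):
    """True if source_ip falls inside any parsed allowlist entry."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # The list from step 2, then a constructed list with typical mistakes.
    good = "187.45.92.0/24, 200.123.4.5/32"
    bad = "0.0.0.0/0, 192.168.1.0/24, 187.45.92.10/24, 10.0.0.0/8x, 200.0.0.0/8"
    for raw in (good, bad):
        nets, findings = audit_allowlist(raw)
        print(raw, "->", [str(n) for n in nets])
        for f in findings:
            print("  !", f)
    nets, _ = audit_allowlist(good)
    print(is_allowed("187.45.92.17", nets), is_allowed("187.45.93.1", nets))
```
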

How to connect from the other side

The panel shows the final URL, e.g. spo1.nodes.superdmz.com:18420. In the Remote Desktop client:

  1. Computer: spo1.nodes.superdmz.com:18420
  2. User: the target machine's Windows user
  3. After connecting, our side-channel asks for the auth key (popup)

Security layers you gain

  • Port never open on the router — your machine never lands on Shodan
  • IP allowlist — packets from non-authorized IPs are dropped at the node and never reach Windows
  • Auth key — second layer on top of the Windows password
  • Connection log — the panel shows every IP that tried to connect, with country, time and bytes

What we don't recommend

Don't expose RDP without an IP allowlist and without an auth key. Not worth it. If you have 100 possible IPs, narrow it to one. If you really need "from anywhere", make two tunnels: one IP-restricted, one with an auth key — and disable the second when you're not actively using it.

