How to Remote Desktop Into a Home PC Without Port Forwarding
You want to access your home PC from work, a hotel, or your laptop - but your ISP uses CGNAT so port forwarding does nothing, your router doesn't expose the option, or you simply do not want TCP port 3389 open to the entire internet. This guide shows how to use Windows Remote Desktop Protocol (RDP) to connect to any home PC from anywhere in the world, without touching your router, without a static IP address, and without exposing port 3389 publicly. The same approach works if you are behind T-Mobile Home Internet, a fiber connection with CGNAT, or any network where inbound connections are blocked.
Why Port Forwarding RDP Is Harder Than It Sounds - and Often Dangerous
The traditional method for remote desktop over the internet is to forward TCP port 3389 on your router to your home PC's local IP address. When it works, it works. But there are two serious problems with this approach: it frequently does not work at all, and even when it does, it exposes your PC to one of the most attacked ports on the internet.
| Problem | Why it happens | How common |
|---|---|---|
| CGNAT - no public IP to forward | Your ISP assigns you a private IP (100.64.x.x range) shared by many customers. Port forwarding requires a real public IP, which you do not have. Your router's port forwarding settings are completely useless in this case. | Extremely common - T-Mobile Home Internet, most fiber ISPs in Turkey/EU/Asia, all mobile connections |
| Dynamic IP - address keeps changing | Your public IP changes every time your router reconnects. You cannot save a permanent RDP address. | Standard on almost all residential connections worldwide |
| ISP blocks inbound port 3389 | Many residential ISPs block inbound traffic on well-known attack-target ports as a terms-of-service measure. | Common across UK, many EU providers, business-grade restrictions |
| Port 3389 open = massive attack surface | Within minutes of exposing port 3389 to the internet, automated bots begin brute-force password attacks. BlueKeep and DejaBlue were critical vulnerabilities that allowed remote code execution with no credentials. Security researchers and IT teams universally advise against exposing RDP directly. | Every single open 3389 port is attacked continuously - this is not hypothetical |
A TCP tunnel solves both problems simultaneously. Your home PC makes an outbound connection to Localtonet's servers. When you connect from outside, Localtonet forwards that traffic through the tunnel to your PC. Port 3389 is never exposed to the internet - the Localtonet client running on your PC reaches it at 127.0.0.1. CGNAT does not matter because your PC is making the outbound connection, not waiting for an inbound one.
Port 3389 is one of the most aggressively scanned ports on the internet. Automated scanners find open RDP ports within minutes, and brute-force attacks begin immediately. A tunnel approach - where port 3389 is never publicly exposed - is significantly more secure than port forwarding, regardless of your password strength. This guide uses a tunnel for all external access.
What You Need Before Starting
Step 1: Enable Remote Desktop on Your Home PC
Before anything else, you need to turn on the Remote Desktop feature on the PC you want to access remotely. This is a one-time step done directly on that machine.
Enable Remote Desktop in Windows Settings
Open Settings → System → Remote Desktop and toggle Enable Remote Desktop to On. Confirm when prompted. The path is the same on Windows 10 and Windows 11. The same can be done from an elevated PowerShell prompt:
# Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
# Allow RDP through Windows Firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Verify it is enabled
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections"
# Should return 0
Note your Windows username
You will need the exact username when connecting remotely. Run this command to see it:
whoami
DESKTOP-ABC123\YourUsername
The part after the backslash is your local username. If your PC is joined to a Microsoft account, you may need to use your full Microsoft account email address instead.
Confirm RDP is listening on port 3389
netstat -an | findstr :3389
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP [::]:3389 [::]:0 LISTENING
You should see port 3389 in LISTENING state. If you do not, Remote Desktop is not enabled or a firewall rule is blocking it.
Prevent sleep while you need remote access
If your PC goes to sleep, the RDP session drops and you cannot reconnect remotely. Set the display and sleep timeouts to Never while you need continuous access:
# Set display and sleep to never turn off (plugged in)
powercfg /change standby-timeout-ac 0
powercfg /change monitor-timeout-ac 0
Alternatively: Settings → System → Power & Sleep → set both "Screen" and "Sleep" to Never when plugged in.
Step 2: Install and Authenticate Localtonet on the Host PC
Download Localtonet
Download the Localtonet client for Windows from localtonet.com/documents/download. Extract the .zip file and place localtonet.exe in a permanent folder, for example C:\localtonet\.
Get your auth token from the dashboard
Log in to localtonet.com/dashboard and copy your auth token from the top of the page. It looks like a long alphanumeric string.
Authenticate and start Localtonet
cd C:\localtonet
localtonet.exe authtoken YOUR_AUTH_TOKEN
Step 3: Create the TCP Tunnel for RDP
Go to the TCP-UDP tunnel page in the Localtonet dashboard
Log in at localtonet.com and navigate to My Tunnels → TCP-UDP. This is where you create TCP tunnels for protocols like RDP, SSH, and databases.
Create a TCP tunnel pointing to port 3389
Fill in the tunnel creation form with these exact values:
| Field | Value | Why |
|---|---|---|
| Protocol | TCP-UDP | RDP uses TCP for its primary connection. Modern RDP also uses UDP for improved performance. |
| Local IP | 127.0.0.1 | Localtonet is running on the same machine as the RDP server. Always use 127.0.0.1 (localhost) here. |
| Local Port | 3389 | The default RDP listening port on Windows. Do not change this unless you have deliberately moved RDP to a different port. |
| Name / Description | Home PC RDP | Any label that helps you identify this tunnel in the dashboard. |
Start the tunnel and note your public address
Click Start. Localtonet assigns a public address in the format subdomain.localto.net:PORT. Write this down - it is what you will type into the Remote Desktop client from any device, anywhere.
abc12.localto.net:47832
This address is stable and does not change between restarts as long as you use the same tunnel. You only need to write it down once.
Localtonet assigns a public port (like 47832) that maps to your local port 3389. The public port is not 3389; this is by design. Your PC's port 3389 is never directly reachable from the internet. External connections hit Localtonet's server on the assigned port, and Localtonet forwards them through the encrypted tunnel to your local 3389. You must include the port number when connecting (e.g., abc12.localto.net:47832).
Step 4: Connect via Remote Desktop
From Windows
Open Remote Desktop Connection
Press Win + R, type mstsc, and press Enter. Or search for "Remote Desktop Connection" in the Start menu.
Enter the Localtonet address
In the Computer field, paste your Localtonet tunnel address including the port number:
abc12.localto.net:47832
Click Connect. Enter your Windows username and password when prompted. The format for the username is either just YourUsername or COMPUTERNAME\YourUsername.
Accept the certificate warning (first time only)
On the first connection, Windows shows a certificate identity warning because the PC's hostname does not match the Localtonet address. This is expected and safe - tick "Don't ask me again for this computer" and click Yes.
From macOS
Install Microsoft Remote Desktop from the Mac App Store
Search for "Microsoft Remote Desktop" in the Mac App Store. It is free and published by Microsoft. Install it.
Add a new PC
Open Microsoft Remote Desktop → click the + button → Add PC. In the PC name field, enter your Localtonet address including the port: abc12.localto.net:47832. Add your user account under User account with your Windows username and password. Click Add.
Connect
Double-click the PC you just added. Accept the certificate warning on first connection. You are now viewing your Windows desktop on your Mac.
From iPhone or Android
Install the Microsoft Remote Desktop app
Available free on the App Store (iOS/iPadOS) and Google Play Store (Android). Search for "Microsoft Remote Desktop" - publisher is Microsoft Corporation.
Add a PC with your Localtonet address
Tap the + icon → Add PC. Enter abc12.localto.net:47832 as the PC name. Add your Windows credentials. Save and connect.
From Linux
Install Remmina or xfreerdp
sudo apt install remmina remmina-plugin-rdp
# or use the command-line client:
sudo apt install freerdp2-x11
Connect via command line
xfreerdp /v:abc12.localto.net:47832 /u:YourWindowsUsername /p:YourPassword /dynamic-resolution /cert:ignore
Or open Remmina, create a new connection with protocol RDP, server abc12.localto.net:47832, and your Windows credentials.
Step 5: Run Localtonet Automatically on Boot (So RDP Is Always Available)
For the tunnel to be active whenever your PC is on, Localtonet needs to start automatically at boot - ideally before you even log in, so you can use RDP to get into the machine even from the Windows login screen.
Windows - install as a system service
cd C:\localtonet
REM Register Localtonet as a Windows service that starts before login
localtonet.exe --install-service --authtoken YOUR_AUTH_TOKEN
REM Start the service now
localtonet.exe --start-service --authtoken YOUR_AUTH_TOKEN
REM Check status
localtonet.exe --status-service --authtoken YOUR_AUTH_TOKEN
After this, Localtonet runs as a Windows service (visible in Services → Localtonet). It starts automatically at boot, before any user logs in. This means your RDP tunnel is always active even when the Windows lock screen is showing - you can log in to the machine remotely.
Linux - systemd service
sudo localtonet --install-service --authtoken YOUR_AUTH_TOKEN
sudo localtonet --start-service --authtoken YOUR_AUTH_TOKEN
sudo systemctl status localtonet
Windows Home Edition: Workaround for RDP Host
Windows 10 and 11 Home do not include the RDP server component - they can initiate RDP connections but cannot receive them. If your home PC runs Windows Home, you have the following options:
| Option | How it works | Cost |
|---|---|---|
| Upgrade to Windows 11 Pro | Purchase the Pro upgrade from Settings → System → Activation → Upgrade your edition. Full native RDP host support after upgrade. | Paid (Windows Pro upgrade license) |
| RDP Wrapper Library | An open-source patch that enables the RDP server on Windows Home editions. Works on Windows 10 and 11 Home. Install from github.com/stascorp/rdpwrap. After installation, the RDP server works identically to the Pro version. | Free - open source |
| Use VNC instead of RDP | Install a VNC server (TigerVNC, RealVNC) which works on all Windows editions, then create a TCP tunnel pointing to port 5900 (VNC default) instead of 3389. VNC is slightly less efficient than RDP but fully functional. | Free |
Optimising RDP Performance Over a Tunnel
RDP over a tunnel adds a small amount of latency compared to a local network connection. These settings significantly improve the experience on slower connections or high-latency networks:
| Setting | Where to change it | Recommended value for remote access |
|---|---|---|
| Connection speed | mstsc → Show Options → Experience tab | Select Modem (56 Kbps) or Low-speed broadband - this disables visual effects like transparency, shadows, and animations that waste bandwidth. Desktop background can also be disabled. |
| Color depth | mstsc → Show Options → Display tab | Set to High Color (16 bit) instead of True Color (32 bit). Halves the color data sent over the wire with no noticeable visual difference for most tasks. |
| Display resolution | mstsc → Show Options → Display tab | If working on a low-bandwidth connection, reduce to 1280×720 or 1920×1080. Full 4K resolution over RDP is very bandwidth-intensive. |
| Disable font smoothing | mstsc → Show Options → Experience tab | Uncheck Font Smoothing and Desktop Composition to reduce GPU rendering load on both ends. |
| RemoteFX / H.264 codec | Enabled by default on Windows 10/11 Pro | Modern RDP uses H.264/AVC hardware encoding which dramatically improves performance for video and graphics. Ensure your GPU drivers are up to date on the host PC. |
Security Best Practices for Remote Desktop
| Practice | Why it matters | How to implement |
|---|---|---|
| Use a strong password | RDP is password-authenticated. A weak password is the single biggest security risk. Automated attacks run millions of password attempts continuously. | Settings → Accounts → Sign-in options → Password. Use at least 12 characters with letters, numbers, and symbols. |
| Enable Network Level Authentication (NLA) | NLA requires the user to authenticate before a full RDP session is established, blocking unauthenticated exploit attempts. | Settings → System → Remote Desktop → Advanced Settings → Require computers to use Network Level Authentication. Enabled by default on Windows 10/11 Pro. |
| Use a dedicated low-privilege account for RDP | If an attacker guesses the RDP account password, limiting that account's privileges limits the damage they can do. | Create a separate Windows account just for remote access with standard user (not administrator) privileges. Add it to Remote Desktop Users group: Settings → System → Remote Desktop → Select users. |
| Limit who can RDP | By default, all administrator accounts can RDP. Restricting this to specific accounts reduces the attack surface. | Control Panel → System → Remote Settings → Select Users → add only the accounts that need remote access. |
| Keep Windows Update current | Critical RDP vulnerabilities (BlueKeep, DejaBlue, etc.) are patched via Windows Update. An unpatched system is at risk even with a tunnel. | Settings → Windows Update → Check for updates. Enable automatic updates. |
| Lock the screen when not in use | When you end an RDP session without logging out, the session stays active on the host PC. Anyone with physical access to the machine sees your open session. | When finished, either log off (Start → Username → Sign out) or press Win+L to lock. Avoid just closing the RDP window. |
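To check a host against the practices in the table above, and to read the thumbprint needed to verify the certificate warning from Step 4, the following read-only PowerShell audit can be run in an elevated prompt on the host PC. It is an added example, not part of the original guide or of Localtonet's tooling; the function names New-Finding, Get-RdpHostAudit and Get-FailedLogonSummary are made up here, and Security event 4625 is only present if logon-failure auditing is enabled.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide. Read-only: it changes no settings.

function New-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Get-RdpHostAudit {
    $ts = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'

    # Remote Desktop enabled (the value set in Step 1)
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    New-Finding 'Remote Desktop enabled' ($deny -eq 0) "fDenyTSConnections = $deny"

    # Network Level Authentication: UserAuthentication = 1 means NLA is required
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    New-Finding 'NLA required' ($nla -eq 1) "UserAuthentication = $nla"

    # Accounts allowed to log on over RDP. Well-known SIDs are used because the
    # group names are localized: S-1-5-32-555 = Remote Desktop Users,
    # S-1-5-32-544 = Administrators (who can use RDP by default).
    $rdu  = @(Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue | ForEach-Object Name)
    $adm  = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue | ForEach-Object Name)
    $both = @($rdu | Where-Object { $_ -in $adm })
    New-Finding 'Dedicated non-admin RDP account' ($rdu.Count -gt 0 -and $both.Count -eq 0) `
        "Remote Desktop Users: $($rdu -join ', '); Administrators: $($adm -join ', ')"

    # Listener that the tunnel forwards to
    $listen = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    New-Finding 'Listening on TCP 3389' ($listen.Count -gt 0) `
        (($listen.LocalAddress | Sort-Object -Unique) -join ', ')

    # Thumbprint of the certificate the RDP listener presents, for comparison
    # with the certificate shown in the client's first-connection warning
    $cert = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    New-Finding 'RDP certificate thumbprint (SHA-1)' ($null -ne $cert) $cert.SSLCertificateSHA1Hash
}

function Get-FailedLogonSummary([int]$Hours = 24) {
    # Security event 4625 = failed logon. LogonType 3 (network, used with NLA)
    # and 10 (RemoteInteractive) are the types produced by RDP attempts.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Account   = $data.TargetUserName
            Source    = $data.IpAddress
            LogonType = $data.LogonType
        }
    } | Where-Object { $_.LogonType -in '3', '10' } |
        Group-Object Account, Source |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-RdpHostAudit | Format-Table -AutoSize -Wrap
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

Because the tunnel client connects to RDP from the host itself, the Source column is likely to show a loopback address rather than the remote client's IP, so read the summary by account name when looking for password guessing.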
Troubleshooting Common Remote Desktop Problems
| Problem | Likely cause | Fix |
|---|---|---|
| "Remote Desktop can't connect to the remote computer" | Localtonet is not running on the host PC, RDP is not enabled, or the tunnel is not started | On the host PC: confirm Localtonet service is running (sc query localtonet), confirm RDP is enabled (Settings → System → Remote Desktop), confirm the tunnel shows as active in the Localtonet dashboard. |
| The address field does not accept the host:port format | Some RDP clients expect the port as a separate field rather than host:port | In Windows mstsc.exe, enter it as abc12.localto.net:47832 directly in the Computer field - mstsc parses the colon-separated port correctly. In Microsoft Remote Desktop on macOS, there is a separate port field in the PC settings. |
| "Your credentials did not work" | Incorrect username or password, or the account is not in the Remote Desktop Users group | Double-check your Windows username with whoami on the host PC. Verify the account has a password set. Add the account to Remote Desktop Users if needed. |
| Connection drops after a few minutes | PC went to sleep, screen saver locked it, or a network timeout disconnected the session | Set power plan to prevent sleep (powercfg /change standby-timeout-ac 0). In the RDP session, go to Display settings and set the timeout to keep the session alive. Check Localtonet service is set to auto-restart on failure. |
| "Remote Desktop Services is currently busy" or black screen after login | Windows is already showing an active user session on the physical monitor. RDP and local sessions share the same session on Windows Home-tier; on Pro, they are separate. | On the host PC, sign out the local Windows session before connecting remotely. On Windows 11 Pro, multiple sessions are supported with the correct Group Policy settings. |
| Tunnel shows as active but connection still fails | Windows Firewall is blocking port 3389 on the host PC, or RDP is listening only on a specific interface | Run netstat -an | findstr :3389 on the host and confirm it shows 0.0.0.0:3389 LISTENING. Enable the RDP firewall rule: Enable-NetFirewallRule -DisplayGroup "Remote Desktop" in an elevated PowerShell. |
| Very slow or laggy remote session | High latency to Localtonet server, or RDP visual settings are too demanding for the connection | In mstsc → Show Options → Experience tab, select Modem (56 Kbps) to disable animations and desktop background. Reduce color depth to 16-bit. Check that the Localtonet client is running the latest version. |
| Windows Home: "Remote Desktop is not supported on this edition" | Windows Home does not include the RDP server component | See the Windows Home workaround section above: upgrade to Pro, use RDP Wrapper, or switch to VNC. |
Alternative: VNC for Windows Home, Linux, and macOS Hosts
If your host PC runs Windows Home, Linux, or macOS, you can use VNC (Virtual Network Computing) instead of RDP. VNC works on all platforms and all Windows editions. The Localtonet tunnel approach is identical - you just point the tunnel at VNC's port (5900) instead of RDP's port (3389).
| OS | VNC server software | Default port | Tunnel config |
|---|---|---|---|
| Windows (all editions) | TigerVNC Server, RealVNC, UltraVNC | 5900 | TCP tunnel → 127.0.0.1:5900 |
| macOS | Built-in Screen Sharing (System Preferences → Sharing → Screen Sharing) | 5900 | TCP tunnel → 127.0.0.1:5900 |
| Ubuntu Linux | x11vnc (for current desktop), TigerVNC (dedicated session) | 5900 | TCP tunnel → 127.0.0.1:5900 |
| Raspberry Pi | RealVNC (built-in on Raspberry Pi OS), xrdp (for RDP protocol) | 5900 (VNC) or 3389 (xrdp) | TCP tunnel → 127.0.0.1:5900 or 3389 |
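sudo apt install x11vnc
# Set a VNC password
x11vnc -storepasswd
# Start VNC server for current X11 display
# -localhost accepts connections only from 127.0.0.1, which is where the tunnel connects
x11vnc -display :0 -auth guess -forever -usepw -localhost -rfbport 5900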
Frequently Asked Questions
Is it safe to use RDP over a Localtonet tunnel?
Yes, significantly safer than port forwarding. With a tunnel, port 3389 is never reachable from the public internet. Automated scanners that continuously probe port 3389 cannot find your PC. The only way to reach your RDP is to know the Localtonet address and have the correct Windows credentials. Compare this to open port forwarding, where every bot and scanner on the internet can attempt to connect and brute-force your password around the clock.
Does this work if my ISP uses CGNAT?
Yes. CGNAT is completely bypassed by the tunnel approach. Your home PC makes an outbound connection to Localtonet - outbound connections work fine through CGNAT. The problem CGNAT creates is with inbound connections, which a tunnel eliminates entirely. This is why T-Mobile Home Internet users, fiber customers with shared IP addresses, and anyone on a mobile connection can use this method successfully when port forwarding is impossible.
Will the address change every time I restart Localtonet?
No. As long as you use the same tunnel configuration in your Localtonet account, the assigned address and port are stable. They do not change when Localtonet restarts, when your home internet reconnects, or when your home IP changes. This is one of the main advantages over trying to track a dynamic home IP with a DDNS service: the Localtonet address is always the same regardless of what happens to your home connection.
Can I use this to remote into a PC at the login screen before logging in?
Yes, as long as Localtonet is installed as a Windows service (not just run manually as a desktop app). A service starts before any user logs in. RDP connects to Windows at the login screen, allowing you to enter credentials remotely. This is why the service installation step in this guide matters - running Localtonet manually only keeps the tunnel active while a specific user is logged in.
Can multiple people connect to the same PC at the same time?
Windows 10 and 11 Pro allow only one active RDP session at a time by default. If a second person connects, the first session is disconnected (with a warning). Windows Server editions support multiple simultaneous RDP sessions natively. For home use with one user, this limitation is rarely relevant. The physical user sitting at the PC can also be disconnected by an incoming RDP session; the session continues remotely.
What is the difference between RDP and TeamViewer / AnyDesk?
TeamViewer and AnyDesk are proprietary remote desktop tools that handle their own tunneling internally, so you do not need to configure anything network-related. They work immediately but have usage limits on free plans and can become expensive for commercial use. RDP is a built-in Windows feature with no per-seat cost, no connection limits, and no dependency on a third-party commercial service staying online. Using RDP with Localtonet gives you the same "just works" connectivity as TeamViewer but using tools you fully control, with no ongoing per-seat fees.
Remote Into Your Home PC from Anywhere - No Router Changes Needed
Create a TCP tunnel in the Localtonet dashboard pointing to port 3389, install Localtonet as a Windows service, and your home PC is reachable via Remote Desktop from any device in the world. No port forwarding, no static IP, no open 3389 on the internet.