← Back to Skills Marketplace
ctz168

Rdptunnel

by SamAI.cc · GitHub ↗ · v4.7.0 · MIT-0
cross-platform ✓ Security Clean
56
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install rdptunnel
Description
Expose local RDP (Remote Desktop) servers to the public internet via aitun TCP tunnel with TLS-based routing. Perfect for AI agents that need to provide remo...
README (SKILL.md)

RDP Tunnel - Remote Desktop Access via Aitun TCP Forwarding

When to Use

Use this skill when:

  • You need to access a remote Windows desktop that is behind NAT, firewall, or a private network
  • You want to expose a local RDP server so a colleague or client can connect remotely via Remote Desktop
  • You are running a Windows VM or VDI instance with no public IP and need to make it reachable
  • You want to provide temporary remote desktop access for support, training, or demonstration
  • You need to connect to a home Windows PC or workstation from another location
  • You want to access a Linux machine running xrdp or a VNC-to-RDP gateway
  • You need to remotely manage a GUI application that cannot be accessed via SSH

Do NOT use this skill when:

  • The RDP server already has a public IP and is directly reachable
  • You only need command-line access (use sshtunnel instead)
  • You want to expose an HTTP service (use aitun-tunnel instead)

Instructions

Step 1: Install aitun

pip install aitun

Or verify it is already installed:

which aitun || pip show aitun

Step 2: Ensure RDP server is running locally

Verify the local RDP service is running and accessible:

On Windows:

# Check if Remote Desktop is enabled
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections

# Enable Remote Desktop (0 = enabled, 1 = disabled)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0

# Ensure the RDP service is running
Get-Service -Name TermService | Start-Service

On Linux (xrdp):

# Install xrdp
sudo apt install xrdp -y    # Debian/Ubuntu
sudo yum install xrdp -y    # CentOS/RHEL

# Start xrdp service
sudo systemctl start xrdp
sudo systemctl enable xrdp

# Verify it is listening on port 3389
ss -tlnp | grep :3389

Step 3: Create a TCP tunnel for RDP

RDP uses TCP port 3389 by default. Use aitun's --tcp-ports flag to forward this port. TCP forwarding requires an auth token (register at https://aitun.cc):

aitun -p 3389 --tcp-ports 3389 -k YOUR_TOKEN &
AITUN_PID=$!
sleep 3

The output will show:

[TCP] rdp -> localhost:3389 (subdomain: yourname.t.aitun.cc:3389)

If port 3389 is occupied on the server, a port from the 7000-7999 range will be automatically assigned.

Step 4: Connect remotely

From any machine on the internet:

Windows (Remote Desktop Connection):

  1. Press Win + R, type mstsc, press Enter
  2. Enter yourname.t.aitun.cc:3389 as the computer name
  3. Click Connect and enter credentials

Linux (FreeRDP):

xfreerdp /v:yourname.t.aitun.cc:3389 /u:username /cert:ignore

macOS (Microsoft Remote Desktop):

  1. Open Microsoft Remote Desktop from the App Store
  2. Click "+" → "New Remote Desktop"
  3. Enter yourname.t.aitun.cc:3389 as the PC name
  4. Connect and enter credentials

Step 5: Clean up

When done, stop the tunnel:

kill $AITUN_PID 2>/dev/null

Advanced Usage

Forward RDP + SSH Together

aitun -p 3389 --tcp-ports 3389,22 -k YOUR_TOKEN &
AITUN_PID=$!
sleep 3

Custom RDP Port

If RDP is running on a non-standard port (e.g., 13389):

aitun -p 13389 --tcp-ports 13389 -k YOUR_TOKEN &

Connect to RDP in a Docker Container

# Container running xrdp on port 3389, mapped to host port 13389
aitun -p 13389 --tcp-ports 13389 -k YOUR_TOKEN &

# Then connect:
# xfreerdp /v:yourname.t.aitun.cc:13389 /u:username

How TCP Routing Works

aitun v4.7.0 uses TLS with SNI for all TCP tunnel routing:

  1. All TCP tunnels require TLS — the server terminates TLS and extracts SNI for subdomain identification
  2. RDP connections are routed by SNI just like SSH-over-TLS and HTTPS
  3. Each subdomain gets its own port 3389 — no conflicts with other users
  4. If the requested port is occupied on the server, a port from the 7000-7999 range is assigned

Note: RDP clients connect directly without ProxyCommand (unlike SSH which needs aitun ssh-proxy), because RDP traffic is routed at the TCP level by the server based on SNI from the initial TLS handshake.

Security Recommendations

  • Use strong passwords on all RDP accounts
  • Enable Network Level Authentication (NLA) on Windows RDP servers
  • Restrict RDP access to specific users via group policy
  • Consider changing the default RDP port (3389) to reduce automated attacks
  • Monitor RDP logs for unauthorized access attempts
  • Disable RDP when not actively needed

CLI Reference

The aitun command (installed via pip install aitun) accepts these flags:

Flag Description
-p PORT Local service port (default: 8080)
-k TOKEN Auth token for registered subdomain (required for TCP forwarding)
--host HOST Local service address (default: localhost)
--tcp-ports PORTS TCP forwarding ports, comma-separated (e.g., 3389,22; requires -k)
--p2p Enable P2P direct connection (default: enabled)
--no-p2p Disable P2P, force server relay mode
--daemon Run as background daemon
--stop Stop running daemon

Subcommand:

Command Description
aitun ssh-proxy \x3Chost> [port] SSH ProxyCommand — wraps SSH in TLS for SNI routing

Notes

  • TCP forwarding (required for RDP) requires a registered account and -k token — free tunnels do not support TCP
  • Register at https://aitun.cc to get an auth token
  • All traffic is encrypted through the aitun tunnel (TLS on the server side)
  • If the requested port (e.g., 3389) is occupied on the server, a port from the 7000-7999 range will be automatically assigned
  • RDP traffic itself is also encrypted, but the tunnel adds an additional security layer
  • P2P mode reduces latency for remote desktop sessions; use --no-p2p only if P2P connection fails
  • For best performance, ensure a stable internet connection on both ends
  • The tunnel stays active as long as the aitun process runs; use --daemon for persistent background operation
  • Subdomains remain active for 30 days of inactivity; use heartbeat to renew
Usage Guidance
Install only if you deliberately want to make a Remote Desktop service reachable through aitun. Use it on authorized machines only, require strong unique credentials, enable NLA or equivalent protections, restrict allowed users and source access where possible, monitor login attempts, stop the tunnel when finished, and disable RDP/xrdp if you do not need ongoing remote access.
Capability Assessment
Purpose & Capability
The capability is high-impact because it makes RDP reachable from the internet, but the description, usage section, connection steps, and security recommendations all disclose that purpose.
Instruction Scope
The commands are user-directed and focused on RDP/xrdp setup plus aitun tunneling; the main weakness is that the hardening and rollback advice is separated from the enablement steps.
Install Mechanism
Installation is limited to the documented aitun Python package and a python3 requirement; no bundled executable scripts or hidden install actions were present.
Credentials
Opening remote desktop access is proportionate to this skill's purpose, but users should treat it as a significant host exposure change and only use it on systems they control.
Persistence & Privilege
The tunnel can be stopped with the recorded process ID, but the Windows RDP and Linux xrdp service enablement can persist after the tunnel is stopped, so users should disable those services when no longer needed.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install rdptunnel
  3. After installation, invoke the skill by name or use /rdptunnel
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v4.7.0
v4.7.0: All TCP requires TLS with SNI, updated for SSH-over-TLS architecture
v1.1.0
Add range-based port allocation fallback (7000-7999) when requested port is occupied
v1.0.0
Initial release of rdptunnel: expose local RDP servers to the public internet via aitun TCP tunnel. - Provides a step-by-step guide to set up secure remote desktop access for Windows, Linux (xrdp), or VDI instances behind NAT/firewall. - Supports advanced scenarios: custom RDP ports, concurrent SSH/RDP tunnel, Dockerized servers, and VNC-to-RDP bridging. - Includes instructions for both server and client platforms (Windows, Linux, macOS). - Lists security best practices and troubleshooting tips. - Requires aitun with registered token for TCP forwarding. - All traffic is encrypted end-to-end through the tunnel for added security.
Metadata
Slug rdptunnel
Version 4.7.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Rdptunnel?

Expose local RDP (Remote Desktop) servers to the public internet via aitun TCP tunnel with TLS-based routing. Perfect for AI agents that need to provide remo... It is an AI Agent Skill for Claude Code / OpenClaw, with 56 downloads so far.

How do I install Rdptunnel?

Run "/install rdptunnel" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Rdptunnel free?

Yes, Rdptunnel is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Rdptunnel support?

Rdptunnel is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Rdptunnel?

It is built and maintained by SamAI.cc (@ctz168); the current version is v4.7.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments