This solution provides defense-in-depth for remote access:

1. Network Layer: Tailscale mesh VPN with WireGuard encryption
2. Host Layer: Windows Firewall restricts VNC to Tailscale subnet
3. Application Layer: VNC password authentication
4. System Layer: Hardening reduces attack surface

What it does:

• Creates encrypted WireGuard tunnels between devices
• Authenticates devices via Tailscale account
• Assigns private IPs (100.64.0.0/10 CGNAT range)

Why it's secure:

• WireGuard uses modern cryptography (ChaCha20, Curve25519)
• No exposed ports on public internet
• NAT traversal without port forwarding
• Device authorization via admin console

Rules created:

ALLOW: TCP 5900 from 100.64.0.0/10 (Tailscale subnet)
BLOCK: TCP 5900 from all other sources

Why it works:

• Only Tailscale-connected devices get 100.x.x.x IPs
• Even if attacker knows VNC port, connection blocked at firewall
• Firewall logging enabled for audit trail

Configuration:

• 16-character randomly generated password
• Mix of letters, numbers, special characters
• Stored in output/credentials.txt

Recommendations:

• Delete credentials file after noting password
• Store password in secure password manager
• Do not reuse password

Changes applied:

Automatic restart on failure:

• Ensures service availability
• 60-second delay prevents rapid restart loops
• Three restart attempts before giving up

Storage:

• Plain text in output/credentials.txt
• One-time use case (USB deployment)

Best Practices:

1. Copy password to secure password manager
2. Delete credentials.txt after use
3. Shred or overwrite if on USB drive

Types:

• Reusable: Can be used on multiple devices
• Single-use: One device only
• Pre-authorized: No admin approval needed

Recommendations:

1. Use single-use, pre-authorized keys
2. Set expiration (24 hours recommended)
3. Don't embed in scripts long-term
4. Rotate keys regularly

100.64.0.0/10 = 100.64.0.0 - 100.127.255.255

This is the CGNAT range allocated to Tailscale. Only devices on your Tailscale network will have IPs in this range.

VNC Viewer ──► Tailscale (encryption) ──► Windows Firewall ──► VNC Server
     │                                           │
     └──────────── Must be 100.x.x.x ────────────┘

Location: logs/setup_YYYYMMDD_HHMM.log

Contains:

• All installation steps
• Configuration changes
• Error messages
• Verification results

Location: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log

Contains:

• Blocked connection attempts
• Useful for detecting attacks

Location: HKLM\SOFTWARE\RemoteAccessSetup

Tracks:

• Installation timestamps
• Component states
• Tailscale IP assigned

1. Verify USB contents - Ensure no tampering
2. Review scripts - Understand what will be installed
3. Test with --dry-run - Preview changes
4. Prepare auth key - Short expiration, single-use

1. Delete credentials file - Don't leave password on disk
2. Verify firewall rules - Run 90-verify-setup.bat
3. Test connection - Ensure VNC works over Tailscale
4. Check Tailscale admin - Verify device appears correctly

1. Keep systems updated - Windows Update, Tailscale, TightVNC
2. Monitor Tailscale admin - Review connected devices
3. Rotate VNC password - If compromise suspected
4. Review firewall logs - Check for attack attempts

When running 99-rollback.bat:

1. Credentials file is overwritten before deletion
2. Registry markers are removed
3. Firewall rules are deleted
4. Services are uninstalled

Note: Log files are preserved for troubleshooting. Manually delete if needed.