
A̶n̶y̶d̶e̶s̶k̶ --> Rustdesk!

Introduction

AnyDesk is one of the most popular remote desktop tools, used worldwide—including in some security-sensitive industries. The issue is that closed-source software is hard to audit, and it’s especially risky if the vendor operates in jurisdictions with broad government access powers, like the EU.

More specifically, AnyDesk is a German company and (at least for its public infrastructure) relies on third-party OVHcloud hosting (French, based in the EU). I think that in 2025, it’s hard to argue how big of a concern that is ;)

At a high level, this kind of software uses centralized “rendezvous” (sometimes called “broker” or “signaling”) servers to match clients and help them establish a peer-to-peer (P2P) connection. If a direct P2P connection can’t be established—due to NAT, complex network topologies, or restrictive firewalls—the connection typically falls back to a relay server that forwards traffic between the endpoints.

Even if the vendor states that traffic is end-to-end encrypted, you still have to trust the vendor’s binaries and update mechanism. A malicious or compromised update could weaken or disable encryption, or misuse/replace certificates and keys. With closed-source clients and servers, it’s difficult to independently verify what is happening on the wire over time.

For example, there were several quite severe flaws recently:

As an alternative to AnyDesk for remote desktop access, you can self-host an open-source solution such as RustDesk.

The idea is roughly: deploy your own rendezvous (ID) server and relay server on hardware you control → distribute the server address (and, where applicable, its public key / fingerprint) to your clients → connect by ID (similar to AnyDesk) while keeping the entire control plane—and any necessary relaying—inside your own network.

Installation

Server (you can peek here)

The easiest way is to go to the releases of the main GitHub repository:
https://github.com/rustdesk/rustdesk-server/releases

Find the ZIP archive with the prebuilt binaries and unpack it to /opt/rustdesk.

chmod +x /opt/rustdesk/hbbs
chmod +x /opt/rustdesk/hbbr

Next, define two systemd services. First, /etc/systemd/system/rustdesk-hbbr.service:

[Unit]
Description=RustDesk Relay Server
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/rustdesk
ExecStart=/opt/rustdesk/hbbr
Restart=always
Environment="RUST_LOG=debug"
StandardOutput=append:/opt/rustdesk/hbbr.log
StandardError=append:/opt/rustdesk/hbbr.log

[Install]
WantedBy=multi-user.target

And /etc/systemd/system/rustdesk-hbbs.service (the address after -r is the relay server; replace it with your own server's public IP):

[Unit]
Description=RustDesk ID Server
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/rustdesk
Environment="RUST_LOG=debug"
ExecStart=/opt/rustdesk/hbbs -r 77.248.189.109:21117
StandardOutput=append:/opt/rustdesk/hbbs.log
StandardError=append:/opt/rustdesk/hbbs.log
Restart=always

[Install]
WantedBy=multi-user.target

Start the Signal (ID) server first:

sudo systemctl daemon-reload
sudo systemctl enable rustdesk-hbbs.service
sudo systemctl start rustdesk-hbbs.service

Wait until it starts:

sudo systemctl status rustdesk-hbbs.service

Then run the relay part:

sudo systemctl daemon-reload
sudo systemctl enable rustdesk-hbbr.service
sudo systemctl start rustdesk-hbbr.service

Once the services have started, an Ed25519 key pair (id_ed25519 and id_ed25519.pub) will appear in /opt/rustdesk. The clients will need the public key.
Don’t forget to forward these ports externally and allow them through the firewall:

sudo ufw allow 21114:21119/tcp
sudo ufw allow 21116/udp
sudo ufw enable

Client

From the same releases, install the client:
https://github.com/rustdesk/rustdesk-server/releases

Then open Settings → Network → Unlock → ID/Relay server and enter:

  • Server address: <SERVER IP>:21116
  • In the key field, paste the public key you took from the server
  • Leave the other fields empty
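
The check below is an added example, not part of the original post or of the RustDesk project: it validates the key pair the server wrote to /opt/rustdesk and compares the key pasted into a client with the server's. It assumes GNU coreutils, the file names id_ed25519 and id_ed25519.pub, and a base64-encoded 32-byte public key; the function names and the SHA-256 fingerprint are illustrative conventions, not RustDesk features.

```shell
#!/bin/sh
# Added example, not RustDesk code. Assumes the key directory ($1) holds
# id_ed25519 and id_ed25519.pub, the latter a base64-encoded 32-byte key.

# Print a SHA-256 fingerprint of the public key; fail if it is malformed.
rustdesk_pubkey_fingerprint() {
    pub="$1/id_ed25519.pub"
    [ -r "$pub" ] || { echo "missing $pub" >&2; return 1; }
    key=$(tr -d ' \r\n' < "$pub")
    # A raw Ed25519 public key is exactly 32 bytes once decoded.
    len=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$len" = 32 ] || { echo "not a 32-byte key: $pub" >&2; return 1; }
    printf '%s' "$key" | base64 -d | sha256sum | cut -d' ' -f1
}

# Fail if the private key is accessible to group or others.
rustdesk_privkey_is_private() {
    priv="$1/id_ed25519"
    [ -f "$priv" ] || { echo "missing $priv" >&2; return 1; }
    mode=$(stat -c '%a' "$priv")   # GNU stat prints e.g. 600
    case "$mode" in
        *00) return 0 ;;
        *) echo "$priv has mode $mode; run chmod 600" >&2; return 1 ;;
    esac
}

# Compare the key string pasted into a client ($2) with the server's key.
rustdesk_client_key_matches() {
    server_key=$(tr -d ' \r\n' < "$1/id_ed25519.pub") || return 1
    [ "$server_key" = "$2" ]
}

# Run both server-side checks when a directory is given, e.g. /opt/rustdesk.
if [ "$#" -ge 1 ]; then
    rustdesk_privkey_is_private "$1" && rustdesk_pubkey_fingerprint "$1"
fi
```
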

In this case we intentionally use only the ID server — then all the traffic will go peer-to-peer. If for some reason the network cannot establish P2P, then you can stream data through the Relay server.

On all client machines, it’s convenient (yet less secure) to configure a permanent password in the Security tab of the settings.

On the machines you plan to connect to, allow the RustDesk service to run and to start automatically on OS boot.

The usage flow is almost the same as AnyDesk, so it’s pretty quick to get familiar with.

Note on session encryption:
While the server’s public key authenticates the infrastructure and secures the signalling channel, the actual remote‑desktop traffic is protected by end‑to‑end encryption.
During the connection handshake, the clients generate ephemeral encryption keys, ensuring that even the RustDesk server (or relay) cannot decrypt the screen data. This provides an additional layer of security beyond the server key and the password on the controlled machine.


Enjoy!