How to Set Up Secure Remote Access for a Small Business
VPN, Tailscale, RDP, remote desktop tools — here is what actually works for SMB remote access and what will get you compromised.
Remote access to business systems is one of those things that’s easy to set up badly and surprisingly straightforward to set up well. The gap between the two is mostly knowing what the actual risks are and which tools address them without requiring a full IT department.
This article walks through the options, explains why some common approaches are genuinely dangerous, and gives you a concrete recommendation for most small business scenarios.
The Problem with Exposed RDP
Let’s start with the thing that causes the most damage at the SMB level: Remote Desktop Protocol (RDP) exposed directly to the internet.
RDP is built into Windows. It lets you connect to a computer remotely and use it as if you were sitting in front of it. It’s useful and it works well. The problem is what happens when you open port 3389 — the default RDP port — to inbound connections from the internet.
Automated scanning tools probe every IP address on the internet continuously. Within hours of opening port 3389, you will have bots attempting to brute-force credentials on that port. This isn’t theoretical — it’s what happens. The attack tools are freely available and constantly running. Organizations that run RDP directly exposed to the internet get compromised regularly. Ransomware gangs specifically hunt for it.
The rule is simple: never expose RDP directly to the internet. If you or a previous IT person did this, fix it today. Close port 3389 on your firewall or router. RDP should only ever be accessible through a protected tunnel.
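Closing the port is the fix; knowing whether guessing is already happening is the check that goes with it. The following is an added example, not code from the article: it runs the detection logic a SOC would apply over Windows Security-log records (event 4625 is Windows' own "An account failed to log on", 4624 a successful logon), flagging any source address that racks up repeated failed remote logons and, more importantly, whether that address later succeeded. The threshold, window and the sample records are constructed assumptions.

```python
"""Flag password-guessing against RDP from Windows Security-log records.

Added example, not code from the article. The event IDs are Windows' own
(4625 = "An account failed to log on", 4624 = successful logon); the
threshold, window and the sample records below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# LogonType 10 is RemoteInteractive (a classic RDP session). With Network
# Level Authentication enabled, a failed RDP logon is usually recorded as
# LogonType 3 (Network) instead, so both count as remote logons here.
REMOTE_LOGON_TYPES = {3, 10}
FAIL_THRESHOLD = 10            # failures from one address ...
WINDOW = timedelta(minutes=5)  # ... inside this window => alert


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for every address that produced at least
    `threshold` failed remote logons within `window`.  `success_after` says
    whether the same address later logged in successfully: that is the case
    that needs incident response, not just a firewall rule."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):   # ISO strings sort chronologically
        if e["logon_type"] in REMOTE_LOGON_TYPES:
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fail_times = [datetime.fromisoformat(e["time"]) for e in evs if e["id"] == 4625]
        first_hit, start = None, 0
        for end, t in enumerate(fail_times):              # sliding window over failures
            while t - fail_times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_hit = t
                break
        if first_hit is None:
            continue
        alerts[ip] = {
            "failures": len(fail_times),
            "users": sorted({e["user"] for e in evs if e["id"] == 4625}),
            "success_after": any(
                e["id"] == 4624 and datetime.fromisoformat(e["time"]) >= first_hit for e in evs
            ),
        }
    return alerts


def constructed_sample():
    """Constructed records in the shape a Get-WinEvent or SIEM export gives you."""
    base = datetime(2026, 1, 10, 2, 14, 0)
    ev = []
    guessed = ["administrator", "admin", "backup", "scanner"]
    for i in range(12):  # 12 failures in three minutes from one internet address
        ev.append({"time": (base + timedelta(seconds=15 * i)).isoformat(), "id": 4625,
                   "logon_type": 3, "user": guessed[i % 4], "ip": "203.0.113.45"})
    # ... and then a success from the same address: the bad case
    ev.append({"time": (base + timedelta(minutes=4)).isoformat(), "id": 4624,
               "logon_type": 10, "user": "backup", "ip": "203.0.113.45"})
    # A staff member over the tunnel who mistypes once and then gets in: not an alert
    ev.append({"time": (base + timedelta(minutes=30)).isoformat(), "id": 4625,
               "logon_type": 10, "user": "jdoe", "ip": "100.64.0.12"})
    ev.append({"time": (base + timedelta(minutes=30, seconds=20)).isoformat(), "id": 4624,
               "logon_type": 10, "user": "jdoe", "ip": "100.64.0.12"})
    # A console logon failure (LogonType 2) is not a remote-access event and is ignored
    ev.append({"time": (base + timedelta(minutes=35)).isoformat(), "id": 4625,
               "logon_type": 2, "user": "jdoe", "ip": "-"})
    return ev


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(constructed_sample()).items():
        print(ip, summary)
```

Once RDP is only reachable through a tunnel, the same query becomes a much sharper signal: every source address in it should be an address on your VPN or Tailscale range, and anything else is worth a look.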
Your Options for Secure Remote Access
There is no single right answer here — it depends on what you actually need to do remotely. Here’s an honest breakdown.
Traditional VPN
A VPN creates an encrypted tunnel from a remote device to your network. Once connected, the remote device can reach internal resources — file shares, printers, RDP to internal machines — as if it were on-site.
For small businesses, this means running VPN software on your router (if it supports it) or on a dedicated appliance. Common options include:
- Firewalls with built-in VPN: Firewalls like those from Fortinet, Sophos, or pfSense/OPNsense can serve as VPN endpoints. This is the traditional enterprise approach.
- OpenVPN or WireGuard on a small server or NAS: Technically capable but requires setup and ongoing maintenance.
Traditional VPN works well. The downsides are operational: it requires a static IP address or dynamic DNS, certificate or key management, and user configuration on each client device. For a small business without dedicated IT, the setup complexity often leads to it being configured insecurely or abandoned.
RDP Through VPN
Once you have a VPN, you can use RDP — but only to internal machines, through the tunnel. This is the correct way to use RDP remotely. The RDP port stays closed to the internet; the VPN handles the secure connection, and RDP handles the remote desktop session.
This combination is secure and capable. The catch is still the VPN setup overhead.
Remote Desktop Tools: TeamViewer, AnyDesk, Splashtop
These are application-layer remote access tools. They work by having a client installed on the target machine that connects outbound to the vendor’s servers. You authenticate through the vendor’s platform and the connection is proxied through their infrastructure.
Pros:
- No port forwarding, no VPN, no firewall changes required
- Works through any internet connection
- Generally easy to set up and use
Cons:
- You’re depending on the vendor’s infrastructure and security practices
- Licensing costs add up, especially for multiple users or machines
- The vendor has visibility into your connections (in most configurations)
- TeamViewer in particular has had credential-stuffing incidents where accounts with reused passwords were compromised
These tools are fine for occasional access or IT support scenarios. For regular daily use as your primary remote access method, they’re an expensive middle ground with more third-party dependency than necessary.
Tailscale: The Right Answer for Most Small Businesses
Tailscale is a WireGuard-based mesh VPN that deserves serious attention from small businesses. I use it and recommend it regularly. Here’s why it changes the equation.
Traditional VPNs require a central server that all traffic routes through. Tailscale creates a mesh — each device on your Tailscale network can communicate directly with other devices, peer-to-peer where possible. Setup is simpler, performance is better, and there’s no single point of infrastructure failure.
What makes Tailscale practical for SMBs:
- No port forwarding required: Tailscale uses NAT traversal. You install the client on each machine, log in, and they find each other automatically.
- Works on everything: Windows, Mac, Linux, iOS, Android, Raspberry Pi. If your office has a mix of machines, this isn’t a problem.
- Subnet routing: Install Tailscale on one machine at the office and enable it as a subnet router. Now all of your remote users can reach the entire office network, not just the machines running Tailscale.
- Free tier is genuinely useful: Up to 3 users and 100 devices on the free plan. Most small businesses will find the personal or business plans (around $5–18/user/month) necessary, but the free tier is good for testing.
- MFA integration: Tailscale authenticates through your identity provider (Google, Microsoft, GitHub, Okta, etc.), so you can enforce MFA at the identity layer.
The setup process for a basic Tailscale deployment: install the client on the remote machine and the office machine, log into the same Tailscale account on both, and they appear in each other’s Tailscale network. You can then RDP, access file shares, or connect to anything on the office subnet. It takes about 20 minutes if you’ve done it before.
Cloudflare Access
Cloudflare Access is part of the Cloudflare Zero Trust platform. It lets you put specific applications behind an authentication layer — users authenticate through your identity provider before getting access, and there’s no VPN tunnel in the traditional sense.
Where it shines: protecting internal web applications (internal tools, Portainer, a local Nextcloud instance, etc.) without exposing them to the internet. You can make an internal web app accessible only to authenticated users from anywhere, with no VPN client required.
Where it doesn’t fit as well: accessing raw TCP services like RDP or file shares requires the Cloudflare WARP client and more configuration. For pure remote desktop or file share access, Tailscale is simpler.
Cloudflare Access is worth knowing about and the free tier covers up to 50 users for basic use cases. For most small businesses, it’s a complement to Tailscale rather than a replacement.
MFA Is Not Optional
Whatever method you use, multi-factor authentication must be enabled. This applies to:
- The VPN or Tailscale account
- Any remote desktop tool accounts
- Email, Microsoft 365, Google Workspace — everything cloud-based
The attack path that hurts small businesses most isn’t sophisticated malware — it’s credential theft. Someone’s password gets phished or found in a data breach, and suddenly an attacker has remote access to your systems. MFA breaks that chain.
Tailscale enforcing authentication through Google or Microsoft accounts (which themselves have MFA enabled) is one of the cleaner implementations. The authentication step isn’t skippable.
What to Avoid
A few patterns worth calling out explicitly:
Port forwarding RDP: Covered above. Don’t do it. Close it if it’s open.
Sharing TeamViewer or AnyDesk “unattended access” passwords by email or Slack: These passwords are essentially permanent backdoors into machines. They should be treated with the same care as server credentials, not pasted into a chat message.
Using personal VPN services (NordVPN, ExpressVPN, etc.) as business remote access tools: Consumer VPN services route your traffic through their servers and change your apparent IP address. They don’t connect you to your office network. This is a different tool for a different purpose.
Disabling firewall rules to “just make it work” and planning to re-enable them later: The “temporary” firewall hole that never gets closed is a classic. If you’re making firewall changes to solve a remote access problem, the right solution is a proper remote access tool, not an open port.
Practical Recommendation
For most small businesses in 2026:
- Install Tailscale on the machines you need to reach remotely and on the devices you’ll use to connect.
- Enable subnet routing on an always-on machine at the office (a server, NAS, or a low-power PC that stays on) so you can reach the full office network.
- Enforce MFA on the identity provider account that Tailscale authenticates through.
- Use RDP through Tailscale for remote desktop sessions. Port 3389 stays closed on your router.
- Verify that port 3389 is not accessible from the internet using a tool like ShieldsUP (grc.com) or a quick port scan.
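The Tailscale setup described above and the five steps just listed leave one thing implicit: by default every member of a tailnet can reach every port that a subnet router advertises, so "RDP through Tailscale" should come with an access policy that limits 3389 to the people who need it. The block below is an added example, not the article's or Tailscale's own code. It builds the tailnet policy file for the recommended layout (the `groups`, `tagOwners`, `autoApprovers` and `acls` keys are Tailscale's) and lints it before you paste it into the admin console; the group names, tag name, e-mail addresses and the `192.168.10.0/24` office subnet are assumptions. The `tailscale up` commands in the comments are the ones the subnet-router step relies on.

```python
"""Generate and lint a Tailscale ACL policy for the recommended SMB layout.

Added example; not from the article or from Tailscale. Group/tag names,
addresses and the office subnet are assumptions.

Subnet-router side (Linux host on the office LAN), per the steps above:
  echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-tailscale.conf
  sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
  sudo tailscale up --advertise-routes=192.168.10.0/24 --advertise-tags=tag:office-router
Linux clients additionally need `tailscale up --accept-routes`; Windows and
macOS clients accept advertised routes by default.
"""
import ipaddress
import json

OFFICE_SUBNET = "192.168.10.0/24"   # assumed office LAN behind the subnet router
RDP_PORT = 3389


def build_policy(admins, staff, office_subnet=OFFICE_SUBNET):
    """Policy: all members reach SMB file shares on the LAN, only admins get RDP."""
    return {
        "groups": {"group:admins": admins, "group:staff": staff},
        # only admins may tag a node as the office router
        "tagOwners": {"tag:office-router": ["group:admins"]},
        # routes advertised by the tagged router are approved without a console click
        "autoApprovers": {"routes": {office_subnet: ["tag:office-router"]}},
        "acls": [
            {"action": "accept", "src": ["autogroup:member"], "dst": [f"{office_subnet}:445"]},
            {"action": "accept", "src": ["group:admins"], "dst": [f"{office_subnet}:{RDP_PORT}"]},
        ],
    }


def ports_cover(spec, port):
    """True if a Tailscale port spec ('*', '3389', '80,443', '3000-4000') includes `port`."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def lint_policy(policy, office_subnet=OFFICE_SUBNET):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if not ipaddress.ip_network(office_subnet).is_private:
        findings.append(f"{office_subnet} is not a private range; a subnet route should cover the LAN only")
    if office_subnet not in policy.get("autoApprovers", {}).get("routes", {}):
        findings.append(f"no autoApprovers entry for {office_subnet}; the route must be approved by hand")
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            findings.append(f"rule {i}: action must be 'accept' (the policy is default-deny; there is no 'deny')")
        broad = any(s in ("*", "autogroup:member") for s in rule.get("src", []))
        for dst in rule.get("dst", []):
            host, _, ports = dst.rpartition(":")
            if broad and ports == "*":
                findings.append(f"rule {i}: every port on {host} is open to all members")
            elif broad and ports_cover(ports, RDP_PORT):
                findings.append(f"rule {i}: RDP ({RDP_PORT}) on {host} is open to all members; limit it to an admin group")
    return findings


if __name__ == "__main__":
    policy = build_policy(["owner@example.com"], ["staff1@example.com", "staff2@example.com"])
    print(json.dumps(policy, indent=2))          # paste into the Tailscale admin console
    print("findings:", lint_policy(policy) or "none")
```

Run it once with your own addresses and subnet, fix anything the linter prints, then paste the JSON into the Access Controls page of the admin console. Because Tailscale policies are default-deny, anything not listed in `acls` is unreachable, which is exactly the property you want around a port that used to be open to the internet.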
If you need to expose specific internal web applications to remote users who don’t have the Tailscale client, Cloudflare Access is worth adding on top. For everything else, Tailscale handles it.
This setup is free or low-cost, doesn’t require enterprise hardware, and provides meaningful security without demanding that you become a network engineer to maintain it.