Remote access (Tailscale + VNC)
The dashboard's remote-control commands handle 95% of what you need to do to a sign. The other 5% requires actual hands-on the kiosk: change a setting that isn't exposed in the UI, run a one-off PowerShell command, look at something the logs don't capture. Tailscale + RDP (or VNC) is how you do that without driving to the venue.
This page is the operator-facing companion to Tailscale integration, which covers baking Tailscale into the kiosk image. Here we're talking about using it once it's deployed.
When to reach for remote desktop
Order of escalation:
- Dashboard commands — refresh, fetch logs, reboot. Cheap, fast, no login needed.
- Status overlay on the kiosk (Ctrl+Shift+S) — useful if a tech is on-site with a keyboard.
- Remote desktop via Tailscale — when you need to look at the kiosk, change something not exposed in the UI, or work around a state the dashboard can't see.
- Drive to the venue — when remote desktop isn't reachable, your last option. The Tailscale + always-on power profile setup makes this rare.
Tailscale is what makes step 3 possible. Without it, kiosks behind venue NAT are unreachable from outside.
Prerequisites
Before remote desktop works, you need:
- Tailscale baked into the kiosk image — see Tailscale integration. The kiosk should appear in your Tailscale admin console as
tag:displaysync-sign. - A remote-desktop server running on the kiosk and bound to the Tailscale interface — typically Windows RDP (built-in) or a VNC server you install during the image build.
- Your support device on the same tailnet, either as
autogroup:adminor with a tag your ACLs grant access from.
Path A — RDP (built-in to Windows Pro)
Windows RDP is the simplest because it's already on every kiosk. Enable it during the image build:
# Enable RDP
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" `
-Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Add the kiosk user to Remote Desktop Users
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "DisplaySync"
Bind RDP to the Tailscale interface only (don't listen on the venue LAN):
# Block RDP on all non-Tailscale interfaces
Set-NetFirewallRule -DisplayGroup "Remote Desktop" `
-InterfaceAlias "Tailscale" -Profile Any -Action Allow
Set-NetFirewallRule -DisplayGroup "Remote Desktop" `
-InterfaceAlias "Ethernet*","Wi-Fi*" -Action Block
Connect from your laptop's RDP client:
- macOS: Microsoft Remote Desktop (App Store)
- Windows: mstsc.exe (built-in)
- Linux: Remmina
Use the kiosk's Tailscale IP (e.g., 100.x.y.z) as the host, kiosk username and password from the provisioning summary.
RDP on the kiosk user disconnects the wall
Logging in via RDP as the kiosk user kicks out the local session — the
wall goes blank because Windows can only have one interactive session
for that account. To work around it, RDP in as the builder admin
(imgadmin, if you kept it) or another local admin account, then jump
to the kiosk session via Task Manager → Users → Connect.
Or use VNC (Path B) which mirrors rather than replaces the local session.
Path B — VNC (mirrors the local session)
VNC servers connect to the existing logged-in session, so they don't disconnect the wall. Pick one and install it during the image build.
TightVNC
Free, simple, sufficient for occasional support work.
- Download from tightvnc.com and install with default options.
- During install, set a viewer password (long, random — store it with your fleet credentials).
- Configure the server to bind only to Tailscale:
# TightVNC service config — restrict to a single IP (your kiosk's Tailscale IP)
$tsIp = (& "C:\Program Files\Tailscale\tailscale.exe" ip -4).Trim()
& "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -reload `
-listenip $tsIp
- Add a Windows firewall rule that allows VNC's port (5900 by default) only on the Tailscale interface, and blocks it on Ethernet/Wi-Fi.
Connect from any standard VNC client (RealVNC Viewer, Screens, etc.) using the kiosk's Tailscale IP.
MeshCentral / RustDesk / similar
Heavier alternatives that include audit logging, multi-user access, and fancier features. Worth evaluating for fleets where compliance or audit requirements demand a paper trail. For most events, TightVNC is enough.
Tailscale ACLs
Whatever protocol you use (RDP, VNC, SSH), Tailscale's ACL grants are what actually gate access. The pattern from Tailscale integration:
{
"grants": [
{ "src": ["autogroup:admin"], "dst": ["*"], "ip": ["*"] },
{ "src": ["autogroup:member"], "dst": ["tag:displaysync-sign"], "ip": ["*"] },
{ "src": ["autogroup:member"], "dst": ["autogroup:self"], "ip": ["*"] }
]
}
Default-deny: signs can't reach anything. Members (your support team) can reach signs and their own devices. Admins reach everything. No outsider can reach a sign without being added to your tailnet first.
Tailscale SSH (Linux signs only)
If you're running Linux kiosks, Tailscale's built-in SSH integration is the cleanest remote-access path:
# From any tagged admin device:
tailscale ssh DisplaySync@kiosk-name
Tailscale handles authentication via the tailnet — no SSH keys to manage, no passwords to rotate. ACLs control who can SSH where.
For Windows kiosks, Tailscale SSH isn't available natively (Windows SSH integration is limited). RDP/VNC are the right tools.
Maintenance mode pairs well
Before doing destructive work over remote desktop, put the sign in maintenance mode so the watchdog doesn't fight you:
- From the kiosk (over RDP/VNC): press Ctrl+Shift+Q in the sign app
- Or remotely: drop the sentinel file via PowerShell
New-Item "C:\ProgramData\DisplaySync\.maintenance" -ItemType File -Force Stop-Process -Name "DisplaySync Sign" -Force
The watchdog won't relaunch the sign app while .maintenance exists. When you're done, delete the sentinel and reboot, or just reboot — auto-login + scheduled task takes you back to normal.
See Crash recovery → Maintenance mode for full detail.
Audit trail
Unlike the dashboard's in-app commands (which write to the audit log automatically), RDP/VNC sessions don't show up anywhere DisplaySync tracks. If you need an audit trail of who-did-what-when, you have to roll your own:
- Tailscale logs capture connection events (who SSHed/connected to which device, when)
- Windows Event Viewer captures RDP login events on the kiosk
- MeshCentral has built-in session recording if you choose that path
For most teams, the Tailscale connection log + an internal Slack/notes habit ("hopping into LOBBY-WEST-03 to fix X") is enough.
Failure modes
| Symptom | Likely cause | Fix |
|---|---|---|
| Tailscale IP missing in dashboard | Tailscale service not running on kiosk | Reboot kiosk, or RDP in via LAN if you can and Start-Service Tailscale |
| RDP timeout | Firewall rule blocking, or RDP not enabled | Confirm RDP rule allows the Tailscale interface, kiosk user is in Remote Desktop Users |
| VNC password rejected | Wrong password, or service config drifted | Re-set the viewer password in TightVNC config, or reinstall |
| Tailscale ACL blocking access | ACL misconfigured | Check the admin console's ACL Tester with your source + dest |
| Connected but display is the lock screen | Lock screen wasn't disabled at image build | Re-apply the lock screen disable |
For a fuller symptom-indexed playbook covering ACL drift, key-rotation surprises, and post-Sysprep clone behavior, see Troubleshooting → Tailscale issues.
In-person alternatives to remote access
When Tailscale/VNC isn't reachable but you have keyboard access at the kiosk, the desktop sign exposes three diagnostic overlays via global hotkeys — useful as fallbacks for the remote-access workflows above:
Ctrl+Shift+S— Status overlay (heartbeat, backend URL, connection state)Ctrl+Shift+N— Network diagnostics (NIC, IP, internet + backend reachability, latency)Ctrl+Shift+C— Config overlay (URL editor, kiosk-mode toggle, Exit for Maintenance)
See Hotkeys for full details.
What's next
- Tailscale integration — image-build setup
- Crash recovery — entering maintenance mode safely
- Best practices → Stability over features — when not to use remote access during a live event