I was thinking of putting ZT on all the users' office computers that need remote access and then putting it on their home computers. This seems like a big security risk of opening up the office network to a home computer that may or may not be protected. What is the best practice for allowing remote desktop users? Can you isolate the ZT traffic and not allow it onto the office LAN?
If you set a network for each office computer and join the home client to the network for only one office computer, then you will effectively achieve what you are aiming to do. Furthermore, if you set the firewall on the office computer to only communicate using RDP over the Zerotier link, then you will have it further locked down.
Under that scenario, you have created a point-to-point link for each office computer and client.
I found a ZT config that will only allow 3389 over the VPN. Is this good enough?
Does this prevent connecting to anything other than RDP on the local computer, like network shares?
```
accept ethertype arp;                        # so nodes can find each other
drop not ipprotocol tcp;
accept dport 3389;                           # Destination is RDP
drop chr tcp_syn and not chr tcp_ack;        # No new TCP connections (except RDP)
accept;                                      # Accept what's left, returning RDP traffic
```
Personally, I would use the Firewall settings on each office PC [electing to turn off file sharing on the zerotier link, or declaring it a public link and only allowing RDP], as it is good practice to assume your internal network may turn hostile one day. As it is, the config you have there looks like it might work.
Try it with one client and one PC, then see if you can access the things you want blocked.
If it works as expected, then you can set up the remaining machines with your settings.
Note: I’m using the approach of implementing a test system, seeing if everything works as expected, then rolling out the changes to everything else.
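As an added example (not part of this thread and not ZeroTier's own code), the following Python models the first-match evaluation ZeroTier applies to the flow rules quoted above and runs the rule set against constructed packets, so you can see on paper which traffic it admits before doing the one-client trial suggested here. The packet contents, port numbers and helper names are assumptions for illustration; only the match keywords the quoted rules use (`ethertype`, `ipprotocol`, `dport`, `chr`) are modelled.

```python
"""Added example: a first-match evaluator for the quoted ZeroTier flow rules.

ZeroTier walks the rule list top to bottom; the first rule whose match
expression is true decides the packet, and a packet matching nothing is
dropped. Each rule below mirrors one line of the rule set from the thread.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet: only the fields the quoted rules inspect."""
    ethertype: str                        # "arp", "ipv4" or "ipv6"
    ipprotocol: Optional[str] = None      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    sport: Optional[int] = None
    tcp_syn: bool = False
    tcp_ack: bool = False


Match = Callable[[Packet], bool]


@dataclass
class Rule:
    action: str                           # "accept" or "drop"
    match: Optional[Match] = None         # None == unconditional (bare `accept;`)
    comment: str = ""


# Match-expression helpers named after the ZeroTier keywords they model.
def ethertype(t: str) -> Match: return lambda p: p.ethertype == t
def ipprotocol(proto: str) -> Match: return lambda p: p.ipprotocol == proto
def dport(port: int) -> Match: return lambda p: p.dport == port
def chr_(flag: str) -> Match: return lambda p: getattr(p, flag)
def not_(m: Match) -> Match: return lambda p: not m(p)
def and_(a: Match, b: Match) -> Match: return lambda p: a(p) and b(p)


# The rule set from the thread, one Rule per line, in the original order.
RULES = [
    Rule("accept", ethertype("arp"), "so nodes can find each other"),
    Rule("drop", not_(ipprotocol("tcp")), "drop everything that is not TCP"),
    Rule("accept", dport(3389), "destination is RDP"),
    Rule("drop", and_(chr_("tcp_syn"), not_(chr_("tcp_ack"))),
         "no new TCP connections (except RDP, accepted above)"),
    Rule("accept", None, "accept what's left: returning RDP traffic"),
]


def evaluate(pkt: Packet, rules=RULES) -> Tuple[str, int]:
    """Return (action, index of the deciding rule) for one packet."""
    for i, rule in enumerate(rules):
        if rule.match is None or rule.match(pkt):
            return rule.action, i
    return "drop", -1                     # nothing matched: ZeroTier drops


# Constructed traffic between home client (A) and office desktop (B).
RDP_SYN = Packet("ipv4", "tcp", dport=3389, sport=51000, tcp_syn=True)        # A opens RDP
RDP_SYNACK = Packet("ipv4", "tcp", dport=51000, sport=3389, tcp_syn=True, tcp_ack=True)
RDP_DATA = Packet("ipv4", "tcp", dport=51000, sport=3389, tcp_ack=True)       # B replies
SMB_SYN = Packet("ipv4", "tcp", dport=445, sport=51001, tcp_syn=True)         # A tries a share
DNS_QUERY = Packet("ipv4", "udp", dport=53, sport=51002)                      # UDP of any kind
PING = Packet("ipv4", "icmp")
ARP_WHO_HAS = Packet("arp")


def report(packets=None):
    """Evaluate each named packet and return [(name, action, comment)]."""
    packets = packets or {
        "RDP SYN -> 3389": RDP_SYN, "RDP SYN/ACK": RDP_SYNACK, "RDP data": RDP_DATA,
        "SMB SYN -> 445": SMB_SYN, "UDP DNS": DNS_QUERY, "ICMP ping": PING, "ARP": ARP_WHO_HAS,
    }
    rows = []
    for name, pkt in packets.items():
        action, idx = evaluate(pkt)
        rows.append((name, action, RULES[idx].comment if idx >= 0 else "no match"))
    return rows


if __name__ == "__main__":
    for name, action, why in report():
        print(f"{name:18} {action:6} ({why})")
```

Two things the dry run makes visible: the rule set drops every non-TCP frame except ARP, so ping, DNS over UDP and IPv6 neighbour discovery across the ZeroTier link all fail; and because `accept dport 3389` is evaluated before the SYN check and the rules carry no direction, a TCP SYN to port 3389 is accepted whichever side sends it, so the host firewall advice above is still what restricts who may initiate RDP.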
If A = remote user, B = ZeroTier adapter on the office desktop, C = office LAN adapter on the office desktop and D = network shares, etc.
Can A connect to D? Is there a bridge between adapters on the office desktop (B and C)?
In Windows, no, this only happens if you make an explicit bridge between the network interfaces [B and C]. Given you are using RDP, and locking it down on the Zerotier interface, there should be no traffic going from A to D.
Keep in mind, all the features of RDP remain in place, but it will all be indirect access overall.