Beyond the Firewall: How TailVNC Fuses WireGuard and VNC for Untraceable Access
TailVNC
A Windows remote desktop persistence tool built on top of Tailscale’s WireGuard-encrypted mesh network. TailVNC embeds a fully self-contained VNC server and Tailscale node into a single binary, enabling secure remote desktop access over Tailscale/Headscale without exposing any ports to the public internet. Designed for both legitimate infrastructure administration and red team persistence operations.
Features
- Tailscale/Headscale Integration – Leverages tsnet to embed a WireGuard peer directly into the binary; supports both official Tailscale coordination and self-hosted Headscale control planes
- Windows Session 0 Isolation Bypass – When running as SYSTEM, automatically spawns an agent process in the active user session via CreateProcessAsUser and proxies VNC traffic through IPC, circumventing Vista+ session isolation
- Dynamic Desktop Tracking – Follows the user across desktop transitions including the default desktop, Winlogon (login screen), UAC secure desktop, and lock screen via OpenInputDesktop/SetThreadDesktop
- Ctrl+Alt+Del Injection – Sends the Secure Attention Sequence from Session 0 via sas.dll!SendSAS
- Bidirectional Clipboard Sync – Latin-1 clipboard synchronization between VNC client and target host
- Build-Time Configuration Embedding – Auth key, VNC password, listen port, and control URL are injected at compile time via LDFLAGS; the resulting binary requires no configuration files at runtime
- Auth Key Obfuscation – Tailscale auth key is XOR-obfuscated at build time to prevent plaintext credential exposure in the binary
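For responders, the obfuscated auth key is the artifact that matters most: it identifies the tailnet a compromised host joined and is the credential to revoke. The following is an added example, not code from TailVNC or this post, that locates a Tailscale auth key in a binary sample using its known prefix tskey-auth- as known plaintext. It assumes a single-byte XOR key and a constructed sample blob; the post does not describe the actual obfuscation scheme.

```python
import string

# Known plaintext: every Tailscale auth key starts with this prefix.
TSKEY_PREFIX = b"tskey-auth-"
# Characters that may appear in the remainder of a key.
KEY_CHARS = set(string.ascii_letters + string.digits + "-")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_tskeys(blob: bytes) -> list:
    """Locate plaintext or single-byte-XOR-obfuscated Tailscale auth keys.

    At each offset the candidate key is blob[i] ^ 't'; it is accepted only if
    it decodes the whole 11-byte prefix, so accidental hits on random data are
    astronomically unlikely. Returns (offset, xor_key, recovered_text) tuples;
    xor_key == 0 means the key was stored in plaintext.
    """
    hits = []
    n = len(TSKEY_PREFIX)
    for i in range(len(blob) - n + 1):
        key = blob[i] ^ TSKEY_PREFIX[0]
        if xor_bytes(blob[i:i + n], key) != TSKEY_PREFIX:
            continue
        # Extend past the prefix while bytes still decode to key characters;
        # the end of the key is a heuristic, not a parsed length field.
        j = i + n
        while j < len(blob) and chr(blob[j] ^ key) in KEY_CHARS:
            j += 1
        hits.append((i, key, xor_bytes(blob[i:j], key).decode("ascii")))
    return hits


# Constructed sample (assumption): a placeholder key, not a real credential,
# XOR'd with 0x5A and padded with unrelated bytes, followed by a plaintext
# copy so both code paths are exercised.
SAMPLE_KEY = b"tskey-auth-kPLACEHOLDER-0123456789abcdef"
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 8
               + xor_bytes(SAMPLE_KEY, 0x5A) + b"\xff\x00"
               + b"tailscale.com\x00" + SAMPLE_KEY + b"\x00")

if __name__ == "__main__":
    for off, key, text in find_tskeys(SAMPLE_BLOB):
        print(f"offset {off:#x} xor_key {key:#04x}: {text}")
```

A multi-byte XOR key needs the same known-plaintext idea extended to a key stream, but the 11-byte prefix alone will not recover a key longer than 11 bytes.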
Use
TailVNC must run with SYSTEM privileges. When executing in Session 0 (as a Windows service or under SYSTEM context), the tool automatically detects the active console session, spawns an agent process within it for screen capture and input injection, and proxies all VNC traffic. If launched directly within an interactive user session, it operates in local mode without the agent proxy layer.
Upon execution, the target host joins the configured Tailscale network as a new node. Connect using any standard VNC client:
<Tailscale IP>:5900