I like the option of using an SSH tunnel.
The principle is this:
One network - 192.168.0.X
RDP server is 192.168.0.2
SSH server - 192.168.0.10
In some cases, the router can be the SSH server.
A client outside connects to the SSH server and creates a tunnel from 192.168.0.2:3389 to local port 44444,
then the RDP connection is made to 127.0.0.1:44444
and the traffic goes through the tunnel.
The traffic can also be encrypted using a VPN; in that case it is possible to configure things so that the client computer becomes part of the network, with all the consequences....
Config for sshd with keys
user@ssh:~$ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
# Use these options to restrict which interfaces/protocols sshd will bind to
# HostKeys for protocol version 2
#Privilege Separation is turned on for security
# Lifetime and size of ephemeral version 1 server key
# Don't read the user's ~/.rhosts and ~/.shosts files
# For this to work you will also need host keys in /etc/ssh_known_hosts
# similar for protocol version 2
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# To enable empty passwords, change to yes (NOT RECOMMENDED)
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
# Change to no to disable tunnelled clear text passwords
# Kerberos options
# GSSAPI options
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
PermitOpen 192.168.0.2:3389 192.168.0.20:3389
Maybe there is a bunch of extra stuff (comments have been removed). If there's something critical, tell me...
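
The following is an added example, not part of the original post: a shell check of which forward targets the posted PermitOpen line lets a tunnel reach. The function name, the temp-file sample and the `user@<ssh-server>` placeholder are assumptions; only the first global PermitOpen line is read, and Match blocks, Include files and IPv6 targets are not handled.

```shell
#!/bin/sh
# Added example (not from the post). Client-side tunnel the post describes,
# with placeholder login and address:
#   ssh -N -L 127.0.0.1:44444:192.168.0.2:3389 user@<ssh-server>

# permitopen_allows CONFIG HOST PORT -> exit 0 if the forward target is permitted.
permitopen_allows() {
    cfg=$1 host=$2 port=$3
    # Keywords are case-insensitive; take the arguments of the first PermitOpen line.
    targets=$(awk 'tolower($1) == "permitopen" { $1 = ""; print; exit }' "$cfg")
    # No PermitOpen line at all: sshd's default is to allow any target.
    [ -z "$targets" ] && return 0
    set -f   # keep a literal "*" in the config from being glob-expanded
    for t in $targets; do
        case $t in
            any)  set +f; return 0 ;;
            none) set +f; return 1 ;;
        esac
        t_host=${t%:*}
        t_port=${t##*:}
        # "*" is accepted by sshd as a wildcard for host or port.
        if { [ "$t_host" = "*" ] || [ "$t_host" = "$host" ]; } &&
           { [ "$t_port" = "*" ] || [ "$t_port" = "$port" ]; }; then
            set +f; return 0
        fi
    done
    set +f
    return 1
}

# Constructed sample file holding the one directive visible in the posted config.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample
PermitOpen 192.168.0.2:3389 192.168.0.20:3389
EOF

# Two RDP hosts from the post, plus two targets that should be refused.
for target in 192.168.0.2:3389 192.168.0.20:3389 192.168.0.2:445 192.168.0.10:22; do
    if permitopen_allows "$SAMPLE_CFG" "${target%:*}" "${target##*:}"; then
        echo "allowed: $target"
    else
        echo "refused: $target"
    fi
done
```

With the posted line in place, a tunnel user can reach only the two RDP endpoints; requests to forward to any other host or port on 192.168.0.X are refused by sshd.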