Community guide: resilient unattended Sunshine host on Windows

[Drugos90]

Hi everyone,

I put together a guide based on the setup I use for a resilient Windows remote gaming host with Sunshine and Moonlight.

The goal is to keep the machine reachable when nobody is physically present. It includes automatic Windows sign-in, silent Sunshine crash recovery, Tailscale access, OpenSSH troubleshooting, remote reboot, logging, and recovery after a normal Windows restart.

I have documented the security tradeoffs and sanitized the reusable scripts and examples before publishing them.

I would appreciate feedback, corrections, and testing from other Windows users, especially on different Windows versions and hardware.

Guide and scripts:
https://github.com/Drugos90/sunshine-resilient-windows-host

Thanks!

[ReenigneArcher]

Hackers dream target

I'm closing this, because no one should disable any of these security features for convenience. People really need to wake up and start understanding the risks, especially now that AI can easily help attackers infiltrate even easier than before.

[Drugos90]

Fair concern. This setup intentionally prioritizes unattended availability on a dedicated, physically secured gaming host, and the autologin/UAC tradeoffs are documented upfront. It publishes no credentials, IPs, certificates, or configuration data; remote access goes through Tailscale without router port forwarding. I’d welcome specific attack paths or hardening suggestions so they can be tested and documented.

[ReenigneArcher]

Doesn't matter... have you reviewed Sunshine's published security reports?

[Drugos90]

You’re right to raise this. Sunshine has published serious advisories, including CVE-2026-32253 GHSA-ph75-mgxh-mv57), an authentication bypass fixed in v2026.516.143833, and CVE-2025-53095 GHSA-39hj-fxvw-758m), a CSRF/command-injection issue
fixed in 2025.628.4510.

As long the host uses v2026.516.143833, it includes those fixes. Tailscale and no port forwarding reduce exposure, but they do not replace patching. I’m adding an explicit requirement to review Sunshine advisories and remain updated.

Thanks for pointing this out.

[Drugos90]

Understood why you close this tho, and thank you for reviewing it. This was based on a dedicated host where I deliberately prioritized unattended availability, but I understand that publishing disabled security controls as general setup instructions can encourage unsafe configurations. I’ll revise the repository so it is not presented as a safe general recommendation.