This can be done with the router's Port Forwarding \ Virtual Servers feature.
Virtual servers can be used for setting up public services on your LAN. A virtual server is defined as a service port, and all requests from the Internet to this service port are redirected to the specified IP address in the LAN. Any PC used as a virtual server must have a static or reserved IP address, because otherwise its IP address may change when DHCP is in use (see DHCP \ Address Reservation).
On a TP-LINK router these settings are located in Forwarding \ Virtual Servers.
- Turn off the firewall (on the server and on the client);
- Test port forwarding (see below);
- Add port 3389 to the port-forwarding configuration and send test data to this port;
- After you can successfully connect to the RDP server from the client, turn the firewall back on and add port 3389 to the incoming rules. You can check whether such a rule exists using a PowerShell command (see below).
To test port forwarding you can use any online tool, such as Port Forwarding Tester or other Net tools. Another simple option is to run a lightweight HTTP server such as http-server or serve locally and add a port-forwarding rule for it in the router.
To make sure that the RDP server responds to your request and there are no problems on the server side, you can send test data to the RDP server:
PS> Test-NetConnection -ComputerName <ip> -Port 3389 -InformationLevel "Detailed"
If the server responds, the result will contain TcpTestSucceeded: True.
To check whether a firewall rule for port 3389 exists:
PS> Get-NetFirewallPortFilter -Protocol TCP | Where {$_.LocalPort -eq '3389'} | Get-NetFirewallRule
If the login screen appears but, after you enter credentials, you get the error message "Unable to RDP to Virtual Machine: CredSSP Encryption Oracle Remediation", install the CredSSP updates for CVE-2018-0886 or allow the vulnerable connection:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
(Remember to undo this after the server has been patched.)
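The checks above can be combined into one status report. This is an added example, not part of the original page: the function name Test-RdpSetup and its parameters are hypothetical, and it reads the firewall and registry state of the machine it runs on (elevated), with an optional reachability test against a remote address.

```powershell
# Added example: summarize the local RDP-related state described on this page.
# Test-RdpSetup, -ComputerName and -Port are names chosen for this example.
function Test-RdpSetup {
    param(
        [string] $ComputerName,   # optional: RDP server address to probe
        [int]    $Port = 3389
    )

    # 1. Reachability: same probe as Test-NetConnection above, reduced to a boolean.
    $reachable = $null
    if ($ComputerName) {
        $probe = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
        $reachable = $probe.TcpTestSucceeded
    }

    # 2. Enabled inbound allow rules that name the port explicitly
    #    (rules whose LocalPort is 'Any' are not matched by this filter).
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    # 3. CredSSP workaround state: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $oracle = (Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle

    [pscustomobject]@{
        Port                  = $Port
        TcpTestSucceeded      = $reachable            # $null when no -ComputerName was given
        InboundAllowRules     = @($rules | ForEach-Object { $_.DisplayName })
        FirewallRulePresent   = [bool] $rules
        AllowEncryptionOracle = if ($null -eq $oracle) { 'not set' } else { $oracle }
        WorkaroundStillActive = ($oracle -eq 2)       # True means the REG ADD above has not been undone
    }
}

# Usage: local state only, or with a reachability probe (address is a placeholder).
Test-RdpSetup
# Test-RdpSetup -ComputerName '<ip>'
```

WorkaroundStillActive reports True for as long as AllowEncryptionOracle is left at 2, which makes it a quick way to confirm the workaround was removed after patching.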