Isn't it better to do it with teamviewer? than reinvent the wheel

Unfortunately, Windows Server does not know how to authenticate a client against a certificate. All those instructions on the internet how to use the certificate are for the CLIENT to authenticate the SERVER, so as not to connect to a "fake" server.
Once again in other words: the server authenticates the client only by password. In order for the client to authenticate the server, a certificate can be used.

You can make it cooler and much safer without any certificates attached to Windows, etc.:
1. Raise your openacess vpn server on any cloud VDS server or other resource. By the way, you can raise vpn on the same server to which you plan to access via RDP (the main thing is that the ip address is external and it can be accessed from the big Internet)
2. Remember the ip address of this server, in the case of an all in one solution, remember the internal local address , which will be issued to us every time when connecting to vpn
3. On the router, we do port forwarding for RDP, we specify 3389 as the local port, as the port sticking out, any except the default one. Protolol - TCP IP or both , specify the ip address of that openvpn server as the source address. (point 2)
4. Thus, it will be possible to reach your remote desktop only by connecting via vpn, other connections from any other addresses will be dropped.

Also, tell me a simple way to log rdp connections, who came in from which ip when.

Isn't it easier to change the connection port from 3389 to any other?

Is this win7 behind some kind of router or is there a full-fledged gateway on the line?
Just at one time I wanted to do this: The gateway is on the line, port-knocking
is configured in it . Next, a self-extracting archive is created, which contains port-knocking for windows , the saved rdp-config, a shortcut for placing it on the desktop, and a small bat-file, which will be launched by the shortcut like this: where 8080 is the port, if on it knock on it, the port for rdp 8081 will open - the port, if you knock on it, the port for rdp will be closed. The archive is configured so that after unpacking it copies the shortcut to the desktop.
port-knoking 8080
start mstsc rdp.conf
port-knoking 8081
Further, the user does not need to do anything except click on the shortcut (run bat'nickname) and enter the login / password from the system.
All this is somewhat confusing - but then it seemed to me that it would be easier for users than to explain how to install a certificate / raise VPN / etc ..., and it becomes more secure than just using a login / password.

Use an encrypted tunnel with zebedee . On a working computer, launch the zebedee service, and on the client machine, launch the zebedee console client from a flash drive using a batch file.
Pluses:
1. The channel between the client machine and service is ciphered.
2. Traffic is compressed.
3. Protection against unauthorized connections using keys.
4. Ability to forward multiple ports through one tunnel.

As far as we know, without a certification center, nothing sensible will work anyway.
If you need a very very reliable connection without a domain, then you can use IPSec. This will require configuration on each client, but all traffic will be encrypted. In this case, you can also use certificates, but without a certification authority, it will not work here either. Without an IPSec CA, the channel can establish a preshared key connection.

If you still need a corporate authentication solution, then I advise you to look towards One-Time Password technologies. With them, no client part is needed, PKI with all the consequences does not need to be kept. OTP examples: RSA SecurID, Aladdin OTP, endeed ID.
Just do not hang bare rdp outside, it is vulnerable.

Because MS12-020.

Also, tell me a simple way to log rdp connections, who came in from which ip when.

Tell me, does a self-signed certificate not save in a situation of an open port 3389?
(on the example of win2008r2/2012)

WinSSHD
www.bitvise.com/ssh-server