This article explains how to securely port-forward Windows Remote Desktop (Terminal Services) over SSH, using standard SSH command line syntax. If you prefer to use GUI SSH tools, such as PuTTY, there are other guides for that.
Terminology Notes
My terminology assumes that you are connecting to a machine on your home network, which is protected by a firewall. However, the diagrams and commands are valid regardless of whether the remote network is at home or not.
Additionally, I use RDCHOST to represent the local name or IP of your RDC server within the home network, and my_home_ip to represent your home IP address as visible from the Internet.
Prerequisites
- Depending on network configuration, port-forwarding may have to be configured on the firewall.
- An SSH client (e.g. Cygwin’s OpenSSH for Windows) must be installed on the local machine.
- An SSH server (e.g. Cygwin’s OpenSSHD for Windows) must be present on some machine within the home network.
- SSH keys must be generated and deployed appropriately.
SSH Command Syntax
ssh -C -N -L localPort:destinationHost:3389 proxyHost
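localPort is the port on localhost through which you wish to connect. destinationHost is the Remote Desktop host, as it appears on the home network. proxyHost is the host running SSHD, through which you will tunnel. The -C option compresses the connection, -N tells ssh not to run a remote command (the session only forwards the port), and 3389 is the default Remote Desktop port.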
Configuration 1: Discrete Servers
This configuration has the firewall port-forward SSH to a server on the home network, which proxies the connection to the RDC server:
                      +-----------[ Home Network ]---------------+
                      |                                          |
localhost <----> Home Firewall <---> SSH Server <---> RDC Server |
                      |                                          |
                      +------------------------------------------+
Command line:
ssh -C -N -L 6009:RDCHOST:3389 my_home_ip
Configuration 2: Combined RDC & SSH Servers
In this configuration, the RDC server also has an SSH server, and the firewall port-forwards directly to it:
                      +------[ Home Network ]-----+
                      |                           |
localhost <----> Home Firewall <-----> RDC & SSH  |
                      |                 Server    |
                      +---------------------------+
Command line:
ssh -C -N -L 6009:localhost:3389 my_home_ip
Configuration 3: Firewall as SSH Server
In this configuration, the firewall acts as the SSH server, proxying the connection directly to the RDC server on the home network:
                       +----[ Home Network ]----+
                       |                        |
localhost <----> Home Firewall <---> RDC Server |
                 & SSH Server                   |
                       |                        |
                       +------------------------+
Command line:
ssh -C -N -L 6009:RDCHOST:3389 my_home_ip
Additional Suggestions
Rather than specifying the IP address of your home firewall, I suggest using DynDNS to get a dynamic DNS entry.
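The shell functions below are an added example, not part of the original article: they build the tunnel command with an explicit loopback bind, produce an authorized_keys line that limits the deployed key to the Remote Desktop forward, and check netstat or ss output to confirm the local port is not exposed to the network. The restrict key option assumes OpenSSH 7.2 or later on the SSH server; the function names, the public key and the netstat line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. RDCHOST and my_home_ip are the article's
# placeholders; the public key and netstat line below are constructed samples.

# Print the tunnel command with an explicit loopback bind (so the forwarded
# port stays off the LAN even if GatewayPorts is enabled in the client config)
# and ExitOnForwardFailure (so ssh exits if the local port cannot be bound).
tunnel_cmd() {
    dest=$1 proxy=$2 lport=${3:-6009}
    case $lport in ''|*[!0-9]*) echo "bad port: $lport" >&2; return 1 ;; esac
    if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
        echo "local port must be 1-65535" >&2; return 1
    fi
    printf 'ssh -C -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:3389 %s\n' \
        "$lport" "$dest" "$proxy"
}

# Print an authorized_keys line for the SSH server: "restrict" turns off PTY,
# agent, X11 and all forwarding; "port-forwarding" plus permitopen re-enables
# forwarding to the Remote Desktop port only. It does not by itself block
# command execution; a forced command= option would be needed for that.
authorized_keys_entry() {
    printf 'restrict,port-forwarding,permitopen="%s:3389" %s\n' "$1" "$2"
}

# Read `netstat -an` or `ss -ltn` output on stdin; succeed only if the port has
# a listener and every listener on it is bound to a loopback address.
loopback_only() {
    awk -v p="$1" '
        /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) {
            seen = 1; addr = substr($i, 1, length($i) - length(p) - 1)
            if (addr !~ /^(127\.0\.0\.1|\[::1\]|::1)$/) bad = 1
            break } }
        END { exit !(seen && !bad) }'
}

# Configuration 1 from the article, then a check on constructed netstat output.
tunnel_cmd RDCHOST my_home_ip
authorized_keys_entry RDCHOST 'ssh-ed25519 AAAA...constructed user@laptop'
printf 'TCP 127.0.0.1:6009 0.0.0.0:0 LISTENING\n' | loopback_only 6009 &&
    echo "port 6009 is loopback-only"
```

For Configuration 2, pass localhost as the destination so that permitopen matches the host name the client requests.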