Software Secret Weapons™

 
Windows Remote Desktop Over SSH
by Pavel Simakov on 2006-03-14 16:31:13 under Smoke & Mirrors, view comments
 

Here's how you can secure your Remote Desktop (RDP) connections with SSH. This can be useful for connecting to your home computer from the office or some other remote location. We use an advanced SSH feature, TCP/UDP IP traffic tunneling (port forwarding), to make it work.

Prerequisites for basic RDP

You'll need an SSH server installed at home. I've used OpenSSH, but any SSH implementation will work. Windows users can use OpenSSH for Windows; Unix (including Mac OS X and Linux) users can use the standard OpenSSH distribution. You can secure SSH by using SSL and various kinds of encryption.

If you're using a router or firewall at home, make sure to allow incoming connections on the SSH port (port 22 by default).

You'll also, of course, need an RDP (Remote Desktop Protocol) client in your office. Windows users can use Microsoft's Remote Desktop Client that is part of Windows XP. Unix users can use rdesktop.

Ensure that your home computer is set up to accept remote connections for a specific user account. Go to Start > Settings > Control Panel and then double-click the System icon. On the Remote tab, select the "Allow users to connect remotely to this computer" check box.

And finally, obviously you'll have to leave your workstation running (though you should log off).

Securing RDP with SSH tunnel

SSH client software such as PuTTY can be used to connect to the home SSH server from the office. From your computer at the office, SSH into the home "SSH Server" with PuTTY or by executing the following command from the prompt:

  • ssh -p <ssh.port.number> home.username@home.ip.address

You should now have a command prompt on the home "SSH Server". From there, execute the following command to enable traffic tunneling:

  • ssh -R 3390:home.ip.address:3389 -C -N office.username@office.ip.address

This is a remote forward (-R): the SSH server on the office computer (the command connects to office.username@office.ip.address, so an SSH server must be reachable there) starts listening on port 3390, and every connection arriving at that port is carried back through the tunnel to destination home.ip.address port 3389. Now, from your computer at the office, use your Remote Desktop client to connect to localhost:3390; this will connect you to the home computer, and the Remote Desktop traffic will be tunneled over SSH. If localhost does not work, try 127.0.0.1:3390 on Windows XP SP1, or 127.0.0.2:3390 on Windows XP SP2. This is due to changes in the TCP loopback interface that occurred in SP2.

Securing CVS access with SSH tunnel

You can tunnel other kinds of ports (CVS, for example) the same way. For CVS traffic tunneling, use the following command:

  • ssh -R 2402:home.ip.address:2401 -C -N office.username@office.ip.address

This will tunnel all traffic arriving at office.username@office.ip.address port 2402 to destination home.ip.address port 2401. In order to access the home CVS server from the office, connect to localhost:2402.
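The two forward specs above (and the -L variants readers use in the comments) all have the shape OpenSSH expects for -L/-R. The following example, added here and not part of the original article, parses such a spec, reports which side ends up with the listening socket, builds the address to type into the Remote Desktop client, and flags a listener bound beyond loopback, which would expose the tunneled RDP port to everyone on that network. Host names in the test data are constructed placeholders.

```python
# Example code added for this article (not the author's): parse OpenSSH -L/-R
# forward specs such as "3390:home.ip.address:3389", report which side ends up
# listening, build the Remote Desktop target, and flag listeners that are bound
# beyond loopback (a tunnelled RDP port reachable from the whole network).
import re
from dataclasses import dataclass

LOOPBACK = re.compile(r"^(localhost|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1)$")

@dataclass
class Forward:
    direction: str   # "L" = local forward, "R" = remote forward
    bind_addr: str   # listener address; "" means OpenSSH's default (loopback)
    bind_port: int
    dest_host: str
    dest_port: int

    @property
    def listener_side(self) -> str:
        # -L opens the listener on the machine running ssh (the office PC when
        # run from the office); -R opens it on the sshd host ssh connected to.
        return "ssh client" if self.direction == "L" else "ssh server"

    @property
    def exposed_beyond_loopback(self) -> bool:
        # "*", "0.0.0.0" or a LAN address lets other hosts reach the RDP port.
        return self.bind_addr != "" and not LOOPBACK.match(self.bind_addr)

    def rdp_target(self) -> str:
        # What to type into mstsc/rdesktop on the listening side.
        return f"{self.bind_addr or 'localhost'}:{self.bind_port}"

def _port(text: str) -> int:
    port = int(text)  # raises ValueError on non-numeric input
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port

def parse_forward(direction: str, spec: str) -> Forward:
    """Parse 'port:host:hostport' or 'bind:port:host:hostport' ([ipv6] allowed)."""
    if direction not in ("L", "R"):
        raise ValueError("direction must be 'L' or 'R'")
    fields = [f.strip("[]") for f in re.findall(r"\[[^\]]*\]|[^:]+", spec)]
    if len(fields) == 3:
        fields.insert(0, "")  # no explicit bind address given
    if len(fields) != 4:
        raise ValueError(f"bad forward spec: {spec}")
    bind, port, host, hostport = fields
    return Forward(direction, bind, _port(port), host, _port(hostport))
```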

Windows XP SP2 Patch

Please note that something got broken in Microsoft Windows XP SP2. You must apply a patch, or none of the loopback interfaces will work, including the one required for RDP over SSH.

Comments (32)

  • Comment by Laura — September 22, 2007 @ 5:49 pm

    Help! I’ve tried the above steps and upon reaching the last step under “Securing RDP with SSH tunnel” I am receiving this message when attempting to connect to 127.0.0.1:3390 with the Remote Desktop client:

    “The client could not connect. You are already connected to the console of this computer. A new console session cannot be established.”

    I’m using Windows XP SP2. Thanks =)

  • Comment by Pavel Simakov — September 22, 2007 @ 9:58 pm

    Please use 127.0.0.2:3390 (notice .2, not .1) as article mentions. This is due to changes in TCP loopback interface that occurred in SP2.

  • Comment by Jen — September 25, 2007 @ 8:58 am

    I’m running OpenSSH on a port other than the default of 22. What is the syntax to enable the RDP access and specify the alternate port? Thanks.

  • Comment by Pavel Simakov — September 25, 2007 @ 12:37 pm

    To use the port number other than 22 use this (as article mentions already):
    ssh -p <ssh.port.number> home.username@home.ip.address

  • Comment by Laura — September 26, 2007 @ 9:43 am

    I tried using 127.0.0.2:3390, it still gives me the same error message. I tried leaving the remote computer logged off, and first establishing the OpenSSH session successfully, then running the MS RDP and I get that same message about already being logged into the console. :(

  • Comment by Josh — September 28, 2007 @ 11:56 am

    Laura: QFE from MS resolves this issue:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;884020

  • Comment by Pavel Simakov — October 4, 2007 @ 11:24 pm

    One of the readers suggested great SSH/SFTP tool that avoids the use of command line and has very nice gui. Using this tool the reader was able to setup RDP over SSH. The tool is here: http://www.bitvise.com/tunnelier

  • Comment by Will R — May 5, 2008 @ 4:31 pm

    I’m running a setup where I have a lab with three windows computers behind a router and a unix server that’s functioning as my ssh-server. I log in using PuTTY, type the RDP-listening command (telling it to forward to the lab-internal address of a windows machine), and then attempt to RDP into the computer I’ve specified in the command using 127.0.0.2:3390 as the address.

    I keep getting the error “The client could not connect to the remote computer / Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. / Please try connecting again later.”

    I can connect to the computer outside of the ssh tunnel I’m trying to set up. Have I missed something in the server-side setup (i.e. I need to have the SSH server available immediately on the computer I want to RDP into)?

    Help appreciated greatly.
    -Will

  • Comment by Burhanuddin T. — June 6, 2008 @ 9:41 am

    On My Computer icon, right-click and select Properties. Then, on the Remote tab, ensure that the checkbox “Allow users to connect remotely to this computer” is checked.
    - burhanuddin

  • Comment by Burhanuddin T. — June 6, 2008 @ 9:44 am

    Oh, I just saw that you can connect outside of the ssh tunnel. That means your firewall needs to unblock. On the network icon, right-click and select “Change Firewall Settings”, then Exceptions tab, highlight Remote Desktop,

  • Comment by Burhanuddin T. — June 6, 2008 @ 9:45 am

    … click the Edit button, and “Change Scope” to Any. If all this is already setup correctly then look at the firewall settings of your anti-virus program.

  • Comment by Arched Eyebrow — August 12, 2008 @ 9:52 am

    what you’ve got here is remote port forwarding…. in case you’re looking for local port forwarding… check this out
    http://tripoverit.blogspot.com/2008/08/ssh-port-forwarding-x11-fowarding-rdp.html

  • Comment by eduif — November 6, 2008 @ 5:42 am

    My client PC is a Windows XP SP2 without any patches installed. It did not work with:
    plink.exe -ssh -2 -batch -v -L 127.0.0.2:3390:<Remote Desktop Host>:3389 -pw <password> sshuser@sshserver
    Then use localhost:3390 in the Remote Desktop Application.
    But it did work with:
    plink.exe -ssh -2 -batch -v -L localhost:3390:<Remote Desktop Host>:3389 -pw <password> sshuser@sshserver
    then use localhost:3390 in the Remote Desktop Application.
    This seems the other way around than explained. Can anyone understand what is going on?

  • Comment by Rob — March 12, 2009 @ 4:23 pm

    Windows 7 apparently won’t let you connect to any local IP. I tried several of these workarounds with no love. Only thing that works so far is WiSSH.

  • Comment by Tamas Feher — April 4, 2009 @ 5:16 am

    The recommended SP2 hotfix is obsolete, because Windows XP SP3 is now available and needs a new hotfix package!

  • Comment by John — October 1, 2009 @ 2:14 am

    Awesome post! I established an SSH connection and was trying and trying with Remote Desktop 3389 and couldn’t figure out what was wrong. I saw the article by Microsoft and applied the patch to the client (not sure if the client needed it, but did anyway) and still couldn’t get it to work. Once I used the PuTTY UI to set the source port to 3390 and the destination to <computerName>:3389, it worked!!! Thanks so much! Great site!

  • Comment by cheap computers canada — November 2, 2009 @ 12:40 pm

    What is the syntax to enable the RDP access and specify the alternate port? Thanks.

  • Comment by Jeremy — December 15, 2009 @ 11:39 am

    I have tried everything to connect to a Windows 7 (x64 Pro) box and have absolutely no luck. I have tried connecting from Win XP (SP3) and Windows 7 (RC). I have tried the 127.0.0.2 trick, the 3390 trick, and no go. I know my firewall and SSH setup is working properly because I can tunnel a Bonjour for Windows port so that I can stream stuff over iTunes just fine. I even installed a VNC server and got that to work ok too. Every time I try to connect with Remote Desktop it says “connecting to localhost:3390” and then says “cannot connect”.

  • Comment by Jeremy — December 15, 2009 @ 11:50 am

    Should also add that I used to have Vista x64 and everything worked fine. Only a problem in Windows 7. I have verified my Windows Firewall setup and made sure Remote Desktop is allowed.

  • Comment by Jeffy — December 16, 2009 @ 8:35 pm

    Yep, I got it working great.

    Windows 7 Client / Windows 7 Remote End / Debian SSH server, Added Local 3391 port to the tunnels section of the PuTTY config and set the destination as int.ip.address:3389 and saved the config. Then used remote desktop as 127.0.0.2:3391 and voila.

  • Comment by Steven Roberts — March 3, 2010 @ 10:43 pm

    on windows 7 release localhost:3390 wouldn't work for the port forward but localhost:3391 or :3392 worked just fine. weird.

  • Comment by Kathryn — March 4, 2010 @ 7:51 am

    Hi,
    OK, I got a bit lost reading these posts…(am new to all this..).
    What I want to do is connect FROM Win7 (home/remote location) TO Win XP Professional (office). I will have no desktop PC in my office to create a RDP because my new laptop IS my work PC. So, what I need is to connect externally to the company's network drives and work from them as if they were local.
    Is this SSH thread/idea the solution?
    If not..does anyone how this can be done?

    Many thanks for any advice,
    Kathryn

  • Comment by Mohit Gidwani — April 12, 2010 @ 11:01 am

    @Steven
    I'm trying to connect from Win 7 to a machine running Vista. I tried the 3391 thing you recommended but i'm still not getting through. Is there any other work around for this? (*grumbles*)

  • Comment by Ephram — April 15, 2010 @ 5:36 pm

    I don't think OpenSSH works with Windows 7 x64 properly. I tried installing it and could not get the service to launch. The log files weren't exactly helpful, either.

    I might try setting up a linux box to SSH into and then tunnel to my Windows 7 through that.

  • Comment by max — May 19, 2010 @ 12:04 pm

    windows 7 : local connection to 127.0.0.2:3391 to my.server:3389 was the only thing that finally worked. cheers!

  • Comment by shell Man — July 6, 2010 @ 7:17 am

    umm…
    Beware! there is an error on your post.
    localhost is 127.0.0.1 not 127.0.0.2

    bay and thank for your help.

  • Comment by Technologist — September 6, 2010 @ 3:54 pm

    win7:3390 does not work confirmed here.
    win7:3391 does work.

    Is this a bug or by design (of M$, of course)?

    BTW, this problem occurred on a Win7 workstation with PuTTY (with auth keys & passphrase) towards a virtual W2003 machine running on a Linux host. Linux runs OpenSSH & the VM.

  • Comment by Ben — September 23, 2010 @ 10:24 pm

    I was okay until I got to the tunneling command:

    ssh -R 3390:home.ip.address:3389 -C -N office.username@office.ip.address

    Say, if the client (office computer) is mobile, for example, connected to the wireless network of a hotel, airport, or cafe. Then we have no control over office.ip.address. Can tunneling still be possible?

    Thanks a lot!

  • Comment by awebtech — October 14, 2010 @ 6:40 am

    The lifesaving article: http://tripoverit.blogspot.com/2008/08/ssh-port-forwarding-x11-fowarding-rdp.html

    The main sense is:

    D:\>putty -L 30001:mymac:3389 mysshserver
    D:\>mstsc -v localhost:30001

  • Comment by Stephan — November 10, 2010 @ 6:31 am

    I did not manage to create the tunnel. I have a Linux box which is accessible by ssh from outside using a non-standard port. I now want to forward RDP from a virtual machine which is hosted by a second server in my home network (same subnet). I don't know my "office ip address" because I need to have access from my mobile internet connection.
    So what do I need to do on the Linux box? Is it possible to establish a permanent RDP tunnel by modifying the sshd_config?

  • Comment by Patrick Bergin — January 21, 2012 @ 10:03 am

    This may be a dumb question, but here goes. I couldn't connect (RDP) to my home computer until I allowed RDP traffic at the router.

    Why is that? It seems to me that, since I'm tunneling the RDP traffic, the router wouldn't know anything about that. I would think it would see the port 22 traffic and allow the packets through, to be unencrypted and routed properly by the SSH server.

    Am I missing the whole thing here?

  • Comment by Bill Peckham — February 23, 2013 @ 11:04 am

    I used this on Win7 with no problems. Now that I'm using Win8, it still works, but I get frequent disconnects. Anybody else seeing the same?

    Client: Win8 (RDP from here)
    Server: Ubuntu LTS 12.04 (Tunneled through here)
    Server: Win8 (RDP to here)




  Copyright © 2004-2014 by Pavel Simakov
  Any conclusions, recommendations, ideas, thoughts or source code presented on this site are my own and do not reflect an official opinion of my current or past employers, partners or clients.