Here’s how you can secure your Remote Desktop (RDP) connections with SSH. This can be useful for connecting to your home computer from the office or some other remote location. To make it work, we use an advanced SSH feature: TCP/UDP IP traffic tunneling.
Prerequisites for basic RDP

You’ll need an SSH server installed at home. I’ve used OpenSSH, but any SSH implementation will work. Windows users can use OpenSSH for Windows; Unix (including Mac OSX and Linux) users can use the standard OpenSSH distribution. You can secure SSH by using SSL and various kinds of encryption.
If you’re using a router or firewall at home, make sure to allow incoming connections on the SSH port (port 22 by default).

You’ll also of course need an RDP (Remote Desktop Protocol) client in your office. Windows users can use Microsoft’s Remote Desktop Client that is part of Windows XP. Unix users can use RDesktop.
Ensure that your home computer is set up to accept remote connections for a specific user account. Go to Start > Settings > Control Panel and then double-click the System icon. On the Remote tab, select the Allow users to connect remotely to this computer check box.
And finally, obviously you’ll have to leave your workstation running (though you should log off).
Securing RDP with SSH tunnel

SSH client software such as PuTTY can be used to connect to the home SSH server from the office. From your computer at the office, SSH into the home “SSH Server” with PuTTY or by executing the following command from the prompt:
- ssh -p <ssh.port.number> home.username@home.ip.address
You should now have a command prompt on the home “SSH Server”. From there, execute the following command to enable traffic tunneling:
- ssh -R 3390:home.ip.address:3389 -C -N office.username@office.ip.address
This will tunnel all traffic arriving at port 3390 on office.ip.address (the machine you logged in to as office.username) to destination home.ip.address port 3389. Now, from your computer at the office, use your Remote Desktop client to connect to localhost:3390; this will connect you to the home computer. The Remote Desktop traffic will be tunneled over SSH. If localhost does not work, try 127.0.0.1:3390 on Windows XP SP1, or 127.0.0.2:3390 on Windows XP SP2. This is due to changes in the TCP loopback interface that occurred in SP2.
Securing CVS access with SSH tunnel
You can tunnel other kinds of ports (CVS, for example) the same way. For CVS traffic tunneling, use the following command:
- ssh -R 2402:home.ip.address:2401 -C -N office.username@office.ip.address
This will tunnel all traffic arriving at port 2402 on office.ip.address to destination home.ip.address port 2401. To access the home CVS from the office, connect to localhost:2402.
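An added example (not part of the original article): a shell function that reports which interfaces the listening end of the -R tunnels above ends up on, since that decides whether only the office machine or the whole office network can reach the forwarded RDP or CVS port. GatewayPorts is an OpenSSH sshd_config option the article does not mention; the function name and the wildcard sample spec are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which interfaces the listening side of an
# `ssh -R` forward ends up on, given the forward spec and the GatewayPorts
# value of the sshd that accepts the connection (default "no"; on a live
# server `sshd -T` prints the effective value).
# Spec forms handled: port:host:hostport and bind_address:port:host:hostport
# with IPv4 addresses or hostnames (bracketed IPv6 is not handled).

remote_forward_exposure() {
    spec=$1
    gateway_ports=${2:-no}

    # Two colons: no bind_address. Three colons: bind_address is field one.
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $colons in
        2) bind=localhost ;;          # ssh asks for loopback by default
        3) bind=${spec%%:*} ;;
        *) echo invalid; return 1 ;;
    esac

    case $gateway_ports in
        no)  echo loopback; return 0 ;;        # sshd forces loopback
        yes) echo all-interfaces; return 0 ;;  # sshd forces the wildcard address
        clientspecified) ;;                    # the client's bind_address decides
        *)   echo invalid; return 1 ;;
    esac

    case $bind in
        ''|'*'|0.0.0.0)  echo all-interfaces ;;
        localhost|127.*) echo loopback ;;
        *)               echo specific-address ;;
    esac
}

# The two specs from the article, then a constructed wildcard spec.
for spec in 3390:home.ip.address:3389 2402:home.ip.address:2401 \
            '*:3390:home.ip.address:3389'; do
    for gp in no clientspecified yes; do
        printf '%-30s GatewayPorts=%-16s -> %s\n' \
            "$spec" "$gp" "$(remote_forward_exposure "$spec" "$gp")"
    done
done
```

With the default GatewayPorts setting, both tunnels from the article listen on the office machine's loopback interface only; any result other than loopback means other hosts on the office network can reach the forwarded port.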
Windows XP SP2 Patch
Please note that something got broken in Microsoft Windows XP SP2. You must apply the patch, or none of the loopback interfaces will work, including the one required for RDP over SSH.
Comments (25)
- Comment by Laura — September 22, 2007 @ 5:49 pm
Help! I’ve tried the above steps and upon reaching the last step under “Securing RDP with SSH tunnel” I am receiving this message when attempting to connect to 127.0.0.1:3390 with the Remote Desktop client: “The client could not connect. You are already connected to the console of this computer. A new console session cannot be established.” I’m using Windows XP SP2. Thanks =)
- Comment by Pavel Simakov — September 22, 2007 @ 9:58 pm
Please use 127.0.0.2:3390 (notice .2, not .1) as the article mentions. This is due to changes in the TCP loopback interface that occurred in SP2.
- Comment by Jen — September 25, 2007 @ 8:58 am
I’m running OpenSSH on a port other than the default of 22. What is the syntax to enable the RDP access and specify the alternate port? Thanks.
- Comment by Pavel Simakov — September 25, 2007 @ 12:37 pm
To use a port number other than 22, use this (as the article already mentions):
ssh -p <ssh.port.number> home.username@home.ip.address
- Comment by Laura — September 26, 2007 @ 9:43 am
I tried using 127.0.0.2:3390, it still gives me the same error message. I tried leaving the remote computer logged off, and first establishing the OpenSSH session successfully, then running the MS RDP and I get that same message about already being logged into the console.
- Comment by Josh — September 28, 2007 @ 11:56 am
Laura: QFE from MS resolves this issue: http://support.microsoft.com/default.aspx?scid=kb;en-us;884020
- Comment by Pavel Simakov — October 4, 2007 @ 11:24 pm
One of the readers suggested a great SSH/SFTP tool that avoids the use of the command line and has a very nice GUI. Using this tool the reader was able to set up RDP over SSH. The tool is here: http://www.bitvise.com/tunnelier
- Comment by Will R — May 5, 2008 @ 4:31 pm
I’m running a setup where I have a lab with three windows computers behind a router and a unix server that’s functioning as my ssh-server. I log in using PuTTY, type the RDP-listening command (telling it to forward to the lab-internal address of a windows machine), and then attempt to RDP into the computer I’ve specified in the command using 127.0.0.2:3390 as the address. I keep getting the error “The client could not connect to the remote computer / Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. / Please try connecting again later.”
I can connect to the computer outside of the ssh tunnel I’m trying to set up. Have I missed something in the server-side setup (i.e. I need to have the SSH server available immediately on the computer I want to RDP into)?
Help appreciated greatly.
-Will
- Comment by Burhanuddin T. — June 6, 2008 @ 9:41 am
On My Computer icon, right-click and select Properties. Then, on the Remote tab, ensure that the checkbox “Allow users to connect remotely to this computer” is checked.
– burhanuddin
- Comment by Burhanuddin T. — June 6, 2008 @ 9:44 am
Oh, I just saw that you can connect outside of the ssh tunnel. That means your firewall needs to unblock. On the network icon, right-click and select “Change Firewall Settings”, then Exceptions tab, highlight Remote Desktop,
- Comment by Burhanuddin T. — June 6, 2008 @ 9:45 am
… click the Edit button, and “Change Scope” to Any. If all this is already set up correctly then look at the firewall settings of your anti-virus program.
- Comment by Arched Eyebrow — August 12, 2008 @ 9:52 am
what you’ve got here is remote port forwarding…. in case you’re looking for local port forwarding… check this out
http://tripoverit.blogspot.com/2008/08/ssh-port-forwarding-x11-fowarding-rdp.html
- Comment by eduif — November 6, 2008 @ 5:42 am
My client PC is a Windows XP SP2 without any patches installed. It did not work with:
plink.exe -ssh -2 -batch -v -L 127.0.0.2:3390:<Remote Desktop Host>:3389 -pw <password> sshuser@sshserver
Then use localhost:3390 in the Remote Desktop Application.
But it did work with:
plink.exe -ssh -2 -batch -v -L localhost:3390:<Remote Desktop Host>:3389 -pw <password> sshuser@sshserver
then use localhost:3390 in the Remote Desktop Application.
This seems the other way around than explained. Can anyone understand what is going on?
- Comment by Rob — March 12, 2009 @ 4:23 pm
Windows 7 apparently won’t let you connect to any local IP. I tried several of these work arounds with no love. Only thing that works so far is WiSSH
- Comment by Tamas Feher — April 4, 2009 @ 5:16 am
The recommended SP2 hotfix is obsolete, because Windows XP SP3 is now available and needs a new hotfix package!
- Comment by John — October 1, 2009 @ 2:14 am
Awesome post! I established an SSH connection and was trying and trying with RemoteDesktop 3389 and couldn’t figure out what was wrong. I saw the article by Microsoft and applied the patch to the client (not sure if the client needed it, but did anyway) and still couldn’t get it to work. Once I used the putty UI to set the source port to 3390 and the destination to <computerName>:3389, it worked!!! thanks so much! Great site!
- Comment by cheap computers canada — November 2, 2009 @ 12:40 pm
What is the syntax to enable the RDP access and specify the alternate port? Thanks.
- Comment by Jeremy — December 15, 2009 @ 11:39 am
I have tried everything to connect to a Windows 7 (x64 Pro) box and have absolutely no luck. I have tried connecting from Win XP (SP3) and Windows 7 (RC). I have tried the 127.0.0.2 trick, the 3390 trick, and no go. I know my firewall and SSH setup is working properly because I can tunnel a Bonjour for Windows port so that I can stream stuff over iTunes just fine. I even installed a VNC server and got that to work ok too. Every time I try to connect with Remote Desktop it says “connecting to localhost:3390” and then says “cannot connect”.
- Comment by Jeremy — December 15, 2009 @ 11:50 am
Should also add that I used to have Vista x64 and everything worked fine. Only a problem in Windows 7. I have verified my Windows Firewall setup and made sure Remote Desktop is allowed.
- Comment by Jeffy — December 16, 2009 @ 8:35 pm
Yep, I got it working great. Windows 7 Client / Windows 7 Remote End / Debian SSH server, Added Local 3391 port to the tunnels section of the PuTTY config and set the destination as int.ip.address:3389 and saved the config. Then used remote desktop as 127.0.0.2:3391 and voila.
- Comment by Steven Roberts — March 3, 2010 @ 10:43 pm
on windows 7 release localhost:3390 wouldn’t work for the port forward but localhost:3391 or :3392 worked just fine. weird.
- Comment by Kathryn — March 4, 2010 @ 7:51 am
Hi,
OK, I got a bit lost reading these posts…(am new to all this..).
What I want to do is connect FROM Win7 (home/remote location) TO Win XP Professional (office). I will have no desktop PC in my office to create a RDP because my new laptop IS my work PC. So, what I need is to connect externally to the company’s network drives and work from them as if they were local.
Is this SSH thread/idea the solution?
If not, does anyone know how this can be done?
Many thanks for any advice,
Kathryn
- Comment by Mohit Gidwani — April 12, 2010 @ 11:01 am
@Steven
I’m trying to connect from Win 7 to a machine running Vista. I tried the 3391 thing you recommended but I’m still not getting through. Is there any other work around for this? (*grumbles*)
- Comment by Ephram — April 15, 2010 @ 5:36 pm
I don’t think OpenSSH works with Windows 7 x64 properly. I tried installing it and could not get the service to launch. The log files weren’t exactly helpful, either. I might try setting up a linux box to SSH into and then tunnel to my Windows 7 through that.
- Comment by max — May 19, 2010 @ 12:04 pm
windows 7 : local connection to 127.0.0.2:3391 to my.server:3389 was the only thing that finally worked. cheers!



