{"id":50644,"date":"2023-04-14T14:27:25","date_gmt":"2023-04-14T13:27:25","guid":{"rendered":"https:\/\/ekiwi-blog.de\/50644\/rdp-tunnelling-with-ssh\/"},"modified":"2023-05-01T17:54:38","modified_gmt":"2023-05-01T16:54:38","slug":"rdp-tunnelling-with-ssh","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/50644\/rdp-tunnelling-with-ssh\/","title":{"rendered":"RDP tunnelling with SSH"},"content":{"rendered":"<p>A remote desktop connection (<abbr title=\"Remote Desktop Protocol\/Remote Desktop Connection\">RDP<\/abbr>) is quickly set up, but it should not be exposed directly to the Internet, e.g. via port <em>3389<\/em>, because RDP has known weaknesses and is a popular target for attacks. An alternative is to establish RDP access via <abbr title=\"Secure Shell\">SSH<\/abbr>.<\/p>\n<figure id=\"attachment_51292\" aria-describedby=\"caption-attachment-51292\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-51292\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/rdp-with-ssh-tunnels-architecture-and-network-structure.png\" alt=\"Network architecture\/structure for an RDP tunnel using SSH\" width=\"900\" height=\"152\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/rdp-with-ssh-tunnels-architecture-and-network-structure.png 900w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/rdp-with-ssh-tunnels-architecture-and-network-structure-300x51.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/rdp-with-ssh-tunnels-architecture-and-network-structure-768x130.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><figcaption id=\"caption-attachment-51292\" class=\"wp-caption-text\">Network architecture\/structure for an RDP tunnel using SSH<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"RDP_without_VPN\"><\/span>RDP without VPN<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Common practice, including in many companies, is to use an encrypted <abbr title=\"Virtual Private Network\">VPN<\/abbr> connection for RDP access in order to seal it off from the outside world. This is generally considered to be largely secure.
However, a VPN client is required on the client computer from which the RDP connection is to be initiated. Often the tools built into Windows are not sufficient and a separate VPN client must be installed. This is sometimes difficult if, for example, one does not have the necessary rights on the client computer to install additional software. On the other hand, configuring the VPN connection without the manufacturer's software is often difficult or impossible because there are many different VPN protocols that are not compatible with each other. I have not yet found a VPN client that can be installed as a portable version without admin rights. Therefore, it would be practical to establish a secure RDP connection without using VPN.<\/p>\n<p>This is possible by tunneling the RDP protocol through an SSH connection. At least one <strong>SSH client (PuTTY)<\/strong> is available as a portable version, so it can be installed without admin rights or started from a USB stick.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Setting_up_an_SSH_server_on_the_target_system\"><\/span>Setting up an SSH server on the target system<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>First, you need to install and activate an <a href=\"https:\/\/ekiwi-blog.de\/en\/50447\/set-up-ssh-server-under-windows\/\">SSH server on the target system<\/a>, which I described in a previous article for Windows. To do this, install the OpenSSH server via <strong>&#8220;Optional Features&#8221;<\/strong>. Under <strong>&#8220;Services&#8221;<\/strong> you then have to configure the start-up behavior or start the <strong>SSH server<\/strong>.<\/p>\n<p>My description in this regard is based only on access by password. However, for security reasons, it is recommended to allow SSH connections only with public-key authentication (option &#8220;<em>PubkeyAuthentication<\/em>&#8221;).
Passwords can be spied on or cracked by brute force.<\/p>\n<p>If the SSH connection is to be established externally via the Internet, <em>port 22<\/em> may have to be opened in the router or firewall for incoming connections.<\/p>\n<p>In order for the SSH server to be accessible from outside, the firewall or router must be addressable via a public IP address, a domain name or a DynDNS name.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Switch_on_RDP_on_target_system\"><\/span>Switch on RDP on target system<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In order for an RDP session to be established through the SSH tunnel, <a title=\"enable\/disable remote desktop (RDP) via PowerShell\" href=\"https:\/\/ekiwi-blog.de\/en\/50859\/enable-and-disable-remote-desktop-with-powershell\/\">Remote Desktop must be activated<\/a> on the target system. To do this, proceed as follows:<\/p>\n<ol>\n<li>Call up Windows settings, e.g. by right-clicking on <a title=\"Windows: Disable \u201cSearch the web\u201d in start menu\" href=\"https:\/\/ekiwi-blog.de\/en\/16083\/windows-disable-search-the-web-in-start-menu\/\">the Windows menu<\/a><\/li>\n<li>Select &#8220;System&#8221;<\/li>\n<li>Click on &#8220;Remote Desktop&#8221;<\/li>\n<li>Then activate Remote Desktop<\/li>\n<\/ol>\n<figure id=\"attachment_50607\" aria-describedby=\"caption-attachment-50607\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-50607\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/activate-remote-desktop-for-ssh-1.jpg\" alt=\"Screenshot Window Settings System Remote Desktop\" width=\"650\" height=\"370\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/activate-remote-desktop-for-ssh-1.jpg 650w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/activate-remote-desktop-for-ssh-1-300x171.jpg 300w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><figcaption
id=\"caption-attachment-50607\" class=\"wp-caption-text\">Select &#8220;System&#8221; and click &#8220;Remote Desktop&#8221;<\/figcaption><\/figure>\n<figure id=\"attachment_50611\" aria-describedby=\"caption-attachment-50611\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-50611\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/activate-remote-desktop-for-ssh-2.jpg\" alt=\"screenshot: Turn on remote desktop \" width=\"650\" height=\"368\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/activate-remote-desktop-for-ssh-2.jpg 650w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/activate-remote-desktop-for-ssh-2-300x170.jpg 300w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-50611\" class=\"wp-caption-text\">Enable Remote Desktop<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"Download_and_install_SSH_client_PuTTY\"><\/span>Download and install SSH client (PuTTY)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Once the SSH server and Remote Desktop are set up correctly on the target system, it can be accessed from another system. To do this, you need an SSH client, which is available via PowerShell or also from OpenSSH. We use <a href=\"https:\/\/www.putty.org\/\" target=\"_blank\" rel=\"noopener\">PuTTY as SSH client<\/a>, which can be downloaded <a href=\"https:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>The <a href=\"https:\/\/www.chip.de\/downloads\/PuTTY-Portable_28036335.html\" target=\"_blank\" rel=\"noopener\">portable version<\/a> is available on other sites, such as <em>Chip.de<\/em>.
It can then be saved anywhere without admin rights.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Configure_SSH_client_PuTTY\"><\/span>Configure SSH client PuTTY<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"1st_step_Set_up_session\"><\/span>1st step: Set up session<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The first thing to do is to configure the SSH session. To do this, you need to:<\/p>\n<ol>\n<li>Enter the domain name or IP address of the target system<\/li>\n<li>Enter port 22, unless a different port has been configured on the server side<\/li>\n<li>Select &#8220;<em>SSH<\/em>&#8221; as &#8220;<em>Connection type<\/em>&#8221;<\/li>\n<li>Now you can give the session a name and save it for reuse (button &#8220;<em>Save<\/em>&#8221;)<\/li>\n<\/ol>\n<figure id=\"attachment_50618\" aria-describedby=\"caption-attachment-50618\" style=\"width: 448px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-50618\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/putty-configure-session.jpg\" alt=\"Screenshot PuTTY - Configure Session\" width=\"448\" height=\"433\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/putty-configure-session.jpg 448w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/putty-configure-session-300x290.jpg 300w\" sizes=\"auto, (max-width: 448px) 100vw, 448px\" \/><figcaption id=\"caption-attachment-50618\" class=\"wp-caption-text\">Configure domain name and port for the PuTTY session<\/figcaption><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"2nd_step_configure_tunnel_in_PuTTY\"><\/span>2nd step: configure tunnel in PuTTY<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Next, in the tree structure on the left, go to &#8220;<em>Connection<\/em>&#8221; \u2b9e &#8220;<em>SSH<\/em>&#8221; \u2b9e &#8220;<em>Tunnels<\/em>&#8221;. Here you configure the port forwarding within the tunnel.
Under &#8220;<strong>Source Port<\/strong>&#8221; you select a more or less arbitrary port; here <strong>Port 1024<\/strong> was selected. This port is then used in the fourth step to establish the RDP connection.<\/p>\n<figure id=\"attachment_50622\" aria-describedby=\"caption-attachment-50622\" style=\"width: 452px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-50622\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/putty-configure-tunnel.jpg\" alt=\"Screenshot configuring RDP tunnel with port forwarding\" width=\"452\" height=\"435\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/putty-configure-tunnel.jpg 452w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/putty-configure-tunnel-300x289.jpg 300w\" sizes=\"auto, (max-width: 452px) 100vw, 452px\" \/><figcaption id=\"caption-attachment-50622\" class=\"wp-caption-text\">Configuring RDP tunnel with port forwarding<\/figcaption><\/figure>\n<p>Under &#8220;<strong>Destination<\/strong>&#8221; you enter the local or private <strong>IP address<\/strong> of the destination computer together with the <strong>RDP port 3389<\/strong>. This is the IP address of the computer on which the SSH server is running and Remote Desktop has been activated. In this example, the computer is in a private network and therefore has a private IP address. If a different RDP port has been configured, this must be adapted here accordingly.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"3_step_Establish_SSH_connection\"><\/span>3rd step: Establish SSH connection<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>After you have made all settings, you can open the SSH connection.
To do this, go back to <strong>Session<\/strong> in the tree structure, select the desired session and <strong>click the &#8220;Open&#8221;<\/strong> button.<\/p>\n<figure id=\"attachment_50626\" aria-describedby=\"caption-attachment-50626\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-50626\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/putty-open-session-and-connect.jpg\" alt=\"Screenshot PuTTY Enter username and password to establish SSH connection\" width=\"600\" height=\"165\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/putty-open-session-and-connect.jpg 600w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/putty-open-session-and-connect-300x83.jpg 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><figcaption id=\"caption-attachment-50626\" class=\"wp-caption-text\">Establish SSH connection<\/figcaption><\/figure>\n<p>Now you have to enter the login data.<\/p>\n<ul>\n<li><em><strong>login as:<\/strong><\/em> This is the username of the Windows user account on the target computer where the SSH server is running<\/li>\n<li><em><strong>password:<\/strong><\/em> This is the password associated with the user account on the target computer<\/li>\n<\/ul>\n<p>A message may appear stating that the authenticity of the host system could not be determined and that the key is not known.<\/p>\n<pre>The authenticity of host [...] cannot be established.\r\nThis Key is not known by any other names.[...]<\/pre>\n<p>If you are sure about the connection, you can confirm it with <strong>&#8220;yes&#8221;<\/strong>. Then the computer is added to the list of known hosts.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"4th_Step_Establish_Remote_Desktop_Connection\"><\/span>4th Step: Establish Remote Desktop Connection<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The last step is to establish the RDP connection.
To do this:<\/p>\n<ol>\n<li>Enter &#8220;<em>RDP<\/em>&#8221; in the Windows menu and open the <strong>Remote Desktop Connection<\/strong> app.<\/li>\n<li>For &#8220;<em>Computer<\/em>:&#8221; enter the local <strong>IP address 127.0.0.1<\/strong> followed by the local <strong>port 1024<\/strong> configured in PuTTY.<\/li>\n<li>For <em>username:<\/em> enter the <strong>computer name<\/strong> of the target system followed by the <strong>username<\/strong> of the target system, separated by a backslash.<\/li>\n<\/ol>\n<figure id=\"attachment_50640\" aria-describedby=\"caption-attachment-50640\" style=\"width: 394px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-50640\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/configure-remote-desktop-connection.jpg\" alt=\"Screenshot configuration of remote desktop connection\" width=\"394\" height=\"482\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/configure-remote-desktop-connection.jpg 394w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2023\/04\/configure-remote-desktop-connection-245x300.jpg 245w\" sizes=\"auto, (max-width: 394px) 100vw, 394px\" \/><figcaption id=\"caption-attachment-50640\" class=\"wp-caption-text\">Set RDP connection to local IP<\/figcaption><\/figure>\n<p>If everything has worked, you can now click on the <strong>&#8220;Connect&#8221; button<\/strong> and the RDP session will open.
You can start working directly as if you were sitting in front of the computer of the target system itself.<\/p>","protected":false},"excerpt":{"rendered":"<p>A remote desktop connection (RDP) is quickly set up, but it should not be operated openly from the outside via<\/p>\n","protected":false},"author":2,"featured_media":13851,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1555],"tags":[2870,2871,2869,2872,2868,2834,2838,2068],"class_list":["post-50644","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software-en","tag-rdp-en","tag-remote-en","tag-remote-access","tag-remote-desktop-en","tag-remote-desktop-connection","tag-secure-shell-en","tag-ssh-en","tag-windows-en-2"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/50644","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=50644"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/50644\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/13851"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=50644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categories?post=50644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/tags?post=50644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}