
Connect to Windows RDP over SSH

It’s much safer to expose a Linux computer to the Internet than a Windows desktop computer. But I have a primary Windows computer at home that I like to access even when I’m not home, for example to log in to online banking or send a file.

Before I was proficient at Linux system administration, I opened a random port number on my router (security through obscurity) and redirected it to the standard port 3389 for Windows Remote Desktop (RDP), so I could use Remote Desktop from my phone or laptop to use my home computer. That was a poor security choice: a port scan finds the odd port in seconds, and behind it sat the Windows RDP service itself, directly on the Internet. I can now connect to Windows computers on my home network with only one port open, for SSH to a single Linux computer on my home network.

Once I started using SSH to tunnel into my Linux computers and connect to them with VNC, I realized the tunnel did not have to end at the Linux computer: it could continue from there to another computer on the LAN. Side note: I have VNC configured to accept connections only from localhost, so no one on my LAN can reach the Linux computers’ VNC servers unless they come in over SSH.

To connect to my Linux computer, my router forwards port 54321 to the standard port 22 for SSH. This lets me control the computer over SSH or use a tunnel for VNC. The tunnel is configured so that traffic to port 5900 on my device goes to port 5900 on the Linux computer.

At some point I noticed I was specifying localhost as the destination of the tunnel, which suggested I could put a different computer’s hostname there and connect to it instead. I am still going through the same Linux computer, but directing the traffic to a different computer on the LAN.
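Once the Linux computer forwards tunnels to other hosts on the LAN, anyone who gets an SSH session on it (a stolen key, a weak password) can use it as a jump host to every port on the network. The sshd_config fragment below is an added example, not configuration from the original post: it restricts the SSH server on the Linux computer to exactly the two destinations this post uses (VNC on the host itself and RDP on windowscomputer.lan) and turns off the forwarding features the setup does not need. Hostnames and ports come from the post; that this login is used for nothing but tunnels is an assumption.

```sshconfig
# /etc/ssh/sshd_config on the Linux computer (added example, not from the post)
# Assumes this account is used only to open the two tunnels described above.

# Only -L style (client-to-server) forwards; nobody may open -R listeners
# back into the LAN through this host.
AllowTcpForwarding local

# Pin the destinations a tunnel may open. sshd compares the host string the
# client asked for, so list the spelling the client uses ("localhost", not
# 127.0.0.1, if the tunnel says localhost).
PermitOpen localhost:5900 127.0.0.1:5900 windowscomputer.lan:3389

# Nothing else is needed for a tunnel-only login.
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# The port is reachable from the Internet: keys only, no root login.
PasswordAuthentication no
PermitRootLogin no
```

The same restriction can be attached to one key instead of the whole server with `permitopen="windowscomputer.lan:3389",permitopen="localhost:5900"` at the front of that key’s line in `~/.ssh/authorized_keys`. Reload sshd afterwards (`sudo systemctl reload ssh` on Debian/Ubuntu) and, to confirm the VNC side note above, run `ss -ltnp` on the Linux computer: the port 5900 listener should show `127.0.0.1:5900`, not `0.0.0.0:5900` or `*:5900`.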

When I’m away from home and on my Windows laptop, I use KiTTY to make my SSH connections. The Host Name I connect to is the domain name I’ve registered for this purpose; the same host also serves files using mysecureshell and hosts a web server at home. Let’s call it example.com for now. I configured the No-IP dynamic DNS service in my router’s settings to make sure that domain name always points at my home network.

The port number is the same as when I use SSH (and VNC) for the Linux computer: example.com:54321. Then I set up the tunnel with source port 3388, destination hostname windowscomputer.lan, and destination port 3389.

After connecting to the Linux computer with KiTTY, I point the Windows RDP client at localhost:3388, which goes through the tunnel to the Windows computer on my home network.

You can’t use 3389 as the source port: when the Windows RDP client connects to localhost:3389 it is talking to the laptop’s own Remote Desktop port, not the tunnel (and if Remote Desktop is enabled on the laptop, that port is already taken, so the tunnel listener can’t bind to it either). Point the Windows RDP client at localhost:3388 instead (or whichever port number you chose when you created the tunnel).
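The KiTTY fields above map one-to-one onto OpenSSH client options, and Windows 10 and later ship an `ssh` client, so the whole procedure can also be written as a config file on the laptop. This is an added example, not configuration from the original post: example.com, port 54321, the VNC forward on 5900, the RDP forward 3388 to windowscomputer.lan:3389 and the reason for not using 3389 all come from the post; the login name `remoteuser` and the key file name are assumptions.

```sshconfig
# %USERPROFILE%\.ssh\config on the Windows laptop (added example, not from the post)
# Login name and key file are assumptions; everything else is from the post.
Host home
    HostName example.com
    Port 54321
    User remoteuser
    IdentityFile ~/.ssh/home_ed25519

    # VNC on the Linux computer itself. Binding the listener to 127.0.0.1
    # keeps other machines on whatever network the laptop is on from
    # riding the tunnel.
    LocalForward 127.0.0.1:5900 localhost:5900

    # RDP to the Windows desktop, through the Linux computer. The local side
    # is 3388 because localhost:3389 is the laptop's own Remote Desktop port.
    LocalForward 127.0.0.1:3388 windowscomputer.lan:3389

    # Fail loudly if a listener cannot be bound (e.g. 5900 already in use),
    # instead of silently connecting with no tunnel.
    ExitOnForwardFailure yes

    # Keep the tunnel alive across idle stretches in an RDP session.
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

Open the tunnels with `ssh -N home` (`-N` means no shell, just the forwards), then start the Remote Desktop client with `mstsc /v:localhost:3388`, and a VNC viewer with `localhost:5900` for the Linux computer. If the server side is restricted with `PermitOpen`, the destination spelling in `LocalForward` has to match what the server allows, since sshd compares the host string as sent rather than resolving it.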