Every so often I find myself away from home and needing to use Remote Desktop over an unsecured wireless network. The Remote Desktop Protocol implemented in Windows 7 has made significant improvements in security over previous versions, but I still like to tunnel the Remote Desktop session through an SSH connection for the extra security. Tunneling means that data sent to a local port is forwarded through an SSH connection to a remote port. In the case of Remote Desktop, once the SSH connection and tunnel are established, the Remote Desktop connection is made to <localhost>:<port> instead of <remote host>:<port>. SSH listens for data on that local port and forwards it through the tunnel to the specified port on the remote host.
Before continuing, you’ll need
- SSH server on your remote Windows machine
- SSH client on the local machine
The rest of this article assumes you’ve got these components installed and working. I use copssh for an SSH server on Windows 7, and I use PuTTY for an SSH client on my local Windows 7 machine. With the server and client working, there are two simple steps to tunneling Remote Desktop over SSH: establish the tunnel, then establish the Remote Desktop connection.
Establishing the SSH Tunnel
In PuTTY, set up your session like normal then go to the Connection > SSH > Tunnels screen:
Set the source port to 3391, and set the destination to <hostname>:3389 (e.g. google.com:3389, or equivalently 66.102.7.99:3389). Leave “Local” and “auto” selected. Click Add. (I’m using google.com here purely as an example, not because it is a useful destination.)
Important: note the source port is 3391, not 3390 as is typically used in many tutorials around the web. Windows 7 blocks Remote Desktop connections to localhost:3390. The source port can be almost any unused port, so feel free to try something else if 3391 is already in use on your system. (But note that 3389 is the default Remote Desktop port, so do not change that number unless you know what you’re doing.)
The added tunnel should look something like this:
This means that the SSH connection will listen for data on local port 3391 and forward it through the SSH server to port 3389 on google.com.
Now, open the SSH connection (click Open). A PuTTY terminal will open; you can minimize it or use it as needed, but we won’t need it any more for this tutorial. The simple fact that it’s present means that an SSH connection has been established between your local system and the remote host, and the tunnel is open.
Establishing the Remote Desktop Connection
Now that the tunnel has been opened between the local host port 3391 and remote host port 3389, we can start the Remote Desktop connection. Instead of typing the remote host name in the Remote Desktop connection window, type localhost:3391.
Hit Connect, and that’s it! Barring any unforeseen problems (see below for some tips on troubleshooting), you’ll be enjoying a Remote Desktop Connection to a remote computer tunneled securely through an SSH connection. This means all data transmitted and received over the course of interacting with the Remote Desktop session is protected by all the security measures inherent in the SSH protocol. It’s not impenetrable, but it’s better than RDP alone.
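The two steps above as a single script, added here as an example and not part of the original post: it uses PuTTY's command-line client plink instead of the GUI, checks that the local port is really listening before launching Remote Desktop, and tears the tunnel down when the session ends. It assumes plink.exe is on the PATH, that you have connected to the server once interactively so its host key is already cached, and that the user name and optional .ppk key file are your own.

```powershell
# rdp-over-ssh.ps1  (example script; not part of the original article)
# Assumes: PuTTY's plink.exe is on PATH, the SSH server on $RemoteHost has
# already been connected to once interactively (so its host key is cached),
# and authentication uses a key loaded in Pageant or the .ppk given here.
param(
    [Parameter(Mandatory = $true)] [string] $RemoteHost,   # machine running the SSH server (e.g. copssh)
    [Parameter(Mandatory = $true)] [string] $User,
    [string] $KeyFile   = "",                               # optional path to a .ppk private key
    [int]    $LocalPort = 3391,                             # same local port the article uses
    [int]    $RdpPort   = 3389                              # default Remote Desktop port
)

function Test-LocalPort {
    # Returns $true when something accepts TCP connections on 127.0.0.1:$Port.
    param([int] $Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect("127.0.0.1", $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

if (Test-LocalPort $LocalPort) {
    throw "Local port $LocalPort is already in use; pick another with -LocalPort."
}

# -N: no remote shell, tunnel only.  -batch: never prompt, so an unknown host key aborts
# instead of being accepted blindly.  -L: listen on 127.0.0.1:$LocalPort and forward to
# $RdpPort on the SSH server itself ("localhost" is resolved on the remote side).
$plinkArgs = @("-ssh", "-N", "-batch", "-L", "127.0.0.1:${LocalPort}:localhost:${RdpPort}")
if ($KeyFile) { $plinkArgs += @("-i", "`"$KeyFile`"") }
$plinkArgs += "$User@$RemoteHost"
$plink = Start-Process -FilePath "plink.exe" -ArgumentList $plinkArgs -PassThru -WindowStyle Hidden

try {
    # Wait up to 20 s for the listener to appear before launching Remote Desktop.
    $deadline = (Get-Date).AddSeconds(20)
    while (-not (Test-LocalPort $LocalPort)) {
        if ($plink.HasExited)         { throw "plink exited early (exit code $($plink.ExitCode))." }
        if ((Get-Date) -gt $deadline) { throw "Tunnel did not come up on port $LocalPort." }
        Start-Sleep -Milliseconds 500
    }
    # Connect Remote Desktop to the local end of the tunnel and wait until it closes.
    Start-Process -FilePath "mstsc.exe" -ArgumentList "/v:localhost:$LocalPort" -Wait
}
finally {
    # Tear the tunnel down so the forwarded port does not linger after the session.
    if (-not $plink.HasExited) { Stop-Process -Id $plink.Id -Force }
}
```

Run it as `.\rdp-over-ssh.ps1 -RemoteHost <hostname> -User <user>`; if plink exits immediately, run the same plink command by hand without -batch to see the host-key or authentication prompt it was refusing to answer.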
Suggestions for Troubleshooting
If you run into problems, these are some likely culprits:
- Firewall – if there is a problem, this is often the source. Make sure you can successfully connect to the remote SSH server using the SSH client on the local machine (this requires port 22 to be open). Also make sure you can establish a Remote Desktop connection to the remote machine (port 3389). If you can do both of these, then the firewall is not the problem.
- Try a different local port – there is always the possibility that port 3391 on the local machine is used for something else. Try changing it to some other unused port.
- Make sure Remote Desktop is available and enabled – only the Professional and Ultimate versions of Windows 7 will serve Remote Desktop connections (other versions may have just the client for connecting to other machines). Additionally, Windows 7 disables Remote Desktop by default. From the Start menu, right-click on Computer, click Properties, then click Remote Settings. You may also have to explicitly modify the Windows 7 Firewall to allow Remote Desktop (i.e. open port 3389).