SSH Tunnel – Setting Up SSH Tunnel for Remote Desktop via Intermediary Server

PROXYremote desktopssh-tunnel

I've seen many examples of SSH tunnels on the nets, but I'm still having no luck with this. Here's the setup:

Windows 7 PC in a private network, sitting behind a firewall, with PowerShellInsider SSH server set up and working fine.
Public access Linux server, which has access to the PC.
Windows 7 laptop, at home, from which I wish to do remote desktop on the PC.

Now, here's what I've tried so far:

SSH tunnel from my laptop to the Linux server: ssh -f my_user@LINUX_SERVER -L 6666:LINUX_SERVER_IP:6666 -N
SSH to the Linux server where I've set up a tunnel to the PC: ssh -f 'PRIVATE_DOMAIN\my_user'@PC_NAME -L 6666:PC_IP:3389 -N

Unfortunately, I must be doing something wrong, because it doesn't seem to work. Any ideas why or, at least, any suggestions on how can I try to debug this setup? At the moment, I have access to all 3 machines (non-root on Linux), so I can test whatever I want…

Best Answer

This is what I do when I have a very similar problem (but mine is Linux via Linux and I use port 5901 for VNC):

First, we make it so that all connections to localhost:13389 on your laptop will go to the intermediate server (on port 3389):

laptop$ ssh -L 13389:localhost:3389 my_user@LINUX_SERVER_IP

Then, we make it so it that all connection to localhost:3389 on the intermediate server are forwarded to the PC behind the firewall (on port 3389):

my_user@LINUX_SERVER_IP$ ssh -L 3389:localhost:3389 'PRIVATE_DOMAIN\my_user'@PC_NAME

(note that this command is run inside the interactive shell on the intermediate server.)

Now, you should be able to connect to localhost:13389 and access port 3389 on the remote PC.

Debugging

Since it isn't working, there's a few things we can try. We'll do in a way to isolate where the issue is:

On the remote PC you want to access, can you telnet localhost 3389 to ensure it's open and ready for connections? Microsoft has a nice article on it
If that works, can you try to execute telnet localhost 3389 on the intermediate server to check it's forwarding correctly to the remote PC?
Finally, telnet localhost 13389 on your laptop, to see if it's forwarding all the way through.

As soon as you hit an error stop there and please add a comment so we figure it out.

Related Solutions

SSH Tunnel for Remote Desktop via Intermediary Server Part II

I ran into the same black screen + disconnect problem myself today, using putty as my client. I did find a solution eventually.

I switched from putty to bitvise tunnelier, and setup a S2C connection with the following settings:

listen if:0.0.0.0
listen port:13389
destination host:localhost
dest port:3389

As chance would have it, I'm using bitvise ssh server on my server, so this may just be a happy combination for two products made by the same vendor. It would be great if this solves the problems for others.

For the record, I'm not affiliated with these guys in any way.

Linux – SSH Connection through a Reverse (Remote) SSH Tunnel

What you're referring is "SSH REMOTE FORWARDING", and is properly explained in the "man ssh", regarding the "-R" option.

> man ssh
[...]
 -R [bind_address:]port:host:hostport
    Specifies that the given port on the remote (server) host is to 
    be forwarded to the given host and port on the local side.
    This works by allocating a socket to listen to port on the remote 
    side, and whenever a connection is made to this port, the
    connection is forwarded over the secure channel, and a connection is 
    made to host port hostport from the local machine.
    [...]

In your context, where:

a Linux box A (LINUX_BOX_A) inside a LAN behind a firewall.
a Linux server B (SERVER_B) with a fixed IP that is accessible from the internet

SSH remote forwarding can be used to reach LINUX_BOX_A from SERVER_B. The only condition is: LINUX_BOX_A MUST be able to connect via SSH to SERVER_B.

To achieve this goal you need:

on LINUX_BOX_A:

LINUX_BOX_A:~ $ ssh -R 2222:localhost:22 user@SERVER_B

this will open an ssh connection from LINUX_BOX_A to SERVER_B that will be used for the remote, incoming, connection.

After above ssh connection is established, you can:

on SERVER_B:

SERVER_B:~ $ ssh -p 2222 user@localhost

such ssh-connection, launched on SERVER_B, will be directed to the 2222 port listening on localhost that... is binded to the previous ssh connection. So this will be an "ssh connection within another ssh connection".

Some additional notes:

consider that if the first ssh-connection will timeout and/or fall down for whatever reason (including: killed by local firewall, due to inactivity), you'll be unable to remote-forward/remotely_connect;
as it's important to leave the first ssh connection active for really long time, you might find useful to launch such ssh within a "screen" session

A final note: Obviously, all of the above has some (potentially serious) security implications that are out of scope of this answer.

Best Answer

Debugging

Related Solutions

SSH Tunnel for Remote Desktop via Intermediary Server Part II

Linux – SSH Connection through a Reverse (Remote) SSH Tunnel

Related Topic