You can use the built-in OpenSSH server on Windows to forward ports over an SSH tunnel (SSH tunneling). Port forwarding in SSH allows you to tunnel (forward) application ports from your local computer to a remote server and vice versa. Port forwarding over SSH tunnels is widely used in Linux/Unix environments, and now you can take advantage of this feature on Windows as well. In this example, we will show how to tunnel RDP connection traffic over OpenSSH on a Windows Server host.
What is SSH tunneling?
An SSH tunnel provides a secure, encrypted TCP connection between a local host and a remote SSH server. SSH port forwarding allows you to tunnel a connection from a local port on your local machine over SSH to any TCP port on a remote server (or vice versa).
Port forwarding in an SSH tunnel is used to:
- bypass a firewall;
- open backdoors into private networks;
- replace a VPN in secure remote connection scenarios;
- protect the traffic of legacy applications (protocols) that transmit data in clear text (without encryption).
Only TCP traffic/ports can be forwarded over SSH tunnels (the UDP and ICMP protocols are not supported).
SSH tunneling is mostly used in scenarios where you need to connect to a remote computer behind a firewall. For example, you have a Windows server with only the SSH port (TCP 22) open. All other ports are blocked by a hardware firewall or by Windows Defender Firewall. Your task is to connect to the Windows Server using an RDP client. This would seem impossible because the Remote Desktop port 3389 is blocked by the firewall. However, you can reach any port on the remote host through an SSH tunnel.
Here are the typical usage scenarios for SSH tunneling:
- local TCP forwarding: a local port is forwarded to a remote server;
- remote TCP forwarding: a remote port is forwarded to a local computer;
- double SSH tunnel: allows you to connect computers that have no dedicated public IP address or sit behind NAT/firewall via an SSH server (if an OpenVPN solution is not applicable).
Securing RDP with SSH tunnel (local TCP forwarding)
In this mode, you create a local TCP port on your computer. All connections to this port are forwarded through the SSH tunnel to the specified port on the remote server. In this example, we will create local port 8888, and connections to it will be redirected to RDP port 3389 on a remote Windows host. The general connection diagram looks like this:
We need an SSH client for port forwarding. You can use third-party clients (such as PuTTY), but I would use the built-in SSH client on Windows. Run the following command in the PowerShell console to find and install the OpenSSH client capability on Windows 10/11 or Windows Server 2022/2019:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Client*' | Add-WindowsCapability -Online
To create an SSH tunnel to the remote host 192.168.1.90, run the command (replace username with your account on the SSH server):
ssh -L 8888:192.168.1.90:3389 username@192.168.1.90
The following connection string format is used in this example: LOCAL_PORT:DESTINATION_IP:DESTINATION_PORT
and USERNAME@SSH_SERVER_IP
(the username and address of the remote SSH server).
To run the SSH tunnel in the background, add the -f parameter.
To connect to a remote desktop via an SSH tunnel, you need to connect to your computer’s local port 8888 using the RDP client (mstsc.exe):
127.0.0.1:8888
Log in to the remote computer and work securely in the RDP session. On the Windows host you can use the Get-NetTCPConnection cmdlet or the TCPView tool to verify that the RDP connection was established locally (the RDP connection was initiated by the SSH server, sshd, running on that host):
Get-NetTCPConnection -State Established | where {$_.LocalPort -eq 3389} | fl
A direct connection to the RDP port from your computer is still blocked by the firewall:
Test-NetConnection 192.168.1.90 -Port 3389
TcpTestSucceeded : False
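As an added example (not from the original article) of the check above, run on the Windows RDP/SSH host: it lists the established RDP sessions and tells tunneled ones (peer is the local sshd on loopback) apart from direct connections that reached port 3389 without SSH. Port 3389 comes from the article; no other names are assumed.

```powershell
# Added example, not from the original article. Run on the Windows host that
# accepts both SSH and RDP. For each established connection to the RDP port,
# find the process on the other end: a loopback peer owned by sshd.exe means
# the session came through the SSH tunnel; anything else reached 3389 directly.
function Get-RdpSessionOrigin {
    param([int]$RdpPort = 3389)
    Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $conn = $_
            $peer = $null
            if ($conn.RemoteAddress -in @('127.0.0.1', '::1')) {
                # The outbound half of the loopback pair: its local port is our
                # remote port and its remote port is 3389.
                $peer = Get-NetTCPConnection -LocalPort $conn.RemotePort -RemotePort $RdpPort `
                            -State Established -ErrorAction SilentlyContinue |
                        Select-Object -First 1
            }
            $peerProc = $null
            if ($peer) {
                $peerProc = (Get-Process -Id $peer.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
            if ($peerProc -eq 'sshd')  { $origin = 'SSH tunnel' }
            elseif ($peer)            { $origin = 'local process (not sshd)' }
            else                      { $origin = 'direct (bypasses tunnel)' }
            [pscustomobject]@{
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                PeerProcess   = $peerProc
                Origin        = $origin
            }
        }
}

# A "direct" row means TCP 3389 is reachable from the network without SSH;
# review the firewall rules if only tunneled RDP is intended.
Get-RdpSessionOrigin | Format-Table -AutoSize
```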
Other computers on your local network can also use this tunnel to connect to the RDP server at the same time, even if direct connections (both via SSH and via RDP) are not allowed for them. To do this, they must use an RDP client to connect to port 8888 on your computer (the one running the SSH tunnel):
mstsc.exe /v 10.10.1.220:8888
Securing an RDP connection with an SSH tunnel can be a good VPN alternative for accessing public Windows hosts. In this case, you do not need to open the RDP/3389 port directly on the Windows host. It is enough to open only the SSH/22 port, which protects you from RDP brute-force attacks and from the exploitation of RDP 0-day vulnerabilities.
To automate the connection with a saved SSH password, install sshpass in Ubuntu WSL:
$ sudo apt-get -y install sshpass
Run the Remote Desktop Connection client (mstsc.exe) and save the connection settings to the localhost-3389.rdp file:
Computer: localhost:8888
User name: remoteusername
To automatically connect to the remote RDP host with a saved SSH password, use the following .bat file (replace username with your account on the SSH server):
start /min wsl sshpass -p "password" ssh -L 8888:192.168.31.90:3389 username@192.168.31.90
powershell sleep 5
start mstsc C:\script\localhost-3389.rdp
Or (preferably) set up SSH key authentication.
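As an added example (not from the original article), here is the same automation done in PowerShell with key authentication instead of a password stored in a batch file: it starts the tunnel hidden, waits until local port 8888 is listening, launches mstsc through it and closes the tunnel when the RDP session ends. The user name rdpuser and the key path are placeholders; 192.168.1.90 and port 8888 come from the article.

```powershell
# Added example, not from the original article: open the RDP-over-SSH tunnel
# with key authentication, wait until the local port listens, start mstsc
# through it and close the tunnel when the RDP session ends.
# Assumptions: user "rdpuser" and the key path are placeholders;
# 192.168.1.90 and local port 8888 come from the article.
function Connect-RdpOverSsh {
    param(
        [string]$SshHost    = '192.168.1.90',
        [string]$SshUser    = 'rdpuser',                               # placeholder
        [string]$KeyPath    = "$env:USERPROFILE\.ssh\id_ed25519",      # placeholder
        [int]   $LocalPort  = 8888,
        # Destination as seen by sshd on the server, i.e. its own loopback.
        # The article uses the server's LAN address; sshd reaches both locally.
        [string]$RdpTarget  = '127.0.0.1:3389',
        [int]   $TimeoutSec = 15
    )
    # -N: no remote shell, only the forward. BatchMode=yes refuses interactive
    # password prompts, so a missing or unauthorised key fails fast instead of
    # hanging in a hidden window. ExitOnForwardFailure=yes makes ssh quit if
    # the local port is already in use.
    $sshArgs = "-N -i `"$KeyPath`" -o BatchMode=yes -o ExitOnForwardFailure=yes " +
               "-L ${LocalPort}:${RdpTarget} ${SshUser}@${SshHost}"
    $ssh = Start-Process -FilePath 'ssh.exe' -ArgumentList $sshArgs `
                         -WindowStyle Hidden -PassThru
    try {
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        # Poll until ssh has bound the listener; bail out if ssh died first.
        while (-not (Get-NetTCPConnection -LocalPort $LocalPort -State Listen `
                                          -ErrorAction SilentlyContinue)) {
            if ($ssh.HasExited) {
                throw "ssh exited with code $($ssh.ExitCode) before the tunnel came up"
            }
            if ((Get-Date) -gt $deadline) {
                throw "no listener on port $LocalPort after $TimeoutSec seconds"
            }
            Start-Sleep -Milliseconds 500
        }
        # mstsc only ever talks to the local tunnel endpoint; TCP 3389 on the
        # server stays closed to the network.
        Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait
    }
    finally {
        # Do not leave an unused listener behind once the session is over.
        if (-not $ssh.HasExited) { Stop-Process -Id $ssh.Id -Force }
    }
}

Connect-RdpOverSsh
```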
How to create an SSH tunnel with PuTTY on Windows?
Here is how to create the same SSH tunnel on Windows using the popular PuTTY client:
- Run PuTTY and navigate to Connection > SSH > Tunnels;
- specify the local port number in the Source port field (in our example, it is 8888);
- specify the IP address of the SSH server and the port on the remote host to forward connections to in the Destination field:
192.168.31.90:3389
- select Local as the destination type and click Add;
- to avoid opening a shell on the remote host when connecting through the tunnel, enable the Don't start a shell or command at all option in the SSH section;
- return to the Session tab, specify the name or IP address of the remote SSH host and the connection port number (22 by default). Enter a name in the Saved Sessions field and click Save;
- you can now start the SSH tunnels saved in PuTTY directly from the Windows 10 taskbar.
Remote TCP Forwarding (Reverse SSH) to a local computer
There is another SSH tunneling use case: remote TCP forwarding. You can allow a remote server to access a local port on your computer, or a port on another computer on your local network, through an SSH tunnel. For example, you want an external server (192.168.1.90) to access your intranet site (not published on the Internet). To create a reverse tunnel, use the following command (replace username with your account on the SSH server):
ssh -R 8080:internalwww:80 username@192.168.1.90
Now, to access the internal website from the remote SSH server, simply type the address http://localhost:8080 in the browser.
netsh interface portproxy command.
With SSH tunnels, you can create port forwarding chains. You can enable or disable SSH tunneling in the OpenSSH server configuration file (sshd_config) using the following directives:
AllowStreamLocalForwarding yes
AllowTcpForwarding remote
PermitTunnel no
These configuration directives are not available in the current version of OpenSSH for Windows.