Tunneling Remote Desktop over SSH in Windows 7


Every so often I find myself away from home and needing to use Remote Desktop over an unsecured wireless network.  The Remote Desktop Protocol implemented in Windows 7 has made significant improvements in security over previous versions, but I still like to tunnel the Remote Desktop session through an SSH connection for the extra protection.  Tunneling means that data sent to a local port is forwarded through the SSH connection to a port on a remote machine.  In the case of Remote Desktop, once the SSH connection and tunnel are established, the Remote Desktop connection is made to <localhost>:<port> instead of <remote host>:<port>.  SSH listens for data on that local port and forwards it through the encrypted tunnel to the specified port on the remote host.

Before continuing, you’ll need

  1. SSH server on your remote Windows machine
  2. SSH client on the local machine

The rest of this article assumes you’ve got these components installed and working.  I use copssh for an SSH server on Windows 7, and I use PuTTY for an SSH client on my local Windows 7 machine.  With the server and client working, there are two simple steps to tunneling Remote Desktop over SSH: establish the tunnel, then establish the Remote Desktop connection.

Establishing the SSH Tunnel

In PuTTY, set up your session like normal then go to the Connection > SSH > Tunnels screen:


Setting up a tunnel in PuTTY

Set the source port to 3391, and set the destination to <hostname>:3389 (e.g. google.com:3389, or equivalently 66.102.7.99:3389).  Leave “Local” and “Auto” selected.  Click Add.  (I’m using google.com here instead of any useful domain just as an example.)  Note that the destination host is resolved and connected to by the SSH server, not by your local machine; so when the SSH server runs on the very machine you want to reach, localhost:3389 (or that machine’s own address) is the destination you want.

Important: note the source port is 3391, not 3390 as is used in many tutorials around the web.  Windows 7 blocks Remote Desktop connections to localhost:3390.  The source port can be any free port, so feel free to try something else if 3391 is already in use on your system.  (But 3389 is the default Remote Desktop port on the destination side, so do not change that number unless you know the remote machine listens elsewhere.)

The added tunnel should look something like this:


PuTTY tunnel added

This means that PuTTY will listen on local port 3391 and forward anything sent to it, through the SSH connection, to port 3389 on google.com (as reached from the SSH server).

Now, open the SSH connection (click Open).  If this is the first time you have connected to this server, PuTTY shows the server’s host key fingerprint and asks whether to trust it; compare it with the key on the server before accepting, because an attacker on the wireless network who gets you to accept their key can read everything in the tunnel.  A PuTTY terminal will open; you can minimize it or use it as needed, but we won’t need it any more for this tutorial.  Its presence means that an SSH connection has been established between your local system and the remote host, and the tunnel is open.  (If the forward could not be set up, the PuTTY Event Log, reachable from the window’s system menu, says why.)

Establishing the Remote Desktop Connection

Now that the tunnel has been opened between the local host port 3391 and remote host port 3389, we can start the Remote Desktop connection. Instead of typing the remote host name in the Remote Desktop connection window, type localhost:3391.


Remote Desktop Connection to localhost:3391

Hit Connect, and that’s it!  Barring any unforeseen problems (see below for some troubleshooting tips), you’ll be enjoying a Remote Desktop Connection to a remote computer tunneled through an SSH connection.  All data sent and received during the Remote Desktop session is carried inside the SSH connection, so it is encrypted and integrity-protected by SSH, and the far end is authenticated by its host key.  It’s not impenetrable, but it’s better than RDP alone.
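The two steps above (open the tunnel, then point Remote Desktop at its local end) can be done from the command line instead of the PuTTY windows.  This is an added example, not code from the original post: it drives plink, PuTTY’s command-line client, with the same “Local” forward the Tunnels screen configures, waits for the local port to come up, and then launches mstsc against it.  The login name user@remote.example.org is a placeholder to replace, and plink.exe and mstsc.exe are assumed to be on the PATH.

```python
"""Open the PuTTY tunnel and start Remote Desktop through it.

Added example (not from the original post).  Assumes plink.exe and
mstsc.exe are on PATH and that the SSH server's host key has already been
cached by connecting once interactively with PuTTY.
"""
import socket
import subprocess
import sys
import time

LOCAL_PORT = 3391                        # where PuTTY listens on this machine
RDP_PORT = 3389                          # Remote Desktop port on the far side
SSH_TARGET = "user@remote.example.org"   # placeholder login, not from the post


def plink_tunnel_cmd(ssh_target, local_port=LOCAL_PORT,
                     dest_host="localhost", dest_port=RDP_PORT):
    """Build the plink command line equivalent to the PuTTY Tunnels screen.

    -L [listen-IP:]port:host:hostport is the 'Local' forward.  Binding to
       127.0.0.1 keeps the forwarded port off the wireless interface, so
       nobody else on the untrusted network can ride the tunnel.
    -N opens no remote shell; the connection exists only for the forward.
    -batch never prompts: an unknown or changed host key aborts the
       connection instead of being accepted blindly, which is what you want
       on an untrusted network.
    """
    forward = "127.0.0.1:%d:%s:%d" % (local_port, dest_host, dest_port)
    return ["plink", "-ssh", "-batch", "-N", "-L", forward, ssh_target]


def mstsc_cmd(local_port=LOCAL_PORT):
    """Remote Desktop Connection pointed at the local end of the tunnel."""
    return ["mstsc", "/v:localhost:%d" % local_port]


def wait_for_listener(host, port, timeout=10.0):
    """Return True once something accepts TCP connections on host:port.

    plink needs a moment to authenticate and bind the port; launching mstsc
    before that gives a confusing 'cannot connect' instead of a tunnel
    error.  Each successful probe opens and immediately closes one
    forwarded connection to the destination, which is harmless.
    """
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.25)
    return False


def main():
    tunnel = subprocess.Popen(plink_tunnel_cmd(SSH_TARGET))
    if not wait_for_listener("127.0.0.1", LOCAL_PORT):
        tunnel.terminate()
        sys.exit("tunnel did not come up on 127.0.0.1:%d" % LOCAL_PORT)
    try:
        subprocess.call(mstsc_cmd())   # returns when the RDP window closes
    finally:
        tunnel.terminate()             # tear the tunnel down with it


if __name__ == "__main__":
    main()
```

Because of `-batch`, a server whose key is not yet in PuTTY’s cache makes plink exit instead of connecting, and the script reports that the tunnel never came up; connect once with the PuTTY GUI, check the fingerprint, and the script works from then on.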

Suggestions for Troubleshooting

If you run into problems, these are some likely culprits:

Firewall – if there is a problem, this is often the source.  Make sure you can successfully connect to the remote SSH server using the SSH client on the local machine (this requires the SSH port, 22 by default, to be open).  Also make sure you can establish a Remote Desktop connection to the remote machine directly (port 3389).  If you can do both of these, then the firewall is not the problem.

Try a different local port – there is always the possibility that port 3391 on the local machine is used for something else.  Try changing this to something random.

Make sure Remote Desktop is available and enabled – only the Professional, Enterprise and Ultimate editions of Windows 7 will serve Remote Desktop connections (the other editions have just the client for connecting to other machines).  Additionally, Windows 7 disables Remote Desktop by default.  From the Start menu, right-click on Computer, click Properties, then click Remote settings and allow connections.  You may also have to explicitly modify the Windows 7 Firewall to allow Remote Desktop (i.e. enable the Remote Desktop rule group, which opens port 3389).
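A finer-grained check than “try Remote Desktop and see”, as an added example that is not part of the original post: it connects to the tunnel’s local end and sends the first packet of an RDP connection, an X.224 Connection Request carrying an RDP Negotiation Request as described in MS-RDPBCGR, then decodes the reply.  A Connection Confirm means a real RDP server answers at the far end and tells you which security protocol it chose; a Negotiation Failure, an empty reply or a refused connection each point at a different broken step.  The port numbers are the tutorial’s, and the sample reply bytes checked below are constructed, not captured.

```python
"""Probe the local end of the SSH tunnel for an RDP server.

Added example (not from the original post).  Packet layouts follow
MS-RDPBCGR: TPKT header, X.224 Connection Request/Confirm, RDP_NEG_REQ,
RDP_NEG_RSP and RDP_NEG_FAILURE.
"""
import socket
import struct

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP = 0x00000000      # classic RDP security
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (Network Level Authentication)

PROTOCOL_NAMES = {0: "standard RDP security", 1: "TLS", 2: "CredSSP (NLA)"}

NEG_FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ, as the client sends it."""
    # RDP_NEG_REQ: type 0x01, flags, length (always 8), requestedProtocols
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    # X.224 CR: length indicator, CR code 0xE0, dst-ref, src-ref, class 0
    x224 = bytes([6 + len(neg_req), 0xE0]) + struct.pack(">HHB", 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))   # version 3, reserved, length
    return tpkt + x224


def parse_connection_confirm(data):
    """Decode the server's reply into a dict describing the outcome."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 reply: %r" % data[:4])
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d but got %d bytes" % (tpkt_len, len(data)))
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("expected X.224 Connection Confirm, got code 0x%02x" % code)
    body = data[11:5 + li]          # optional rdpNeg structure after the 7-byte header
    if not body:
        # Servers that predate protocol negotiation answer with a bare CC.
        return {"status": "confirm", "selected_protocol": PROTOCOL_RDP,
                "selected": "standard RDP security (no negotiation response)"}
    if len(body) < 8:
        raise ValueError("truncated negotiation structure: %r" % body)
    ntype, flags, _length = struct.unpack("<BBH", body[:4])
    value = struct.unpack("<I", body[4:8])[0]
    if ntype == 0x02:               # RDP_NEG_RSP
        return {"status": "confirm", "selected_protocol": value, "flags": flags,
                "selected": PROTOCOL_NAMES.get(value, "unknown 0x%x" % value)}
    if ntype == 0x03:               # RDP_NEG_FAILURE
        return {"status": "failure", "code": value,
                "reason": NEG_FAILURE_CODES.get(value, "unknown")}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def probe(host="127.0.0.1", port=3391, timeout=5.0):
    """Connect to the local end of the tunnel and classify what answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request())
            reply = s.recv(1024)
    except ConnectionRefusedError:
        return {"status": "refused", "hint": "nothing listening on %s:%d; is the "
                "PuTTY session open with the tunnel added?" % (host, port)}
    except (ConnectionResetError, BrokenPipeError):
        reply = b""
    except socket.timeout:
        return {"status": "timeout", "hint": "port open but no RDP reply; the SSH "
                "server may be unable to reach the destination host:3389"}
    if not reply:
        # PuTTY accepts locally, then drops the connection when the SSH server
        # cannot connect to the destination (wrong host/port, RDP disabled).
        return {"status": "closed", "hint": "forward accepted then dropped; check the "
                "destination host:port and that Remote Desktop is enabled"}
    return parse_connection_confirm(reply)


if __name__ == "__main__":
    print(probe())
```

Run it while the PuTTY session is open: a “confirm” with CredSSP or TLS selected means the tunnel reaches a working Remote Desktop server; “refused” means the local forward was never set up; “closed” means PuTTY is up but the SSH server cannot reach the destination you typed on the Tunnels screen.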


  1. #1 by merli on September 4th, 2010

    Thank you so much for posting this! I’ve been trying to get my tunnelled remote desktop working for a while now, getting frustrated and losing hope. I thought I had a Windows 7 to Windows XP problem, so I was also looking in the wrong place for solutions. But then I read this, and changed my source port and voila! I got the connection. So thank you again for your help. :)

  2. #2 by Aaron on September 11th, 2010

    I’ve TRIED everything, it doesn’t work… If I try doing a simple port 80 tunnel to a web server on the remote LAN… When I type the local address into my browser, my browser says waiting for…. then the IP address of the machine on the remote network. So it’s resolving properly, the firewall isn’t blocking it ’cause I turned it off to see.. So I DON’T KNOW WHAT’S WRONG, this is so frustrating.

  3. #3 by Tim on December 3rd, 2010

    Excellent article. Changing the port was the key for me. Thanks!

  4. #4 by Jim on December 20th, 2010

    Great info, changing the source port fixed my problem too. My configuration from Win7: I set up the tunnel in PuTTY as source port 127.0.0.2:3391 and destination port [DestinationIp]:[DestinationRdpPort]. Destination computer is XP, and the tunnel goes through an Ubuntu 10.10 SSH server. I also enabled SSH compression in PuTTY.

  5. #5 by Yayuca on April 25th, 2011

    Thanks, man!
    Great post, I did solve my issues after I migrated to Win 7 at work.
    Cheers!

  6. #6 by Abdurrahman on June 4th, 2011

    Thanks man, this really helped me out.

  7. #7 by Salvatore Ventre on June 24th, 2011

    I tried with

    1) 3390

    It doesn’t work, because of duplicate session

    2) 3391
    no connection to remote computer

    3) 33??
    no connection to remote computer
    I don’t think it is a firewall problem.
    Any hints?
    Thank you

  8. #8 by Jacob Hinkle on July 7th, 2011

    Hey Spencer, if your remote box is behind a firewall you can also do a reverse SSH tunnel, then use this method you posted here. I use this to securely access my machine at the hospital without using a VPN. The only thing is you need the remote (firewalled) machine to connect to an intermediate accessible machine (in my case my workstation) and then run a cron job to check that the link is still up and, if not, reconnect. Then you log in to the firewalled machine by SSHing (or RDPing) to the tunneling port on the accessible machine. Works like a charm. I know how to do this with OpenSSH, but I’m not sure how to do it in PuTTY if your remote host is also Windows.

  9. #9 by Spencer on July 7th, 2011

    That’s a great suggestion. I have to go through a VPN to get to my machine at the BPRB, but I could tunnel through my machine in the Warnock and skip that whole mess.

  10. #10 by Scott on September 17th, 2011

    Great article, thanks! Any idea if the destination address can be 127.0.0.1:3389, rather than (say) 66.102.7.99:3389, or does Windows 7 block Remote Desktop connections to localhost:3389 in the same way it does to localhost:3390?

  11. #11 by murat on December 14th, 2011

    Spencer, thank you very much for the great article. I just want to know how we can use and connect to a local host name. I mean, for example, I built up a website on localhost and I call it http://mysite/
    How can I do it? I want to let myself and authorized persons visit this local website remotely.

  12. #12 by gsmith on January 3rd, 2012

    Thank you for posting this solution! I was stuck on 3390.
