How to Configure SSH Tunneling for Windows RDP via Linux Gateway



In this setup, we have:

  • Linux server: 192.168.8.x (SSH accessible on port 23008)
  • Windows Server 2008: 192.168.8.y (RDP default port 3389)

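On your Linux box, ensure the SSH daemon is properly configured. Of the forwarding directives below, only AllowTcpForwarding is required for the -L local forward used in this guide. PermitTunnel enables tun device (VPN-style) forwarding and GatewayPorts lets remote (-R) forwards bind to non-loopback addresses, so both can stay at their default of no unless you need them: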

# /etc/ssh/sshd_config
Port 23008
PermitTunnel yes
GatewayPorts yes
AllowTcpForwarding yes

After modifying the config, restart sshd:

sudo systemctl restart sshd

From your remote client (Windows/macOS/Linux), establish the tunnel:

ssh -N -L 33389:192.168.8.y:3389 user@linux-server -p 23008

Where:

  • -N: Don't execute remote commands
  • -L: Local port forwarding
  • 33389: Local port to bind
  • 192.168.8.y:3389: Target Windows RDP server
  • -p 23008: SSH port on Linux server

For automatic reconnection, install and configure autossh:

sudo apt install autossh
autossh -M 0 -f -N -L 33389:192.168.8.y:3389 user@linux-server -p 23008

Now you can connect to your Windows server by pointing your RDP client to:

localhost:33389

Ensure your Linux server firewall allows the custom SSH port:

sudo ufw allow 23008/tcp
sudo ufw enable

If the tunnel does not work, check the following:

  • Verify the SSH connection works without the tunnel first
  • Check netstat for listening ports: netstat -tulnp
  • Test local port connectivity: telnet localhost 33389
  • Review SSH logs: journalctl -u sshd

To harden the setup:

  • Use SSH key authentication instead of passwords
  • Consider fail2ban for SSH protection
  • Regularly update both Linux and Windows systems
  • Monitor tunnel connections and set up alerts
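
As an added example (not part of the original guide), this shell function reads the output of `sshd -T` on the gateway and flags settings broader than the `ssh -L` tunnel above requires. The function name, the `FINDING:` output format and both sample inputs are constructed for illustration; 192.168.8.y is the guide's placeholder address.

```shell
#!/bin/sh
# Added example: audit effective sshd settings for a local-forward-only gateway.
# stdin: output of `sshd -T` (one lowercase "keyword value" pair per line).
# $1:    the single destination the tunnel must reach (RDP host:port).
# Prints one FINDING line per setting broader than needed; exit status 1 if any.
audit_forwarding() {
    awk -v target="$1" '
        function flag(text) { print "FINDING: " text; n++ }
        { key = tolower($1); $1 = ""; sub(/^ +/, ""); val[key] = $0 }
        END {
            if (val["allowtcpforwarding"] != "local")
                flag("allowtcpforwarding=" val["allowtcpforwarding"] " (ssh -L only needs: local)")
            if (val["permitopen"] != target)
                flag("permitopen=" val["permitopen"] " (restrict to: " target ")")
            if (val["gatewayports"] != "no")
                flag("gatewayports=" val["gatewayports"] " (only affects -R forwards; set: no)")
            if (val["permittunnel"] != "no")
                flag("permittunnel=" val["permittunnel"] " (tun devices are unused here; set: no)")
            if (val["passwordauthentication"] != "no")
                flag("passwordauthentication=" val["passwordauthentication"] " (use keys; set: no)")
            exit (n > 0)
        }'
}

# Constructed `sshd -T` excerpt: the guide's settings, with sshd defaults for
# the directives the guide does not set (permitopen, passwordauthentication).
PAGE_CFG='port 23008
allowtcpforwarding yes
permitopen any
gatewayports yes
permittunnel yes
passwordauthentication yes'

# Constructed excerpt: a profile that permits only the RDP forward.
HARDENED_CFG='port 23008
allowtcpforwarding local
permitopen 192.168.8.y:3389
gatewayports no
permittunnel no
passwordauthentication no'

# Demo: prints five findings for the guide's settings.
printf '%s\n' "$PAGE_CFG" | audit_forwarding 192.168.8.y:3389 || true
```

On the gateway itself, pipe the live configuration in with `sudo sshd -T | audit_forwarding <rdp-host>:3389`; a non-zero exit status means at least one finding.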

Here's the typical home lab scenario we're addressing:

  • Linux server (192.168.8.x) - SSH gateway accessible via WAN on port 23008
  • Windows Server 2008 (192.168.8.y) - Target for RDP access
  • External client - Needs secure RDP access through the Linux gateway

First, ensure your Linux SSH server is properly configured in /etc/ssh/sshd_config:

Port 23008
PermitTunnel yes
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
ClientAliveInterval 60

After modifying the config, restart SSH:

sudo systemctl restart sshd

From your external client, establish the tunnel with this command:

ssh -N -L 33389:192.168.8.y:3389 user@your-linux-server -p 23008

Breakdown of parameters:

  • -N: Don't execute remote commands
  • -L: Local port forwarding
  • 33389: Local port on your client machine
  • 192.168.8.y:3389: Destination Windows server and RDP port

For automatic reconnection, install and configure autossh:

sudo apt install autossh
autossh -M 0 -f -N -L 33389:192.168.8.y:3389 user@your-linux-server -p 23008

Once the tunnel is active, connect to your Windows server using:

mstsc /v:localhost:33389

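To keep the tunnel running as a service on a Linux client, create a systemd service file at /etc/systemd/system/rdp-tunnel.service:

[Unit]
Description=Persistent RDP Tunnel
After=network.target

[Service]
# Runs non-interactively, so youruser needs key-based login to the gateway.
User=youruser
# With -M 0, autossh restarts ssh only when ssh exits. The ServerAlive options
# make ssh notice a dead link, and ExitOnForwardFailure makes it exit if the
# local port cannot be bound.
# AUTOSSH_GATETIME=0 keeps autossh retrying if the first connection attempt fails.
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -L 33389:192.168.8.y:3389 user@your-linux-server -p 23008
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target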

Then enable and start the service:

sudo systemctl enable rdp-tunnel.service
sudo systemctl start rdp-tunnel.service

If the tunnel does not come up, check the following:

  • Verify SSH connectivity before setting up the tunnel
  • Check that the Windows firewall allows RDP (port 3389)
  • Use netstat -tulnp to verify port forwarding
  • Monitor logs with journalctl -u rdp-tunnel -f