SSH SOCKS Proxy Tunneling for Remote Desktop Connection Through Firewall Restrictions

When dealing with IP-based access control between networks, SSH tunneling provides an elegant solution. Here's the basic setup:

ssh -D 1080 user@office-linux-box -N

This creates a SOCKS proxy on local port 1080 through your office Linux server (-N tells ssh not to run a remote command, so the session exists only for the forward). Verify it works with:

curl --socks5 localhost:1080 http://windows-server/internal-page

Microsoft Remote Desktop for Mac (v2.1+) supports SOCKS proxies through its config file:

<dict>
    <key>hostname</key>
    <string>windows-server</string>
    <key>username</key>
    <string>youruser</string>
    <key>socksProxyHost</key>
    <string>127.0.0.1</string>
    <key>socksProxyPort</key>
    <integer>1080</integer>
</dict>

Save this as ~/Library/Containers/com.microsoft.rdc.mac/Data/Library/Application Support/com.microsoft.rdc.mac/yourconnection.rdp

For more granular control, use proxychains with a command-line RDP client such as rdesktop:

brew install proxychains-ng

Configure /usr/local/etc/proxychains.conf (on Apple silicon Homebrew the file is /opt/homebrew/etc/proxychains.conf):

[ProxyList]
socks5  127.0.0.1 1080

Then launch RDP:

proxychains4 rdesktop windows-server:3389

If connections fail:

  • Verify SSH tunnel persistence: ssh -v -D 1080 user@office-linux-box -N
  • Check office firewall rules: sudo iptables -L -n on the Linux box
  • Test raw TCP connectivity: nc -zv windows-server 3389 from office box

For better RDP performance over SSH:

ssh -C -c aes128-gcm@openssh.com -D 1080 user@office-linux-box -N

The -C enables compression and -c specifies a faster cipher.

Always combine with:

  • SSH key authentication
  • Fail2ban on the Linux box
  • RDP Network Level Authentication
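As an added example of what the first two items look like on the Linux box (this fragment is not from the original post; it assumes a dedicated account named tunneluser and the windows-server name used above), this sshd_config Match block pins the tunnel account to key-only login and lets it forward only to the RDP port:

```sshd_config
# Added example (not from the original post): sshd_config fragment for the
# office Linux box. Names are assumptions: "tunneluser" is a dedicated account
# used only for the tunnel, "windows-server" the RDP host from this page.
# Comments must sit on their own lines; sshd does not accept trailing comments.
Match User tunneluser
    # Keys only; password guessing then has nothing to hit, and fail2ban's
    # sshd jail still catches the noise.
    PasswordAuthentication no
    # ChallengeResponseAuthentication on OpenSSH before 8.7
    KbdInteractiveAuthentication no
    PubkeyAuthentication yes
    # Allow -L and -D, but no remote (-R) forwards back into the office network.
    AllowTcpForwarding local
    # The only destination the tunnel may reach, for -L and -D alike. sshd
    # compares what the client asked for, so list the IP as well (space
    # separated) if a client may send an address instead of the name.
    PermitOpen windows-server:3389
    # Nothing else this account could be used for.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
```

Check the result with sshd -t before reloading. With this in place a SOCKS request for any other host:port is refused by sshd, which is what you want to see when the tunnel account's key is ever lost.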

When working remotely, you might encounter a Windows server locked behind multiple network layers with IP-based restrictions. Here's a typical scenario:

Home Network (Mac) → SSH Tunnel → Office Linux Server → Target Windows Server

While you can access the Windows server from the office Linux box via telnet (port 3389), direct RDP connections from your Mac fail.

Microsoft Remote Desktop doesn't natively support SOCKS proxies. When you try:

rdp://windows-server:3389

The connection attempt never reaches your SSH tunnel.

We'll use proxychains to force RDP traffic through your SSH tunnel:

Step 1: Verify Your SSH Tunnel

First, ensure your SOCKS proxy works:

ssh -D 1080 user@office-linux-box

Test with cURL:

curl --socks5 localhost:1080 http://windows-server

Step 2: Configure proxychains

Edit /etc/proxychains.conf:

[ProxyList]
socks5  127.0.0.1 1080

Step 3: Launch RDP Through the Tunnel

For Mac (using Microsoft Remote Desktop):

proxychains4 /Applications/Microsoft\ Remote\ Desktop.app/Contents/MacOS/Microsoft\ Remote\ Desktop

Note that proxychains works by library injection (DYLD_INSERT_LIBRARIES), which macOS blocks for SIP-protected and hardened-runtime apps, so on current macOS versions this may silently have no effect; if the client still connects directly, use the -L port forward described below instead.

For Linux (using rdesktop):

proxychains rdesktop windows-server:3389

For a more direct approach:

ssh -L 33389:windows-server:3389 user@office-linux-box

Then connect to localhost:33389 in your RDP client.
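Once localhost:33389 is reachable, it is worth confirming two things before handing the endpoint to the RDP client: that the far end of the forward really is an RDP service, and that it enforces the Network Level Authentication recommended above. The following script is an added example and not part of the original post. It sends a single X.224 Connection Request that offers only TLS security; a server with NLA enforced refuses it with the RDP_NEG_FAILURE code HYBRID_REQUIRED_BY_SERVER instead of accepting, while a server that allows TLS without NLA simply selects TLS (byte layouts per MS-RDPBCGR 2.2.1.1 and 2.2.1.2). The FakeRdpListener class is a constructed stand-in used only by the offline self-test; the script never authenticates or goes past the negotiation step.

```python
"""Check, through the forward, that localhost:33389 really ends at an RDP
service and that it enforces Network Level Authentication (NLA).

One X.224 Connection Request offering only TLS security is sent; a server with
NLA enforced answers RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER instead of
accepting. Layouts follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2 (TPKT + X.224 + RDP_NEG_*).
"""
import socket
import struct
import sys
import threading

PROTOCOL_RDP = 0x00000000               # legacy RDP security, no NLA
PROTOCOL_SSL = 0x00000001               # TLS only
PROTOCOL_HYBRID = 0x00000002            # CredSSP over TLS, i.e. NLA
HYBRID_REQUIRED_BY_SERVER = 0x00000005  # RDP_NEG_FAILURE failureCode


def _recv_exact(sock, n):
    """Read exactly n bytes; a short read means the peer hung up."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-negotiation")
        buf += chunk
    return buf


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes total)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_confirm(neg_body=b""):
    """TPKT header + X.224 Connection Confirm, optionally with a negotiation block."""
    x224 = struct.pack("!BBHHB", 6 + len(neg_body), 0xD0, 0, 0, 0) + neg_body
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(pkt):
    """Return (selected_protocol, failure_code); the one that does not apply is None."""
    if len(pkt) < 11 or pkt[0] != 3 or pkt[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm: is this really RDP?")
    if len(pkt) == 11:                   # no negotiation block: legacy RDP security
        return PROTOCOL_RDP, None
    neg_type, _flags, _length, value = struct.unpack("<BBHI", pkt[11:19])
    if neg_type == 0x02:                 # RDP_NEG_RSP
        return value, None
    if neg_type == 0x03:                 # RDP_NEG_FAILURE
        return None, value
    raise ValueError("unexpected negotiation type 0x%02x" % neg_type)


def read_tpkt(sock):
    """Read one TPKT-framed packet (length lives in bytes 2-3 of the header)."""
    head = _recv_exact(sock, 4)
    (length,) = struct.unpack("!H", head[2:4])
    return head + _recv_exact(sock, length - 4)


def nla_required(host, port, timeout=5.0):
    """True if the server refuses a TLS-only client with HYBRID_REQUIRED_BY_SERVER."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL))
        _selected, failure = parse_connection_confirm(read_tpkt(s))
    return failure == HYBRID_REQUIRED_BY_SERVER


class FakeRdpListener(threading.Thread):
    """Constructed stand-in for the Windows RDP service, used only by the offline
    self-test; require_nla=True mimics a server with NLA enforced."""

    def __init__(self, require_nla):
        super().__init__(daemon=True)
        self.require_nla = require_nla
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            try:
                with conn:
                    req = read_tpkt(conn)
                    (requested,) = struct.unpack("<I", req[15:19])   # requestedProtocols
                    if requested & PROTOCOL_HYBRID:
                        body = struct.pack("<BBHI", 0x02, 0, 8, PROTOCOL_HYBRID)
                    elif self.require_nla:
                        body = struct.pack("<BBHI", 0x03, 0, 8, HYBRID_REQUIRED_BY_SERVER)
                    else:
                        body = struct.pack("<BBHI", 0x02, 0, 8, requested)
                    conn.sendall(build_connection_confirm(body))
            except OSError:
                pass


def self_test():
    """Returns (nla_required against the hardened fake, against the lax fake)."""
    hardened, lax = FakeRdpListener(True), FakeRdpListener(False)
    hardened.start()
    lax.start()
    return nla_required("127.0.0.1", hardened.port), nla_required("127.0.0.1", lax.port)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python3 rdp_nla_check.py localhost 33389
        print("NLA enforced:", nla_required(sys.argv[1], int(sys.argv[2])))
    else:
        print("self-test:", self_test())
```

Run it against the forwarded port (python3 rdp_nla_check.py localhost 33389); a ValueError from parse_connection_confirm means the forward terminated somewhere that does not speak RDP, which usually points at a wrong host in the -L argument.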

If connections fail:

  • Check netstat -tuln on the Linux box to verify tunnel ports
  • Use telnet localhost 1080 to test SOCKS connectivity
  • Enable proxy_dns in proxychains.conf if hostnames fail, so names are resolved through the tunnel rather than locally
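The checks in this list, and in the earlier "If connections fail" list, only show that port 1080 is listening or that the office box itself can reach port 3389; neither exercises the SOCKS proxy the way an RDP client does. The script below is an added example, not part of the original post: it performs the SOCKS5 greeting and a CONNECT request for windows-server:3389 through 127.0.0.1:1080 (the addresses used on this page) and decodes the reply code. One caveat it handles: OpenSSH's -D answers "succeeded" before it has attempted the remote connection and simply drops the client if that connection later fails, so after a successful reply the probe waits briefly to see whether the proxy keeps the connection open. The FakeDynamicForward class is a constructed stand-in for ssh -D used only by the offline self-test.

```python
"""Probe the SOCKS5 proxy that `ssh -D 1080 ...` opens, the way an RDP client would
use it: full SOCKS5 greeting plus a CONNECT to windows-server:3389.

`telnet localhost 1080` only proves the local port is open. OpenSSH's dynamic
forward also answers "succeeded" before it has tried the remote connect and
simply drops the client if that connect fails, so the probe additionally waits
to see whether the proxy keeps the connection open.
"""
import socket
import struct
import sys
import threading

# Reply codes from RFC 1928, section 6 (OpenSSH itself only ever sends 0x00).
SOCKS5_REPLIES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def _recv_exact(sock, n):
    """Read exactly n bytes; a short read means the proxy hung up mid-handshake."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, target_host, target_port, timeout=2.0):
    """Return (reply_code, far_end_open).

    reply_code is the proxy's SOCKS5 reply; far_end_open is True only if the
    proxy still holds the connection after a short wait, i.e. the office box
    really reached target_host:target_port. The target is sent as a domain name
    (ATYP 0x03) so it is resolved on the remote side, like proxychains' proxy_dns.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                  # VER=5, one method: no auth
        ver, method = _recv_exact(s, 2)
        if ver != 5 or method != 0:
            raise RuntimeError("port %d is not a no-auth SOCKS5 proxy" % proxy_port)
        name = target_host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                  + struct.pack("!H", target_port))   # CMD=CONNECT, ATYP=domain
        _ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if atyp == 0x01:                              # drain BND.ADDR + BND.PORT
            _recv_exact(s, 4 + 2)
        elif atyp == 0x04:
            _recv_exact(s, 16 + 2)
        elif atyp == 0x03:
            (n,) = _recv_exact(s, 1)
            _recv_exact(s, n + 2)
        if rep != 0x00:
            return rep, False
        # An RDP server never speaks first, so after a successful reply either
        # we time out (tunnel up, far end reached) or get EOF (far end failed).
        try:
            far_end_open = s.recv(1) != b""
        except socket.timeout:
            far_end_open = True
        return 0x00, far_end_open


class FakeDynamicForward(threading.Thread):
    """Constructed stand-in for ssh -D, used only by the offline self-test. Like
    OpenSSH it always replies "succeeded", then keeps the connection for
    reachable targets and drops it for anything else."""

    def __init__(self, reachable):
        super().__init__(daemon=True)
        self.reachable = set(reachable)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            try:
                with conn:
                    _recv_exact(conn, 3)                          # greeting
                    conn.sendall(b"\x05\x00")                     # no-auth accepted
                    n = _recv_exact(conn, 5)[4]                   # VER CMD RSV ATYP LEN
                    name = _recv_exact(conn, n).decode("idna")
                    (port,) = struct.unpack("!H", _recv_exact(conn, 2))
                    conn.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)   # success, 0.0.0.0:0
                    if (name, port) in self.reachable:
                        conn.recv(1)                              # hold until client closes
            except OSError:
                pass


def self_test():
    """Probe the fake forward for a reachable and an unreachable target."""
    proxy = FakeDynamicForward({("windows-server", 3389)})
    proxy.start()
    good = socks5_connect("127.0.0.1", proxy.port, "windows-server", 3389, timeout=0.5)
    bad = socks5_connect("127.0.0.1", proxy.port, "windows-server", 3390, timeout=0.5)
    return good, bad


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python3 socks5_probe.py windows-server 3389
        rep, up = socks5_connect("127.0.0.1", 1080, sys.argv[1], int(sys.argv[2]))
        print("reply: %s; far end reachable: %s" % (SOCKS5_REPLIES.get(rep, hex(rep)), up))
    else:
        print("self-test:", self_test())
```

With the real tunnel up, "reply: succeeded; far end reachable: False" means the office box accepted the request but could not connect to windows-server:3389 (firewall, wrong name, or a PermitOpen restriction on the sshd side), which is exactly the case the curl test above does not distinguish from a dead tunnel.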

For better RDP performance over SSH:

ssh -C -D 1080 user@office-linux-box

The -C flag enables compression, which helps with graphical protocols.