RDP tunneling

The Microsoft terminal server client and its associated Remote Desktop Protocol (RDP) is definitely one of the few reasons I still develop on a windows system. In many ways it’s a very clean and efficient protocol that just plain works. But often I’ve found myself behind corporate routers that have blocked the rdp ports (i.e. 3389). Because of this issue I have had to resort to tunneling the rdp traffic over ports that are not blocked by corporate routers.  Also, since RDP isn’t secure, I needed a way to encrypt my remote sessions.  The steps below explain how to tunnel rdp traffic over ssh’s ports (usually port 22).  To do this you’ll need some cheap hardware, free software, networking knowledge, and time.


  1. A home network router with your/the ssh port forwarded to a machine in your home network.  The machine you forward to will be called the ssh server.
  2. A machine in your home network that is running an ssh server to accept the forwarded ssh traffic.  Alternatively, if you have a dd-wrt router, your router can function as the ssh server.
  3. A windows machine on your home network with its remote desktop server configured to accept clients.  This can be the ssh server machine, but I would recommend having a ssh server that is distinct from the windows/rdp machine.
  4. A basic understanding of network forwarding and protocols.  A bonus would be if you have linux/unix experience.


  1. If these above configurations are in place, then the next step is to install putty, or  a similar ssh client, on your work/remote windows machine.   If you’ve never heard of Putty, it’s a bit like a swiss army knife for network traffic manipulation, and definitely work checking out (see: http://www.chiark.greenend.org.uk/~sgtatham/putty/)
  2. Set up a connection to your home network.  This is done by entering your home ip address (i.e. the ip address of the machine running your remote ssh server) in the uppermost putty text box. Alternatively, you can just enter a host/domain name if appropriate dns resolution exists (see dyndns.org or noip.org for more info)
  3. Configure the tunneling portion of the connection.  This is done by going exploring/expanding the Category tree in putty’s left most window to reveal the Connection–>SSH–>Tunneling options (See image below).  I tend to use a local port 3391 for the connection and rdps default port for the remote connection (3389).  Notice that I’m forwarding my connection to a another computer in my local network (  This could be any computer in my local network running windows with rdp enabled.  Click the “Add” button to add your tunnel/forward to the connection.
  4. Click on Session in the category tree to get back to the home screen.  Give your connection a name by typing a name in the Saved Sessions text box.  In the image below I’ve named the connection “twinoaks”.
  5. Click open connection and supply the required credentials when prompted.  I strongly suggest this connection be secured by something more than a password.  Putty does allow for RSA public-private key authentication.  More info on authentication with putty can be found here (link to U of Alberta site).  Once the connection/tunnel is established you should be forwarding all traffic on port 3391 to your ssh port (likely 22)
  6. Establish your rdp connection using Start–> Run–>mstsc–> type “localhost:3391” into the dialog box.
  7. If all goes well you’ll be looking at your remote computer ( in my case) and your connection will be securely tunneled over ssh.
This entry was posted in networking, Windows. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *