
I've seen many examples of SSH tunnels on the nets, but I'm still having no luck with this. Here's the setup:

  1. Windows 7 PC in a private network, sitting behind a firewall, with PowerShellInsider SSH server set up and working fine.
  2. Public access Linux server, which has access to the PC.
  3. Windows 7 laptop, at home, from which I wish to do remote desktop on the PC.

Now, here's what I've tried so far:

  1. SSH tunnel from my laptop to the Linux server: ssh -f my_user@LINUX_SERVER -L 6666:LINUX_SERVER_IP:6666 -N
  2. SSH to the Linux server where I've set up a tunnel to the PC: ssh -f 'PRIVATE_DOMAIN\my_user'@PC_NAME -L 6666:PC_IP:3389 -N

Unfortunately, I must be doing something wrong, because it doesn't seem to work. Any ideas why or, at least, any suggestions on how I can try to debug this setup? At the moment, I have access to all 3 machines (non-root on Linux), so I can test whatever I want...

KM.
Mihai Todor

3 Answers

This is what I do when I have a very similar problem (but mine is Linux via Linux and I use port 5901 for VNC):

First, we make it so that all connections to localhost:13389 on your laptop will go to the intermediate server (on port 3389):

laptop$ ssh -L 13389:localhost:3389 my_user@LINUX_SERVER_IP

Then, we make it so that all connections to localhost:3389 on the intermediate server are forwarded to the PC behind the firewall (on port 3389):

my_user@LINUX_SERVER_IP$ ssh -L 3389:localhost:3389 'PRIVATE_DOMAIN\my_user'@PC_NAME

(note that this command is run inside the interactive shell on the intermediate server.)

Now, you should be able to connect to localhost:13389 and access port 3389 on the remote PC.

Debugging

Since it isn't working, there are a few things we can try. We'll do it in a way that isolates where the issue is:

  1. On the remote PC you want to access, can you telnet localhost 3389 to ensure it's open and ready for connections? Microsoft has a nice article on it
  2. If that works, can you try to execute telnet localhost 3389 on the intermediate server to check it's forwarding correctly to the remote PC?
  3. Finally, telnet localhost 13389 on your laptop, to see if it's forwarding all the way through.

As soon as you hit an error, stop there and please add a comment so we can figure it out.

Jay
  • Thanks for the answer, Jay, but, unfortunately, it does not work. The first issue is that I can't use port 3389 on my laptop, because it's already listening for the local Remote Desktop server... – Mihai Todor Jun 10 '12 at 15:42
  • I have edited the answer to use port 13389 on your local machine (if that isn't free, just swap it for one that is). Does that help? I'm trying to not use too many different port numbers simply because it'll get confusing, but you can achieve this by using different pairs A:B <-> B:C <-> C = 3389 for any A,B. – Jay Jun 10 '12 at 15:47
  • Nice try, dude, but Remote Desktop says that it can't connect to the remote PC. Any ideas what I should check in order to figure out why? – Mihai Todor Jun 10 '12 at 15:50
  • Can this be an IPv6 vs IPv4 issue? Here's the output for netstat -a on my laptop: TCP [::1]:13389 Laptop:0 LISTENING – Mihai Todor Jun 10 '12 at 15:52
  • It shouldn't be, `localhost` should map to `::1` in your /etc/hosts anyway. Can you follow this: http://support.microsoft.com/kb/187628 on the remote PC? Essentially just `telnet localhost 3389` to ensure it's ready for connections. – Jay Jun 10 '12 at 15:56
  • Unfortunately, I don't have the privileges to use nmap on the linux machine, but, since the PC is running PowerShellInsider, I am able to execute command line statements after I run the ssh command on the Linux machine. – Mihai Todor Jun 10 '12 at 15:56
  • I've added some debugging help to the original answer since it'll be easier to read. Can you give it a shot and let me know? – Jay Jun 10 '12 at 16:02
  • I'm not able to run telnet on the remote PC, netstat -a says: TCP 0.0.0.0:3389 PC_NAME:0 LISTENING. Also, on Linux I have this: -bash-3.2$ telnet localhost 3389 Trying 127.0.0.1... Connected to localhost (127.0.0.1). Escape character is '^]'. Connection closed by foreign host. – Mihai Todor Jun 10 '12 at 16:20
  • On my local laptop, since Windows 7 does not have telnet, I have tried a tool called Port Query and it says that the port is listening. – Mihai Todor Jun 10 '12 at 16:21
  • Did "Connection closed by foreign host" appear immediately after connecting, or was there some delay? – Jay Jun 10 '12 at 16:35
  • There was a long delay... – Mihai Todor Jun 10 '12 at 16:39
  • I'm nearly out of ideas. First, I'd install telnet (e.g. puttytel which won't need admin) on your laptop and really try to see if the connection is open and it waits the same amount of time (approx.) before closing. After that, I'd start hacking away. I would telnet locally on the remote PC and hit random letters and the enter key, in the hope the MS server would give some kind of response (binary, text, doesn't matter). Then repeat the same test on the intermediate server to see if the connection is forwarding properly. I'm not very experienced in Windows admin, I'm afraid. – Jay Jun 10 '12 at 16:48
  • Indeed, the behavior of telnet on my laptop seems different than the one on the Linux machine. I don't receive the "Connected to localhost" message and it just exits as soon as I try to type something. Anyway, thanks very much for trying. – Mihai Todor Jun 10 '12 at 17:02
  • At least now we know the issue is between your laptop and the Linux machine. Did you take a look at the SSH terminal once you attempted to `telnet`? There might/should be an error on it like `channel 2: open failed: connect failed: Connection refused`. – Jay Jun 10 '12 at 17:08
  • It doesn't provide any output, unfortunately. Maybe I need to activate some logging... – Mihai Todor Jun 10 '12 at 17:14
  • Your SSH connection has no output whatsoever? Are you dropped to a shell when you login? – Jay Jun 10 '12 at 17:21
  • Uf, never mind... I was definitely doing something stupid in PuTTY, but I have no idea what :( I re-entered the configuration again and now it works just fine. Sorry for wasting your time... Your advice helped me A LOT. Thank you again for all the help! – Mihai Todor Jun 10 '12 at 17:29
  • Heh, no problem :) Glad I could help! – Jay Jun 10 '12 at 17:30
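As an added example (not from the question or any answer here), the two hops Jay describes collapsed into one OpenSSH command using -J (ProxyJump), together with a bash stand-in for the telnet probes from the Debugging section. It assumes OpenSSH 7.3 or newer on the laptop and keeps the question's placeholder host names; because the -L destination is "localhost" as seen from the PC's own SSH server, the RDP connection originates on the PC itself, which is exactly what the two separate tunnels achieve.

```bash
#!/usr/bin/env bash
# Laptop -> LINUX_SERVER -> Windows PC in one ssh command (-J = ProxyJump,
# OpenSSH 7.3+), plus a bash stand-in for the "telnet localhost PORT" probes.
# Host names are the question's placeholders; adjust before use.
set -u

JUMP_HOST='my_user@LINUX_SERVER'              # intermediate Linux server
TARGET_HOST='PRIVATE_DOMAIN\my_user@PC_NAME'  # SSH server on the Windows 7 PC
LOCAL_PORT=13389   # not 3389: the laptop's own RDP listener already owns it
REMOTE_PORT=3389   # RDP on the PC, reached as "localhost" from the PC itself

# Return 0 if host:port accepts a TCP connection, non-zero otherwise.
# Uses bash's /dev/tcp, so it works where telnet and nmap are unavailable.
port_open() {
    local host=$1 port=$2
    if command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# Print the exact ssh command so it can be reviewed before running it.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -J %s -L %s:localhost:%s %s\n' \
        "$JUMP_HOST" "$LOCAL_PORT" "$REMOTE_PORT" "$TARGET_HOST"
}

# Open the tunnel. ExitOnForwardFailure makes a broken -L fail loudly instead
# of silently giving "no output"; -v prints the "channel N: open failed" lines
# Jay mentions when something connects to LOCAL_PORT but the far end refuses.
start_tunnel() {
    if port_open 127.0.0.1 "$LOCAL_PORT"; then
        echo "local port $LOCAL_PORT is already in use; choose another" >&2
        return 1
    fi
    ssh -N -v -o ExitOnForwardFailure=yes \
        -J "$JUMP_HOST" -L "$LOCAL_PORT:localhost:$REMOTE_PORT" "$TARGET_HOST"
}

# Usage: ./rdp-tunnel.sh start | probe HOST PORT | (no args: show command)
case "${1:-}" in
    start) start_tunnel ;;
    probe) port_open "$2" "$3" && echo "$2:$3 open" || echo "$2:$3 closed" ;;
    *)     tunnel_cmd ;;
esac
```

Run `./rdp-tunnel.sh probe 127.0.0.1 3389` on each hop in turn to reproduce steps 1 to 3 of the Debugging section without telnet.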
For Win11 (using WSL for ssh), one can do this:

ssh -L 127.0.0.2:3389:windowstargethost.server.arpa:3389 user@intermediatessh.server.arpa

and then use 127.0.0.2 in Remote Desktop Connection; otherwise, if using localhost or 127.0.0.1, you get an error like "Your computer could not connect to another console session on the remote computer because you already have a console session in progress."


I think that you're using the wrong syntax with the ssh command.

Since you have PowerShellInsider SSH server running on the Windows 7 machine I assume that you want to reach the SSH server through the tunnel, right?

Anyway, assuming that the SSH server is running on the standard port, the command to run on your home computer should be something like this:

$ ssh -N -L 22222:ip-address-windows7-at-work:22 user@linux-server

Then, ssh into the remote Windows 7 using the local socket (22222):

$ ssh -p 22222 localhost

If you're trying to tunnel the remote desktop protocol, you only have to change the "right" port number:

$ ssh -N -L 22222:ip_address_windows7_work:3389 user@linux-server
rpet
  • For some reason (probably some stealthy firewall installed on my work PC), I cannot access it directly via port 3389, as I specified here: http://serverfault.com/questions/406737/ssh-tunnel-for-remote-desktop-via-intermediary-server-part-ii Anyhow, it works OK if I create 2 separate tunnels, just as @Jay described in his answer. Unfortunately, I'm only able to do this one way (from home to work). Please see my other question for details. – Mihai Todor Jul 16 '12 at 22:19