>Reverse RDP tunneling using SSH

Nowadays, the market is *flooded* with really, really good remote control applications. I’d say that in 99% of the cases out there, you’re set by using a client such as LogMeIn or even something a bit more beefy like Kaseya. However, there *are* times when you need a little something extra. Maybe it’s because you just prefer RDP. Maybe your needs are special (you’ve got a legacy app that works over TCP but isn’t encrypted, and you need remote access). Maybe your client’s workstation just got patched and it broke your remote control (oh yeah — still happens). Whatever the case may be, you need an extra remote control that is secure, password protect and — traverses NAT.

For those of you that already use SSH, this is really nothing new. SSH has been around for ever, port forwarding included, so if you’re already experienced in SSH, chances are you know all of this already. In my case, it was necessary to do some investigation of a lightweight SSH client on windows. Installation had to be silent (read: command-line quiet installation) and it had to traverse NAT. I selected Bitvise’s Tunnelier application for this. It’s free for personal use.

In today’s article, we’re going to look at tunneling applications through a reverse-SSH shell. I use RDP (port 3389) as an example but it should apply to pretty much anything (VNC, SQL etc…)


  • Local machine is directly accessible to the administrator (console, RDP, LMI or otherwise). If the machine is a linux box, consider setting yourself up with X-Win (read my very short how-to on x-win at http://www.rickeldarwish.net
  • RDP is running on remote machine at port 3389 (otherwise, change the destination port in profile configuration below) 
  • You have an SSH server accessible from the internet


  • LOCAL – the administrator’s local machine. SSH server. Must be accessible from the net. 
  • REMOTE – the workstation to which the administrator wishes to connect. One must be able to transfer the Tunnelier setup files and run the command for installation.

Tunnelier silent install (from a shell session to the remote machine):

  • Tunnelier-Inst.exe -installDir=c:Tunnelier -acceptEULA -force
  • You can get the latest version of the install binary here – be sure to pay bitvise a thorough visit when you can, they’ve got some really great tools: http://dl.bitvise.com/Tunnelier-Inst.exe

Create a tunnelier profile (can be done from a local machine with tunnelier):

  1. For ease of use, this profile should be copied to the same directory as the tunnelier binary
  2. Use the password method, save it to the profile.
  3. IMPORTANT: Create an ***S2C*** forwarding entry.  Listen interface:; port: 3389 (or other if already in use – note that this is the port on the LOCAL machine); Destination host:; Dest. Port: 3389
  4. Also under S2C forwarding, check on “Accept server-side port forwardings”
  5. Under Options, check the “Always reconnect automatically” option.

To tunnel RDP connections:

  1. From the remote command line (i.e. ssh or netcat), switch to the tunnelier directory and run “tunnelier -profile=your_tunnel_profile.tlp -loginOnStartup” (replace your_tunnel_profile with the appropriate profile filename).
  2. Tunnelier should automatically connect to SSH
  3. From the local machine, open up an RDP connection to localhost at the port specified in the profile.

One thought on “>Reverse RDP tunneling using SSH

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s