The Ultimate Guide to RDPoverSSH Configuration and Best Practices
Remote Desktop Protocol (RDP) is a standard tool for managing Windows environments. However, exposing the default RDP port (3389) directly to the public internet invites constant brute-force attacks and vulnerability exploits.
Tunneling RDP over a Secure Shell (SSH) connection solves this problem. It wraps your desktop traffic inside an encrypted SSH tunnel, hiding your RDP port from the public internet.

Why Tunnel RDP Over SSH?
Enhanced Encryption: Adds a layer of SSH encryption on top of native RDP security.
Port Hiding: Allows you to close port 3389 on your firewall and open only port 22.
Traffic Consolidation: Bypasses strict firewalls by routing traffic through standard SSH ports.
Two-Factor Readiness: Leverages SSH key-based authentication and MFA for desktop access.

Prerequisites
Before starting, ensure you have the following components ready:
A remote Windows machine with Remote Desktop enabled.
An SSH server running on the remote network (or directly on the Windows host).
An SSH client (like PuTTY or OpenSSH) installed on your local machine.

Step-by-Step Configuration

1. Enable OpenSSH Server on Windows (Remote Host)
If you are tunneling directly to the Windows machine, enable its built-in SSH server.
Open Settings > Apps > Optional Features.
Click View features, search for OpenSSH Server, and click Install.
Open PowerShell as Administrator and run the following commands to start the service and set it to start automatically at boot:

Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

2. Configure the SSH Tunnel (Local Client)

Option A: Using Windows/Linux Command Line (OpenSSH)
Run this command in your local terminal to establish the tunnel:

ssh -L 3390:127.0.0.1:3389 user@remote_ssh_server_ip

-L 3390:127.0.0.1:3389: Forwards local port 3390 to port 3389 at 127.0.0.1 as seen from the SSH server (the Windows host itself when sshd runs there).
user@remote_ssh_server_ip: Your SSH login name and the remote server's IP address.

Option B: Using PuTTY (GUI)
Open PuTTY and enter your remote IP address in the Session category.
In the left menu, navigate to Connection > SSH > Tunnels.
In the Source port field, type 3390.
In the Destination field, type 127.0.0.1:3389.
Click Add, then return to the Session screen and click Open to log in.

3. Connect via Remote Desktop
Launch the Remote Desktop Connection app (mstsc) on your local PC.
In the Computer field, type: 127.0.0.1:3390.
Click Connect.
Enter your Windows remote desktop credentials when prompted.

Security Best Practices

Enforce Public Key Authentication
Disable password logins for SSH to prevent brute-force attacks. Generate a cryptographic key pair and add your public key to the remote server's authorized_keys file.

Change Default Ports
Do not use default ports on the public internet. Change your public SSH listening port from 22 to a random high-numbered port (e.g., 2222) to avoid automated network scanners.

Implement Network Level Authentication (NLA)
Keep NLA enabled in your Windows Remote Desktop settings. This forces users to authenticate before a full RDP session is established, reducing the impact of potential RDP flaws.

Use a Dedicated Gateway
Avoid putting an SSH server on every Windows desktop. Instead, set up a single hardened Linux or Windows SSH gateway in your remote network, and use it to route RDP traffic to internal machines securely.

Troubleshooting Common Issues
Connection Refused: Verify that the SSH service is actively running on the remote host and that no local software is already occupying port 3390.
Authentication Failure: Check that your local SSH account has appropriate permissions to forward ports, and ensure your Windows user account belongs to the “Remote Desktop Users” group.
Lag and Latency: RDP traffic can get sluggish when packed into SSH TCP packets. If performance drops, lower the display color depth to 16-bit or disable desktop wallpaper in your RDP client settings.
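The tunnel from steps 2 and 3, plus the "port already in use" check from the Connection Refused item above, as an added bash script for a Linux or macOS client (this is example code, not part of the original guide). It goes slightly beyond the page's one-line ssh command: the local bind address 127.0.0.1 is given explicitly, the tunnel is backgrounded with -N -f, and ExitOnForwardFailure=yes makes ssh fail instead of silently running without the forward. All host names, ports and function names are placeholders of my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): open the RDP-over-SSH tunnel
# from a Linux/macOS client and check the local listener before launching
# the RDP client. Host names and ports are placeholders.
set -euo pipefail

# Build the ssh command for the -L forward used in step 2. The bind address
# 127.0.0.1 is given explicitly so the forwarded RDP port is reachable only
# from this machine, not from other hosts on the local network.
# -N: no remote command, -f: go to background once the forward is bound,
# ExitOnForwardFailure=yes: fail instead of silently running without the forward.
build_tunnel_cmd() {
  local lport=$1 rhost=$2 rport=$3 target=$4 sshport=${5:-22}
  printf 'ssh -N -f -o ExitOnForwardFailure=yes -p %s -L 127.0.0.1:%s:%s:%s %s' \
    "$sshport" "$lport" "$rhost" "$rport" "$target"
}

# True when the argument is a TCP port number in 1-65535.
valid_port() {
  [[ $1 =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# True when nothing is listening on 127.0.0.1:<port> (the "Connection Refused"
# case in Troubleshooting). Uses bash's /dev/tcp so no ss/netstat/nc is needed.
port_is_free() {
  ! (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# Usage: open_rdp_tunnel <local_port> <user@ssh_server> [remote_rdp_host] [remote_rdp_port]
open_rdp_tunnel() {
  local lport=$1 target=$2 rhost=${3:-127.0.0.1} rport=${4:-3389}
  valid_port "$lport" || { echo "invalid local port: $lport" >&2; return 1; }
  port_is_free "$lport" || { echo "127.0.0.1:$lport is already in use" >&2; return 1; }
  # Unquoted on purpose: the command string is split into arguments (none contain spaces).
  $(build_tunnel_cmd "$lport" "$rhost" "$rport" "$target")
  if port_is_free "$lport"; then
    echo "tunnel did not come up on 127.0.0.1:$lport" >&2
    return 1
  fi
  echo "Tunnel ready: point your RDP client at 127.0.0.1:$lport"
}

# Example invocation when run directly: ./rdp-tunnel.sh 3390 user@remote_ssh_server_ip
if [[ $# -ge 2 ]]; then
  open_rdp_tunnel "$@"
fi
```

Once the script reports the tunnel as ready, connect mstsc (or your RDP client) to 127.0.0.1:3390 exactly as in step 3.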
If you want to optimize this setup for your specific environment, let me know:
What operating system your local machine runs (Windows, Mac, or Linux?)
Whether you are connecting to a single PC or an entire corporate network
If you need help setting up SSH keys for passwordless login
I can provide the exact command scripts or config files tailored to your deployment.