Sunday, January 31, 2010

Using Windows 7 remote desktop over SSH on a Linksys router

SkyHi @ Sunday, January 31, 2010


One of the easiest methods to allow remote access to your home PC involves opening and forwarding port 3389 on your router to your PC’s internal IP address. This works in most situations, but not always. This article describes how to run an SSH server on your home router (Linksys, Buffalo, Broadcom-based routers) to tunnel the windows remote desktop client (RDP) through the SSH tunnel to bypass firewall restrictions and to secure the RDP session. Not only can you use this to gain access to your home computer remotely, but you’ll have a full fledge proxy that doesn’t require you to keep your home computer powered on, only your router. The proxy is great for browsing the web on public WIFI or untrusted networks. When I travel, especially in places like China where it’s well known that the government harvests usernames and passwords, I ONLY access the internet through my remote machine tunneled through SSH.

Step 1. Configure SSH on your home router

By default, your router will most likely not have an SSH server. The fix is to use a replacement firmware, which several exist: I’m using Tomato on my Linksys WRT54G, so I’ll describe how to configure that. In addition to running SSH on your router, you’ll get features that typically come with very expensive equipment which makes upgrading to Tomato worth it for that alone. Tomato SSH
  1. First, make sure your router is supported, if it isn’t, you might try one of the other firmwares listed above. If it is, download Tomato.
  2. Follow the instructions provided by Tomato to install the firmware. Once installed, get your network and internet connection back up.
  3. Log in to the tomato web interface, usually at
  4. Go to Administration > Admin Access and find “SSH Daemon
  5. Configure the following:
    1. Check “Enable at Startup”
    2. Check “Remote Access”
    3. Set “Remote Port” to: 443
    4. Set “Port” to: 22
    5. Check “Allow Password Login”
    6. Scroll down and set a strong password
    7. Click “Save”
Make sure you use a strong password, and remember it. The reason port 443 is used instead of the standard SSH port 22 is that quite frequently port 22 is blocked while 443 is open.

Step 2. Enable Remote Desktop (RDP) on your home computer

I won’t cover the specifics steps to enabling RDP, but will provide you with a general overview since if varies through different versions of Windows. You will surely be able to find exact steps with a quick Google search. On most systems, you can right-click on the “My Computer” icon, click “properties”, and go to the “remote” section. You’ll want to enable it and allow it to open RDP in the windows firewall.

Step 3. Get your PC’s private IP address

Step 4. Get your public IP address

You can quickly find your public IP address in Tomato or by using What Is My IP. This will be fine for testing, but mostly likely this IP address will change frequently. Tomato supports updating dynamic DNS services like DYDNS. DYDNS offers both free and paid services. The paid services allow you to use your own domain instead of using the domains provided by DYDNS.

Step 5. Download Putty, the SSH client

Putty is a free SSH client that needs to be on the computer you want to remotely connect from. It can be downloaded here. It’s a single executable file that doesn’t need to be installed. It’s best to place putty.exe in your C:\Windows directory so it’ll be easily accessible from the command prompt and scripts.

Step 6. Create a batch script

You don’t absolutely have to create a batch script, but the command is rather long and hard to remember, so I recommend it. I actually keep a copy of it on my Linksys router so I can easily download it if I don’t have access to it otherwise. This is the command you’ll need to start an SSH tunnel from a remote computer to your home computer:
<code>putty -D 8080 -P 443 -ssh HOME_PUBLIC_IP -L</code>
  • -D 8080 sets up a SOCKS proxy listening on port 8080. This allows you to configure any application that supports using a SOCKS proxy to tunnel through your SSH proxy. To use this in an application, set as the proxy address and 8080 for the port. This will allow you to browse the web securely in remote locations and also bypass any restrictions imposed on you by the remote network.
  • -P 443 specifies the listening port of the SSH server that you want to establish a connection with.
  • -L says to listen on localhost port 3333 and forward all traffic to your home private IP address on port 3389.
You can change both 8080 and 3333 to any available port.

Step 7. Use RDP

Execute the command created above either by issuing it in a command prompt or executing the bat file if you created one. Putty will open and ask for the username and password set while configuring Tomato. The username is: root. Now that you have your SSH tunnel, launch remote desktop (an easy way is to type MSTSC in the run box). Connect to RDP