4
1
My work computer, a Windows 7 Enterprise PC called WORKPC, is running Remote Desktop. I have configured Windows Firewall on WORKPC to allow access to the Remote Dekstop service from only two IP addresses: IP1 and IP2.
IP1 comes from a commercial VPN service that allocates me a static IP address. When I go home and run the VPN client I can connect to WORKPC using the Remote Dekstop client with no problem.
IP2 is the address of a Linux server GATEWAY at work I can ssh into from home. In order to use IP2 to remote desktop to WORKPC I use ssh and port forwarding on IP2:
ssh -vvv -L 1234:WORKPC.example.org:3389 GATEWAY.example.org
When I attempt to remote desktop from home using this port forwarding technique, I get the following error on my ssh connection:
debug1: Connection to port 1234 forwarding to WORKPC.example.org port 3389 requested.
debug2: fd 9 setting TCP_NODELAY
debug3: fd 9 is O_NONBLOCK
debug3: fd 9 is O_NONBLOCK
debug1: channel 3: new [direct-tcpip]
channel 3: open failed: connect failed: Connection timed out
To verify that port 3389 was open on GATEWAY I did a telnet 3389 and got a connection, so I am certain that port 3389 on WORKPC is open to GATEWAY.
Here is the configuration information:
# /etc/ssh/sshd_config
# sshd running on Debian wheezy
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
LoginGraceTime 300
MaxAuthTries 5
IgnoreRhosts yes
RSAAuthentication no
PubkeyAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
TCPKeepAlive yes
Subsystem sftp /usr/lib/openssh/sftp-server
I would prefer to use the ssh proxying method over paying the commercial VPN service to rent a static IP address. Can anyone suggest something I can try to get this to work?
rlandster
Posted 2013-08-22T03:05:27.043
Reputation: 988
what's the configuration of sshd on GATEWAY? Does it contain
AllowTcpForwarding no? – user1129682 – 2013-08-25T08:53:28.720Yes,
AllowTcpForwardingis allowed (i.e., there is no explicitAllowTcpForwardingdirective in the config file and forwarding is allowed by default). Also, other users have successfully used sshd on GATEWAY to forward other services (e.g., ssh and mysql). I will add the configuration to my question in case that helps. – rlandster – 2013-08-25T16:58:21.590Why not use a free service like logmein? – Sorean – 2013-08-25T17:07:07.267
I have used and like the LogMeIn service and their ilk. One problem with services like this is that the user experience is not as good as Remote Desktop: the response is slower and the video is not as smooth. Another, more important, issue is our security department has vetted and allowed remote access via RDP but not with a service like LogMeIn. – rlandster – 2013-08-25T18:50:41.467
Thought of something: newer remote desktop servers can use UDP (see http://blogs.msdn.com/b/rds/archive/2013/04/09/get-the-best-rdp-8-0-experience-when-connecting-to-windows-7-what-you-need-to-know.aspx). I don't think the ssh proxy I am using tunnels UDP. On the other hand, I don't think the server I am trying to connect to uses UDP, though.
– rlandster – 2013-08-27T03:02:30.007When your connection dies on debug, is that also from
telnet localhost 1234, or just directly trying RDP? If RDP, does the same thing happen with telnet? – SlightlyCuban – 2013-08-28T18:00:01.800