
My work computer, a Windows 7 Enterprise PC called WORKPC, is running Remote Desktop. I have configured Windows Firewall on WORKPC to allow access to the Remote Desktop service from only two IP addresses: IP1 and IP2.

IP1 comes from a commercial VPN service that allocates me a static IP address. When I go home and run the VPN client I can connect to WORKPC using the Remote Desktop client with no problem.

IP2 is the address of a Linux server GATEWAY at work I can ssh into from home. In order to use IP2 to remote desktop to WORKPC I use ssh and port forwarding on IP2:

ssh -vvv -L 1234:WORKPC.example.org:3389 GATEWAY.example.org

When I attempt to remote desktop from home using this port forwarding technique, I get the following error on my ssh connection:

debug1: Connection to port 1234 forwarding to WORKPC.example.org port 3389 requested.
debug2: fd 9 setting TCP_NODELAY
debug3: fd 9 is O_NONBLOCK
debug3: fd 9 is O_NONBLOCK
debug1: channel 3: new [direct-tcpip]
channel 3: open failed: connect failed: Connection timed out

To verify that port 3389 was open on GATEWAY I did a telnet 3389 and got a connection, so I am certain that port 3389 on WORKPC is open to GATEWAY.

Here is the configuration information:

# /etc/ssh/sshd_config
# sshd running on Debian wheezy
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
LoginGraceTime 300
MaxAuthTries 5
IgnoreRhosts yes
RSAAuthentication no
PubkeyAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
TCPKeepAlive yes
Subsystem sftp /usr/lib/openssh/sftp-server

I would prefer to use the ssh proxying method over paying the commercial VPN service to rent a static IP address. Can anyone suggest something I can try to get this to work?

  • what's the configuration of sshd on GATEWAY? Does it contain AllowTcpForwarding no? Commented Aug 25, 2013 at 8:53
  • Yes, AllowTcpForwarding is allowed (i.e., there is no explicit AllowTcpForwarding directive in the config file and forwarding is allowed by default). Also, other users have successfully used sshd on GATEWAY to forward other services (e.g., ssh and mysql). I will add the configuration to my question in case that helps.
    – rlandster
    Commented Aug 25, 2013 at 16:58
  • Why not use a free service like logmein?
    – Sorean
    Commented Aug 25, 2013 at 17:07
  • I have used and like the LogMeIn service and their ilk. One problem with services like this is that the user experience is not as good as Remote Desktop: the response is slower and the video is not as smooth. Another, more important, issue is our security department has vetted and allowed remote access via RDP but not with a service like LogMeIn.
    – rlandster
    Commented Aug 25, 2013 at 18:50
  • Thought of something: newer remote desktop servers can use UDP (see blogs.msdn.com/b/rds/archive/2013/04/09/…). I don't think the ssh proxy I am using tunnels UDP. On the other hand, I don't think the server I am trying to connect to uses UDP, though.
    – rlandster
    Commented Aug 27, 2013 at 3:02

3 Answers


Does the name WORKPC.example.org resolve correctly at GATEWAY? When forwarding ports the destination is resolved at the server, not the client, so any hostname errors will give symptoms like you describe. Try using WORKPC's IP address in your ssh command line.

Does WORKPC only have a public IP address, or does it have a private internal IP address that is NATted by a firewall? If GATEWAY sees the private internal IP address, that is what you should use in setting up your SSH tunnel.


Your ssh command might need an account name, like:

ssh -L 1234:WORKPC.example.org:3389 username@GATEWAY.example.org

It's quite an old question, but for me the problem was in the -L 1234:WORKPC.example.org:3389 part. The host workpc.example.org is known by the router, but not by the PC itself. So traffic goes from the SSH endpoint via the router again to port 3389, which is blocked by a firewall. -L 1234:127.0.0.1:3389 works.
