I recently had to allow remote access for a few users so they could connect to their Windows PCs in the office using Remote Desktop Connection. This was just for a small network which didn’t have a Windows server, so no Remote Desktop Gateway. We could have just used something like TeamViewer, but since the PCs all have Remote Desktop installed anyway I just used that.
Obviously opening up the RDP port to the internet is not an option, so instead I gave each user their own login on the Linux server so that they could open a tunnel over SSH to connect to Remote Desktop on their office PC. They didn’t need a shell on the server, so that could be disabled in /etc/passwd by setting the shell to /bin/false. They just needed to be able to log in and let SSH create the tunnel.
Luckily Windows 10 now comes with OpenSSH and it seems to be installed by default in later versions, so it was pretty easy for the users to connect from their Windows PCs at home after I gave them a batch file to open the tunnel to their individual PCs and then start the RDP session.
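The following command will open up a tunnel from port 33389 on the local PC to port 3389 (RDP) on their PC in the office, which in this case is called DESKTOP-Q3R4RD2. If DNS isn’t working in the office then you will have to use the PC’s IP address instead. The -N option stops ssh from requesting a shell; because the account’s shell is /bin/false, a normal session would exit straight away and take the tunnel down with it.
ssh -N -L 33389:DESKTOP-Q3R4RD2:3389 username@officeserver.net -p 22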
I actually forwarded port 443 on the router to our SSH server since I knew port 443 would probably always be allowed from their home connections, but you can use almost any port you want really or just leave it as the default 22.
Once logged into the SSH session the user just needs to leave it open and start up the Remote Desktop Connection app on the home PC and connect to the address localhost:33389. They will then actually be logging into the office PC.
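Setting the shell to /bin/false stops interactive logins, but with sshd's default settings the account can still ask the server to forward to any host and port it can reach. The sshd_config fragment below is an added example, not part of the original setup, that pins each account to RDP on its own PC; the usernames alice and bob and the PC name DESKTOP-EXAMPLE2 are made up for illustration.

```conf
# /etc/ssh/sshd_config on the office SSH server (added example).
# "alice" and "bob" are made-up accounts. DESKTOP-Q3R4RD2 is the PC name
# used in this post; DESKTOP-EXAMPLE2 is a placeholder.

# Weak (sshd defaults): any account that can authenticate may run
# "ssh -L" towards any host and port the server can reach.
#   AllowTcpForwarding yes
#   PermitOpen any

# Tighter: one Match block per user. Match blocks must come after all
# global settings, so keep them at the end of the file.
Match User alice
    # Allow local (-L) forwards only, no remote (-R) forwards
    AllowTcpForwarding local
    # Only RDP on this user's own office PC. The name is compared
    # literally, so the -L argument must use exactly this spelling
    # (or list the IP address here if users connect by IP).
    PermitOpen DESKTOP-Q3R4RD2:3389
    # Nothing else is needed for a tunnel-only account
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no

Match User bob
    AllowTcpForwarding local
    PermitOpen DESKTOP-EXAMPLE2:3389
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
```

Run sshd -t to check the file for syntax errors before reloading the SSH service.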
OpenSSH server is also part of Windows 10 now, but you might need to go and “Turn Windows features on or off” to enable it. This means you can just use another Windows PC inside the office to act as the SSH tunnel server.