Archive for September, 2008

Remote Desktop through SSH with PuTTY and Tomato firmware

September 06th, 2008 | Category: How-To

****** UPDATE 2009/01/12

Fix on the port numbers used as example.  Port numbers must not be bigger than 65535. 

Thanks Mike for noting this.

************************

First of all, for simplicity, let’s assume we have a desktop at home that we want to connect to (control remotely) using a laptop while we are at a friend’s home. We will use Remote Desktop to connect from the laptop to the home desktop. The home network is behind a router (firewall) compatible with Tomato (ex: Linksys WRT54GL).

Remote Desktop is a server application that uses TCP/IP network to enable remote control of a machine. It opens the port 3389 to handle network communications. By default Remote Desktop is disabled on Windows XP.

How to enable Remote Desktop on Windows XP (on the home desktop):

  • Start the system properties in the Control Panel (or right click “My Computer” and click properties).
  • Go to the “Remote” tab.
  • Enable remote desktop by checking “Allow users to connect remotely to this computer”.

Note 1: Don’t forget to set a password on the user you intend to use to connect remotely because Remote Desktop will prevent connection with blank passwords.

Note 2: By defaut, only users with the administrative priviledges are allowed to connect remotely.

 Enable Remote Desktop on Windows XP

At this point, Windows can handle remote connections.  In order to do it through the Internet you could simply forward the port 3389 from your router to the actual machine but at the same time you would expose your machine to the whole world. If you can do it, somebody else can try too.

Instead, we use a 3rd party firmware (called Tomato) on the Linksys router. This firmware allows us to connect using SSH (a secured command line shell).

With SSH we can create encrypted communication links (called Tunnels) between the laptop and the router. SSH protocol requires a server that will also open a listening port. We need to login to this server to establish the SSH connection and create tunnels.

Why this instead of just opening Remote Desktop port (3389)?

  • Because we will use a *different password* (will we? well we should… and a strong one!) than the one on your computer.
  • If we would have multiple computers to remote desktop to, we wouldn’t need to open additional ports, just create additional tunnels instead.
  • If somebody cracks our router password, he is still limited in he can do, he has to guess/find our machine and crack its password.
  • We can make SSH connection more secured by using a key file. This file is needed to establish the connection link, so another level of difficulty for a pirate…
  • The communication is encrypted between the two ends of the Tunnels (more privacy)

So how to enable the SSH Server on the Tomato firmware?

 

  • Login to Tomato’s web interface
  • Go to Administration / Admin Access
  • In SSH Deamon section, set the following :
    • Enable at startup: checked
    • Remote access: checked
    • Remote port: <choose one>
      (ex: 5555 — used from Internet)
    • Port: 22
      (used from inside the LAN)
    • Authorized Keys: <empty>
      (for simplicity of this post)

Note: Even if the screenshot shows this, we should use a different port than 22 (or 2222). If somebody discover our machine using a port scanner, he will have to guess what is the protocol (is it SSH, RDP, HTTP, FTP, etc?). If we leave the default, the guess is easy.

 Tomato SSH Deamon Configuration

The home computer is enabled for remote desktop and the router is configured for SSH. Now we need to establish the SSH connection/tunnels, so put the laptop on the backpack and let’s ride to our best friend! Since the laptop is also running Windows XP, we are going to use PuTTY, an open source SSH client software (download it here).

Let’s configure PuTTY:

  • Start PuTTY and fill the information of the first tab:
    • Host name or IP Address: <enter yours>
    • Port: <the port you set earlier>
      (ex: 5555)
 PuTTY - Session Tab
  • Configure tunnels in Connections / Tunnels tab:
    • Enter a source port: <choose>
      (ex: 15338)
    • Enter a destination address and port: <ip>:<port>
      (ex: 192.168.1.15:3389)
    • Local: Checked
    • Auto: Checked
    • Click add button

Note: The destination address and port is the address of our home desktop which is often in the range of 192.168.x.x depending on the router.  Our Linksys uses 192.168.1.x range by default.  IP address could be anything within the range when address is assigned by a DHCP server.  To make sure the desktop computer always have the same IP address, we can set a fixed address or configure Tomato DHCP server to always assign the same (see this post)

 PuTTY - Tunnel Creation
PuTTY - Tunnel Creation

When we are going to open the SSH connection, PuTTY will open a local port defined by “source port”.  All the communication to that port will be encrypted and forwarded on the LAN to the destination address and port specified (ex: 192.168.1.15 port 3389).

Now let’s login to SSH Server

  • Click the Open button, a black screen should appear.
  • We now have to enter the router’s username and password
 PuTTY - Login
PuTTY - Login

The only step left is to run Remote Desktop Connection software on the laptop:

  • Open up remote desktop and specify the computer:
    • localhost:<source port>
      (ex: localhost:15338)
  • Click connect
 Remote Desktop Login

Voilà  we are now controlling the home desktop from outside the house using the laptop!

Specifications of the software used in this post:

Tomato firmware version 1.21.1515
PuTTY version 0.60
Windows version Windows XP Service Pack 3
39 comments