Sep 6

Remote Desktop through SSH with PuTTY and Tomato firmware

****** UPDATE 2009/01/12

Fixed the port numbers used as examples. Port numbers must not be greater than 65535.

Thanks Mike for noting this.

************************

First of all, for simplicity, let’s assume we have a desktop at home that we want to connect to (control remotely) using a laptop while we are at a friend’s home. We will use Remote Desktop to connect from the laptop to the home desktop. The home network is behind a router (firewall) compatible with Tomato (ex: Linksys WRT54GL).

Remote Desktop is a server application that uses the TCP/IP network to enable remote control of a machine. It listens on port 3389 for network connections. By default, Remote Desktop is disabled on Windows XP.

How to enable Remote Desktop on Windows XP (on the home desktop):

  • Start the system properties in the Control Panel (or right click “My Computer” and click properties).
  • Go to the “Remote” tab.
  • Enable remote desktop by checking “Allow users to connect remotely to this computer”.

Note 1: Don’t forget to set a password on the user you intend to use to connect remotely because Remote Desktop will prevent connection with blank passwords.

Note 2: By default, only users with administrative privileges are allowed to connect remotely.

Enable Remote Desktop on Windows XP

At this point, Windows can handle remote connections. To do it through the Internet you could simply forward port 3389 from your router to the machine, but at the same time you would expose your machine to the whole world. If you can connect to it, somebody else can try too.

Instead, we use a 3rd party firmware (called Tomato) on the Linksys router. This firmware allows us to connect using SSH (a secure command-line shell).

With SSH we can create encrypted communication links (called tunnels) between the laptop and the router. The SSH protocol requires a server, which also opens a listening port. We need to log in to this server to establish the SSH connection and create tunnels.

Why this instead of just opening Remote Desktop port (3389)?

  • Because we will use a *different password* (will we? well we should… and a strong one!) than the one on your computer.
  • If we had multiple computers to remote desktop to, we wouldn’t need to open additional ports, just create additional tunnels instead.
  • If somebody cracks our router password, he is still limited in what he can do: he has to find our machine and crack its password too.
  • We can make the SSH connection more secure by using a key file. This file is needed to establish the connection, so it adds another level of difficulty for a pirate…
  • The communication is encrypted between the two ends of the tunnel (more privacy).

So how to enable the SSH Server on the Tomato firmware?

  • Login to Tomato’s web interface
  • Go to Administration / Admin Access
  • In the SSH Daemon section, set the following:
    • Enable at startup: checked
    • Remote access: checked
    • Remote port: <choose one>
      (ex: 5555 — used from Internet)
    • Port: 22
      (used from inside the LAN)
    • Authorized Keys: <empty>
      (for simplicity of this post)

Note: Even though the screenshot shows port 22, we should use a port other than 22 (or 2222). If somebody discovers our machine using a port scanner, he will have to guess which protocol is behind the port (is it SSH, RDP, HTTP, FTP, etc.?). If we leave the default, the guess is easy.

Tomato SSH Daemon Configuration

The home computer is enabled for remote desktop and the router is configured for SSH. Now we need to establish the SSH connection/tunnels, so put the laptop in the backpack and let’s ride to our best friend’s! Since the laptop is also running Windows XP, we are going to use PuTTY, an open source SSH client (download it here).

Let’s configure PuTTY:

  • Start PuTTY and fill the information of the first tab:
    • Host name or IP Address: <enter yours>
    • Port: <the port you set earlier>
      (ex: 5555)
PuTTY - Session Tab
  • Configure tunnels in Connections / Tunnels tab:
    • Enter a source port: <choose>
      (ex: 15338)
    • Enter a destination address and port: <ip>:<port>
      (ex: 192.168.1.15:3389)
    • Local: Checked
    • Auto: Checked
    • Click add button

Note: The destination address and port is the address of our home desktop, which is usually in the 192.168.x.x range depending on the router. Our Linksys uses the 192.168.1.x range by default. The IP address could be anything within the range when it is assigned by a DHCP server. To make sure the desktop computer always has the same IP address, we can set a fixed address or configure the Tomato DHCP server to always assign the same one (see this post).

PuTTY - Tunnel Creation

When we open the SSH connection, PuTTY will open a local port defined by “source port”. All communication to that port will be encrypted and forwarded on the LAN to the specified destination address and port (ex: 192.168.1.15 port 3389).
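To make the mechanism concrete, here is an added example (not code from the post or from PuTTY) of a minimal local TCP forwarder written in Python. The forwarder’s listening port plays the role of PuTTY’s “source port”, and a small echo server stands in for the home desktop’s RDP service; the hosts and ports are chosen at run time on 127.0.0.1, so it runs offline. Unlike a real SSH tunnel, the second leg is not encrypted; the point is to show that the client always talks to localhost:<source port> and that the forwarder, not the client, knows where the other end is.

```python
# Added example (not code from the post): a minimal local TCP forwarder that
# mirrors what PuTTY does with a "Local" tunnel. The forwarder's listening port
# plays the role of the PuTTY "source port"; the echo server stands in for the
# home desktop's RDP service. Real SSH encrypts the second leg; this demo does not.
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen_loopback():
    """Bind a TCP listener on 127.0.0.1 with an ephemeral port and return it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock


def start_echo_server():
    """Stand-in for the destination service: echoes each connection back to itself.
    Returns (host, port) of the listener."""
    srv = _listen_loopback()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def start_forwarder(dest_host, dest_port):
    """Stand-in for the PuTTY "source port": accept on 127.0.0.1:<ephemeral> and
    relay each connection to dest_host:dest_port in both directions.
    Returns (host, port) of the listener."""
    lst = _listen_loopback()

    def serve():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection((dest_host, dest_port))
            except OSError:
                client.close()  # destination unreachable: an RDP client would see "cannot connect"
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lst.getsockname()


def send_through(host, port, payload):
    """Connect the way an RDP client would, send payload, return everything echoed back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Wire the pieces together: client -> forwarder (localhost) -> echo server."""
    echo_host, echo_port = start_echo_server()
    _, source_port = start_forwarder(echo_host, echo_port)
    # The client connects to localhost:<source port>, never to the destination's own address.
    return send_through("127.0.0.1", source_port, b"hello through the tunnel")


if __name__ == "__main__":
    print(demo())
```

The `demo()` call is the whole tutorial in miniature: the echo server is the “home desktop”, `start_forwarder` is PuTTY with its tunnel configured, and `send_through` is Remote Desktop pointed at localhost:<source port>. Pointing the client at the destination’s own address and the source port would fail, because nothing is listening there; only the local entrance of the tunnel exists on the laptop.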

Now let’s log in to the SSH server:

  • Click the Open button, a black screen should appear.
  • We now have to enter the router’s username and password
PuTTY - Login

The only step left is to run Remote Desktop Connection software on the laptop:

  • Open up remote desktop and specify the computer:
    • localhost:<source port>
      (ex: localhost:15338)
  • Click connect
Remote Desktop Login

Voilà, we are now controlling the home desktop from outside the house using the laptop!

Specifications of the software used in this post:

Tomato firmware version 1.21.1515
PuTTY version 0.60
Windows version Windows XP Service Pack 3

44 Comments so far

  1. Amit September 14th, 2008 11:06 am

    I didn’t follow your last two paragraphs. I’m using openSSH. Can you briefly explain how I do that using a command line client such as that? What exactly is the port forwarding scheme in your example? What is the tunnel between, the home desktop and the router? Which port do you connect to on the laptop? Aren’t you supposed to connect to your dyndns address and a public port such as the example 5555?

    Thanks,

    Amit

  2. Amit September 14th, 2008 11:14 am

    More accurately, what if I want to create a tunnel between my sshd on my home desktop and my router? Can one forward port 22?

    Thanks,

    Amit.

  3. Pascal September 14th, 2008 3:35 pm

    I can’t give an example using openSSH client because I don’t have it on my Windows installation. Let me come back to you when my Ubuntu installation will be up.

    The tunnel is not between the home desktop and the router but between the laptop and the router. The communication goes like that:
    Laptop –> Internet –> Home Router –> Home Desktop

    More precisely:
    1. Laptop
    2. Local port (ex: 153389)
    3. Internet (SSH Tunnel)
    4. Public IP address / port 5555
    5. Home Router (end of tunnel)
    6. Home desktop (dest. port 3389)

    In this scenario you don’t need to configure port forwarding, just configuring the SSH Deamon on the router. But if you are running an SSH Deamon directly on the desktop, then you would need to configure port forwarding.

    Is this clearing things up?

    Pascal.

  4. Pascal September 15th, 2008 8:46 pm

    here is how to connect to the router and establish an SSH Tunnel using OpenSSH command line client:
    (this has been tested with Ubuntu 8.04)

    ssh -L 13389:192.168.1.15:3389 root@mysite.dyndns.org

    This opens the port 13389 on the local computer (Laptop) and forwards it to port 3389 of the home desktop.

    Then you can use Terminal Server Client (rdesktop GUI) to connect to:
    localhost:13889

    Pascal.

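The OpenSSH form of the same tunnel, written out as an added example that is not part of the post or of the comment thread above: it builds the `ssh -L` command line from the tutorial’s values and adds two things a practitioner would want, the port-range check from the 2009 update note (a value such as 153389 is rejected before it reaches ssh) and the `-p` flag, because the router’s remote SSH port in the tutorial is 5555 rather than the default 22. The host name and addresses are the ones used on the page; the user and ports are placeholders you replace with your own.

```python
# Added example (not from the post or the comment thread): build the OpenSSH
# equivalent of the PuTTY tunnel, with the port checks the 2009 update note
# calls for. Host names, user and ports are placeholders for your own values.
import shlex

MAX_PORT = 65535  # TCP ports are 16-bit; a value like 153389 is invalid


def check_port(value, name):
    """Return value if it is a valid TCP port (1..65535), else raise ValueError."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= MAX_PORT:
        raise ValueError(f"{name} must be an integer between 1 and {MAX_PORT}, got {value!r}")
    return value


def build_ssh_tunnel_command(user, router_host, router_ssh_port, local_port, dest_host, dest_port):
    """Return argv for an OpenSSH local forward:

        ssh -N -p <router_ssh_port> -L 127.0.0.1:<local_port>:<dest_host>:<dest_port> <user>@<router_host>

    -N : open the tunnel only, do not start a remote shell
    -p : the router's *remote* SSH port (the post uses 5555, not the default 22)
    -L : bind the source port on 127.0.0.1 so only this laptop can use the tunnel
    """
    if not user or not router_host or not dest_host:
        raise ValueError("user, router_host and dest_host are required")
    check_port(router_ssh_port, "router SSH port")
    check_port(local_port, "local (source) port")
    check_port(dest_port, "destination port")
    forward = f"127.0.0.1:{local_port}:{dest_host}:{dest_port}"
    return ["ssh", "-N", "-p", str(router_ssh_port), "-L", forward, f"{user}@{router_host}"]


def format_command(argv):
    """Render argv as a shell-safe command line for display or copy-paste."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    argv = build_ssh_tunnel_command("root", "mysite.dyndns.org", 5555, 13389, "192.168.1.15", 3389)
    print(format_command(argv))
    # Then point Remote Desktop (or rdesktop) at localhost:13389.
```

Run the script and paste the printed command into a terminal; the tunnel stays up until you interrupt ssh, and Remote Desktop connects to localhost:13389 exactly as in the PuTTY walkthrough.
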
  5. Jake December 2nd, 2008 2:49 pm

    I am having issues using PuTTY to even connect to my router.

    My IP address on my machine is 192.168.1.107. Do I place this IP in both Session tab and the Connections>Tunnel tab?

    So in Putty…
    Session: 192.168.1.107 remote port # (set on the router)
    Tunnels: 192.168.1.107 port # (set on the router)
    Does the local/source port matter 153389?

  6. Pascal December 2nd, 2008 3:50 pm

    1st of all, are you connecting to your router from your LAN or from the Internet? The router has 2 IP addresses of its own.
    1- Public IP address given by your Internet Service Provider
    2- LAN IP address

    In Session you should set one of the IP address of the router (use LAN IP if you are connecting from your LAN, use public IP if connecting from the Internet).

    192.168.1.107 is the IP address of the machine you are trying to reach or the IP address of the machine you are running PuTTY from?

  7. Jake December 2nd, 2008 4:05 pm

    192.168.1.107 is the IP of the machine I am trying to reach.

    68.xxx.xxx.xxx is the ISP provider IP

    192.168.1.1 is the router LAN IP

    I am trying to connect from the internet.

  8. Jake December 2nd, 2008 11:09 pm

    I was able to get it to work. Thanks.

  9. Mike January 7th, 2009 10:53 am

    Great writeup! Many thanks indeed.

    One thing to add is that you don’t want to make any of your ports higher than 65535. Anything above that will be invalid.

  10. Agbey January 10th, 2009 5:59 pm

    Your site is very helpful Pascal Thanks
    But I have a problem here. When I enter my router’s password after I connect through PuTTY, it says access denied. Do you know what might be causing this? Anyway right now I’m at home trying to make sure it works before I go out.
    Thanks

  11. Brad January 10th, 2009 9:38 pm

    Great tutorial Pascal!

    I have an issue here; I am able to SSH to my router; however, I can’t get the Windows remote desktop to work. I have followed your guide step by step but no luck. Basically, Windows RDP fails to establish a connection.

    I appreciate your help.

  12. Pascal January 11th, 2009 8:25 pm

    @Agbey
    Are you sure you are using the right password? Are you using root as your username?

    @Brad
    Does it fail instantly? or there is a delay (timeout) before it fails? Are you able to perform remote desktop connection without SSH (from your local network)? Do you use a 3rd party firewall on your machine? For testing, did you try to disable your firewall?

    Pascal.

  13. Brad January 12th, 2009 12:31 am

    Hi Pascal,

    Yes, I am able to perform remote desktop connection without SSH. I just forward port 3389 in my router, and then I use “Remote Desktop Connection” in Windows on my work computer to connect to my home computer; this works perfectly fine.

    Through SSH with PuTTY, however, I am only able to connect to my router, and access it through command line after entering my password. Now the problem is when I try to connect to my home computer using the “Remote Desktop Connection” in Windows, I get the error message – after about 10 seconds – “This computer can’t connect to the remote computer. Try connecting again. If the problem continues contact the owner of the computer or your network administrator.” This happens all the time.

    The following is all my settings:

    – Home computer (Host):
    Windows printer and file sharing: enabled in firewall
    Windows user account: password protected
    OS: Tried both on Vista (Norton Firewall) and XP (Windows native firewall)

    – Router:
    Enable at Startup: check
    Remote Access: check
    Remote Port: 22456
    Port: 35467
    Allow Password Login: check
    Start now: active

    – Work computer:
    PuTTY:
    Host IP: x.x.x.x port: 22456
    Tunneling:
    Source port: 23432
    Destination: 192.x.x.x:3389

    – Remote Desktop on work computer:
    Computer: 192.x.x.x:23432

    I did try disabling the Norton firewall on my Vista machine, but no luck again.

    I even asked my friend to connect to my computer from his home and he experienced the exact same issue! I can’t think of anything else!

    Thanks in advance.

  14. Pascal January 12th, 2009 8:27 am

    I think I see the problem. Let’s say your destination (home) computer IP is 192.168.1.20, on your work computer you are trying to connect to 192.168.1.20:23432?

    In fact, the tunnel is a pipeline with 2 entrances, 1 on your work computer and one on the router. The work computer does not know what is at the other end of the tunnel, only the SSH client (PuTTY) knows, so the work computer has to specify the address of the local entrance (localhost).

    From your work computer try using the following address:
    localhost:23432
    (see last screenshot)

  15. Pascal January 12th, 2009 8:47 am

    @Mike

    You are right about port range. I will fix my tutorial and screenshots…

  16. Agbey January 12th, 2009 8:55 pm

    Thanks pascal
    I was using admin instead of root as the user name. Now it works like magic.
    But at hope I connect to the router interface using admin as the user name

  17. Pascal January 12th, 2009 10:44 pm

    I am glad that you finally succeeded. I admit it is ambiguous that both admin and root work for connecting to the router’s web interface but not at the command line (SSH)… I guess it is inherited from the original Linksys firmware…

    Pascal.

  18. Brad January 12th, 2009 10:57 pm

    Thanks Pascal! It’s working just fine now! You rock! ;)

  20. Eric February 7th, 2009 7:51 pm

    I have been running Tomato for quite a while now. SSH can become a really powerful tool. Especially with anonymous web browsing.

    Here is a guide that got me started:

    http://lifehacker.com/software/ssh/geek-to-live%E2%80%94encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php

    Also have you tried Victek’s Tomato mod? It adds a lot of features and improves responsiveness under many connections. Also I like the new skin choices and speed limiter options.

    Link:

    http://victek.is-a-geek.com/tomato.html

  21. Pascal February 7th, 2009 9:04 pm

    Hi Eric,
    I have used an SSH tunnel as a proxy in the past because my work network was denying some protocols and ports (they were denying non-standard ports for a protocol. Ex: HTTP on port 8080, or HTTPS on something other than 443). However, from what I understood when I tried this, you are not totally “anonymous” because the DNS names are still resolved outside of the tunnel. So they may know which domain you go to, but not which page you downloaded.

    It is sad that Victek’s mod has no screenshots on the link you provided :(. Is it explained why it is more responsive? I should take a look when I have time…

    Pascal.

  22. kevin February 17th, 2009 8:53 pm

    Worked perfectly, thanks a ton!

  23. Eric March 4th, 2009 7:11 pm

    Hey Pascal,

    Victek’s Tomato mod is based on Roadkill’s speedmod (at least the changes are based on that). You can read more about the changes on this page.

    http://touristinparadise.blogspot.com/2008/04/linksys-wrt54gl-routers-improving.html

    I am running Victek’s mod for a while now. Overall it is Tomato (when you change the skin back), but all those little tweaks and addons are great (they are all listed on the previous link)

  24. Tom March 6th, 2009 5:00 pm

    For ‘anonymous’ proxy surfing with http + putty, if you are using firefox you can change “network.proxy.socks_remote_dns” to true to have the DNS requests done on the proxy, rather than the client, see: http://kb.mozillazine.org/Network.proxy.socks_remote_dns

  25. Pascal March 9th, 2009 6:22 am

    Thanks Tom!

  26. Martin March 24th, 2009 5:01 am

    Will this work with rdp remote sound?

  27. ratchet March 28th, 2009 7:21 am

    Pascal, don’t know if you remember me or not, however, on your “Tomato Firmware: Remote Desktop Through SSH, using W-O-L and …” blog we had communicated about the inability to broadcast an address using a WRT54GS router.
    I was able to resolve that issue using this script and Tomato:
    sleep 5
    ip neigh change 192.168.1.254 lladdr 01:02:03:04:05:06 nud permanent dev br0
    ip neigh add 192.168.1.254 lladdr 01:02:03:04:05:06 nud permanent dev br0
    The magic packet and that script work perfectly, the only down side is leaving a port open. I found the “SSH Wake” directions a little confusing, however, the directions in this “how to”, especially with the screenshots are great. All I want to do is wake the desktop with my laptop when visiting my children. I would then use TeamViewer (http://www.teamviewer.com/index.aspx). What do I amend in these directions to only securely wake the desktop? Thank You!

  28. Pascal March 28th, 2009 10:13 am

    Yes I remember! Welcome back ;)

    I guess the way to make my opened SSH port more secure would be to use key files, which are more secure by nature than a simple password. If we could (I need to verify) force both password and key file, that would be even more interesting.

    Pascal.

  29. ratchet March 28th, 2009 10:49 am

    Thank you for the response. You are the master! OK, so this is where I’m confused:
    1. In the Initialization script of the firmware (Administration / Scripts / Init tab), type this:
    echo "/usr/bin/ether-wake 01:02:03:04:05:06" > /tmp/home/root/wakeup-mycomputer.sh
    (change 01:02:03:04:05:06 to the mac address of the computer you want to wake-up)
    2. Save and reboot the router, you should see the file “wakeup-mycomputer.sh” appear in the root home directory when you connect using SSH.
    3. Try it “sh wakeup-mycomputer.sh”
    When/if I log in remotely to the router, what must I do, or will it auto start to wake the desktop? Secondly, do I still need to port forward? If I do, for security reasons, I could just enable the forwarding after I’m connected to the router and then initiate wake. Would this work and how would I do that? I test this these things using Hotspot Shield, a free VPN. Again, thank you for your time!

  30. Pascal March 28th, 2009 11:16 am

    You cannot easily permanently write data on the file system of the router. The home folder is in RAM. So the init script is just there to generate the file with your mac address so you don’t have to remember. The init script is permanently saved on the router’s flash somewhere.

    the magic packet is sent at the moment you execute sh wakeup-mycomputer.sh. There is no automation.

    If you configure SSH tunnels, you do not need to enable port forward because the communication will be “tunneled” through the SSH connection up to your LAN.

    Pascal.

  31. ratchet March 29th, 2009 12:21 am

    Pascal, I haven’t tried this yet, but I will hopefully tomorrow. I woke up and remembered something; in the meantime, could you kindly hide my MAC in my post above. I realize without an IP it’s benign but it is kind of the principle of the thing.

  32. Pascal March 30th, 2009 8:03 am

    Done. I usually edit posts to replace public IP addresses and MAC addresses with fake when I notice… :)

  33. ratchet March 30th, 2009 9:00 am

    Thank you so much for correcting my carelessness! I’d entered that script weeks ago and forgot what all it entailed and just pasted it here.

  34. java April 28th, 2009 11:19 pm

    You are awesome. It worked like a charm. Initially I ran into some issues where I have been getting connection timeout at putty session since my vonage phone adapter was directly connected to cable modem and my router was behind the phone adapter. I changed the configuration and made my phone adapter behind the router/firewall. My router is now directly connected to cable modem.

  35. Kim June 27th, 2009 4:30 pm

    It took me a little while, but I figured it out. Had some issues getting my router configured properly. But now it works! Thanks so much, your instructions were awesome.

  36. Hua August 16th, 2009 12:02 am

    I have been trying to get some help regarding the router’s port. I have set up a DDNS, and would like to have access to the router’s port 5070. Is there any way to open the port? Please help me!

    Thanks a lot.

  37. alfred December 11th, 2009 5:14 pm

    worked great! thanks.

  39. Kristy March 8th, 2010 3:59 pm

    I can’t get it to work. I tried for a long time but I just could not get it right. I did get a connection up in just a few minutes using a demo of remote desktop software I stumbled upon. Why are third parties able to solve these issues so easily while MS just stumbles and fails?

  40. Doug November 23rd, 2010 10:44 pm

    I can’t get it to work. I can SSH into my router but remote desktop isn’t working. I’ve tried localhost:15338 (local port) and I get Remote Desktop cannot connect after a few seconds. remote desktop is enabled on the other machine (windows 7).

  41. Geoff November 29th, 2010 7:23 am

    Just to say that I followed your tutorial carefully and it worked first time. This was rather a pleasant surprise as I had been unable to get remote desktop working in the traditional way.

    My system: Win7 Ult –> Tomato (Victek) router –> XP Pro

    Thanks :)

  42. Geoff December 1st, 2010 1:10 pm

    Just a note for those whose router’s web IP address changes from time to time (i.e. dynamic). You can register with a free DNS service (search for Dynamic DNS) who will give you a fixed host name, e.g. myhouse.dnsservice.com which is mapped to your present IP address. Of course, your router or host computer needs to inform them of your new IP whenever it changes.
    My router has a function for doing this (Tomato software with Victek mod), but if yours doesn’t the DNS service will give you an app for your host computer that will do the same job.

    So in PuTTY instead of entering your router’s IP address you enter myhouse.dnsservice.com

  43. Wizz January 31st, 2011 6:58 am

    Why tunneling? RDP already has 128-bit RC4 encryption (since ver 6).
    Tunneling would be overkill imo.

  44. Dominic August 8th, 2011 1:04 am

    Worked like a charm. Thanks!
