Tunnel Icon

Port forwarding Windows RDP traffic via SSH

Following up on an earlier article about using SSH to bind and tunnel Chrome’s socks5 proxy through to a server within AWS. In this quick tutorial we’ll cover how to set-up port forwarding so that RDP traffic can be sent via SSH.

AWS Infrastructure Diagram

The diagram above outlines a typical AWS infrastructure, where a client machine connects to a bastion host within an infrastructure VPC. From there you want to access the Windows server within your main VPC.

As the bastion host is typically a Linux server, you can SSH into the server forwarding port 3389 on your local machine to port 3389 on the Windows server.

Below is an example command to setup the port forwarding:

ssh -L 3389: -l ec2-user -N

The capital -L switch instructs SSH to perform port forwarding. is the private IP address of the Windows server and is the public facing IP address of the bastion server.

The small -l switch stands for login_name and tells SSH which username to log into the bastion host with, in this case ec2-user. The final command line switch -N instructs SSH not to execute a remote command on the bastion server.

Once the SSH connection is established you can configure your RDP client to connect to localhost using the Windows username and password. The traffic will be re-routed from the local port to the remote port.

I hope you found this article useful, you can discuss it on Twitter
I create educational content for developers, hoping to inspire and teach with a deep understanding.

Paul Bradley