Using Port Forwarding for RDP Through a Linux Bastion Host to Connect to a Windows VM on EO-Lab

Setting up an intermediary VM, a so-called bastion host, to better protect other VMs in a different network behind it, can vastly improve network security since possible points of entry are reduced to just one. While this can be done for any type of system, in this article we will focus on a Linux bastion host and Windows VMs.

With this setup, you do not connect to your Windows VM directly over RDP. Instead, the RDP connection is tunneled through SSH and is not directly visible to others.

This method is especially useful if you have concerns that your RDP connection might be compromised or if using RDP without additional security measures is impossible or even illegal. It also allows you to use a single floating IP address to connect to multiple Windows VMs.

Requirements:

  • Linux virtual machine with SSH access - the bastion host

  • Windows virtual machine(s) located in the same network as the bastion host

  • The password for the Administrator account has been changed via the OpenStack dashboard console

  • The following security group is assigned to your VMs: allow_ping_ssh_icmp_rdp

Step 1. Information required to establish connection with the bastion host.

Launch PuTTY and change the settings as follows:

Session tab: Provide the bastion host’s floating IP address and the SSH port (default 22).

Connection > Data tab: Set auto-login username as “eouser”.

Connection > SSH > Auth tab: Select private key in .ppk format.

Connection > SSH > Tunnels: Provide the source port for the localhost RDP connection and the destination, written in the format “private IP address of Windows VM:RDP port”.

Click the “Add” button to confirm the changes.

Your forwarded port should now be visible in the upper tab.

Provide a name for the session and save your config to avoid having to repeat the whole process every time you would like to connect to your instance again.

Step 2. Open a Connection in PuTTY

Click “Open” to establish the connection.

Step 3. Start an RDP Session to Localhost to Reach the Destination Server

Set the localhost address:port selected in step 2 (in this case it is either 127.0.0.1:8888 or localhost:8888 - you can choose whichever you prefer).

Set the username as “Administrator”.

Click “Connect” and enter your VM’s administrator password (the one you’ve previously set in the OpenStack console).

Confirm the connection in the certificate prompt.

With this, you’re now successfully connected to your Windows VM.
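
The same tunnel can be opened with the OpenSSH client instead of PuTTY. The script below is an added example, not part of the original article: it builds one ssh command that forwards a separate local port to each Windows VM behind the single bastion floating IP, and binds every forward to 127.0.0.1. The function names, the sample addresses and the key path are assumptions, and the private key is assumed to be in OpenSSH format rather than .ppk.

```shell
#!/usr/bin/env bash
# Added example: OpenSSH equivalent of the PuTTY tunnel settings above.
# All addresses and the key path are constructed samples.

RDP_PORT=3389  # default RDP port on the Windows VMs

# valid_ipv4 ADDR: succeeds if ADDR is a dotted quad with octets 0-255.
valid_ipv4() {
  local IFS=. o
  case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# tunnel_cmd BASTION_IP KEY LPORT:PRIVATE_IP [LPORT:PRIVATE_IP ...]
# Prints one ssh command forwarding each local port to one Windows VM.
tunnel_cmd() {
  [ $# -ge 3 ] || { echo "usage: tunnel_cmd BASTION KEY LPORT:IP..." >&2; return 1; }
  local bastion=$1 key=$2 map lport ip seen=" " args=""
  shift 2
  valid_ipv4 "$bastion" || { echo "bad bastion address: $bastion" >&2; return 1; }
  for map in "$@"; do
    lport=${map%%:*} ip=${map#*:}
    case $lport in ''|*[!0-9]*) echo "bad port: $lport" >&2; return 1 ;; esac
    # Unprivileged range only, so no admin rights are needed locally.
    [ "$lport" -ge 1024 ] && [ "$lport" -le 65535 ] || { echo "port out of range: $lport" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad VM address: $ip" >&2; return 1; }
    case $seen in *" $lport "*) echo "duplicate local port: $lport" >&2; return 1 ;; esac
    seen="$seen$lport "
    # Bind to 127.0.0.1 so only this workstation can use the forward.
    args="$args -L 127.0.0.1:$lport:$ip:$RDP_PORT"
  done
  # -N: open no remote shell; ExitOnForwardFailure: stop if a forward cannot be set up.
  echo "ssh -N -o ExitOnForwardFailure=yes -i $key$args eouser@$bastion"
}

# Constructed sample: two Windows VMs behind one bastion floating IP.
tunnel_cmd 203.0.113.10 bastion_key 8888:192.168.0.11 8889:192.168.0.12
```

Run the printed command, then point the RDP client at 127.0.0.1:8888 or 127.0.0.1:8889 as in step 3.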
