Using Port Forwarding for RDP Through a Linux Bastion Host to Connect to a Windows VM on EO-Lab
Setting up an intermediary VM, a so-called bastion host, to protect other VMs in a different network behind it can vastly improve network security, since the possible points of entry are reduced to just one. While this can be done for any type of system, in this article we will focus on a Linux bastion host and Windows VMs.
With this setup, you do not connect to your Windows VM directly through RDP. Instead, the RDP connection is tunneled through SSH and is not directly visible to others.
This method is especially useful if you have concerns that your RDP connection might be compromised or if using RDP without additional security measures is impossible or even illegal. It also allows you to use a single floating IP address to connect to multiple Windows VMs.
Requirements:
Linux virtual machine with SSH access - the bastion host
Windows virtual machine(s) located in the same network as the bastion host
The private key downloaded from the OpenStack dashboard, converted from .pem to .ppk format (using “PuTTYgen”). For information on how to do this, please see How to access a VM from Windows PuTTY on EO-Lab
The password for the Administrator account changed via the OpenStack dashboard console
The following security group is assigned to your VMs: allow_ping_ssh_icmp_rdp
Step 1. Information Required to Establish a Connection with the Bastion Host
Launch PuTTY and change the settings as follows:
Session tab: Provide the bastion host’s floating IP address and the SSH port (default 22).
Connection > Data tab: Set auto-login username as “eouser”.
Connection > SSH > Auth tab: Select private key in .ppk format.
Connection > SSH > Tunnels: Provide the source port for the localhost RDP connection and the destination in the following format: private IP address of Windows VM:RDP port (as seen in the screenshot below).
Click the “Add” button to confirm the changes.
Your forwarded port should now be visible in the upper tab.
Provide a name for the session and save your config to avoid having to repeat the whole process every time you would like to connect to your instance again.
Step 2. Open a Connection in PuTTY
Click “Open” to establish the connection.
Step 3. Start an RDP Session to Localhost to Reach the Destination Server
Enter the localhost address and port selected in step 2 (in this case either 127.0.0.1:8888 or localhost:8888; you can choose whichever you prefer).
Set the username as “Administrator”.
Click “Connect” and enter your VM’s administrator password (the one you’ve previously set in the OpenStack console).
Confirm the connection in the certificate prompt.
With this, you’re now successfully connected to your Windows VM.
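The same tunnel can also be opened from PowerShell with plink, PuTTY's command-line client. The script below is an added example, not part of the original article: it starts the forward bound to 127.0.0.1 only, confirms that the listener is not reachable from other hosts, opens the RDP client, and closes the tunnel when the session ends. The plink path, the key path and both IP addresses are placeholders, and the script assumes the bastion's host key is already cached from the PuTTY session in step 2.

```powershell
# Added example. Paths and addresses are placeholders, not values from the article.
$Plink     = 'C:\Program Files\PuTTY\plink.exe'   # assumed PuTTY install location
$KeyFile   = 'C:\keys\eo-lab.ppk'                 # placeholder: your .ppk private key
$BastionIp = '<bastion-floating-ip>'              # placeholder
$WindowsIp = '<windows-vm-private-ip>'            # placeholder
$LocalPort = 8888                                 # source port used in the article
$RdpPort   = 3389                                 # default RDP port

# -N: no remote shell, tunnel only. -batch: never prompt, so an unknown or
# changed host key makes plink exit instead of silently trusting the server.
$plinkArgs = @(
    '-ssh', '-batch', '-N',
    '-P', '22',
    '-l', 'eouser',
    '-i', "`"$KeyFile`"",
    # Bind the listener explicitly to loopback so other hosts cannot use it.
    '-L', "127.0.0.1:${LocalPort}:${WindowsIp}:${RdpPort}",
    $BastionIp
)
$tunnel = Start-Process -FilePath $Plink -ArgumentList $plinkArgs -PassThru -WindowStyle Hidden

try {
    # Wait up to 10 seconds for plink to start listening on the local port.
    $listener = $null
    foreach ($attempt in 1..20) {
        if ($tunnel.HasExited) {
            throw 'plink exited early; check the key, the address and the cached host key.'
        }
        $listener = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.OwningProcess -eq $tunnel.Id }
        if ($listener) { break }
        Start-Sleep -Milliseconds 500
    }
    if (-not $listener) { throw "Tunnel did not start listening on port $LocalPort." }

    # Refuse to continue if the forwarded port is bound to anything but loopback.
    if ($listener | Where-Object { $_.LocalAddress -ne '127.0.0.1' }) {
        throw 'Forwarded port is not bound to 127.0.0.1 only.'
    }

    # Open the RDP client against the local end of the tunnel and wait for it to close.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait
}
finally {
    # Tear the tunnel down so the local port does not stay open after the session.
    if (-not $tunnel.HasExited) { Stop-Process -Id $tunnel.Id }
}
```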