ENG | Basics of Remote Desktop Protocol (RDP) Using SSH Port Forwarding

Introduction

Have you ever needed to access your computer remotely, perhaps to adjust settings on your home router, or to work with your Linux desktop? Remote Desktop Protocol (RDP) offers a solution to these scenarios, and when coupled with Secure Shell (SSH) port forwarding, it provides a secure and efficient way to access your machine from afar.

In this guide, we’ll explain how to set up XRDP (an open-source implementation of Microsoft’s RDP) for remote desktop access and how to secure this access using SSH port forwarding. This will allow you to safely interact with your desktop over the internet, and even to keep your session intact, if the connection is lost.

If you’re new to these concepts, don’t worry - we’ll walk you through each step of the process. And remember, it’s always good practice to use Key-based SSH authentication for added security.

Let’s get started!

Fedora 38 KDE, wallpaper by https://www.gracile.jp/, see his twitter or pixiv

Debian 12 with OpenBox, tint2 panel and nothing more

XRDP Setup

First, login as the root user.

Next, install XRDP. Depending on your distribution dnf in xrdp, apt install xrdp, zypper in xrdp. Note that Debian enables and starts installed services automatically.

On other distributions, you may need to enablestart at boot, and start the service.

systemctl enable xrdp
systemctl start xrdp

You can verify the status of the XRDP service using this command:

systemctl status xrdp

The Remote Desktop Protocol (RDP) server can be accessed through TCP port 3389, but this protocol is not considered secure so it should not be exposed to the internet directly. This service could be even blocked by firewall.

SSHD Setup

To securely connect to the RDP server over the internet, we can leverage SSH tunneling. This method creates an encrypted connection or ‘tunnel’ through which your RDP traffic can safely pass.

To allow remote connection to redirected ports, you need to modify the /etc/ssh/sshd_config file. Add the following line:

GatewayPorts clientspecified

It tells the SSH server to allow remote hosts to connect to local forwarded ports, but only from client (PC from which ssh connection is initiated)

Test the validity of the configuration file and restart the SSH daemon:

sshd -t
systemctl restart sshd.service

Hopefully, you are still able to log in.

Connecting From a Remote Machine

Forward local port 6666 to 127.0.0.1 (local host on the remote side) port 3389. Login to [email protected] using SSH port 2222. Optionally, do -Not open shell and/or -fork to background (note will outlive ssh and even Windows Terminal application on Windows).

ssh -L 6666:127.0.0.1:3389 [email protected] -p 2222 -N

Then, start mstsc (MicroSoft Terminal Services Client) on Windows and connect to localhost:6666. It should work, although you will encounter a warnings.

Don’t use enter after typing username, use tab instead to type the password. Enter confirms login dialog with an empty password.

You might need to change the display resolution on the remote desktop.

Using simple window manager without animations or background helps on slower connection. See Debian screenshot above. Window manager can be changed by ~/.Xclients files with executable permission, example of content:

# startplasma-x11
/usr/bin/i3

Addendum: Troubleshooting

Try verbose ssh output (use -vv, -vvv to increase verbosity)

Bad syntax

ssh -L 127.0.0.1:6666:remote.xyz:3389 [email protected] -p 2222 -v

debug1: Connection to port 6666 forwarding to pavelp.cz port 3389 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: connect failed: Connection timed out

Check that port is open (curiously, it does not matter that it’s using tcp6. Parameters are tcp, listening ports only, numerical addresses

[root@marten -=- /home/pavel]# netstat -tln|grep 3389
tcp6       0      0 :::3389                 :::*                    LISTEN

Problem was syntax and bad command in history. Correct is -L 6666:127.0.0.1:3389, otherwise connection returns to router and non-local connection is then blocked by a firewall.

Firewall (on Fedora, openSUSE, …)

It’s strongly recommended to use SSH, RDP protocol is not considered secure. Use only on local network not accessible from internet!

I don’t think that firewall-cmd is universally present, but it works on Fedora, openSUSE and possibly other distros.

You can list enabled services by this command:

firewall-cmd --list-services

Example of output:

dhcpv6-client mdns ssh

If you insist on adding xrdp, you can do it temporarily for certain period of time or until reboot, when timeout is not specified:

firewall-cmd --add-service=rdp --timeout=1h

And if you really insist:

firewall-cmd --permanent --add-service=rdp

Wayland Issue (on Fedora releases since 2024)

Fedora 40 and newer versions are shipped with Wayland only preinstalled. I skipped Fedora 40 for this reason. Fedora 39 is phased out in November 2024 so I upgraded to Fedora 41. XRDP installed previously works (with i3 session), however command startplasma-x11 is not found. It even gives a solution:

[pavel@marten -=- /home/pavel]$ startplasma-x11
zsh: startplasma-x11: command not found...
Install package 'plasma-workspace-x11' to provide command 'startplasma-x11'? [N/y] 

The command sudo dnf install plasma-workspace-x11 installs the two missing packages in my case, and voilà, it works!

Fedora 41 with KDE Plasma 6.2, Konsole with Campbell color scheme

Changelog

• 2024-06-01: Mentioned firewall config and Wayland
• 2024-06-06: Mentioned .Xclients to select window manager/desktop environment
• 2024-11-06: Wayland on Fedora

References

• https://tecadmin.net/how-to-install-xrdp-on-fedora/
• https://utho.com/docs/tutorial/how-to-setup-ssh-tunneling-or-port-forwarding-in-linux/
• https://www.ssh.com/academy/ssh/tunneling-example
• man sshd
• Link to the wallpaper
• Fedora Quick Docs » Usage and customisation » Control of System Accessibility by firewalld