Setting up OpenSSH on Windows for port forwarding (SSH tunneling) is a powerful way to secure remote access and forward services like RDP, databases, or web applications over encrypted channels. This guide will take you step by step from installation to tunneling configuration.
Whether you're a system engineer, developer, or IT administrator, this article will walk you through the complete process of installing OpenSSH, generating keys, setting firewall rules, and creating secure SSH tunnels on Windows. 🚀
Quick Navigation
- Step 1: Install OpenSSH on Windows
- Step 2: Configure OpenSSH and Firewall
- Step 3: Create a Dedicated SSH User
- Step 4: Prepare the User’s .ssh Folder
- Step 5: Generate SSH Keys (OpenSSH & PuTTYgen)
- Step 6: Deploy the Public Key to the Server
- Step 7: Configure Windows Firewall for SSH Tunneling
- Step 8: Test SSH Tunneling
Step 1: 📥 Install OpenSSH on Windows
Download the latest version of OpenSSH for Windows from the official GitHub releases page:
➡️ Download OpenSSH for Windows
Step 2: ⚙️ Configure OpenSSH and Firewall
- Locate the OpenSSH installation path.
- Add a firewall rule to allow inbound SSH connections (run only the one command that matches your installation path):
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Windows\System32\OpenSSH\sshd.exe"
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Program Files\OpenSSH\sshd.exe"
- In Services, set OpenSSH SSH Server to start automatically.
- Test the connection from another machine:
ssh username@your-server-ip
Step 3: 👤 Create a Dedicated SSH User
Create a new Windows user that will be used exclusively for SSH connections. Log in with this user at least once before proceeding.
Step 4: 📂 Prepare the User’s .ssh Folder
Create the following directory for the SSH keys:
C:\Users\username\.ssh
Step 5: 🔑 Generate SSH Keys (Two Methods)
You can generate SSH keys in two different ways:
- Method 1 (OpenSSH Keygen):
On the client machine, run:
ssh-keygen -t ed25519
This will create a private key (id_ed25519) and a public key (id_ed25519.pub).
- Method 2 (Using PuTTYgen):
- Download and open PuTTYgen.
- Select EdDSA (or RSA if preferred) and click Generate.
- Save the private key as .ppk (PuTTY format).
- Copy the public key text and save it.
- If you need the key in OpenSSH format (for Linux/macOS), go to "Conversions > Export OpenSSH key" and save it.
Step 6: 📤 Deploy the Public Key to the Server
- Copy the .pub key into the user’s .ssh folder on the server (C:\Users\username\.ssh).
- You can use one of the following methods to add it to authorized_keys:
- Method 1 (PowerShell Remote Command), run on the client:
# Read your public key from the client machine
$authorizedKey = Get-Content -Path $env:USERPROFILE\.ssh\id_ed25519.pub
# Build the command that will run on the server. The backticks keep $env:USERPROFILE
# unexpanded on the client, so it resolves to the SSH user's profile on the server
# (C:\Users\tunneluser) instead of your local profile path.
$remotePowershell = "powershell New-Item -Force -ItemType Directory -Path `$env:USERPROFILE\.ssh; Add-Content -Force -Path `$env:USERPROFILE\.ssh\authorized_keys -Value '$authorizedKey'"
ssh tunneluser@your-server-ip $remotePowershell
- Method 2 (Manual Copy & Paste):
Open (or create) the file:
C:\Users\username\.ssh\authorized_keys
Paste the contents of your public key (id_ed25519.pub) into this file and save it.
Important Note: You must be logged in as the user who will use the SSH key when editing or creating the authorized_keys file. Otherwise the file may end up owned by, or writable for, another account, and sshd will reject the key because the file's permissions are too open.
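The permission problem behind that note can be fixed explicitly. The following PowerShell is an added example, not code from the original post: run on the server as an administrator after the .pub file has been copied there, it appends the key to the dedicated user's authorized_keys and then restricts the file's ACL to what sshd accepts. The names $SshUser and $PubKeyFile are assumptions; adjust them to your setup.

```powershell
# Added example (not part of the original post). Run ON THE SERVER as an
# administrator after copying the .pub file there. It appends the key to the
# dedicated user's authorized_keys and then tightens the file's ACL, which is
# what makes sshd accept the key regardless of which account edited the file.
# $SshUser and $PubKeyFile are assumed names; adjust them to your setup.
$SshUser    = 'tunneluser'
$PubKeyFile = "C:\Users\$SshUser\.ssh\id_ed25519.pub"   # where Step 6 copied the .pub

$sshDir   = "C:\Users\$SshUser\.ssh"
$authKeys = Join-Path $sshDir 'authorized_keys'

# Accept only something shaped like an OpenSSH public key line.
$key = (Get-Content -Path $PubKeyFile -Raw).Trim()
if ($key -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+') {
    throw "$PubKeyFile does not look like an OpenSSH public key"
}

New-Item -ItemType Directory -Force -Path $sshDir | Out-Null

# Append only if this exact key is not already present, so re-runs are harmless.
$existing = if (Test-Path $authKeys) { @(Get-Content -Path $authKeys) } else { @() }
if ($existing -notcontains $key) {
    Add-Content -Path $authKeys -Value $key
}

# sshd refuses an authorized_keys that other accounts can modify. Drop the
# inherited ACEs and grant only the key's user, SYSTEM and Administrators.
icacls $authKeys /inheritance:r /grant "${SshUser}:F" /grant 'SYSTEM:F' /grant 'Administrators:F' | Out-Null

# Print the final ACL so it can be checked before testing the login.
icacls $authKeys
```

If the SSH user is a member of the local Administrators group, the default Windows sshd_config reads keys from %ProgramData%\ssh\administrators_authorized_keys instead of the per-user file, so a dedicated non-admin user as in Step 3 is the simpler setup.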
Step 7: 🔒 Configure Windows Firewall for SSH Tunneling
Run the following rules to control inbound traffic:
# Allow SSH on port 8022
New-NetFirewallRule -DisplayName "Allow SSH 8022" -Direction Inbound -LocalPort 8022 -Protocol TCP -Action Allow -Profile Any
# Allow local loopback
New-NetFirewallRule -DisplayName "Allow All Local Loopback Traffic" -Direction Inbound -RemoteAddress 127.0.0.1 -Action Allow -Profile Any
# Block all other inbound TCP except 8022
New-NetFirewallRule -DisplayName "Block All Other TCP Inbound Except 8022" -Direction Inbound -Protocol TCP -LocalPort 1-8021,8023-65535 -Action Block -Profile Any
# Block all inbound UDP
New-NetFirewallRule -DisplayName "Block All UDP Inbound" -Direction Inbound -Protocol UDP -Action Block -Profile Any
# Restrict RDP to local tunneling
New-NetFirewallRule -DisplayName "Block External RDP" -Direction Inbound -Protocol TCP -LocalPort 57729 -Action Block
New-NetFirewallRule -DisplayName "Allow Localhost RDP" -Direction Inbound -Protocol TCP -LocalPort 57729 -RemoteAddress 127.0.0.1 -Action Allow
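The rules above admit only TCP 8022, so sshd itself has to listen on that port, a setting the steps do not show. The following PowerShell is an added example, not code from the original post: run on the server as an administrator, it sets Port 8022 in sshd_config, restarts sshd, checks the sshd and RDP listeners the tunnel depends on, and lists every enabled inbound rule that names port 8022, because Windows Firewall applies block rules ahead of allow rules. It assumes the default OpenSSH-for-Windows config path and the port numbers used on this page.

```powershell
# Added example (not part of the original post). Run ON THE SERVER as an
# administrator after creating the rules above. Those rules admit only TCP 8022,
# so sshd must listen there: this sets 'Port 8022' in sshd_config (the
# OpenSSH-for-Windows default path), restarts sshd, then checks each listener
# the tunnel depends on. Port numbers are the ones used on this page.
$SshPort    = 8022
$RdpPort    = 57729   # the RDP port the "Allow Localhost RDP" rule assumes
$ConfigPath = "$env:ProgramData\ssh\sshd_config"

# Replace an existing (possibly commented-out) Port line, or append one.
$cfg = @(Get-Content -Path $ConfigPath)
if ($cfg -match '^\s*#?\s*Port\s+\d+') {
    $cfg = $cfg -replace '^\s*#?\s*Port\s+\d+.*$', "Port $SshPort"
} else {
    $cfg += "Port $SshPort"
}
# ASCII: Windows PowerShell's UTF8 writer adds a BOM, which sshd does not expect.
Set-Content -Path $ConfigPath -Value $cfg -Encoding ascii
Restart-Service -Name sshd
Start-Sleep -Seconds 2   # give sshd a moment to bind the new port

function Test-Listener {
    param([int]$Port, [string]$Label)
    $l = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($l) { "OK   $Label is listening on TCP $Port" }
    else    { "FAIL $Label is NOT listening on TCP $Port" }
}
Test-Listener -Port $SshPort -Label 'sshd'
Test-Listener -Port $RdpPort -Label 'Remote Desktop'

# List every enabled inbound rule that names port 8022. Windows Firewall applies
# block rules before allow rules, so a Block entry here would override the allow.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$SshPort" } |
    Select-Object DisplayName, Action, Profile
```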
Step 8: 🖥️ Test SSH Tunneling
On Windows, Linux, or macOS client, run:
ssh -i "C:\Keys\id_ed25519" -p 8022 -L 8089:127.0.0.1:57729 tunneluser@your-server-ip
For multiple port forwards (the ^ line continuation below is cmd.exe syntax; use a backtick in PowerShell or \ on Linux/macOS):
ssh -i "C:\Keys\id_ed25519" -p 8022 ^
-L 8089:127.0.0.1:57729 ^
-L 9090:127.0.0.1:9090 ^
tunneluser@your-server-ip
Final Note ✅
Make sure that the created user is added to the Remote Desktop Users group if you plan to use SSH tunneling for RDP connections. This ensures that after tunneling is established, you can log in successfully through Remote Desktop.
What's Next?
With OpenSSH tunneling configured on Windows, you now have a secure foundation for accessing remote services. In upcoming articles, we’ll cover advanced tunneling scenarios and troubleshooting common issues. Stay tuned! 🔐