The Devolutions Gateway Tunnel can fulfill similar needs to SSH port forwarding/SSH tunneling, but it requires nothing other than Devolutions Gateway itself. It is useful when using connections that do not have built-in support in Remote Desktop Manager through the Devolutions Gateway. The entry can be found under New Entry – Session – Remote Connections.
Devolutions Gateway needs to be set up in the Remote Desktop Manager data source and then configured through inheritance or on the connection itself. The option is under Properties – Connection – VPN/SSH/Gateway – VPN/SSH/Gateway – General.
If the Listener is set to 0.0.0.0, it will accept connections from any source within the network. Because this makes accountability difficult to track, among other security reasons, it is recommended NOT to do this.
- In almost every scenario, the listener (bind address) should be set to the loopback address (127.0.0.1) of the local machine.
- TCP Forward: This is the equivalent of port forwarding.
- HTTP and SOCKS5 proxies: These listeners are set up as proxies, which makes it possible to use a browser other than Google Chrome. This also means they use a dynamic destination.
Dynamic ports can be used with all three listener types. If the value is 0, it will automatically find an available port.
The HTTP and SOCKS5 listeners also use the Allow Rules to specify authorized destinations. Anything not on the allow list is denied.
Target filters can be specified using IP addresses or hostnames. Both can contain wildcards. Each Target filter must explicitly specify a destination port. Leaving the default port as '0' will result in an error when attempting to save the filter.
| Target filter | Description |
|---|---|
| | Allows HTTP traffic to the hostname windjammer.net. |
| | Allows HTTPS traffic to any subdomain of windjammer.net but not to windjammer.net directly. |
| | Allows SSH traffic to any IP address between 192.168.0.0 to 192.168.0.255. |
| | Allows RDP traffic to any endpoint reachable by the Devolutions Gateway. |
You can add multiple Target filters to your entry tailored to your intended use of the tunnel. For example, you might add the same hostname several times but with different ports, like 80 and 443, to permit both HTTP and HTTPS traffic.
Once opened, a Devolutions Gateway Tunnel can be used from an application that is external to Remote Desktop Manager. You could, for instance, use it with a web browser or any other application that supports the type of proxying (TCP, HTTP, or SOCKS5) that you specified in the connection.
With curl, for example, pass your proxy endpoint with the -x argument, using either the port you specified or the one that was generated by the Devolutions Gateway Tunnel entry.
curl -x socks5h://127.0.0.1:65535 windjammer.net
If you have set your target filters using hostnames, it is important to ensure that your application does not resolve the hostname before sending it to the tunnel; otherwise, the traffic will be denied. Applications typically have settings to enable or disable this behavior. For example, in the web browser Firefox, you need to enable the "Proxy DNS when using SOCKS v5" option in the proxy configuration panel for this scenario to function correctly.
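Why local DNS resolution breaks hostname filters, shown at the SOCKS5 protocol level (RFC 1928). This is an added example, not Devolutions code or its matching logic: the `host-pattern:port` rule notation, the function names, and the address 203.0.113.10 are constructed assumptions.

```python
import fnmatch
import ipaddress
import struct

# Constructed allow rules in an assumed (pattern, port) notation that mirrors
# the first two rows described in the table above.
ALLOW_RULES = [("windjammer.net", 80), ("*.windjammer.net", 443)]

def socks5_connect(host, port):
    """Build the SOCKS5 CONNECT request a client sends for host:port."""
    try:
        # Client resolved the name itself (curl socks5://): ATYP 0x01, raw IPv4.
        addr = b"\x01" + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        # Name is left for the proxy to resolve (curl socks5h://): ATYP 0x03.
        name = host.encode("ascii")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def parse_target(request):
    """Recover the destination exactly as the proxy side sees it."""
    atyp = request[3]
    if atyp == 0x01:
        host, rest = str(ipaddress.IPv4Address(request[4:8])), request[8:]
    elif atyp == 0x03:
        n = request[4]
        host, rest = request[5:5 + n].decode("ascii"), request[5 + n:]
    else:
        raise ValueError("address type not handled in this example")
    return host, struct.unpack("!H", rest[:2])[0]

def is_allowed(host, port, rules=ALLOW_RULES):
    """Default deny: allow only when a rule matches the pattern and exact port."""
    return any(port == p and fnmatch.fnmatchcase(host.lower(), pat)
               for pat, p in rules)

def decide(request):
    return is_allowed(*parse_target(request))

if __name__ == "__main__":
    for dest in ("www.windjammer.net", "203.0.113.10"):  # second: pre-resolved
        req = socks5_connect(dest, 443)
        print(dest, "ATYP", req[3], "allowed" if decide(req) else "denied")
```

When a request is denied unexpectedly, check which address type the client is sending before widening the allow list with IP-based filters.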