Confused about SSH tunneling options



Hi,

I have previously successfully set up WireGuard entries for automatic connection etc. I am now trying to do the same using SSH. I have had some success, but many question marks remain.

  • SSH tunnel session using dynamic mode is the only one I've had success with. What are the SSH and SSH Gateway VPN options in comparison?
  • What is Session link vs SSH link when setting up the VPN connection for an entry?
  • What does the "Over a secure gateway" VPN option actually do? I have one SSH tunnel where it's required, and another where it isn't.
  • What do the "Use dynamic port" and "Force localhost" options do?
  • If I use the default source port for multiple dynamic SSH tunnels, are they going to conflict with each other? If yes, it would be good if a random available port could be picked.

All Comments (5)


Hi,

Here is a summary of how the SSH-related VPN options work in Remote Desktop Manager from what I understand them to be:

SSH Tunnel vs. SSH Gateway

  • An SSH Tunnel entry is a direct port-forwarding configuration (Local/Remote/Dynamic).
  • An SSH Gateway (Secure Gateway) is a way for multiple sessions to automatically route through an existing SSH Tunnel.
  • In short: Tunnel = the connection itself, Gateway = using that tunnel as a jump host for other sessions.


Session Link vs. SSH Link

  • SSH Link: Your session (e.g., RDP/SSH) directly uses a specific SSH Tunnel entry for port forwarding.
  • Session Link: Your session links to a generic VPN entry (OpenVPN, IPSec, etc.) rather than an SSH tunnel.
  • SSH Link = connects through a tunnel.
  • Session Link = uses a VPN entry.


“Over a Secure Gateway”

  • When enabled, RDM automatically launches the selected SSH Tunnel first, waits for it to establish, then opens your session through it.
  • Some configurations require this sequencing. Others may not, depending on how the tunnel is defined.


Dynamic Port & Force Localhost

  • Dynamic mode (dynamic port) turns the SSH tunnel into a SOCKS5 proxy, allowing traffic to reach multiple hosts/ports via the SSH server.
  • Force Localhost ensures the tunnel only binds to 127.0.0.1, preventing access from other machines on the network (more secure).


Port Conflicts

  • Yes, if multiple SSH tunnels use the same Source Port, they will conflict.
  • Each tunnel must have a unique port, unless you reuse one shared Dynamic tunnel for multiple sessions.
  • SSH Tunnel entries do not automatically pick random ports, so manual port assignment may be needed.


Feel free to ask further questions, it will be my pleasure to assist!

Best regards,

Jacob Lafrenière
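
The port-conflict and localhost-binding points in the answer above, shown at the socket level as an added example (not part of the original post and not RDM's code). Plain TCP listeners stand in for tunnel source ports, the helper names are hypothetical, and asking the OS for port 0 is the general mechanism for getting a free port, not a statement of how RDM's "Use dynamic port" option is implemented.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"

def open_listener(host, port):
    """Bind and listen the way a tunnel's local source port would."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
    except OSError:
        s.close()
        raise
    return s

def port_conflicts(host, port):
    """True if another listener on host:port fails with EADDRINUSE."""
    try:
        open_listener(host, port).close()
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        raise

def is_loopback_only(sock):
    """True if the listener is reachable only from this machine."""
    return sock.getsockname()[0].startswith("127.")

def demo():
    # Port 0 asks the OS for any free port, so two tunnels never collide.
    first = open_listener(LOOPBACK, 0)
    second = open_listener(LOOPBACK, 0)
    p1, p2 = first.getsockname()[1], second.getsockname()[1]
    # Reusing the first tunnel's source port for another listener fails.
    conflict = port_conflicts(LOOPBACK, p1)
    # A wildcard bind is what "Force localhost" is described as preventing.
    wide = open_listener("0.0.0.0", 0)
    result = {
        "distinct_ports": p1 != p2,
        "fixed_port_conflict": conflict,
        "loopback_only": is_loopback_only(first),
        "wildcard_loopback_only": is_loopback_only(wide),
    }
    for s in (first, second, wide):
        s.close()
    return result

if __name__ == "__main__":
    print(demo())
```

A SOCKS listener bound to the wildcard address lets any host that can reach the workstation relay traffic through the SSH server, which is why the loopback-only check matters for dynamic tunnels.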


Thanks for your response.

I see, so an SSH tunnel can normally only accommodate a single connection, but is that the only purpose of an SSH gateway? It seems like using the dynamic port option eliminates the need for an SSH gateway.

There is also a VPN/tunnel entry type called simply "SSH". What does that do?

When setting up an SSH Gateway, I can select a private key as my credential under the General tab, but there is also a Private key tab where I can seemingly do the same. What's the difference?

I don't really understand the difference between SSH and session link. With session link selected, I can still select an SSH tunnel to use for the session. Is this different from using SSH link?

"When enabled, RDM automatically launches the selected SSH Tunnel first, waits for it to establish, then opens your session through it."


Is this not the default behaviour of specifying an SSH session as the tunnel for a connection? Otherwise, what is the point of specifying the SSH tunnel?


Hello,

Thank you for your follow-up.

I'll address your questions in the same order you asked them:

SSH Gateway Replacement:
Yes, you can replace an SSH Gateway with a dynamic SSH tunnel configuration, though it will require more steps to set up.

"SSH" VPN/Tunnel Entry Type:
When selecting the entry type labeled simply "SSH," you're configuring the SSH tunnel directly within that entry’s properties. Other types, such as under "Existing," allow you to link to a preconfigured SSH tunnel entry.

Private Key Configuration:
When choosing a private key as your credential under the General tab, you can link to an existing private key entry. The Private Key tab gives you the option to either save the key directly in the entry or link to an existing one. It’s up to your preference.

VPN/Tunnel/Gateway Entry Types:
If you're referring to the VPN/Tunnel/Gateway types in the entry’s properties, they primarily serve as filters for the next step, where you select an existing entry to link.

Tunnel Behavior in RDM:
Regarding your last question, I may have misunderstood initially. RDM will wait for both types. If you're using an SSH gateway instead of a tunnel, please ensure the setting is enabled.

Let me know if you have any further questions.

Best regards,

Jacob Lafrenière

Recommended Answer

Thank you. I have some answers, but to be honest, overall I don't know that I understand the big picture better than before. There seems to be a lot of overlap in the various SSH options, and it's not clear what the differences are.

I have settled on doing the following for now, which seems to work well:

  • Create an SSH entry. (VPN/tunnel/gateway)
    • Enter host address and user name.
    • Select dynamic mode and use dynamic port.
    • Select the private SSH key from the vault.
  • Create a folder with VPN connection settings.
    • Always connect
    • Make up a VPN group
    • SSH link
    • Select the SSH entry created above
    • Use over a secure gateway
    • Wait 0 sec after execution
  • Create VPN hosts in the folder and inherit VPN settings.


This seems to work for multiple connections and VPN servers without needing to come up with unique ports for each tunnel. Feel free to let me know whether I'm missing anything.

The SSH tunnel entry (Session) type seems to be configured and work the same way, so I'm not sure what the difference is there.


Hello,

Thank you for the follow-up.

I'm glad to hear you were able to get it working! SSH options can definitely be a bit overwhelming; there’s a wide range of configurations to support all possible use cases.

I’ll mark this topic as resolved. If you encounter any further issues related to the SSH tunnel, feel free to reply here to reopen the topic.

Best regards,

Jacob Lafrenière