Seravo blog: Linux and open source – technology and strategy

Using Windows-only VPN client software from Linux

Would you like to SSH and browse a company network from the comfort of your Linux desktop, but the VPN client software is available only for Windows desktops? Don’t worry, there is a solution: relay the connection via a virtual Windows machine.

It is fairly common for companies to deploy virtual private network solutions using proprietary VPN software that does not conform to IPsec VPN or similar open standards, which restricts the client software options to what the vendor of the VPN server provides. In most of those cases the client software is available only for Windows, which makes it a bit challenging to connect from a Linux machine.

The question is how to connect from Linux to a remote network if the VPN client software is for Windows only? The solution in this scenario is to proxy the connection via a virtual Windows machine running on the Linux host.

Create a virtual Windows machine

First you need to create a small virtual machine in Linux, preferably using virt-manager and KVM. Then do a plain Windows installation on the virtual machine, install the VPN client there, and make sure it connects to the remote network and that everything works from within the virtual Windows machine.

Windows XP in virt-manager with KVM backend


After that, install Cygwin, which enables running POSIX-compliant software under Windows. While running the Cygwin installer, choose the OpenSSH package (includes server and client) from its application list. Once the installation completes, open a Cygwin command prompt and run ssh-host-config -y to set up the SSH server.

Then permanently enable the SSH server by running net start sshd. It will now start automatically on boot. By default the Windows firewall blocks incoming SSH traffic, so you need to enable incoming port 22 from the Windows firewall settings. By default, at least in Windows XP, the user account does not have a password, so you need to set one from the Windows Control Panel > User Accounts > Username > Add password. Then, in a Windows Command Prompt window, run ipconfig to see what the IP address of the Windows machine is, and then try to SSH into it.

If everything worked so far, you are able to SSH from your host machine into the virtual Windows machine and from there to any machine inside the VPN. Congratulations, now you can SSH around from the comfort of your Linux terminal!

However, to make this convenient, edit your own ~/.ssh/config to include lines like these:

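Host windows
    # Placeholder: use the virtual machine's IP address as shown by ipconfig
    HostName <IP address of the Windows VM>
    User Otto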

After that you can ssh in to your virtual machine by writing just ssh windows.

You don’t even need to type a password if you have set up SSH keys on your Linux machine and installed the public key with scp ~/.ssh/ windows:/home/Otto/.ssh/authorized_keys (you might need to create the directory .ssh first). After installing the key you can remove the password of the Windows XP user, thus enabling the XP machine to boot up fully without any login prompts.

Congratulations! Now you can SSH via your virtual Windows machine to any machine inside the corporate VPN without leaving the comfort of your Linux environment and command line. For additional security, try to lock down the virtual Windows XP and never use it directly, to avoid getting viruses or other Windows-only software.

Browse internal websites

A lesser-known feature of SSH is the ability to set up SOCKS (v5) proxies. On your Linux host, run the command ssh -D 8080 windows to start the proxy. Then open your browser (e.g. Firefox, Chromium) and edit the proxy settings to use SOCKS and to point to localhost:8080.

Additionally, to get domain names inside the VPN working, you need to resolve them via the proxy too. At least in Firefox this is possible by typing about:config as the address, searching for the option that controls whether DNS is proxied too, and enabling it.
