Lenovo Thinkpad T460s First Impressions

I recently switched laptops from the T440s to the T460s. I’ve long been a fan of the Thinkpads, both during the IBM period and the Lenovo reign of late. The T440s was a bit of a mistake in my opinion. Sure it performed as you’d expect, but the mouse was a huge pile of dung, and the keyboard wasn’t nice either. My favorite is still the T410s, which had the non-chiclet keyboard, similar or same as the old IBM Thinkpads had. I had a bunch of issues with the T440s over its 2 year and some odd month lifespan. The SSD broke early on and had to be replaced. I broke the keyboard (no fault of Lenovo, but still), and one USB port is unusable (not sure why). Battery life is still good after two years of business use, and it has no technical faults other than the ones I listed. It’ll still serve as my secondary machine, and probably do so for quite some years.

Plain old packaging

I got the T460s hot off the press, just a week after release, or so. I opted for the 20F9-0043MS model which has the full-HD matte screen, 4 + 4GB of RAM (which I expanded to 20GB by switching out the sole 4GB stick for a 16GB one), Core i7-6600U processor, and so on.


First, let’s look at the hardware. We have output from CPU-Z first, showing the features of the CPU:

Detail of the main page, showing Skylake U/Y series CPU. Note the rather cool 15W TDP and 4MB L3 cache, plus the awesome 14nm manufacturing process.
Detail of memory page. Total of 20GB DDR4, 4GB internal soldered on the motherboard, + 16GB SO-DIMM
Mainboard details. Proprietary Lenovo motherboard, running 1.05 BIOS (later upgraded to 1.08)
CPU-Z Cache page listing the CPU caches

Then GPU-Z, showing the integrated Intel HD Graphics 520:

GPU-Z output. Chip is Skylake GT2 from last fall


Then we move on to the SSD, which appears to be an M.2 type drive and not your standard 2.5″ SSD. I’ll get an internal picture later for you, but opening the bottom of the machine (which is much easier than in the T440s which had icky plastic tabs that were too easy to break off), shows you all the user replaceable parts, which are very easily accessible! The SSD is manufactured by Samsung, however the model seems to be something sold to OEMs (the catchy MZNLN256HCHP). Some forums speculate that it is similar to the 850 (EVO?) model, but nothing certain.

Here’s some output from SSD-Z:

Some data on the Samsung SSD. Sata-3 bus, 256GB


CrystalDiskMark 5.1.2 results for the T460s

If you want to compare performance (I’m not saying CrystalDiskMark is the ultimate tool, and these are not official testing conditions, but they are .. comparable, I would wager) to some select SSDs, here’s my Intel 910’s (PCI-E card) results, and here are the Samsung 840 Pro results, the T440s results and finally the venerable T410s’ results. All results with 64-bit CrystalDiskMark version 5.1.2, default settings.

Mobile Connectivity

There’s a 4G/LTE card in this model, which is a Sierra Wireless EM7455 Qualcomm Snapdragon X7 LTE-A WWAN Modem. The fun part was taking out the SIM-caddy, which was surprisingly already occupied! There was a “Lenovo Connect” SIM-card inside. Apparently, Lenovo has partnered up with a number of carriers worldwide (115 countries according to Lenovo). But since those cost extra, and I already have such connectivity in the countries I need to travel to, I took the SIM out. You might want to have a look at it, but it looks like most packages have data caps, which I discard out of principle. The prices don’t look.. bad, I suppose. Here’s the link http://shop.lenovo.com/fi/fi/lenovoconnect/index.html

As for the 4G performance, I tested it in Lapland, which has superb 4G coverage (probably due to the low number of subscribers per cell), and it works fine without additional software in Windows 10. Speedtest gave me the following results (DNA is the carrier).

Speedtest run in April of 2016 in Finnish Lapland

The WiFi card is an Intel Dual Band Wireless-AC 8260, and the gigabit NIC is an Intel I219-LM. Both are bog-standard Intel quality and have worked fine.

There is one thing that annoyed the piss out of me. Clicking the Notifications icon in the systray…

..this one!

You get the otherwise handy Action Center / Notification bar thing, where you can turn off things like bluetooth, wireless, and yes, even cellular (though it is not showing here right now). Well, what happens if you turn off cellular here, and you want it back? Naturally, instinct tells you to open the action center thing again and re-enable it! But, what if it doesn’t show up (like it did for me)? What then? Well the next step is to go to Network Connections, look at the adapters and enabl… oh but wait it’s already enabled. But still it’s off, and you can’t connect? Crap!

Handy action center! Not showing cellular because of reasons?

So after an unreasonable amount of googling, I found some people with similar issues. Apparently you can’t enable it anywhere in Windows proper (if you can, please tell me in the comments). No amount of enabling and disabling the card in network connections or device manager brings it back, or going to airplane mode or.. whatever. Instead what you need to do is sign out, and in the login screen, click the connectivity icon (the wireless symbol). From there, you can re-enable the radio of the WWAN card. Horse shit I say!

Clean install of Windows 10

I don’t care for manufacturer-bloated OS’s, so I did a clean re-install of Windows 10 Enterprise, build 1511. Because I’m a dummy, I didn’t initially realize my mistake and attempted to install from my Easy2Boot USB drive. And that works too, if you’ve read the instructions and understand what you are doing… Here’s what I did wrong, so you don’t have to do the same things:

  1. Easy2Boot works fine, but you have to understand that if the install image is of the UEFI type (which the Windows image is), you can’t just copy the image to the Windows directory like other images
  2. You have to follow these instructions to make the Windows install image into an imgPTN image, and then try again: http://www.easy2boot.com/add-payload-files/adding-uefi-images/
  3. Or, alternatively, get a suitably sized USB stick (4GB should do, 8GB will most definitely do), and use the Windows Media Creation tool (only for Home and Pro versions), or use Rufus but select the “GPT partition scheme for UEFI” option under ‘Partition Scheme and Target System Type’, or it won’t boot correctly. Or use the Windows 7-era tool (step 12 onwards): https://blogs.technet.microsoft.com/ptsblog/2015/08/19/how-to-create-a-bootable-usb-stick-or-a-bootable-dvd-for-windows-10/
  4. In my case, it did boot, but failed to find suitable devices to install to, or was lacking other drivers
  5. And no, adding SATA or other disk-related drivers during install did nothing to fix this – it’s a UEFI issue
  6. Changing BIOS settings between UEFI only, Legacy only, and Legacy first (and the CSM setting) also didn’t help in this case

After learning about UEFI stuff, installation was straightforward. The only Lenovo tool I like to install is the excellent Lenovo System Update, which keeps track of correct drivers and helper software and makes sure it is up to date. Also updates your BIOS, which is pretty useful. As of this date, BIOS 1.08 (or.. UEFI, I guess)

There’s more to write, but so far, I’m very pleased with the T460s. Much more than the 440s. The hardware is easily accessible, it’s performant and the mouse is much improved. To quote Wil Wheaton: “Later, nerds.”



MicroATX Home Server Build – Part 4

After a longish break, here’s the next installment! So the server has been in production now since last September, and is running very well. After the previous post, this is what’s happened:

  • Installed ESXi 6.0 update 1 + some post u1 patches
  • Installed three VMs: an OpenBSD 5.8 PF router/firewall machine, Windows Server 2016 Technical Preview to run Veeam 9 on, and an Ubuntu PXE server to test out PXE deployment
  • Added a 4 port gigabit NIC that I got second hand

In this post, I’ll be writing mostly about ESXi 6.0 and how I’ve configured various things in there.

For the hypervisor, I bought a super small USB memory, specifically a Verbatim Store n’ Stay (I believe this is the model name) 8GB, which looks like a small Bluetooth dongle. It’s about as small as they get. Here’s a picture of it plugged in:

The Verbatim Store N Go plugged in

Using another USB stick created with Rufus, which had the ESXi 6u1 installation media on it, I installed ESXi on the Verbatim. Nothing worth mentioning here. Post-installation, I turned on ESXi Shell and SSH, because I like having that local console and SSH access for multiple reasons, one of them I’ll get to shortly (hint: it’s about updating).

Since I didn’t want to use the Realtek NIC on the motherboard to do anything, I used one of the ports on the 4 port card for the VMkernel management port. One of the ports I configured as internal and one as external. The external port is hooked up straight to my cable modem, and it will be passed through straight to the OpenBSD virtual machine, so it can get an address from the service provider. The cable modem is configured as a bridge.

The basic network connections therefore look like this:

Simple graph of my home network

After the installation, multiple ESXi patches have been released. Those can be found under my.vmware.com, using this link: https://my.vmware.com/group/vmware/patch#search. Patches for ESXi can be installed in two ways: either through vCenter Update Manager (VUM) or by hand over SSH / the local ESXi shell. Since I will not be running vCenter Server, VUM is out of the question. Installing patches manually requires you to have a datastore on the ESXi server where you can store the patch while you are installing. The files are .zip files (you don’t decompress them before installation), and are usually a few hundred megabytes in size.

To install a patch, I uploaded the zip file to my datastore (in this case the 2TB internal SATA drive) and through SSH logged on to the host. From there, you just run: esxcli software vib install -d /vmfs/volumes/volumename/patchname.zip

Patches most often require reboots so prepare for one, but you don’t have to do it right away.

Update 2 installed on a standalone ESXi host through SSH

Edit: As I’m writing this, I noticed Update 2 has been released. I’ll have to install that shortly. Here’s the KB for Update 2: http://kb.vmware.com/kb/2142184

A one-host environment is hardly a configuration challenge, but some of the stuff that I’ve set up includes:

  • Don’t display a warning about SSH being on (this is under Configuration -> Advanced Settings -> UserVars -> UserVars.SuppressShellWarning “1”)
  • Set hostnames, DNS, etc. under Configuration -> DNS and Routing (also made sure that the ESXi host has a proper dns A record and PTR, too; things just work better this way)
  • Set NTP server to something proper under Configuration -> Time Configuration

For the network, nothing complicated was done, as mentioned earlier. The management interface is on vmnic0, vSwitch0. It has a VMkernel port which has the management IP address. You can easily share management and virtual machine networking if you want to, though that’s not a best practice. In that scenario, you would create a port group under the same vSwitch, and call it something like “Virtual Machine port group”, for instance. That port group doesn’t get an IP; it’s just a network location you can refer to when you are assigning networking for your VMs. Whatever settings are on the physical port / vSwitch / port group apply to VMs that have been assigned to that port group.

By the way, after the install of Update 2, I noticed something cool on the ESXi host web page:

VMware Host..client?

Hold on, this looks very familiar to the vSphere web client which has been available for vCenter since 5.1?

Very familiar!

Very familiar in fact! This looks awesome! Looks like yet another piece VMware needs in order to kill off the vSphere Client. Not sure I’m ready to give it up just yet, but the lack of a tool to configure a stand-alone host was one of the key pieces missing so far.

Host web client after login

In the next post I will be looking at my VMs and how I use them in my environment.

Relevant links:

The Host UI web client was previously a Fling, something you could install but that wasn’t released with ESXi: https://labs.vmware.com/flings/esxi-embedded-host-client
But now it’s official: http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-esxi-60u2-release-notes.html

MicroATX Home Server Build – Part 3

Because I am impatient, I went ahead and got a motherboard, processor and memory. The components that I purchased were:

  • Asrock H61M-DGS R2.0 (Model: H61M R2.0/M/ASRK, Part No: 90-MXGSQ0-A0UAYZ)
  • 16 GB (2x8GB) Kingston HyperX Fury memory (DDR3, 1600MHz, HX316C10FBK2/16, individual memories are detected as: KHX1600C10D3/8G)
  • Intel i3-2100 (2 cores, with hyperthreading)

I ended up with this solution because I realized I may not have enough money to upgrade my main workstation, to get the parts from that machine into this one. I also didn’t have the funds to get a server grade processor, and getting an mATX server motherboard turned out to be difficult on short notice (did I mention I’m an impatient bastard?).

I ended up paying 48€ for the motherboard, 45€ for the processor (used, including Intel stock cooler) and 102 bucks for the 16GB memory kit.

The motherboard has the following specs:

  • 2 x DDR3 1600 MHz slots
  • 1 x PCIe 3.0 x16 slot
  • 1 x PCIe 2.0 x1 slot
  • 4 x SATA2
  • 8 USB 2.0 (4 rear, 4 front)
  • VGA and DVI outputs

The factors that led to me choosing this motherboard were mainly: Price, availability, support for 2nd and 3rd generation Intel Core processors (allowing me to use the i3 temporarily, and upgrade to the i5 later if I feel the need), and the availability of two PCIe slots. All other features were secondary or not of importance.

The reductions in spec that I had to accept were: no support for 32GB memory (as mentioned in the previous post), and no integrated Intel NIC (this one has a crappy Realtek NIC, but I might still use that for something inconsequential such as management; probably not though).

These pitfalls may or may not be corrected at a later date when I have more money to put toward the build, and patience to wait for parts.

The CPU is, as mentioned, an Intel i3-2100. It’s running at 3.1 GHz, has two cores, four threads (due to HT), 3MB Intel ‘SmartCache’, and a 65W TDP. It does support 32GB of memory on a suitable motherboard. I doubt the CPU will become a bottleneck anytime soon, even though it is low-spec (it originally retailed for ~120€ back when it was released in 2011). The applications and testing I intend to do are not CPU-heavy work, and since I have four logical processors to work with in ESXi, I can spread the load out some.

Putting it all together

Adding the motherboard was fairly easy. There were some standoffs already in the case, but I had to add a few to accommodate the mATX motherboard. Plenty of space for cabling from the PSU, and I paid literally zero attention to cable management at this point. The motherboard only had two fan headers: One for the CPU fan (obviously mandatory..) and one for a case fan. I opted to hook up the rear fan (included with the case) to blow out hot air from around the CPU. I left the bottom fan in, I may hook it up later, or replace it with the 230mm fan from Bitfenix.

Initially, I did not add any hard drives. ESXi would run off a USB 2.0 memory stick (Kingston Data Traveler 4GB), and the VMs would probably run from a NAS. I ended up changing my mind (more on this in the next post). For now, I wanted to validate the components. I opted to run trusty old MemTest86+ for a day or so. Here’s the build running MemTest:

Build almost complete, running MemTest86+

Looks to be working fine!

Here’s a crappy picture of the insides of the case, only covered by the HDD mounting plate:

Side panel open, showing HDD mounting plate, side of PSU

One thing to note here is that if you want the side panel completely off, you need to disconnect the cables seen to the front left. These are for the power and reset buttons, USB 2.0 front ports and HDD led. They are easy to remove, so no biggie here.

One note on the motherboard: There has only ever been one release of the BIOS, version 1.10. This was installed at the factory (obviously, as there were no other versions released at the time of writing). If you do get this board, make sure you are running the latest BIOS. Check for new versions here: http://www.asrock.com/mb/Intel/H61M-DGS%20R2.0/?cat=Download&os=BIOS

So this is the current state of the build. Next up…

  • Installing ESXi 6.0U1 (just released in time for this build)
  • Deciding on where the VMs would run
  • Adding NIC and possible internal storage
  • Configuring ESXi
  • Installing guest VMs

Stay tuned!




Windows 10 Experiences

Prep work

Every single blog probably has a post like this, but I figured it’d be good to recount my Windows 10 experiences. For posterity reasons, if nothing else.

I was involved in the Windows Insider program for quite some time (since the 9000-series builds), and have run Windows 10 pretty happily in a number of physical and virtual machines. Among them, VMware Workstation 11, Virtualbox 4, and a Thinkpad T420s. All without major issues, even when it was still in the preview stage.

Updating my own workstation is another issue entirely, but I figured I would do it anyway, and fix any issues that might come up as they hit.

I started off performing a standalone full backup using Veeam Endpoint to an external USB drive, and moving the Veeam recovery media to that same external disk. This is a good practice in case everything blows up in your face. Using Veeam Endpoint, I could perform a bare metal recovery in the event of a total disaster, and return to my pre-upgrade state.

The plan was as follows: update Windows 7 to Windows 10, then wipe and do a clean Windows 10 install. The reason behind this? During the upgrade phase, your Windows 7 (or I suppose 8/8.1) product key is converted to a Windows 10 key, and paired with some kind of hardware ID identifying your computer. One could try and install Windows 10 directly, and use the common key that seems to be the same on all machines that do the 7/8/8.1 -> 10 upgrade (for the Pro version, it’s: VK7JG-NPHTM-C97JM-9MPGT-3V66T), but people have reported that the install fails. This is probably because there is some backend magic that happens during the upgrade, which ties your computer to Windows 10.

So I started off getting the Windows 10 media using the Microsoft Windows Media Creation tool. I also saved the ISO to a USB drive where I could perform the full install later from. Some people have reported that starting the upgrade from the install media has been more successful than the “Windows Update” method. If you want to force your upgrade the Windows Update way, you can do the following:

  • Remove all files from the folder "C:\Windows\SoftwareDistribution\Download"
  • Remove the folder "$Windows.~BT" from the root of your system drive
  • Start an administrative command prompt and run "wuauclt.exe /updatenow"
  • Open and run Windows Update from the control panel

The Upgrade

I however opted for the install media method which seemed to work fine. I mounted the ISO (using WinCDEmu if you want to know), and started setup.exe and followed the upgrade wizard. Everything proceeded basically without incident; except for a weird Razer Synapse install popup during the upgrade:

Kind of weird, and it also tells me that explorer.exe is running somewhere in the background there (I thought it was basically in a “pre-Windows” environment where it performs the upgrade before it starts any more advanced GUI elements). I was unable to install Razer Synapse (a program I had installed in Windows 7, which was therefore going over to the new Windows 10 world); it crashed with some error. I dismissed the window. It didn’t appear to bother the upgrade in any way. But funny nonetheless!

After the upgrade, I had a basically working Windows 10 environment with all of my Windows 7 software etc. Nvidia drivers were installed as part of the upgrade and they were of the correct version (which supports Windows 10). Nvidia’s own little control panel did offer me an upgrade to the same version, but was unable to install it. Somehow it didn’t detect that Windows had already installed the same version. I didn’t troubleshoot this further, as everything was working and I was going to do the clean install anyway. Razer Synapse also worked, but also didn’t detect that it was already installed and insistently popped up the same install wizard as in the picture above, but failed with an error. It’s already installed! Give up! 🙂

N.B. Do not proceed unless Windows tells you it is activated. You can also check your upgraded Windows 10 key using a tool like Magic Jelly Bean Keyfinder (or some other method you prefer)

The Clean Install

I wanted a completely clean environment, as I’ve had bad experiences with Windows upgrades since the 3.1 -> Windows 95 upgrade. Just trust me.

I had a bootable USB with the Windows 10 x64 Pro installation media on it. I was prepared to re-install all applications etc. And I had a backup of everything just in case. Boot the machine, perform a clean install from the USB drive. Enter the product key starting with VK7JG during installation, no issues here. Install went without incident. It might not even ask you for a key, apparently, since it was activated after the upgrade.

After install, I had one device with missing drivers (Asus Xonar DG soundcard); everything else worked “out-of-the-box”. Installed a bunch of my favorite programs, and so far, a week or so after upgrade, I still have not had any major issues.

Now, what I did do is disable all forms of tracking and “send information to microsoft”-type of settings. I’ll do another post on this. Basically, it seems to be really hard to get rid of everything tracking related, because some of the call home functions are hard coded and IP based, so a simple host-file block won’t work. You need to deal with it on a firewall level, but even then, some users are reporting funny issues with their computer when it can’t call home. Which is sad. But then again, the EULA probably states you don’t actually own Windows 10 or have any rights to it, and the upgrade is free, so whatever. Take my first born.


Among others: https://www.reddit.com/r/Windows10/comments/3f2rl2/windows_10_ultimate_upgrade_guide/ and the r/Windows10 thread “Build 10240: Did you get assigned a license/product key?”


Some of the privacy related stuff:

http://localghost.org/posts/a-traffic-analysis-of-windows-10 (note that this looks very shady; I would take it with a metric fuck-ton of salt)

Bare Metal Recovery Experiences with Veeam Endpoint BETA

Note! This article describes a product that wasn’t released yet, so things might have changed from this to the release version! Some of the screenshots are from the release version of the Recovery Media

Note! Some of the images are from a different run than described, so ignore possible inconsistencies.

A prospective customer was having some issues when they were trying out Veeam Endpoint Free (while it was in beta), specifically bare metal recoveries. Not having tried it, I decided to give it a go to see where they might have gone astray. Here are some notes from the road.

Let’s start out with my environment:

  • Lenovo Thinkpad T440s running Windows 8.1, 256GB SSD drive
  • Veeam Endpoint Backup version (not the release version)
  • Backups are running to a server running Veeam 8 with the pre-release Patch 2 which allows Endpoint backups to a Veeam Backup Repository
  • Laptop and server are not on the same subnet/VLAN but traffic is allowed between the two
  • Target laptop is a Thinkpad R61 (just the empty first machine I saw without an owner in sight :)). Machine has an empty 320 GB spinny disk
  • Backup job is set to “Entire Computer”

Nothing exotic regarding the job, it takes everything on the machine except for deleted, temporary and page files, allowing for a complete restore of the computer to a given state.

To enable the bare metal recovery, create the Recovery media when prompted during install. Note that you can also skip this step and create it later, but I suggest doing it now. I chose to make it an ISO file, and then burned that onto a CD. I suppose you could use a USB drive as well, but I didn’t test it. The image in my case was about 480 megabytes in size, and was named VeeamRecoveryMedia_HOSTNAME.iso. When creating the recovery media, I left the default checkbox for hardware drivers checked, and did not add any additional drivers for this exercise.

After the backup was done, I booted up the Thinkpad R61 from the recovery CD. The process was fairly straightforward from then on. Also noteworthy is that I didn’t even expect this to work, since I’m restoring to a completely different generation and model series of Thinkpad with completely different hardware. Windows usually throws a hissy fit if you change the direction of the wind, or the moon is at an odd phase, but to my utter amazement, this actually worked. Not sure whether I should thank Veeam or Microsoft Windows 8.1 for this one 🙂

Starting off, this is the first thing you see when you boot from the recovery media:

First screen in the recovery media

We can either start using different tools (familiar to those that have used Windows PE type disks before), or start the Bare Metal Recovery process. Screenshots were taken from a restore I did in VirtualBox to avoid potato-quality pictures.

In the second screen, we have to choose where our backup files reside: Either a local storage medium (USB disk, other hard drive etc.) or a network storage location:

Choose where your backups are located

I chose network storage, since my backups are located on a Veeam BRS server. After this, we may have to tell it some network settings in order to access the network. You can use either wired or Wireless connection. You can also specify drivers in case you have more exotic hardware that isn’t detected by the boot disk.

Network settings dialog

After this, we select whether we want to use a network share, or a BRS server:


Give the name or IP of the BRS server, and credentials. On the server side, you can set which credentials have access to which repositories, so make sure these are in order. On the next pages, you can choose the machine and restore point:

Veeam Server Credentials
Select the computer from the job
Select restore point

So at this point we have chosen what, and when we are going to restore. Now we continue by telling it how we want our disk layout in the backup to look on our target machine (which may have a different sized disk, for instance). Maybe we don’t want or need to restore every partition? I went with Manual restore (advanced) for more fine grained control.

What to restore?
Choose the disks that we want to restore from our backup

In my example, I want a full working replica of my original machine, hence I will select all OS drives. In my case this means the System Reserved partition that later Windows boxes create to store certain boot files, and the C drive. Note the partition sizes. Also note the ‘Customize disk mapping’ link in the lower right hand corner. There, we could configure a different layout than our original. The default is noted in the ‘Restore layout’ column, ‘Automatic’. This will keep the original layout if possible.

We can now see a summary of what we are about to do. We then start the process:

..the process has started

Despite the scary warning (which may or may not be related to this being a beta at the time of my test), the restore process was completed. Note how it updates the BCD (the boot configuration data) so we can boot our newly restored system. It also does some magic with drivers, which might be why it booted on a completely different laptop (T440s vs. R61).

...and completed

We can now hit finish, remove the boot media when instructed and boot to our restored system. As I mentioned, everything worked, and was exactly as I could have hoped! I will do an update on this article when I’ve had a chance to try the release version (build available since April 14, 2015, see http://www.veeam.com/blog/veeam-endpoint-backup-free-is-here.html)

The finished product!

Two-hop SSH tunnels with Putty

So this is pretty basic stuff, but I find myself looking up the exact procedure a few times a year because I forget some minor detail somewhere. The basic premise is that I want to connect to a host, but that host can only be connected to by another host. So the whole chain looks like this:


The Client can connect to Host 1 as long as it has the private key matching the public key on Host 1 (along with the passphrase for the private key). Host 1 can connect to Host 2, again using a key. Host 2 can connect to the local address (Host 2 has a WAN and a LAN address) of the Target Server with a username and password (a Windows box in this case). Of course, you can do all this with just password authentication, but I wanted to have the added security of “something I have” (the key) and “something I know” (passwords). The main goal is to allow the Client to connect to the Target Server via RDP (TCP 3389), using SSH tunnels all the way. I will affix Wireshark and tcpdump captures from the different points to show the traffic.

Client to Host 1

First we will establish an SSH tunnel between Client and Host 1. To do this from our Windows Client machine, we open up PuTTY, and perform the following configuration:

Under “Source port” I added 8080. You can obviously use any convenient port that doesn’t overlap with something that’s already listening on your local machine (the Client). Under “Destination”, type in localhost:8080. This is so that the end of the tunnel on Host 1 will be localhost:8080. Save your configuration for easy access later. We will further connect through this to Host 2, and on to the Target Server.

Host 1 to Host 2 and on to Target Server

From the PuTTY connection to Host 1, I can now create a tunnel between Host 1 (port 8080) and Host 2, and make the other end of the tunnel Target Server port 3389 (for RDP). The command used for this (with the Target Server’s LAN address filled in) is:

ssh -L 8080:target.server.lan.ip:3389 host2username@host2ip

The man-page for ssh, under -L says:

-L [bind_address:]port:host:hostport

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.

In this case the “port on the local (client) host” is our end of the first tunnel, port 8080 on “localhost” (i.e. Host 1).

Client to Target Server

Now when all is done, we can start a Remote Desktop connection from Client all the way to Target Server. The connection parameters in my example are as follows:

Now you will connect to yourself, port 8080, which is one end of the chain of SSH tunnels. It’ll then proceed to Host 1, port 8080, and from there to Host 2, and on to Target Server, port 3389.
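As an added example (not code from the original post), here is a small Python planner and checker for the Client -> Host 1 -> Host 2 -> Target Server chain above, written for the OpenSSH command line rather than PuTTY: it parses the -L form quoted from the man page, emits the command each hop needs with the listener pinned to 127.0.0.1, and probes whether the local tunnel end is actually listening before you start RDP. The host names, user names and the LAN address are constructed placeholders.

```python
"""Added example (not code from the original post): a small planner and
checker for the Client -> Host 1 -> Host 2 -> Target Server chain described
above, using the OpenSSH command line. Host names, user names and the LAN
address are constructed placeholders."""
import re
import socket
from dataclasses import dataclass

# OpenSSH -L syntax from the man page: [bind_address:]port:host:hostport.
# IPv6 literals must be written in square brackets, e.g. [::1]:8080:[fd00::5]:3389
_SPEC = re.compile(
    r"^(?:(?P<bind>\[[^\]]*\]|[^:\[\]]+):)?"
    r"(?P<port>\d{1,5}):(?P<host>\[[^\]]*\]|[^:\[\]]+):(?P<hostport>\d{1,5})$"
)


@dataclass(frozen=True)
class Forward:
    bind_address: str  # "" = OpenSSH default (loopback, unless GatewayPorts is set)
    port: int          # listener on the side where ssh runs
    host: str          # reached from the remote side of the SSH session
    hostport: int

    def spec(self) -> str:
        """Render back into -L syntax, re-bracketing IPv6 literals."""
        def lit(addr: str) -> str:
            return f"[{addr}]" if ":" in addr else addr
        prefix = f"{lit(self.bind_address)}:" if self.bind_address else ""
        return f"{prefix}{self.port}:{lit(self.host)}:{self.hostport}"


def parse_forward(spec: str) -> Forward:
    """Parse one -L argument; rejects malformed specs and out-of-range ports."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"not a valid -L specification: {spec!r}")
    port, hostport = int(m["port"]), int(m["hostport"])
    if not (1 <= port <= 65535 and 1 <= hostport <= 65535):
        raise ValueError(f"port out of range in {spec!r}")
    return Forward((m["bind"] or "").strip("[]"), port,
                   m["host"].strip("[]"), hostport)


def plan_chain(host1: str, host2: str, target_lan: str,
               user1: str = "user1", user2: str = "host2username",
               local_port: int = 8080, rdp_port: int = 3389) -> dict:
    """Command for each hop of the post's chain.

    Both listeners are pinned to 127.0.0.1 explicitly, so the 8080 relay is
    never reachable on another interface even if GatewayPorts were enabled.
    Caveat: while the chain is up, any local user on Host 1 can reach
    127.0.0.1:8080 there and therefore the Target Server's RDP port, and the
    last leg (Host 2 to Target Server) is plain RDP on the LAN, as the
    captures in the post show.
    """
    client = Forward("127.0.0.1", local_port, "localhost", local_port)
    hop1 = Forward("127.0.0.1", local_port, target_lan, rdp_port)
    return {
        # typed on the Client (PuTTY's "Source port"/"Destination" in the post)
        "client": f"ssh -L {client.spec()} {user1}@{host1}",
        # typed inside that session, i.e. on Host 1
        "host1": f"ssh -L {hop1.spec()} {user2}@{host2}",
        # what the RDP client on the Client connects to
        "rdp": f"127.0.0.1:{local_port}",
    }


def endpoint_listening(host: str, port: int, timeout: float = 1.0) -> bool:
    """Probe the local end of the tunnel before starting RDP; a refused
    connection usually means the first hop is not up or is bound elsewhere."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    plan = plan_chain("host1.example", "host2.example", "192.168.1.20")
    for hop, cmd in plan.items():
        print(f"{hop:>6}: {cmd}")
    print("local tunnel end listening:", endpoint_listening("127.0.0.1", 8080))
```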

Traffic captures

First we have a Wireshark capture from Client to the tunnel which terminates at Target Server. Of course, Client doesn’t know this, so from its point of view, it’s making an SSH connection to Host 1.


All nice and neat and SSH.

Next up, we have the view from Host 1, capturing for traffic coming from Client, and going to Host 2:



Nothing human readable. The arguments for tcpdump were: tcpdump -i eth0 -n -X -vv host ip.address.of.host2

The penultimate capture! Host 2’s perspective:


Internal addresses all the way here, from Host 2’s internal address to Target Server’s internal address.

Finally, Wireshark capture from Target Server, traffic is seen as coming from Host 2:


So here we have it. A two-hop SSH tunnel that allows you to use RDP from a client somewhere, to a machine inside a private network that can’t be otherwise reached.

Disclaimer: I’m not responsible for any misconfigurations or anything, really, that causes you to end up on the front page of newspapers everywhere, lose data, face, or other features you hold dear. Also, I recognize there are about a gazillion ways to do this; This one is mine.

P.S. I also know RDP already has a lot of built in security and encryption, but I’m still not comfortable opening up a direct path to my home machine, or any other machine for that matter from all of the interwebs. Also, this was fun to do and a nice thing to learn about.