Friday, February 6, 2009

VNC Tunnel over SSH

I have a VNC server running on both my wife's PC (TightVNC) and my own (x11vnc), allowing me remote access to each computer's desktop.

For security reasons, access to the VNC port (5900) from the outside world is blocked by the firewall on both machines. This may seem weird - after all, this prevents connections from the outside world...

Well, the missing ingredient is that in order to access the VNC server, I first connect to the PC in question with ssh, and tunnel VNC traffic over the secure connection, like this:
ssh -L 5901:localhost:5900

This way I have the SSH client on my side forward incoming connections from the local port 5901 to the remote port 5900 on my home PC, via the remote SSH daemon. As far as the VNC server at home is concerned, the incoming connection originated locally. So I can now connect to my home PC like this:
vncviewer localhost:1

The number after the colon is calculated by subtracting 5900 from the local port being forwarded (5901 in our case).

My wife's PC is trickier to access. To start with, the VNC server on my wife's machine is configured to allow connection from localhost only. Second, it's not directly connected to the Internet. My own PC is connected to the Internet over a cable modem, and my wife's PC is connected to my PC, which routes its incoming and outgoing network traffic using Network Address Translation. I'm no expert here - I implemented this by using one of the example configurations that come with the firewall that I've installed on my PC (shorewall).

I have an ssh daemon running on my wife's PC, courtesy of Cygwin, so that I connect to it like this:
ssh -t -L 5902:localhost:5902 ssh -L 5902:localhost:5900 user@

where is the local IP address that's allocated to my wife's PC. Note that port 5902 is forwarded twice - once from the local machine to my home PC, and then from my home PC to my wife's laptop. I can then connect to the VNC server running there:
vncviewer localhost:2

What I don't like about this setup is the two steps involved: I first need to establish a secure shell connection, and only then run the VNC viewer application. After a while it becomes tedious. Here's how I really connect to my home PC:
ssh -t -C -L 5901:localhost:5900 -R 40022:localhost:22 \
ssh -t -p 40022 vncviewer -display :0 -FullScreen -LowColourLevel 2 \
-PreferredEncoding ZRLE localhost:1

where I ssh back to my local machine at work by reverse forwarding of port 22 (my workstation is behind a firewall), and launch the VNC viewer (RealVNC). I also use compression on both the secure connection (-C) and the VNC client command line, in order to speed up the link.

I use a similar method to connect to my wife's PC, but with a few more forwarding hops.

No comments:

Post a Comment