You probably know that you can completely administer a Unix/Linux machine by logging in to it via SSH. But what would you do if you needed to access a Windows machine? Right, use VNC, you say. That's fine, I admit. VNC is freely available (see below for software links), it's easy to play with and fast enough to be used even over a slow dial-up line. However, the VNC protocol is rather insecure. The password itself is never sent (the client answers a DES challenge with it), but that challenge-response can be brute-forced offline from a captured exchange, and everything after it, screen contents and keystrokes included, is transmitted in the clear. That might again be fine if you use it in your LAN only, but I for my part would definitely not use it over the Internet.
Commercial products exist to overcome this (in)security with custom encryption methods. But, since the VNC protocol does not (yet) specify exactly how data encryption has to be implemented, every product uses its own encryption technique(s). In other words, if you want encryption, your VNC server and client probably need to be from the same manufacturer. Apart from the fact that you will have to pay for such software, the high chance of incompatible server/client implementations is not satisfying at all.
SSH to the rescue?
It is very common to overcome the security problems of VNC by just tunneling the VNC connection through a highly secure SSH tunnel. To do so, we need to open an SSH connection (a tunnel) between the two hosts and can then run the VNC applications without further modifications through the secure line, even over the Internet. This is a very general approach and is not restricted to the VNC protocol.
However, under Windows, things look different: Windows is not equipped with an SSH server. Worse, at the time of writing there is no freely available SSH server for Windows (recent Windows 10/11 and Windows Server releases do ship OpenSSH Server as an optional feature, but the NAT problem described next remains). To put it simply, if you want to securely administer a Windows machine via VNC, you had best buy a commercial SSH server.
Moreover, if the machine you want to administer is behind a NAT firewall, you lose: first, the firewall most probably blocks incoming VNC connections and, second, NAT prevents direct access to the machines behind it. Okay, you can forward the firewall's ports to the internal machine, but that requires root privileges on the remote firewall...
SSH to the rescue!
I wouldn't be writing this tutorial if there wasn't a way to overcome the various troubles. Look at the following figure to get an idea of the setup I'm going to talk about:
That is, we want to administer a machine in LAN 2 from a client in LAN 1 via an SSH tunnel (blue line in the figure) through the Internet. We will do so by creating an SSH tunnel from the firewall in LAN 1 to the firewall in LAN 2. The latter will forward the VNC connection to the internal VNC server.
We first have to check that the following things work:
- You have to make sure that you can log in to the firewall in LAN 2 ("firewall 2") via SSH. I assume the default SSH port number 22 is used. If you can't connect, this either means that no SSH server is running on firewall 2 or that the firewall blocks incoming SSH connections. Also check that the account you will use is allowed to forward ports (AllowTcpForwarding must not be set to no in firewall 2's sshd_config).
- The firewall in LAN 2 has to be able to access the VNC server, i.e. make sure that no additional personal firewall application is running on the VNC server machine. If there is one, open port 5900 on the VNC server for connections from firewall 2.
- Make sure you have an account on the firewall in LAN 1 ("firewall 1"). Root is not required: ports 590x are above 1024 and therefore not privileged, so any user may bind them; you would only need root to forward a port below 1024.
The rest is easy:
Log in to firewall 1 (any account will do). Then, issue
ssh -v -p 22 -g -l fw2user -C -L 5901:vncserverip:5900 firewall2ip
where fw2user is the account used to log in to firewall 2, vncserverip is the (internal) IP address of the VNC server machine and firewall2ip is the IP address of firewall 2. The -g flag makes the forwarded port 5901 reachable from other hosts (here: the workstation in LAN 1) rather than from firewall 1 itself only, -C enables compression and -v prints what ssh is doing, which helps with the troubleshooting below.
You will be prompted for a password for user fw2user. If the authentication was successful, you will get, as usual, a shell on firewall 2.
However, we did not only log in to firewall 2, but we also told firewall 1 to listen on port 5901 and tunnel whatever connects there via SSH to firewall 2. Firewall 2 in turn connects that tunneled session to port 5900 on the VNC server machine. Got it?
If not, don't worry; instead, fire up your VNC client software on the workstation in LAN 1. Now, connect to port 5901 on firewall 1 (since this will be tunneled and forwarded accordingly). After supplying the VNC password, you will be presented with the desktop of the VNC server machine. Two things to keep in mind: the hop from the workstation to firewall 1 is still plain VNC, so it is only as trustworthy as LAN 1 itself, and because of -g the listener on port 5901 is bound on all interfaces of firewall 1, including the Internet-facing one, so make sure firewall 1's packet filter blocks 5901 from outside (or bind the forward to firewall 1's LAN-1 address instead of using -g; ssh accepts a bind address in front of the port in the -L specification).
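The whole procedure above, wrapped in a small script for firewall 1. This is an added example, not code from the original tutorial or from OpenSSH; it assumes the OpenSSH client on firewall 1, an account on firewall 2 that is allowed to forward ports, and placeholder addresses supplied by the caller. It differs from the one-liner above in that it binds the listener to a LAN-1 address instead of using -g, opens no shell (-N -f), refuses to run if the forward cannot be set up, and checks that the listener really exists afterwards.

```shell
#!/bin/sh
# vnc-tunnel.sh: bring up the VNC-over-SSH tunnel on firewall 1.
# Added example for this tutorial; not part of OpenSSH or any VNC project.
# Assumed: the OpenSSH client on firewall 1; the account on firewall 2 is
# allowed to forward ports (AllowTcpForwarding yes in sshd_config); all
# addresses are placeholders supplied by the caller.

set -u

# Accept only a dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Accept an IPv4 address or a conservative hostname (letters, digits, . and -,
# not starting with -) for firewall 2.
is_host() {
    is_ipv4 "$1" && return 0
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# Accept a conservative account name, so it is safe on a command line.
is_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Print the ssh command. Compared with the tutorial's one-liner: a bind
# address instead of -g, so the listener exists only on the LAN-1 interface
# of firewall 1 and not on its Internet-facing side; -N -f, so no shell is
# opened and ssh backgrounds itself once the forward is up; and
# ExitOnForwardFailure, so ssh fails instead of silently running without the
# forward when the local port is already taken.
# $1 bind address on firewall 1, $2 account on firewall 2, $3 firewall 2,
# $4 internal VNC server address, $5 local port (default 5901).
tunnel_cmd() {
    [ $# -ge 4 ] || return 1
    bind=$1 user=$2 fw2=$3 vnc=$4 lport=${5:-5901}
    is_ipv4 "$bind" && is_username "$user" && is_host "$fw2" && is_ipv4 "$vnc" || return 1
    case "$lport" in ''|*[!0-9]*) return 1 ;; esac
    printf 'ssh -N -f -C -o ExitOnForwardFailure=yes -L %s:%s:%s:5900 %s@%s\n' \
        "$bind" "$lport" "$vnc" "$user" "$fw2"
}

# On firewall 1, check that something now listens on $1:$2 (ss, or netstat
# on older systems).
tunnel_listening() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } |
        grep -q "[[:space:]]$1:$2[[:space:]]"
}

main() {
    cmd=$(tunnel_cmd "$@") ||
        { echo "usage: $0 bind-ip fw2user firewall2 vncserverip [port]" >&2; return 2; }
    echo "+ $cmd" >&2
    # Every component of $cmd passed the whitelists above, so eval cannot be
    # handed shell metacharacters.
    eval "$cmd" || return 1
    lport=${5:-5901}
    if tunnel_listening "$1" "$lport"; then
        echo "tunnel up: point the VNC client at $1:$lport"
    else
        echo "ssh returned but nothing listens on $1:$lport" >&2
        return 1
    fi
}

# Run only when given arguments, so the file can also be sourced for its functions.
case "${1:-}" in
    --dry-run) shift; tunnel_cmd "$@" ;;
    '') ;;
    *) main "$@" ;;
esac
```

On firewall 1, `sh vnc-tunnel.sh 192.168.1.1 fw2user firewall2ip vncserverip` (192.168.1.1 standing for firewall 1's LAN-1 address) prompts for fw2user's password, backgrounds ssh and reports the address to point the VNC client at; `--dry-run` with the same arguments only prints the command. Because the listener is bound to the LAN-1 address, nothing is exposed on firewall 1's external interface even without a filter rule for port 5901.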
Troubleshooting
If things don't work as expected, check the following:
- Are those IP addresses all correct? The tunneling format is rather awkward, so double-check whether you wrote the right IPs at the right place.
- Make sure the VNC server software is running before you create the SSH tunnel. If it is not, the VNC client reports the connection as refused or immediately closed, and with -v ssh on firewall 1 logs that the forwarded connect to vncserverip:5900 failed.
- If you get a "Connection closed" or "Connection to VNC server lost" right after the authentication dialog, make sure that you have appropriate graphics drivers installed on the Windows machine. The default 640x480 VGA drivers that come with Windows won't do!
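A quick way to tell the first two failure modes apart from the workstation in LAN 1, before even starting the VNC client: a VNC server speaks first and sends its ProtocolVersion message ("RFB 003.008" or similar), so reading the first bytes from firewall 1's tunnel port shows whether a VNC server is really on the other end, whether some other service (typically sshd, if port 22 was typed instead of 5901) answered, or whether nothing came back at all. This is an added example, not part of the tutorial or of any VNC project; it assumes a netcat (nc) that accepts -w for a connect timeout, and the address and port are placeholders for the firewall-1 end of the tunnel.

```shell
#!/bin/sh
# probe-vnc.sh: run from the workstation in LAN 1 to tell the failure modes
# above apart. Added example for this tutorial; not part of any VNC or SSH
# project. Assumed: a netcat (nc) that accepts -w for a connect timeout;
# $1 and $2 are the firewall-1 end of the tunnel (e.g. 192.168.1.1 5901,
# placeholders).

# A VNC server talks first: its ProtocolVersion message is the 12 bytes
# "RFB xxx.yyy\n". Read just those, keeping stdin open briefly so netcat
# does not hang up before the server has written them.
read_banner() {
    sleep 2 | nc -w 3 "$1" "$2" 2>/dev/null | head -c 12
}

# Classify what came back. Exit status: 0 VNC, 1 some other service, 2 nothing.
classify_banner() {
    case "$1" in
        'RFB '[0-9][0-9][0-9].[0-9][0-9][0-9])
            echo "VNC server answered: $1"; return 0 ;;
        SSH-*)
            echo "an SSH server answered ($1): this is port 22, not the tunnel port"; return 1 ;;
        '')
            echo "no banner: connection refused or closed (VNC server not running, wrong IP in -L), timed out, or nothing listens here"; return 2 ;;
        *)
            echo "something else answered: $1"; return 1 ;;
    esac
}

# Run only when given arguments, so the file can also be sourced.
case "${1:-}" in
    '') ;;
    *) classify_banner "$(read_banner "$1" "${2:-5901}")" ;;
esac
```

`sh probe-vnc.sh 192.168.1.1 5901` from the workstation prints one of the three verdicts and exits 0 only when a VNC server answered through the tunnel; "no banner" after the tunnel has been created points at the VNC server not running or a wrong vncserverip in -L, which `ssh -v` on firewall 1 will confirm.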
VNC software
- RealVNC (originated from the AT&T reference implementation). The free version will do for our purpose.
- TightVNC: A very nice VNC client/server implementation, particularly on Windows.
- Ultr@VNC
If you're using a recent version of KDE (3.2 or higher), you most probably already have a nice VNC client installed. It is called "Remote desktop connection" (krdc).

