VNC over SSH

 

The purpose of this document is to explain how to set up a VNC connection over an SSH tunnel. I assume that you have basic knowledge of VNC, SSH and the Windows operating system. There are two main advantages of routing one's VNC connection through an SSH connection:

    a. An SSH connection is a secure connection.

    b. An SSH tunnel (port forwarding) can be used to establish a VNC connection across firewalls that block VNC ports / communication.

 

Here are some useful links

 

SSH

Tunneling Explained

Tunneling

Setting up Windows XP to map files with an ssh tunnel

The Definitive Guide

The Definitive Guide - Port Forwarding

 

VNC
VNC FAQ

 

VNC over SSH

MIT information systems

Jason’s

 

 

To use SSH we use a command similar to: ssh username@server

But SSH can also be used for port forwarding.

Port forwarding for VNC

VNC servers and clients use ports for communication. More often than not, universities allow SSH connections, but block the VNC ports. SSH can be used to forward these blocked ports, so that VNC can work over an SSH connection even if the regular VNC ports are blocked by your university, company or community firewall. To use VNC over SSH we should know the basics of port forwarding.

 

SSH Local Port Forwarding

A local port forwarding ssh connection would listen for communication on your local port and forward it to the port on the remote SSH server over a secure ssh tunnel (connection)

ssh -L Listen_to_this_port_number_on_local_machine:Destination_computer_as_seen_by_sshserver:Forward_to_this_port_number_on_destination_computer username@ssh_server_machine_name_or_IP

[Diagram: SSH client and SSH server]

ssh -L N1:server:N2 username@server

 

 

 

SSH Remote Port Forwarding

A remote port forwarding ssh connection would listen for communication on a port on the remote ssh server and forward it to a port on your local machine over a secure ssh tunnel (connection)

ssh -R Listen_to_this_port_number_on_ssh_server:Destination_computer_as_seen_by_sshclient:Forward_to_this_port_number_on_destination_computer username@ssh_server_machine_name_or_IP

[Diagram: SSH server and SSH client]

ssh -R N2:client:N1 username@server

 

 

VNC

 

VNC uses ports to communicate between the server and the client. For computer ‘a’ to remotely access the desktop of another computer ‘b’, computer ‘b’ should have a VNC server running and computer ‘a’ should have a VNC client (viewer) program. A VNC server listens on a specified port on the computer. When a VNC viewer tries to communicate with the server on that port, the server establishes communication with the viewer after authenticating it. The VNC viewer has to know which port the server is listening on to communicate with it.

 

 

 

VNC over SSH

 

I will consider 2 simple configurations followed by an advanced configuration. The possible combinations are endless.

 

Before going to the configurations, on the server we need to set up VNC so that loopback connections are allowed. (The VNC server should allow a viewer on the local machine to connect.)

Run ‘regedit.exe’ and go to the HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3 registry subkey. Add the value AllowLoopback with the data type REG_DWORD and a hexadecimal value of 1. Then add the value LoopbackOnly with the data type REG_DWORD and a hex value of 1. The first value allows local loopback connections; the second disables all connections other than loopback, so no one can connect without going through a secure SSH connection.
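To confirm that the LoopbackOnly setting took effect, the listening sockets on the VNC server can be checked. The script below is an added example, not part of the original document: it reads netstat -an output and reports any VNC listener on ports 5900 to 5905 (the range used in this document) that is bound to something other than loopback. The function names and the sample netstat lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original document).
# Reads `netstat -an` text on stdin (Windows or Linux layout) and prints the
# local address of every VNC listener that is NOT bound to loopback.
# Ports 5900-5905 are checked, matching the 0<=n<=5 range used in this document.
exposed_vnc_listeners() {
    awk '
        toupper($1) ~ /^TCP/ && /LISTEN/ {
            # Linux prints two numeric queue columns before the local address.
            la = ($2 ~ /^[0-9]+$/) ? $4 : $2
            n = split(la, part, ":")
            port = part[n] + 0
            addr = substr(la, 1, length(la) - length(part[n]) - 1)
            if (port < 5900 || port > 5905) next
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            print addr ":" port
        }'
}

# Constructed sample: Windows-style lines followed by two Linux-style lines.
sample_netstat() {
    cat <<'EOF'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5901         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:5900      192.168.1.77:1893      ESTABLISHED
tcp        0      0 127.0.0.1:5902          0.0.0.0:*               LISTEN
tcp6       0      0 :::5903                 :::*                    LISTEN
EOF
}

sample_netstat | exposed_vnc_listeners
```

Feed it the saved output of netstat -an from the VNC server; no output means no VNC listener in that port range is reachable from the network.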

 

Configuration 1

Usually someone who wants the VNC communication to take place over a secure SSH tunnel would use such a configuration.

For this example, let computer P be the VNC viewer and the SSH client, and computer Q be the SSH server running a VNC server. Let the VNC server listen to port 5900 (N2). The user should have a valid ‘login’ on the SSH server. In this case you, as a client, will have to first set up the SSH tunnel and then start the VNC viewer.

 

Here P and Q stand for either the IP address of the computer or the name of the computer registered with the DNS for the computer network you are on.

 

A user on machine P should do the following:

execute on the command line ssh -L 5901:localhost:5900 username@Q

or ssh -L 5901:Q:5900 username@Q

start the VNC viewer and open the following port: localhost:1

If you set up the SSH tunnel as

ssh -L 5900:localhost:5902 username@Q

you would need to open port localhost:1 in the VNC viewer.

 

 

Configuration 2

 

 

In this case, from the SSH client, Q, execute

ssh -R 5901:localhost:5900 user@P

or ssh -R 5901:Q:5900 user@P

(this will set up the SSH tunnel)

Then, on P, start the VNC viewer and open the following port: localhost:1

 

There are different scenarios in which these configurations can be useful. For example, if computer Q is behind a firewall and you cannot access the SSH server from P to Q, but can do so from Q to P, you will be able to set up configuration 2, but not configuration 1. Similarly, configuration 1 is useful if P is behind a firewall and the SSH server on P cannot be used but the SSH server on Q can be accessed from P.

 

 

Configuration 3

 

What happens if both P and Q are behind a firewall and neither of the SSH servers can be accessed? In that case VNC can still work if you have access to a third computer that has an SSH server and allows you to use the SSH port forwarding facilities.

 

 

 

 

Set up the VNC server to listen to port n (TCP port 590n), where 0<=n<=5.

Set up a remote port forwarding tunnel from the VNC server, using an SSH client:

ssh -R 590n:localhost:590n user@server

Now set up a local port forwarding tunnel from the VNC client:

ssh -L 590n:localhost:590n user@server

On the VNC client, type localhost:n in the VNC viewer.
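The forwarding specs used in the three configurations can be read mechanically. The script below is an added example, not part of the original document: it parses a -L or -R spec ([bind:]port:host:hostport) and reports which machine listens, which machine connects to the destination, what a VNC viewer on the listening machine should open, and whether a non-loopback bind address was requested. The function name and output format are illustrative, and only IPv4 addresses and host names are handled.

```sh
#!/bin/sh
# Added example (not from the original document).
# explain_forward MODE SPEC
#   MODE  L (ssh -L) or R (ssh -R)
#   SPEC  [bind:]port:host:hostport  (IPv4 / host names only)
explain_forward() {
    mode=$1
    old_ifs=$IFS
    set -f; IFS=:               # split on ':'; -f keeps a '*' bind literal
    set -- $2
    IFS=$old_ifs; set +f
    case $# in
        3) bind=@default ;;     # no bind address: ssh listens on loopback only
        4) bind=$1; shift ;;
        *) echo "bad forward spec" >&2; return 2 ;;
    esac
    port=$1 dest=$2:$3
    case $port in
        ''|*[!0-9]*) echo "bad listen port" >&2; return 2 ;;
    esac
    # Assumption: VNC display n is served on TCP port 5900+n.
    if [ "$port" -lt 5900 ] || [ "$port" -gt 5999 ]; then
        echo "listen port is not a VNC display port (5900+n)" >&2; return 2
    fi
    case $mode in
        L) listener=client connector=server ;;  # client listens, server dials dest
        R) listener=server connector=client ;;  # server listens, client dials dest
        *) echo "mode must be L or R" >&2; return 2 ;;
    esac
    case $bind in
        @default|localhost|127.*) exposure=loopback-only ;;
        # '', '*', 0.0.0.0 or an interface address; for -R the server's
        # GatewayPorts setting decides whether the request is honoured.
        *) exposure=non-loopback ;;
    esac
    echo "listen=$listener viewer=localhost:$((port - 5900))" \
         "dest=$dest via=$connector bind=$exposure"
}

# Configuration 1, then both halves of configuration 3 with n=2.
explain_forward L 5901:localhost:5900
explain_forward R 5902:localhost:5902
explain_forward L 5902:localhost:5902
```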

 

 

 

For questions or comments, please email tushar underscore manglik at hotmail dot com