VNC Over SSH Tunnel

Configuration


Tunnelling Theory

PuTTY and OpenSSH have two options for tunnelling: local and remote.

Local = a port on the remote system is made available locally (you can test this by making the remote system's SSH port available locally).

Remote = a port on your local system is made available to the remote system you are logging into.

So, on the computer that runs the VNC server, you use PuTTY to connect to a remote Linux computer, choosing the "Remote" option above.  Then, from that Linux server or from another computer on that LAN, you use the VNC Viewer to connect to the Linux server.


Examples

1)  The VNC server program is running on the remote computer.  The remote computer SSHes to the local computer, with port-forwarding of ______  (family home computer)  set up.    The local computer does:  vncviewer localhost:5901

2)  The VNC server program is running on the remote computer.  On the local computer, ssh to the remote server with this command:    ssh -t -L 5900:localhost:5900 [remote server] 'x11vnc -localhost -shared -forever -display :0'

Then:  vncviewer localhost:5900


3)  The local computer SSHes into the remote computer, where the VNC server is running ____________

4)  For displaying an X session through a VNC server.   On the remote computer:   x11vnc -shared -forever -display :0 -passwd [choose-a-password]  -nossl --vencrypt never

              Local computer:   vncviewer [remote host]

              The local computer can connect with encryption/SSL if the vncviewer can handle it.   The free version of RealVNC doesn't handle it.
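The two forwarding directions from the Tunnelling Theory section, and the 5900/5901 ports used in the examples above, as an added shell example (not from the original page).  The function names, the VNC display-to-port rule, and the extra ssh options (-N, ExitOnForwardFailure, an explicit 127.0.0.1 bind so the forwarded port is not reachable from the LAN) are my additions; the host names are placeholders.

```bash
#!/bin/sh
# Added example: compose the ssh command for each tunnel direction described
# on this page.  Nothing here connects anywhere; it only builds the command.

# VNC display :N listens on TCP port 5900+N, which is why example 1 above
# uses 5901 while x11vnc on display :0 (example 2) uses 5900.
vnc_port_for_display() {
    printf '%d\n' $((5900 + ${1#:}))
}

# tunnel_cmd DIRECTION LOCAL_PORT REMOTE_PORT SSH_HOST
#   local  -> -L: a port on the SSH server becomes reachable on this machine
#   remote -> -R: a port on this machine becomes reachable on the SSH server
# Both bind the listening end to 127.0.0.1 so only the tunnel can reach the
# VNC port, run no remote shell (-N), and make ssh exit instead of silently
# continuing if the forward cannot be established (ExitOnForwardFailure).
tunnel_cmd() {
    direction=$1; lport=$2; rport=$3; host=$4
    case $direction in
        local)  fwd="-L 127.0.0.1:$lport:localhost:$rport" ;;
        remote) fwd="-R 127.0.0.1:$rport:localhost:$lport" ;;
        *) echo "unknown direction: $direction" >&2; return 1 ;;
    esac
    printf 'ssh -N -o ExitOnForwardFailure=yes %s %s\n' "$fwd" "$host"
}

# Usage (placeholder hosts):
#   eval "$(tunnel_cmd local 5900 5900 vnc-host.example)" &   then: vncviewer localhost:5900
#   eval "$(tunnel_cmd remote 5900 5901 linux-server.example)"  then, on the server: vncviewer localhost:5901
```

Pair the "local" form with x11vnc -localhost on the server side (as in example 2) so the VNC server itself also refuses connections that do not arrive through the tunnel.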


Tips/Troubleshooting


It seems to help if the VNC server is RealVNC in protocol version 3.3 mode (under the Legacy tab).

In case one VNC connection hangs, it's good to configure the VNC server to permit multiple shared connections.

Unfortunately, closing the VNC Viewer program is not always straightforward.  It may close or appear closed but still show up in Task Manager, where you can kill the process manually.   Then, according to netstat --ip, there may still be port 5900 connections open.   On Linux, the tcpkill command can kill them:   tcpkill -i eth0 port 5900   or    tcpkill -i eth0 port 5900 host 192.168.1.100

  • Sometimes the connection is in a "CLOSE_WAIT" state, which tcpkill doesn't seem to kill.
  • More info on the CLOSE_WAIT state is here (search for the section that begins with "About CLOSE_WAIT state").
  • If an SSH/PuTTY connection is going to be left open on a computer you don't have physical access to (or on one that may have malware or be open to attack), it is best for the SSH tunnel to connect to your Linux server using a non-privileged account (not root).  That way, anyone who gets onto the computer that initiates the tunnel won't have much access to your Linux system.
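A way to check for the lingering port-5900 connections described above before reaching for tcpkill, as an added shell example (not from the original page).  The netstat-style lines in SAMPLE are constructed for the example, and the function names are my own.

```bash
#!/bin/sh
# Added example: find sockets still tied to the VNC port after the viewer
# has gone away, and separate the CLOSE_WAIT ones, which tcpkill cannot clear.
# tcpkill works by injecting resets into traffic it sees on the wire; a
# CLOSE_WAIT socket is idle, so nothing is ever sent for it to reset.  Those
# disappear only when the process that still owns the socket exits or is killed.

# Constructed sample in the layout of `netstat --ip -n` (not real captures).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.50:5900       192.168.1.100:49211     ESTABLISHED
tcp        0      0 192.168.1.50:5900       192.168.1.100:49212     CLOSE_WAIT
tcp        0      0 192.168.1.50:22         192.168.1.100:49300     ESTABLISHED
tcp        0      0 127.0.0.1:5900          127.0.0.1:51000         CLOSE_WAIT'

# lingering_vnc PORT: reads netstat output on stdin, prints "<state> <peer>"
# for every TCP connection whose local port is PORT.  Exit status is 1 when
# at least one such connection exists, 0 when the port is clean.
lingering_vnc() {
    awk -v port="$1" '
        $1 == "tcp" && $4 ~ (":" port "$") { print $6, $5; found = 1 }
        END { exit found ? 1 : 0 }'
}

# count_state PORT STATE: reads netstat output on stdin and prints how many
# TCP connections on local port PORT are in STATE (e.g. CLOSE_WAIT).
count_state() {
    awk -v port="$1" -v state="$2" '
        $1 == "tcp" && $4 ~ (":" port "$") && $6 == state { n++ }
        END { print n + 0 }'
}

# Usage on a live system:  netstat --ip -n | lingering_vnc 5900
# Against the constructed sample:  printf '%s\n' "$SAMPLE" | count_state 5900 CLOSE_WAIT
```

When count_state reports CLOSE_WAIT sockets, look for the process that still holds them (the viewer that "appeared closed", or a stale x11vnc) rather than running tcpkill again; the peer address printed by lingering_vnc tells you which host's viewer it was.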
