25. May 2011 · 1 comment · Categories: Networking
This guide illustrates the concepts of tunneling VNC over SSH. VNC is a protocol that allows you to control a desktop from a remote computer and allows others to view or control your desktop from their computer. However, using VNC alone is a security risk: although VNC protects the password exchange, the rest of the session (screen updates, keystrokes and mouse events) is sent unencrypted.

SSH, or Secure Shell, is a secure protocol with a feature called port forwarding that can be used to provide secure connections for VNC, as well as for POP3, SMTP, RDP, HTTP and other protocols. Using SSH port forwarding to secure connections is also known as SSH tunneling. SSH tunneling creates an SSH tunnel that encapsulates unencrypted traffic (the payload protocol), such as VNC, inside an encrypted SSH channel (the delivery protocol). In other words, using VNC with SSH port forwarding makes a port from one PC appear on another PC through an SSH connection, providing a secure path for the VNC traffic.

A practical use of SSH tunneling with local and remote port forwarding would be to securely exchange the desktops between two PCs using the VNC protocol. Setting up the SSH sessions can be accomplished for both PCs from the same SSH client PC. Another use for SSH tunneling not covered in this guide is to bypass firewalls that block certain ports, such as port 80, which are often blocked to prevent users from accessing the Internet using company computers (see related article – Using SSH to secure Internet connections).

SSH Port Forwarding Summary

In the following definitions and examples, a remote machine is defined as the PC with the SSH server. All commands in the examples here are executed from the SSH client machine (192.168.1.1). Although both forwarded and local ports may be the same, the examples shown use different port numbers for clarification.

Two types of SSH port forwarding are: (1) local port forwarding, and (2) remote port forwarding, with local port forwarding being the more common. Another type of SSH port forwarding not covered in this guide is dynamic port forwarding (see Using SSH to secure Internet connections).

1. Local port forwarding – A port on the client PC is forwarded to the remote PC. A connection to this port enables data to be sent bidirectionally over the SSH connection between the client and remote PC. See Fig 1.

2. Remote port forwarding – This is the reverse of local port forwarding. A port on the remote PC is forwarded to the client PC. A connection to this port enables data to be sent bidirectionally over the SSH connection between the client and remote PC. See Fig 2.

Other points:

  • Ports may be forwarded to multiple hosts on a single connection or by using multiple SSH connections.
  • Other computers on the Internet are prevented from connecting to forwarded ports unless enabled with the “-g” flag.
  • VNC servers must allow loopback connections since clients are seen as local connections.
  • To connect PCs over the Internet, port 22 must be forwarded for SSH on the router.
  • Port numbers from 0 to 1023 are privileged ports used by system processes to provide network services. For Unix and Unix-like operating systems, these processes can only execute with superuser privileges. It’s therefore best to avoid using ports under 1024 for local ports.

Local Port Forwarding for VNC

Figure 1 illustrates local port forwarding for a VNC session over a LAN. The client Windows PC has IP address 192.168.1.1 and the remote Linux PC has IP address 192.168.1.3. The syntax for local port forwarding as used in this example:

ssh username@serverhost -L localport:host:remoteport
or
ssh -L localport:host:remoteport username@serverhost

Note: The use of a Windows PC and a Linux machine in Figure 1 below is for illustration purposes only. The operating systems are irrelevant. What matters is that the client PC has an SSH client and a VNC viewer, and the remote machine has an SSH server and a VNC server.

Fig 1: Local Port Forwarding

To establish the SSH connection using local port forwarding, the following command can be entered into a command window on the client PC:

ssh user@192.168.1.3 -L 6999:localhost:5901
or
ssh -L 6999:localhost:5901 user@192.168.1.3
  • user@192.168.1.3 = SSH host to connect to
  • -L = Option to enable local port forwarding
  • 6999 = Port on the client PC
  • localhost = Host server to connect to (the remote PC, same as 127.0.0.1)
  • 5901 = Port on the remote host (forwarded from the client PC)

To connect to the VNC server, enter the following into the VNC viewer:

127.0.0.1:6999

or

localhost:6999

Remote Port Forwarding for VNC

Figure 2 illustrates remote port forwarding for a VNC session over a LAN. The client Windows PC has IP address 192.168.1.1 and the remote Linux PC has IP address 192.168.1.3. The syntax for remote port forwarding as used in this example:

ssh username@serverhost -R remoteport:host:localport
or
ssh -R remoteport:host:localport username@serverhost

Note: The use of a Windows PC and a Linux machine in Figure 2 below is for illustration purposes only. The operating systems are irrelevant. What matters is that the client PC has an SSH client and a VNC server, and the remote PC has an SSH server and a VNC viewer.

Fig 2: Remote Port Forwarding

To establish the SSH connection using remote port forwarding, the following command could be entered into a command window on the client PC:

ssh user@192.168.1.3 -R 6999:localhost:5901
or
ssh -R 6999:localhost:5901 user@192.168.1.3
  • user@192.168.1.3 = SSH host to connect to
  • -R = Option to enable remote port forwarding
  • 6999 = Port on the remote host
  • localhost = Host server to connect to (the client PC, same as 127.0.0.1)
  • 5901 = Port on client PC (forwarded from the remote PC)

(Add the “-v” option at the end of the command above to view debugging messages about SSH’s connection progress)

To connect to the VNC server, enter the following into the VNC viewer (which in this case runs on the remote PC):

127.0.0.1:6999

or

localhost:6999
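As an added example (not from the original guide), the shell functions below build the -L or -R command line for the VNC tunnel with the safeguards discussed above (no privileged listening port, loopback-only bind) and check the output of "ss -ltn" to confirm that a forwarded port listens on loopback only, i.e. that it is not exposed the way the "-g" flag would expose it. The function names and the sample listings are assumptions.

```shell
# Added example, not from the original guide. tunnel_cmd, check_loopback_only
# and the SAMPLE_* listings are assumed names and constructed data.

# tunnel_cmd MODE LISTEN_PORT TARGET_PORT USER@HOST
#   MODE is L (local forward) or R (remote forward). Prints the ssh command.
#   Listening ports below 1024 are refused (privileged, see the note above).
#   For -L the client-side bind address 127.0.0.1 is given explicitly (the
#   opposite of "-g"); for -R the server-side bind is decided by sshd's
#   GatewayPorts setting (loopback by default), so no address is added.
tunnel_cmd() {
    mode=$1; lport=$2; tport=$3; dest=$4
    case "$mode" in
        L|R) ;;
        *) echo "mode must be L or R" >&2; return 1 ;;
    esac
    case "$lport" in
        ''|*[!0-9]*) echo "listen port must be numeric" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "listen port $lport is privileged or out of range" >&2
        return 1
    fi
    if [ "$mode" = L ]; then spec="127.0.0.1:$lport"; else spec="$lport"; fi
    # -N: no remote shell, the session carries only the forwarded port
    echo "ssh -N -$mode $spec:localhost:$tport $dest"
}

# check_loopback_only PORT SS_OUTPUT
#   Scans the text of "ss -ltn" and succeeds only if every listener on PORT
#   is bound to 127.0.0.1 or [::1]; a 0.0.0.0 or * listener means the
#   forwarded port is reachable from other machines.
check_loopback_only() {
    port=$1; listing=$2
    printf '%s\n' "$listing" | awk -v p="$port" '
        NR > 1 {
            n = split($4, a, ":"); lp = a[n]
            addr = substr($4, 1, length($4) - length(lp) - 1)
            if (lp != p) next
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { exit ((found && !exposed) ? 0 : 1) }'
}

# Constructed sample listings standing in for real "ss -ltn" output.
SAMPLE_SS_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:6999     0.0.0.0:*
LISTEN 0      128    [::1]:6999         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6999       0.0.0.0:*'
```

Run "check_loopback_only 6999 "$(ss -ltn)"" on the machine that holds the listening end (the client PC for -L, the remote PC for -R) once the tunnel is up.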
