Tunnel VNC connections with SSH

VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.

You can use this tool to view the remote display of any unix or Windows machine from a unix or Windows workstation. Encrypting X11 in SSH may be more convenient when you want to access a remote unix server, but there are cases when VNC could be more appropriate, because there is no state stored in the viewer (i.e. on your workstation).

Remotely Accessing a Windows PC

You have to set up a VNC server on the remote Windows machine, preferably with a password protecting the client access. Once you start your VNC server, it will listen on port 5900. For this example it will be on winserver.cern.ch.

Unfortunately the VNC protocol is unencrypted, so the crackable password and the content of your remote screen would be visible on the network. To avoid security problems it is possible to tunnel the VNC session through an SSH channel.

For a generic description on how to encrypt a TCP connection, see "Encrypting Connections with SSH".

To make this work you have to choose an SSH server that is connected to the Windows machine through a trusted network, because the VNC traffic between the SSH server and the Windows machine is not encrypted. The best choice is the Windows machine itself, i.e. you run the SSH server on that machine. For this example the trusted SSH server will be lxplus.cern.ch.

From a Windows viewer to a Windows target

  1. The command line to set up an encrypted connection from your workstation to lxplus is:

         $ plink -ssh -L 5900:winserver.cern.ch:5900 lxplus.cern.ch

     If plink is not available then you need to install PuTTY SSH software from CERN NICE.

  2. Now you can run vncviewer and connect it to winserver.cern.ch by specifying localhost as the VNC server.

     You will have to type in your VNC password to access the server.

From a Linux viewer to a Windows target

  1. The command line to set up an encrypted connection from your workstation to lxplus is:

         $ ssh -L 5900:winserver.cern.ch:5900 lxplus.cern.ch

  2. Now you can run xvncviewer and connect it to winserver.cern.ch by specifying localhost as the VNC server:

         $ xvncviewer localhost

     You will have to type in your VNC password to access the server.

From a Linux (or Mac) viewer to a MacOS X target

The method described works best when an SSH server is running on the target Mac. If this is not the case, or you are connecting from outside CERN, replace mac.cern.ch below with lxplus.cern.ch. Don't forget to open up access to "VNC" in the firewall of mac.cern.ch.

  1. Install and configure Apple Remote Desktop on the target Mac mac.cern.ch as display "0" (which corresponds to port 5900).

  2. Start an SSH tunnel from your Linux box to the target:

         $ ssh -L 5901:mac.cern.ch:5900 mac.cern.ch

     This forwards all traffic arriving at port 5901 of your Linux desktop to port 5900 on mac.cern.ch (where Apple Remote Desktop should be listening). This way the "unencrypted" traffic exists only inside the mac.cern.ch machine, out of reach of network sniffers.

  3. Start the "Remote Desktop Connection" on your Linux box, using vnc:/localhost:1 as 'Remote Desktop' address. You will have to type your VNC password. Display "1" translates to port 5901 on your Linux desktop, i.e. the port from which traffic will get forwarded.
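
The tunnel commands from the procedures above can be generated by a small shell helper that maps display numbers to ports. This is an added example, not part of the original page: the function names are hypothetical, and the explicit 127.0.0.1 bind address, -N and ExitOnForwardFailure are additions to the commands shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# VNC display N listens on TCP port 5900+N (0 -> 5900, 1 -> 5901).
# Assumption: displays 0-99, written without leading zeros.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*|0?*|???*) echo "invalid display: $1" >&2; return 1 ;;
    esac
    echo $((5900 + $1))
}

# Print the ssh command that forwards local display $1 to display $3 on
# VNC target $2, through SSH server $4.
vnc_tunnel_cmd() {
    [ $# -eq 4 ] || { echo "usage: vnc_tunnel_cmd LDISP TARGET TDISP SSHHOST" >&2; return 1; }
    lport=$(vnc_port "$1") || return 1
    rport=$(vnc_port "$3") || return 1
    # Accept only plain DNS names, so the printed command is safe to paste
    # into a shell and a host can never be parsed as an ssh option.
    for h in "$2" "$4"; do
        case "$h" in
            ''|-*|*[!A-Za-z0-9.-]*) echo "invalid host: $h" >&2; return 1 ;;
        esac
    done
    # 127.0.0.1: bind the listener to loopback explicitly, so other hosts
    #   cannot reach the forwarded port regardless of the GatewayPorts setting.
    # ExitOnForwardFailure=yes: abort if the local port is already in use, so
    #   the viewer never talks to some other listener on that port.
    # -N: forward only, do not start a remote shell.
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${lport}:$2:${rport} $4"
}

# Which hop still carries cleartext VNC after the tunnel ends?
# $1 = SSH server, $2 = VNC target. "none" when they are the same machine.
cleartext_hop() {
    if [ "$1" = "$2" ]; then echo "none"; else echo "$1 -> $2"; fi
}
```

Calling `vnc_tunnel_cmd 1 mac.cern.ch 0 mac.cern.ch` prints the Mac tunnel command, and `cleartext_hop lxplus.cern.ch winserver.cern.ch` names the network segment that has to be trusted.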