Tunneling VNC through SSH

BY: Jeff Robbins

To make a more secure VNC session you can make it tunnel through an SSH connection. Here is my setup and how I got it working. This tutorial assumes that you already know how to set up and run SSH and VNC clients and servers.

The problem: I run Windows 2000 and work and I wanted to be able to access my KDE desktop at home. Since I am at work I didn’t want anyone snooping on what I was doing, I need the VNC session to be as secure as possible.

On my work computer (Windows 2000) I needed an SSH client. Putty works well but for this TLC I am going to use this one. Mainly because I can hide it in the system tray. Then you will also need a VNC client, I recommend this one. PuttyTray has been brought to my attention lately, it is also an excellent alternative.

Now for my Linux machine I need a standard SSH server running and a running VNC server. When you start the VNC server add the following command so that it only listens for internal requests:

vncserver -localhost

You can add any additional flags you want just make sure that add the above option or else you are accepting connections from external addresses and we are tring to make this secure, right? Ok, the server is set up and ready to go.

Now the client side is a bit more involved. Using the SSH client I recommended above I fire it up and get the following set up screen:

Opening Screen

Make sure the X11 Foreward check box is checked and I had to change the Cipher Type to "Blowfish." Input the host IP or address in to "Host Name" then your username into "User ID." If you run the server off of a port other than 22 (the SSH default) make that change in the "Port" field. Almost there, one more step.

Now click "Local Forwards" button and you will get the following screen:

Local Forwards Screen

For the "Local Port" field you can just enter any number between 5900 and 5999. We do this because VNC broadcasts over port 5900 then adds the display number. You can find what displays you have running on your server by using:

ps auxwww | grep vnc

The average user will just be running one VNC display, so it would be :1 or display 01. We add that to our default VNC port and and get 5901. You can use any number you want for your local display number, so I will use 01. Enter 5901 into the "localport" field. Then since the VNC server is only accepting local requests we put ‘localhost’ into the "Host" field. Now for the remote port, remember how VNC broadcasts over 5900 then adds the display number by default? Since we are probably the only person running VNC on our server it is relatively safe to assume that the port is going to be 5901. But if you need to know you can run ‘ps auxwww | grep vnc’ again and look for the number right after -rfbport. Mine is 5901 so I put that into the "Remote Port" field. Click "OK" and you will be back to the main setup window.

Now click the "OK" button on the main setup window and the SSH Client should connect to your SSH server, you entered all the correct information into the username, host and port for your server right? After it connects you can hide the SSH Client in the system tray by going to the ‘Action->Hide in tray’ menu item.

Now fire up your VNC client and will get the main connection window:

Main VNC connection window

Enter ‘localhost:01’ into the "VNC Server" field. The VNC server is running through your SSH Client so in a sense you are connecting to a VNC server being broadcast by your SSH Client. We use ‘:01’ because we set the local port to be 5901 in the SSH Client. That means that display 01 is being broadcast. Click "OK" and in a moment you should get another window asking for your password. Provided you enter your password correctly the VNC Client should connect and you will see your desktop infront of you. Congratulations, you have just tunneled VNC through SSH.

  1. #1 by ryoung on October 30, 2007 - 3:28 pm

    Thank you, was searching through a bunch of sites today attempting to get this to work, and your site was truly helpful. Thanks!

(will not be published)