Objective: Getting secure (and fast) connection from Windows environment to remote VNC server behind router/firewall (such as FREESCO) with ssh server installed.
Achieved results: Secure connection to remote desktop using open source VNC or Tight VNC software (that is normally doesn't encrypt traffic other than password). As a “side-effect”, shorter response times achieved due to ssh efficient traffic compression. Also, no additional port is left open other than ssh port on remote server/router/firewall.
VNC is a wonderful piece of software that has one problem. Only login information sent over network is encrypted. For many paranoid and simply smart people it is not acceptable. Unfortunately, when people hear this, they think that commercial software is needed to overcome the problem. It might be true in some cases while many others will find out that simple procedure could help secure your connection using only open source software. In my case I wanted to connect from Windows computer at home to computers on network behind FREESCO router/firewall at my office. I had ssh server installed on my FREESCO (http://www.freesco.info) router already. Here is how my setup looked:
What I wanted to achieve was something like bellow, where SSH would create a secure “tunnel”, protecting VNC traffic from “hostile” network environment. I also wanted this “tunnel” to have a nice “lubrication” to speed up traffic going thru it.
I wanted to connect to computer 192.168.1.4 on remote network. Before I had FREESCO forwarding TCP port 5900 to 192.168.1.4. Connection was insecure, additional port was open on router and connection wasn't very fast even though I had DSL on both ends. My Remote VNC server was setup to listen on port 5900 (screen 0) So, here is what I did. Open PuttY, go to Connection→SSH→Tunnels:
And enter Source port, final destination IP and port you have listening on VNC server on remote end. Click ADD:
Go to SSH and enable SSH 2 and compression (here is where we gain higher speed):
Now we are ready to start tunneling session. Go to Session and enter information about server (IP or domain name) and port (22 is default for ssh). PuTTY also has a neat feature to save session. After you entered host name and chose ssh, enter name for session (i.e. VNC forwarding) and click Save:
Click open and login to remote ssh server as usual:
You may be asked questions about security key, it is not a goal of this HOWTO to explain how ssh works, so, you should know what to do
Once you are logged in to remote server, your secure tunnel is ready to go. You may open your VNC session and it will not be open to spying eyes anymore. Only, you will need to point to your local computer on port specified in PuTTY session (5905 in our example), not remote server. To do that you specify “localhost” in VNC dialog and display 5 (port number minus 5900):
You will be asked for password as usual, so enter it and enjoy. Minimize PuTTY session windows to keep it out of the way
If you don't care about looks, try some tweaking of VNC options to speed it up a little more (right click on VNC session window and chose “Connection options”) . In general, if you experienced VNC over internet before, tunneling will blow you away with speed. Over DSL it is almost real time:
I use connection all the time and don't like tweaking all the options every session. Also, it is my computer and nobody has access to it. So, I did not mind saving VNC login information. So, I went ahead and saved session info in file Office on my drive C:\. Then I recalled little of DOS .bat “programming” (something like shell script in Linux only extremely lame:)) and made little batch file (get it here if .bat don't tell you much). What it does: it opens VNC session using settings saved in file Office I saved in root directory of drive c:\, which includes all settings of session, including encrypted password.
I wanted to mention that above described setup could be done with other SSH clients. If you prefer some other client look up documentation for Tunneling options.
Warning: the technique described worked well for author. It is presented as is with no guarantees. If you find some inaccuracies in this HOWTO, please e-mail author at firstname.lastname@example.org Don't e-mail me any questions about technique. This is how I did it, I don't care much if it doesn't work for you. Try to resolve it yourself. I tried to make explanation as simple as possible and I know it would help me big deal when I was trying to make it work.
This HOWTO maybe reproduced in any way with reference to the source. By Dr. Vladimir Dontsov, March 17 2002