HOW-TO: VNC secure tunneling using Windows PuttY ssh client.

Objective: Getting secure (and fast) connection from Windows environment to remote VNC server behind router/firewall (such as FREESCO) with ssh server installed.

Achieved results: Secure connection to remote desktop using open source VNC or Tight VNC software (that is normally doesn't encrypt traffic other than password). As a “side-effect”, shorter response times achieved due to ssh efficient traffic compression. Also, no additional port is left open other than ssh port on remote server/router/firewall.


  • VNC or TightVNC server on remote end and viewer on local computer
  • PuTTY a Windows ssh client
  • OpenSSH server installed on server/router/firewall (check if you are using FREESCO for latest openSSH software) or use the stock dropbear SSH server if you're using FREESCO 0.3.x or later.


VNC is a wonderful piece of software that has one problem. Only login information sent over network is encrypted. For many paranoid and simply smart people it is not acceptable. Unfortunately, when people hear this, they think that commercial software is needed to overcome the problem. It might be true in some cases while many others will find out that simple procedure could help secure your connection using only open source software. In my case I wanted to connect from Windows computer at home to computers on network behind FREESCO router/firewall at my office. I had ssh server installed on my FREESCO ( router already. Here is how my setup looked:


What I wanted to achieve was something like bellow, where SSH would create a secure “tunnel”, protecting VNC traffic from “hostile” network environment. I also wanted this “tunnel” to have a nice “lubrication” to speed up traffic going thru it.

Open secure tunnel

I wanted to connect to computer on remote network. Before I had FREESCO forwarding TCP port 5900 to Connection was insecure, additional port was open on router and connection wasn't very fast even though I had DSL on both ends. My Remote VNC server was setup to listen on port 5900 (screen 0) So, here is what I did. Open PuttY, go to Connection→SSH→Tunnels:

And enter Source port, final destination IP and port you have listening on VNC server on remote end. Click ADD:

Go to SSH and enable SSH 2 and compression (here is where we gain higher speed):

Now we are ready to start tunneling session. Go to Session and enter information about server (IP or domain name) and port (22 is default for ssh). PuTTY also has a neat feature to save session. After you entered host name and chose ssh, enter name for session (i.e. VNC forwarding) and click Save:

Click open and login to remote ssh server as usual:

You may be asked questions about security key, it is not a goal of this HOWTO to explain how ssh works, so, you should know what to do :-)

Open VNC session

Once you are logged in to remote server, your secure tunnel is ready to go. You may open your VNC session and it will not be open to spying eyes anymore. Only, you will need to point to your local computer on port specified in PuTTY session (5905 in our example), not remote server. To do that you specify “localhost” in VNC dialog and display 5 (port number minus 5900):

You will be asked for password as usual, so enter it and enjoy. Minimize PuTTY session windows to keep it out of the way :-)

Tweak VNC options

If you don't care about looks, try some tweaking of VNC options to speed it up a little more (right click on VNC session window and chose “Connection options”) . In general, if you experienced VNC over internet before, tunneling will blow you away with speed. Over DSL it is almost real time:

I use connection all the time and don't like tweaking all the options every session. Also, it is m