
vnc tunneling over ssh


Wolfgang Ebersbach

Jan 7, 2004, 8:43:37 AM
Hi together,
I try to tunnel a vnc connection over ssh in order to get through a firewall:

vnc_host-->firewall-->vnc_client.

What I do is:

vnc_client# ssh -L 5901:localhost:5901 vnc_host
After login to vnc_host :
vnc_host# vncserver
Which starts the vnc server on port 5901 on vnc_server, as expected.
Then :
vnc_client# vncviewer localhost:5901
or
vnc_client# vncviewer localhost:1
which both lead to this result:
At vnc_client:
vncviewer: VNC server closed connection
and at vnc_server:
4409: channel 3: open failed: connect failed: Connection refused

The problem can not be in SSH, because if I do X11 forwarding via SSH
( ssh -X vnc_server ) it works.
If I try to forward the TCP port instead :
vnc_client# ssh -L 5801:vnc_client:5801 vnc_server
I get the same problem as with port 5901. In fact, I can use any ports
I want, vnc forwarding never works.
There are no entries in the logfiles whatsoever. Several queries to Google
Groups led to no useful results.

Any help would be greatly appreciated.

Regards,
Wolfgang

Georg Armbruster

Jan 7, 2004, 9:31:55 AM
On Wed, 07 Jan 2004 14:43:37 +0100, Wolfgang Ebersbach wrote:

[trying to tunnel vnc through a gateway]

> vnc_host-->firewall-->vnc_client.


> vnc_client# ssh -L 5901:localhost:5901 vnc_host

Well, shouldn't this read
ssh -L 5901:vnc_host:5901 your_gateway ?
Then, port 5901 of your vnc_host is "mapped" to
port 5901 of your localhost, which most probably
is your vnc_client...

Needless to say, an sshd has to run on the gateway...

Greets,
Georg

Wolfgang Ebersbach

Jan 7, 2004, 9:47:47 AM
Georg Armbruster wrote:

> On Wed, 07 Jan 2004 14:43:37 +0100, Wolfgang Ebersbach wrote:
>
> [trying to tunnel vnc through a gateway]
>
>> vnc_host-->firewall-->vnc_client.
>> vnc_client# ssh -L 5901:localhost:5901 vnc_host
>
> Well, shouldn't this read
> ssh -L 5901:vnc_host:5901 your_gateway ?
> Then, port 5901 of your vnc_host is "mapped" to
> port 5901 of your localhost, which most probably
> is your vnc_client...

OK, maybe it was not very well described:

The host running the VNC server is "vnc_server"
The host which should connect to the VNC server via the firewall is
"vnc_client"

now, you need to run "ssh -L 5901:vnc_client:5901 vnc_server" on the
vnc_client machine, which is what the VNC documentation about this issue
says, too:
http://www.uk.research.att.com/archive/vnc/sshvnc.html

This is what I do, but it doesn't work.

If you run "ssh -L 5901:vnc_host:5901 your_gateway" on machine
"your_gateway", you establish an ssh connection from "your_gateway" to
"your_gateway" which is not what we want to do.

Or did I not understand the concept here ?

Regards,
Wolfgang

Georg Armbruster

Jan 7, 2004, 11:17:11 AM
On Wed, Wolfgang Ebersbach wrote:

>> [trying to tunnel vnc through a gateway]

> If you run "ssh -L 5901:vnc_host:5901 your_gateway" on machine
> "your_gateway", you establish an ssh connection from "your_gateway" to
> "your_gateway" which is not what we want to do.
>
> Or did I not understand the concept here ?
>

Actually, I guess you are wrong; running the above command, a connection
is established from your_gateway to your local host (which means to the
localhost which is running the command).

If you run "ssh -L 5901:vnc_host:5901 IPofYourGateway", then
your gateway "grabs" the port 5901 of your vnc_host, encrypts it
from your gateway on, and forwards it to port 5901 of your local host,
from where you can access it with "vncviewer 127.0.0.1".

This connection is plain (which means unencrypted) from your vnc_host
to your ssh-server (your gateway), but encrypted from your gateway
towards your vnc_client.

Hope this helps :))
Georg

Xenna

Jan 7, 2004, 2:25:16 PM
Wolfgang Ebersbach wrote:

> I try to tunnel a vnc connection over ssh in order to get through a firewall:
>
> vnc_host-->firewall-->vnc_client.

I once had a problem trying to do a similar tunnel. The VNC server
(Windows XP/RealVNC) was running on the same host as the ssh server that
was used as the end point of the tunnel (Cygwin/OpenSSH).

It turned out that the Windows VNC server didn't listen to the loopback
interface (localhost/127.0.0.1) by default (for reasons that elude me to
this day). I had to change a registry key to make that happen.

Perhaps you're looking at a similar problem.

I've wondered many times why no-one creates a VNC Client/Server pair
with built in SSL encryption. It can't be that difficult, the Open
Source libraries are everywhere. It's just ridiculous that such a
product doesn't encrypt its data by default...

I'd do it myself but my C sucks...

X.

Skylar Thompson

Jan 7, 2004, 9:49:18 PM

Add this line to /etc/hosts.allow:

Xvnc: ALL

--
-- Skylar Thompson (sky...@cs.earlham.edu)
-- http://cs.earlham.edu/~skylar/

Wayne Throop

Jan 7, 2004, 9:58:54 PM
: Wolfgang Ebersbach <wolfgang....@micronas.com>
: The host running the VNC server is "vnc_server" The host which should
: connect to the VNC server via the firewall is "vnc_client"
:
: now, you need to run "ssh -L 5901:vnc_client:5901 vnc_server" on the
: vnc_client machine, which is what the VNC documentation about this
: issue says, too:
: http://www.uk.research.att.com/archive/vnc/sshvnc.html

That's not what needs to be done, and that's not what that web page says
to do. Running that command on vnc-client will attempt to forward a
port on vnc client to the same port on vnc client, which is pretty much
guaranteed to be quite useless at best.

What it says on that page is

ssh -L x:localhost:y snoopy

Note that "localhost" is evaluated on snoopy, and NOT on the host
upon which you execute the command. The -L forward syntax is x:h:y, where
x is the localport to forward from, h is the host relative to the
server, and y is the port on the server to which connections will be
forwarded. Thus you should either say

ssh -L 5901:localhost:5901 vnc-server

or possibly

ssh -L 5901:vnc-host:5901 gateway

if the gateway firewalls in such a way that the vnc server
isn't directly visible.

: If you run "ssh -L 5901:vnc_host:5901 your_gateway" on machine
: "your_gateway", you establish an ssh connection from "your_gateway" to
: "your_gateway" which is not what we want to do.

No, that establishes a port forward from the host you run the command on
(which is implicit in the x:host:y syntax), to a port on vnc-host, where
the name "vnc-host" must be visible to gateway. Which is quite useful,
if vnc-host isn't visible from where you run the command, but is
visible from the gateway.

Note that the unix version of tightvnc has a -via option which
can be used to do both ssh and vnc connections in one swell foop:

vncviewer -via vnc-host localhost:1
or
vncviewer -via gateway vnc-host:1

or however the visibility works in the particular case.


Wayne Throop thr...@sheol.org http://sheol.org/throopw

William Hooper

Jan 7, 2004, 11:17:02 PM
"Wolfgang Ebersbach" <wolfgang....@micronas.com> wrote in message
news:bth275$3vb$1...@seebuck.freinet.de...

> Hi together,
> I try to tunnel a vnc connection over ssh in order to get through a
> firewall:
>
> vnc_host-->firewall-->vnc_client.
>
> What I do is:
>
> vnc_client# ssh -L 5901:localhost:5901 vnc_host
> After login to vnc_host :
> vnc_host# vncserver
> Which starts the vnc server on port 5901 on vnc_server, as expected.
> Then :
> vnc_client# vncviewer localhost:5901
> or
> vnc_client# vncviewer localhost:1
> which both lead to this result:
> At vnc_client:
> vncviewer: VNC server closed connection
> and at vnc_server:
> 4409: channel 3: open failed: connect failed: Connection refused

What do you get doing:

vnc_host# telnet localhost 5901

> The problem can not be in SSH, because if I do X11 forwarding via SSH
> ( ssh -X vnc_server ) it works.


X forwarding and TCP forwarding are two completely different config options.
man sshd

It might also be helpful if you posted OS and version numbers.

--
William Hooper

I like you ... you remind me of me when I was young and stupid


Georg Armbruster

Jan 8, 2004, 2:34:00 AM
On Wed, Wolfgang Ebersbach wrote:

>> [trying to tunnel vnc through a gateway]

> If you run "ssh -L 5901:vnc_host:5901 your_gateway" on machine
> "your_gateway", you establish an ssh connection from "your_gateway" to
> "your_gateway" which is not what we want to do.
>
> Or did I not understand the concept here ?
>

Actually, I guess you are wrong; running the above command, a connection

Wolfgang Ebersbach

Jan 8, 2004, 3:54:40 AM
William Hooper wrote:

> "Wolfgang Ebersbach" <wolfgang....@micronas.com> wrote in message
> news:bth275$3vb$1...@seebuck.freinet.de...
>> Hi together,
>> I try to tunnel a vnc connection over ssh in order to get through a
>> firewall:
>>
>> vnc_host-->firewall-->vnc_client.
>>
>> What I do is:
>>
>> vnc_client# ssh -L 5901:localhost:5901 vnc_host
>> After login to vnc_host :
>> vnc_host# vncserver
>> Which starts the vnc server on port 5901 on vnc_server, as expected.
>> Then :
>> vnc_client# vncviewer localhost:5901
>> or
>> vnc_client# vncviewer localhost:1
>> which both lead to this result:
>> At vnc_client:
>> vncviewer: VNC server closed connection
>> and at vnc_server:
>> 4409: channel 3: open failed: connect failed: Connection refused
>
> What do you get doing:
>
> vnc_host# telnet localhost 5901

I get :

ebersbac@via:~> telnet localhost 5901
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.003

Which means that the vnc server can be accessed on the local machine. I
don't understand what the "Trying ::1" means. Maybe I should read the
entire ssh manpage to understand what's going on here ?

Wolfgang Ebersbach

Jan 8, 2004, 3:56:22 AM
Skylar Thompson wrote:

> Add this line to /etc/hosts.allow:
>
> Xvnc: ALL

Sorry, this does not change the behaviour.


Wolfgang Ebersbach

Jan 8, 2004, 4:08:30 AM
Hi Georg,

Seems I do not yet understand what's going on, sorry.
I do of course have a gateway - the firewall in between. But I thought that
this makes no difference, because port22 is transparent through the
firewall.

The setup is :

Home_PC----I-net---Firewall---LAN---Office_PC

Where Home_PC and Office_PC both run SuSE Linux 8.2.
I don't know what OS the firewall runs. I only know, that ftp, pings and ssh
go straight through.
If I do "ssh Home_PC" on the Office_PC, I can connect without any problems.

Now, as the SSH port tunneling tunnels any port over the ssh port22, I
thought it might be possible to tunnel the vnc ports via ssh without any
interaction to the firewall.
IF this is true, it should be possible to say
"ssh -L 5901:Office_PC:5901 Home_PC" on the Office_PC in order to get a
tunnel from Office_PC to Home_PC. This is how I understand it. Map Port
5901 of Office_PC to port 5901 of Home_PC.

If I understand your posting, I need to map 5901 of Home_PC to 5901 on my
gateway ( the firewall ). But I don't know what IP the firewall has. I am
not even sure if it is only one firewall or some sort of cluster. I only
have a DNS name of the firewall.

If I do "ssh -L 5901:dns_of_firewall:5901 Home_PC" on the Office_PC and then
( after starting vncserver on the Home_PC via the now established ssh
connection ) run "vncviewer localhost:5901" on the Office_PC, I get on the
Office_PC:
/u1/ebersbac> vncviewer localhost:5901


vncviewer: VNC server closed connection

and on the Home_PC:
ebersbac@via:~> 3372: channel 3: open failed: administratively prohibited: open failed


Wolfgang Ebersbach

Jan 8, 2004, 4:19:08 AM
Wayne Throop wrote:
> What it says on that page is
>
> ssh -L x:localhost:y snoopy
>
> Note that "localhost" is evaluated on snoopy, and NOT on the host
> upon which you execute the command. The -L forward syntax is x:h:y, where
> x is the localport to forward from, h is the host relative to the
> server, and y is the port on the server to which connections will be
> forwarded. Thus you should either say

OK, this means that "h" must be the machine that should run the vncviewer,
as seen from the vncserver, right ?
If it is so, I cannot do this. The machine that should run the vncviewer is
behind a firewall in a LAN and cannot be seen from the I-net.

Home_PC---I-net---Firewall---LAN---Office_PC

So, as I understand from your posting and the one from Georg Armbruster, I
need to run something like
"ssh -L 5901:Firewall_as_seen_from_I-net:5901 Home_PC", right ?
The problem is, I don't know the IP of the firewall. I only have a DNS name
for the LAN which for sure is useless on the I-net side.
The firewall's LAN DNS Name is bound to a LAN IP.

Seems I am doomed ?

Wolfgang Ebersbach

Jan 8, 2004, 4:30:21 AM
Now I got the firewall I-net DNS name by looking on the Home_PC from which
host I logged in last time.

I used this call on the Office_PC:
"ssh -L 5901:hostname_given_by_logininfo_on_Home_PC:5901 Home_PC"
, started the vnc server on Home_PC and ran "vncviewer localhost:5901" on
the Office_PC. The result is as usual:

"vncviewer: VNC server closed connection" on the Office_PC
and
"ebersbac@via:~> 3406: channel 3: open failed: connect failed: Connection refused"
on the Home_PC

I then asked a sys_support guy for the I-net IP of the firewall and tried:
" ssh -L 5901:ip_of_firewall_as_told_by_system_support:5901 Home_PC"
It is not working.

Cameron Kerr

Jan 8, 2004, 7:07:27 AM
On 2004-01-08, Wolfgang Ebersbach <wolfgang....@micronas.com> wrote:

> I don't understand what the "Trying ::1" means.

It just means it tried to connect via IPv6, but the other end didn't
support it, so it fell back to IPv4 (Trying 127.0.0.1). ::1 is the IPv6
equivalent of 127.0.0.1.

--
Cameron Kerr
camero...@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!

Georg Armbruster

Jan 8, 2004, 8:32:46 AM
On Thu, 08 Jan 2004 10:08:30 +0100, Wolfgang Ebersbach wrote:

> [trying to tunnel vnc through ssh]
> Home_PC----I-net---Firewall---LAN---Office_PC
>

Hi Wolfgang!
First of all, what you want to accomplish is possible
and even trivial, if you know a few facts:
Do you have machines which are accessible from the Internet?
Do they have at least one official IP address? (Most
probably, since you ARE connected to the internet).

On one of these machines accessible from the internet,
an sshd has to be running, and this machine should be
able to connect to your vnc_host.


From your home pc, open a console and type
"ssh -L 5901:your_vnc_host_as_seen_from_gateway:5901
your_official_IP_machine"

When the machine seen from the internet doesn't run a sshd, your
admin can change the ruleset to port-forward sshd connections to
a server inside your network -which has access to the vnc_host
and does run sshd.

In any way, the host between the two numbers 5901 is your vnc_host,
as seen from the machine you connect to - nothing else!

When you have the ssh connection established, type
"vncviewer 127.0.0.1" in a NEW TERMINAL, not in the one where
the sshd connection is established!


Hope this helps...
Georg

Nick E.

Jan 8, 2004, 9:30:40 AM
Wolfgang Ebersbach wrote:

> Hi Georg,
>
> Seems I do not yet understand what's going on, sorry.
> I do of course have a gateway - the firewall in between. But I thought that
> this makes no difference, because port22 is transparent through the
> firewall.
>
> The setup is :
>
> Home_PC----I-net---Firewall---LAN---Office_PC
>
> Where Home_PC and Office_PC both run SuSE Linux 8.2.
> I don't know what OS the firewall runs. I only know, that ftp, pings and
> ssh go straight through.
> If I do "ssh Home_PC" on the Office_PC, I can connect without any
> problems.
>
> Now, as the SSH port tunneling tunnels any port over the ssh port22, I
> thought it might be possible to tunnel the vnc ports via ssh without any
> interaction to the firewall.

I think this depends on where port22 on the firewall is forwarded to?

You can always ssh using (for example) port6666, then on the firewall,
forward 6666 to port22 on the officePC.

Here's what you need tho:
Have VNC running on OfficePC (say screen:1)

Then, from HomePC, run
$>ssh <wan-ip> -L 5901:localhost:5901
and login with your username and password for the system.

Now, open up VNC on HomePC, and connect to server "localhost:1".

I know this works. I've got it working right now, in fact. I'm using
tightVNC on both ends. And I connect from a windos box at work to my linux
(Mdk9.2) box at home. Home firewall is IPCop. Work firewall (which doesn't
really matter) is Netscreen. Here's my setup (LAN is assumed on both ends):
WorkPC--->Work_Firewall--->Internet--->Home_Firewall--->HomePC

I had to forward port22 on Home_Firewall to port22 on HomePC. Work_Firewall
didn't require any changes, as it lets everything out pretty much.

HTH.

-john


--
Really, I'm not out to destroy Microsoft. That will just be a completely
unintentional side effect.
--Linus Torvalds

Wayne Throop

Jan 8, 2004, 5:03:56 PM
:: What it says on that page is
::
:: ssh -L x:localhost:y snoopy
::
:: Note that "localhost" is evaluated on snoopy, and NOT on the host
:: upon which you execute the command. The -L forward syntax is x:h:y,
:: where x is the localport to forward from, h is the host relative to
:: the server, and y is the port on the server to which connections will
:: be forwarded. Thus you should either say

: Wolfgang Ebersbach <wolfgang....@micronas.com>
: OK, this means that "h" must be the machine that should run the
: vncviewer, as seen from the vncserver, right ?

No. It must be the machine that is running the vncserver,
as seen from the machine to which the ssh connection is made.

: If it is so, I cannot do this. The machine that should run the
: vncviewer is behind a firewall in a LAN and cannot be seen from the
: I-net.
:
: Home_PC---I-net---Firewall---LAN---Office_PC

Which is why you want to do

ssh -L 5901:Office_PC:5901 Firewall

on your Home_PC. Then

vncviewer localhost:1

on your Home_PC. Or, with tightvnc's -via option, just

vncviewer -via Firewall Office_PC

Note that this implies that Firewall must run sshd; or rather more
generally, that there must be a machine which can access Office_PC,
which is visible through the Firewall, and is running sshd.

: The problem is, I don't know the IP of the firewall. I only have a
: DNS name for the LAN which for sure is useless on the I-net side. The
: firewall's LAN DNS Name is bound to a LAN IP.
:
: Seems I am doomed ?

The key is to find a machine which serves ssh, and has an IP that is
reachable from outside the firewall. Some firewalls are set up to
allow this to specific ssh servers, so that people can log in
remotely; some aren't. If your firewall has no such provisions
(as, eg, my home firewall does not, but my employer's firewall does),
you're doomed as doomed can be, I must say.

Well... one other possibility is if your Home_PC is visible from
your Office_PC, you can run sshd on the Home_PC, then start

ssh -R 5901:localhost:5901 Home_PC

on your Office_PC, and then start

vncviewer localhost:1

on your Home_PC. Note: -L is "local forward" and -R is "remote forward".

Wayne Throop

Jan 8, 2004, 5:19:18 PM
: Wolfgang Ebersbach <wolfgang....@micronas.com>
: I then asked a sys_support guy for the I-net IP of the firewall and
: tried: " ssh -L 5901:ip_of_firewall_as_told_by_system_support:5901
: Home_PC" It is not working.

Which is unsurprising, since that's forwarding a port from your
home PC to the firewall, and has nothing to do with your
office PC. I assume the firewall isn't running a vnc server,
so it ends up forwarding to a port nobody's listening to.

What you need is

ssh -L 5901:Office_PC:5901 ip_of_firewall_as_told_by_system_support

on Home_PC and in addition, the firewall IP must be an ssh server.

In general, if you want to run vncviewer on a machine "home" and
connect to a vncserver running on a machine "office", you must

ssh -L 5901:office:5901 ssh_server

on "home", where ssh_server (a) runs sshd, (b) can open a connection to
"office", and (c) is visible from "home". The key is to find some
ssh_server with those three required properties.

Or, alternatively, from "office"

ssh -R 5901:localhost:5901 home

where home is both visible from office and is running sshd.
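
The x:h:y forward syntax discussed in the posts above (h is evaluated on the machine ssh connects to) and the two "open failed" lines Wolfgang reported, as a POSIX shell example added here; it is not part of the thread. The function names are made up for this example, the host names are the thread's placeholders, and `probe_rfb_via` assumes bash and head are available on the ssh server.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Split the three-field forward spec x:h:y used throughout the thread.
# Prints "x h y"; rejects anything else (bind-address and IPv6 forms are
# out of scope here).
parse_forward() {
    spec=$1
    x=${spec%%:*}; rest=${spec#*:}
    h=${rest%:*};  y=${rest##*:}
    [ "$rest" != "$spec" ] && [ "$h" != "$rest" ] || return 1
    case $x in ''|*[!0-9]*) return 1 ;; esac
    case $y in ''|*[!0-9]*) return 1 ;; esac
    case $h in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    echo "$x $h $y"
}

# Who listens on x and who opens the connection to h:y.
# $1 = L or R, $2 = x:h:y, $3 = the host the ssh command connects to.
# "client" is the machine on which the ssh command is typed.
describe_forward() {
    fields=$(parse_forward "$2") || return 1
    set -- "$1" "$3" $fields
    case $1 in
        L) echo "listen=client:$3 connect_from=$2 target=$4:$5" ;;
        R) echo "listen=$2:$3 connect_from=client target=$4:$5" ;;
        *) return 1 ;;
    esac
}

# Map the "open failed" lines quoted in the thread to the side that failed.
classify_open_failure() {
    case $1 in
        *"open failed: connect failed:"*)
            echo target-unreachable ;;  # ssh server tried h:y, nothing answered
        *"open failed: administratively prohibited"*)
            echo server-refused ;;      # ssh server declined to open the forward
        *) echo unknown ;;
    esac
}

# Repeat the thread's "telnet localhost 5901" check from where h is resolved:
# log in to the ssh server and read the 12-byte RFB greeting from h:y.
# Assumes bash (for /dev/tcp) and head on the ssh server. Defined only;
# nothing below calls it, so the script itself needs no network.
probe_rfb_via() {
    server=$1
    fields=$(parse_forward "$2") || return 1
    set -- $fields
    banner=$(ssh -o ConnectTimeout=10 "$server" \
        "bash -c 'exec 3<>/dev/tcp/$2/$3 && head -c 12 <&3'") || return 1
    case $banner in "RFB "*) echo "$banner" ;; *) return 1 ;; esac
}

# Offline walk-through of commands that appear in the thread.
describe_forward L 5901:Office_PC:5901 Home_PC   # Home_PC must reach Office_PC:5901
describe_forward L 5901:Office_PC:5901 Firewall  # Firewall must run sshd and reach Office_PC
describe_forward R 5901:localhost:5901 Home_PC   # Home_PC:5901 leads back to the client
classify_open_failure "4409: channel 3: open failed: connect failed: Connection refused"
```

To test a real path, call for example `probe_rfb_via ssh_server 5901:office:5901`; it prints the RFB greeting only if ssh_server itself can reach office:5901.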

William Hooper

Jan 8, 2004, 8:17:02 PM
"Wolfgang Ebersbach" <wolfgang....@micronas.com> wrote in message
news:btj6fe$l9d$1...@seebuck.freinet.de...

> Hi Georg,
>
> Seems I do not yet understand what's going on, sorry.
> I do of course have a gateway - the firewall in between. But I thought that
> this makes no difference, because port22 is transparent through the
> firewall.
>
> The setup is :
>
> Home_PC----I-net---Firewall---LAN---Office_PC
>
> Where Home_PC and Office_PC both run SuSE Linux 8.2.
> I don't know what OS the firewall runs. I only know, that ftp, pings and
> ssh go straight through.
> If I do "ssh Home_PC" on the Office_PC, I can connect without any
> problems.

Thank you. Very useful info.

> Now, as the SSH port tunneling tunnels any port over the ssh port22, I
> thought it might be possible to tunnel the vnc ports via ssh without any
> interaction to the firewall.
> IF this is true, it should be possible to say
> "ssh -L 5901:Office_PC:5901 Home_PC" on the Office_PC in order to get a
> tunnel from Office_PC to Home_PC. This is how I understand it. Map Port
> 5901 of Office_PC to port 5901 of Home_PC.

You misunderstand it. The "-L" is evaluated on the SSH server. Home_PC has
no clue what Office_PC is. What you want is:

ssh -L 5901:localhost:5901 Home_PC

(localhost would be evaluated on Home_PC) or

ssh -L 5901:Home_PC:5901 Home_PC

Which should be self explanatory.

http://www.uk.research.att.com/archive/vnc/sshvnc.html
Using this "snoopy" would be Home_PC.


--
William Hooper

What if there were no hypothetical questions?

Wolfgang Ebersbach

Jan 9, 2004, 1:49:37 AM
Wayne Throop wrote:

> The key is to find a machine which serves ssh, and has an IP that is
> reachable from outside the firewall. Some firewalls are set up to
> allow this to specific ssh servers, so that people can log in
> remotely; some aren't. If your firewall has no such provisions
> (as, eg, my home firewall does not, but my employer's firewall does),
> you're doomed as doomed can be, I must say.

Then I AM doomed. The Office_PC can not be seen from outside; The firewall
does not run sshd.



> Well... one other possibility is if your Home_PC is visible from
> your Office_PC, you can run sshd on the Home_PC, then start
> ssh -R 5901:localhost:5901 Home_PC
> on your Office_PC, and then start
> vncviewer localhost:1
> on your Home_PC. Note: -L is "local forward" and -R is "remote forward".

Besides that this does not work ( I tried it right now ), I don't see why I
want to run a vncviewer on my Home_PC when I want to have it on my
Office_PC ? ( It also does not work if I run the vncviewer on the office_PC
)

What I still can not understand: IF ssh tunnels ports ( like 5901 ) over
port 22 AND I can make a "regular" ssh connection ( ssh Home_PC ) straight
through the firewall, then WHY do I have to bother with the firewall if I
want to tunnel ports ? I thought the firewall can not see that there is
tunneled stuff, it just sees "port22" and lets it through ?

Regards,
a curious Wolfgang

Wayne Throop

Jan 9, 2004, 3:23:02 PM
: Wolfgang Ebersbach <wolfgang....@micronas.com>
: Besides that this does not work ( I tried it right now ), I don't see
: why I want to run a vncviewer on my Home_PC when I want to have it on
: my Office_PC ? ( It also does not work if I run the vncviewer on the
: office_PC )

Apparently I don't understand what you are trying to accomplish.

: What I still can not understand: IF ssh tunnels ports ( like 5901 )
: over port 22 AND I can make a "regular" ssh connection ( ssh Home_PC
: ) straight through the firewall, then WHY do I have to bother with the
: firewall if I want to tunnel ports ?

If you are trying to forward a port from some other PC to Home_PC,
and you can ssh from where you want to forward from to Home_PC,
then you don't need any other node.

But then again, apparently I don't understand what you
are trying to accomplish.

If you are trying to arrange for connections to Office_PC:5901
to actually connect to some process listening on Home_PC:5901,
then on Office_PC, run

ssh -L 5901:localhost:5901 Home_PC

(or the putty equivalent).

Joseph

Jan 13, 2004, 8:37:15 PM
I compile tightvnc with zebedee, there is a version out there for vnc
called zvnc, I compiled the zebedee program with the Borland compiler
and restructured it as a procedure. Now zebedee is launched as a thread
when the server and client start. The files are almost the same size
and it is very stable. The difference between zvnc and the library
that I compiled can be ported in to any vnc very easily. Well, it was
not easy to compile blowfish and bzip2 in Borland but after a few days
playing with it I got them to work. Well, if anyone is interested in
trying zbd and vnc, I can send the code or binaries. The program that
I compiled runs exactly like zvnc but it is built on tight vnc and
compiled with the Borland compiler. For some reason I like the Borland
binaries better than the gcc win32 binaries.

Joseph

Jan 14, 2004, 11:00:10 AM
To check if the port is open just telnet to the port or use a port
scanner, my favorite one is angry ip scanner and then select port from
5900 to 5910.