Using VNC Tunneling over SSH
Temporary Access

While working on a project to create tutorials, I needed a way to watch how a user stepped through the process of using an application without being on-site. VNC turned out to be a viable solution. I could remotely connect and view all the steps while conversing about the process over the phone. The trouble was there were firewalls at both ends. It would have been easy to just open the port normally used for VNC connectivity (5900) in the firewall, but that is definitely not secure. Using VNC while tunneling over SSH was a quick and more secure way to accomplish the process/application watching goal. Several steps are required to make it work.

Ideally, all inbound ports are closed on an Internet-facing firewall. That will go a long way toward keeping out the bad guys. Of course, any other remote access is then limited as well. Opening up port 22 on the distant IPCop firewall works well for the purpose of tutorial generation and is easily accomplished using the IPCop Web-based GUI. A similar process is used if the user machine is behind a dedicated firewall appliance. The idea is to port forward the SSH traffic from the Internet to the VNC-equipped user desktop machine. Port 22 on the user's Linux desktop also needs to be available for logging in via SSH. When the session is finished, the firewall's SSH port can then again be closed to inbound traffic. Specialized remote access techniques, like port-knocking or hardened firewall devices, should be considered when a more permanent or bulletproof connection is needed.
Server There, Watch Here

SSH is fairly secure and encrypts the data that is sent over it. The tunneling technique can even be used when all the machines are behind a firewall, to keep the data from possible prying eyes. SSH tunneling works in one of two directions, depending on the location of the server you are using, which in this case is VNC.

For example, say I'm hammering away on my laptop in some café somewhere and want to view a user's desktop. The VNC server will need to be started by the user on his desktop Linux machine. x11vnc is a fine program to use because it defaults to serving whatever is on the user's desktop. Programs like vncserver are usually used to provide a separate remote desktop (display :1, :2, etc.) and don't necessarily mirror what is on the local user's screen. The logged-in user's desktop is also known as display :0. The server (display :0) can be started by:

    desktop> x11vnc

Next, a tunnel over the Internet is established so my laptop can communicate with the desktop VNC server. That is done from my laptop with the SSH command using the -L option. L stands for local: I want to make the remote server look like a local server to my laptop. Here is the command line:

    laptop> ssh xx.xxx.xx.xx -L 5900:localhost:5900

The prompt then asks for a password to log into the user's desktop machine. In this case, don't forget that the xx.xxx.xx.xx number is really the firewall's IP address. Remember, the SSH port in the firewall was re-configured to route traffic through to the desktop that is running the VNC server. If tunneling on a LAN with the laptop and desktop both behind the firewall, you would just use the desktop's IP address for xx.xxx.xx.xx.

To speed up screen repaints as much as possible, the -o Compression and CompressionLevel options can be used, too:

    laptop> ssh xx.xxx.x.xx -o Compression=yes -o CompressionLevel=1 -L 5900:localhost:5900

The last thing to do is start the vncviewer on the laptop, so I can watch what the user is doing on the remote desktop:

    laptop> vncviewer localhost:0

This connects my vncviewer to the tunnel and brings up the user's desktop in a window on my laptop. The user can then educate me on how he carries out his work.
Server Here, Watch There

Suppose I want to show the remote desktop user how I use an application on my laptop. He's still behind that firewall (with the SSH port routed to his desktop Linux machine) and I have a software firewall running on my machine. My firewall blocks all inbound ports. In this case, everything sort of just works in reverse. Again, the x11vnc server needs to be started. This time, it's on my laptop. I can again initiate the tunnel from my end, this time using the -R option. R stands for remote.

    laptop> ssh xx.xxx.x.xx -o Compression=yes -o CompressionLevel=1 -R 5900:localhost:5900

Now, all the desktop user has to do is start up his vncviewer to watch what I'm doing on my laptop:

    desktop> vncviewer localhost:0

Then, magically, whatever appears on my laptop screen also shows up in a window on the user's desktop. When the educational/VNC session is completed, don't forget to re-configure the firewall rules to again block the SSH port.
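As an added helper script (not part of the original article), the following builds the two tunnel commands from the "Server There, Watch Here" and "Server Here, Watch There" sections with the bind address pinned to 127.0.0.1, and checks ss -ltn style output so you can confirm the forwarded VNC port is listening on loopback only and not on a LAN or wildcard address. The host name xx.xxx.xx.xx and the sample socket listings are constructed placeholders.

```shell
#!/bin/sh
# Added helper (not from the article): builds the two ssh tunnel commands the
# article describes and checks that the tunnel's listening socket is bound to
# loopback only, so port 5900 is never reachable from the LAN or the Internet.

# Build the ssh command for either direction.
#   watch: VNC server on the remote desktop, viewer here  (article's -L case)
#   show : VNC server here, viewer on the remote desktop  (article's -R case)
# The bind address is given explicitly as 127.0.0.1; -N opens no login shell.
tunnel_cmd() {
    mode=$1; host=$2; port=${3:-5900}
    base="ssh $host -o Compression=yes -o CompressionLevel=1 -N"
    case $mode in
        watch) printf '%s -L 127.0.0.1:%s:localhost:%s\n' "$base" "$port" "$port" ;;
        show)  printf '%s -R 127.0.0.1:%s:localhost:%s\n' "$base" "$port" "$port" ;;
        *)     echo "usage: tunnel_cmd watch|show host [port]" >&2; return 2 ;;
    esac
}

# Read 'ss -ltn' (or 'netstat -ltn') output on stdin and look for listeners on
# the given port. Returns 0 when every listener is on 127.0.0.1 or [::1],
# 1 when any listener is on a wildcard or LAN address, 2 when nothing listens.
loopback_only() {
    port=$1
    found=0
    while read -r line; do
        addr=$(printf '%s\n' "$line" | awk -v p="$port" '
            { for (i = 1; i <= NF; i++) if ($i ~ ":" p "$") print $i }')
        [ -n "$addr" ] || continue
        found=1
        case $addr in
            127.0.0.1:*|\[::1\]:*) ;;
            *) return 1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    return 0
}

# Constructed sample output in 'ss -ltn' format, not captured from a real host.
GOOD_SS='LISTEN 0 128 127.0.0.1:5900 0.0.0.0:*
LISTEN 0 128 [::1]:5900 [::]:*'
BAD_SS='LISTEN 0 128 0.0.0.0:5900 0.0.0.0:*'

# Stand-alone usage: print both commands and check the live system if ss exists.
if [ "${1:-}" = "demo" ]; then
    tunnel_cmd watch xx.xxx.xx.xx
    tunnel_cmd show  xx.xxx.xx.xx
    command -v ss >/dev/null && ss -ltn | loopback_only 5900 && echo "5900 is loopback-only"
fi
```

Run the script with the argument demo on the machine where the tunnel terminates; x11vnc itself accepts a -localhost option to restrict its own listener the same way.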
Expanding The Technique

I've just touched on the basics of using VNC over an SSH tunnel. SSH has a huge number of options that you can try. Admittedly, this way of looking at a remote display has its drawbacks. Latency, network bottlenecks, and other factors can conspire to give a jerky screen-viewing experience, even using the built-in compression. For the purpose of creating tutorials while watching user interaction with an application, it is perfectly adequate. NoMachine has an SSH/VNC client/server suite with specialized compression that is supposed to produce very smooth screen movements. The NoMachine package might be worth a look for your particular situation.

Also, poking a port 22 hole in a firewall may not be the best way, either. It is fast and fairly easy for a quick look at a user's screen. It's a workable solution when you are dealing with a small business client who's running a common store-bought firewall/router appliance. Consult with your corporate network admin if you need to go across the Internet to distant machines on a regular basis. They will surely have processes in place to help you with your needs.

Rob Reilly is a consultant, writer, and commentator who advises clients on business & technology projects. He is also a Contributing Editor for LinuxToday.com. Send him a note or visit his Web site at http://home.earthlink.net/~robreilly.