0

I have read the other issues/answers that seem similar to this, but I do not see a match.

I have a VNC server running on a unix system. It is listening on 127.0.0.1.

I need to be able to connect to the VNC server from an outside system whose IP is not fixed. I want to have the connection via ssh and to keep the VNC server from being seen openly (hence binding to 127.0.0.1).

I am using windows 11 with putty as my VNC Client. The VNC server is on a unix system.

If I start the VNC server without binding it to 127.0.0.1 (it binds to the external normal IP address) and specify a tunnel on my putty session, then it connects fine.

When I bind to the 127.0.0.1 interface and attempt to connect using port 5901, I get a message saying:

The connection was dropped by the server before the session could be established.

My question is how do I use ssh to forward the connection from host:5901 to localhost:5901 on the server side?

OR can I configure sshd on the server to 'bridge' the unencrypted localhost:5901 to the encrypted host:5901?

I am not using '-localhost' on the VNC Server. I am using '-interface 127.0.0.1'.

Thanks!

1
  • Have you considered just using wireguard instead of faffing around w/ port forwarding? Commented Jan 17 at 22:22

2 Answers 2

0

I will split the answer into two parts:

SSH Port Forwarding

Firstly, create an SSH tunnel between the Windows client and the Linux server. Windows 10 or Windows 11 comes with the OpenSSH client pre-installed. Open Command Prompt or PowerShell and execute the following command:

ssh -fnN -L 5901:127.0.0.1:5901 user@linux_server_public_ip 

-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only)

-n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A common trick is to use this to run X11 programs (like VNC) on a remote machine. The ssh program will be put in the background. (This does not work if ssh needs to ask for a password or passphrase; see also the -f option.) To overcome the password prompt issue, use password-less SSH (aka SSH public key authentication).

-f Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. This implies -n. The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm.

-L [bind_address:]port:host:hostport - Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.

Connect to VNC server

From Windows, you can now connect to the VNC server through 127.0.0.1 and port 5901.

A simple test

To demonstrate that an SSH tunnel is working and possibly identify any firewall issues, you can test using a simple web server hosted on your Linux server. I will use the python3 simple web server for this demonstration.

# Go to a temporary directory or any directory that has no sensitive data
$ cd /tmp
# Create a test HTML file
$ echo "test web site" > index.html
# Start the web server
$ python3 -m http.server
# By default the server will listen on port 8000 and all interfaces.

From your Windows laptop, open a web browser and go to the Linux server's public IP on port 8000, http://linux_server_public_ip:8000. If you get the test page in your browser, then proceed to the next step.

# On the Linux server, stop the python simple web server
# Then start the python web server, but this time bind to the loopback address `127.0.0.1`
$ python3 -m http.server -b 127.0.0.1

Since the web server is now bound to the loopback address, it is no longer directly reachable from outside (meaning that the web server is no longer directly exposed). This is where SSH tunneling comes in.

On the Windows laptop, start an SSH tunnel (keep port 8000 in mind):

ssh -fnN -L 8000:127.0.0.1:8000 user@linux_server_public_ip 

Once the SSH tunnel is up, you can open a web browser once again, but this time visit http://127.0.0.1:8000.

Side Note: I suggest that you continue using 127.0.0.1 and shy away from using localhost. By default, when you ping localhost on a Windows machine, the response comes back with an IP address of ::1 instead of 127.0.0.1. By default, IPv6 takes preference over IPv4, and this might break your SSH tunnel.

5
  • Hello Bruce, First thanks for the fast answer. I have been out of town and unable to try it until now. I am unable to use DDNS as we do not allow it. So, I am simply filling in the details by hand. When I enter the ssh command as listed with changes for my system, I get a "Permission denied, please try again." message. Can you suggest how I can debug this further? Thank you for your help! Commented Jan 20 at 21:09
  • I added a '-v' flag and see:
    Authenticated to XXXXXXXXXX ([A.B.C.D]:22) using "password".
    debug1: Local connections to LOCALHOST:5901 forwarded to remote address 127.0.0.1:5901
    debug1: Local forwarding listening on ::1 port 5901.
    bind [::1]:5901: Permission denied
    debug1: Local forwarding listening on 127.0.0.1 port 5901.
    bind [127.0.0.1]:5901: Permission denied
    channel_setup_fwd_listener_tcpip: cannot listen to port: 5901
    Could not request local forwarding.
    debug1: Requesting no-more-sessions@openssh.com
    debug1: forking to background
    I cannot add more. Next one. ... Commented Jan 20 at 21:25
  • The ssh config has:
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    GatewayPorts yes
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    PermitUserEnvironment yes
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    MaxStartups 1024
    #PermitTunnel no
    #ChrootDirectory none
    Commented Jan 20 at 21:31
  • @GroverD, Try this: On the Linux server, start a simple web server using python.
    $ echo "test web site" > /tmp/index.html
    $ cd /tmp
    $ python3 -m http.server
    Then from the Windows laptop, open a web browser and connect to the server on port 8000. You can stop the python web server if the test was successful. Then start the python web server, this time bind to the loopback address.
    $ python3 -m http.server -b 127.0.0.1
    From the Windows laptop create an SSH tunnel to connect to the web server as explained earlier "ssh -fnN -L 8000:127.0.0.1:8000 user@server_ip". Now open your browser and go to 127.0.0.1:8000 Commented Jan 22 at 15:32
  • @GroverD I have edited my answer to include a simple test. This test will help identify underlying issues Commented Jan 22 at 16:00
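The whole point of binding the VNC server to 127.0.0.1 and reaching it through the tunnel is that nothing but sshd should be listening on an outside-facing address. The check on the server side is what `ss -ltnp` reports. As an added example (not code from the answer or its author), here is a small Python script that parses `ss -ltnp`-style output and flags every listener that is not on a loopback address. The sample output, process names, PIDs and the 203.0.113.10 address are constructed for the example; run it against real `ss -ltnp` output by piping it on stdin.

```python
"""Flag TCP listeners that are reachable from other hosts.

Parses the column layout of `ss -ltnp` on Linux. Everything below the
docstring that looks like captured output is constructed sample data.
"""
import ipaddress
import re
import sys
from typing import Dict, List, Optional

# Constructed `ss -ltnp` output: VNC display :1 correctly on loopback,
# a second display :2 mistakenly bound to the host's public address,
# and the python http.server test listener on all interfaces.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       5       127.0.0.1:5901       0.0.0.0:*          users:(("Xvnc",pid=1234,fd=7))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=800,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=800,fd=4))
LISTEN  0       5       *:8000               *:*                users:(("python3",pid=2001,fd=3))
LISTEN  0       5       203.0.113.10:5902    0.0.0.0:*          users:(("Xvnc",pid=1300,fd=7))
"""

# users:(("Xvnc",pid=1234,fd=7)) -> ("Xvnc", "1234")
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def split_local(field: str):
    """Split ss's 'addr:port' field into (addr, port).

    Handles bracketed IPv6 ('[::]:22') and the wildcard form ('*:8000').
    """
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def classify(addr: str) -> str:
    """Return 'loopback', 'all-interfaces', 'specific-address' or 'unknown'."""
    if addr == "*":
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific-address"


def parse_ss(output: str) -> List[Dict]:
    """Turn `ss -ltnp` text into one record per LISTEN socket."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                # header line or non-listening entry
        addr, port = split_local(parts[3])
        m = PROCESS_RE.search(line)
        rows.append({
            "addr": addr,
            "port": port,
            "scope": classify(addr),
            "process": m.group(1) if m else "?",
            "pid": int(m.group(2)) if m else None,
        })
    return rows


def exposed(rows: List[Dict]) -> List[Dict]:
    """Listeners another host could connect to (anything not on loopback)."""
    return [r for r in rows if r["scope"] != "loopback"]


def vnc_exposed(rows: List[Dict], ports=range(5900, 5910)) -> List[Dict]:
    """Subset of exposed() on the usual VNC display ports 5900-5909."""
    return [r for r in exposed(rows) if r["port"] in ports]


def main(text: Optional[str] = None) -> int:
    rows = parse_ss(text if text is not None else SAMPLE_SS_OUTPUT)
    for r in rows:
        print(f"{r['addr']:>16}:{r['port']:<6} {r['scope']:<17} {r['process']}")
    bad = vnc_exposed(rows)
    for r in bad:
        print(f"WARNING: VNC display on {r['addr']}:{r['port']} "
              f"({r['process']}) is reachable without the SSH tunnel")
    return 1 if bad else 0


if __name__ == "__main__":
    # Use `ss -ltnp | python3 audit_listeners.py` on the server; with no
    # stdin the constructed sample is audited instead.
    sys.exit(main(sys.stdin.read() if not sys.stdin.isatty() else None))
```

Only the sshd listeners (and, while the test from the answer is running, the http.server one) should appear as exposed; a VNC display on anything other than loopback means the `-interface 127.0.0.1` (or `-localhost`) setting did not take effect.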
0

I am using windows 11 with putty as my VNC Client.

I assume you meant "with putty as my SSH client"? PuTTY has no VNC functionality whatsoever.

In the Connection -> SSH -> Tunnels page of PuTTY configuration, type in 5901 to the Source port field, then type localhost:5901 to the Destination field. Leave the radio buttons to their default values: Local and Auto respectively. Then click on Add.

This should add a line to the Forwarded ports text box with the following text:

L5901 localhost:5901 

The forwarding is fully configured only after this line appears. A common mistake is to just fill in the Source port and Destination boxes and leave the Tunnels configuration page: if you don't click Add, this does nothing at all.

Then return to the Session settings page, fill in the hostname/IP of the server, save your settings for later use if you want, then click Open.

Once the SSH connection is established and authenticated, the PuTTY client will start listening on port 5901 of your local Windows system, and passing any traffic to the sshd at the remote end, instructing sshd to establish a connection to localhost:5901 (= the server's localhost) and pass the forwarded traffic to it. Any responses will be passed back the same way.

So, after establishing the SSH connection and logging in, if the remote sshd allows port forwarding, you should now be able to start up a VNC client, tell it to connect to localhost:5901 and be able to see the VNC server of the remote system over the SSH-forwarded connection.
