martybugs.net Smoothwall Express Info
Tunnelling VNC over SSH

[Tunnelling over SSH will work with all versions of Smoothwall.]

This page will show you how to tunnel VNC over a secure SSH connection, so you can securely administer computers which are behind your Smoothwall server via the internet.

Note: if you're using PuTTY on a Windows PC, refer to my Tunnelling VNC Over SSH with PuTTY page for more information.

VNC:
VNC stands for Virtual Network Computing. It allows you to remotely view and control a PC desktop, and will run on a wide variety of operating systems.

Visit the VNC website for more information, or to download it.

VNC and Security:
Because access to a VNC desktop generally allows access to your whole computer, security is very important.

VNC uses encryption when making an initial connection, and when you login. Once connected, all VNC data is unencrypted, and a malicious user could snoop your VNC session.

There are also a number of VNC scanning programs available, which will scan a subnet looking for PCs which are listening on one of the ports which VNC uses.

Tunnelling VNC over an SSH connection allows you to use VNC to access your computer(s) which are behind your Smoothwall server, with all traffic strongly encrypted, and optionally compressed.

Additionally, no VNC port is ever open to the internet, so anyone scanning for open VNC ports will not be able to find your computers.
When tunnelling VNC over an SSH connection, the only port which you're opening on your Smoothwall server is its SSH port, 222.

Requirements:
You'll need:
  • A Smoothwall installation (obviously...).
  • An SSH server local to where you are.
  • An SSH client, such as PuTTY or SSH Secure Shell.
  • VNC installed on the PC on your green network.
  • TCP port 222 opened on your Smoothwall server.
  • The red IP address of your Smoothwall server.
Dynamic DNS:
If you want to connect to your Smoothwall server via the internet, you'll need to know its red IP address.

The easiest way to do this is to sign up for a (free) dynamic DNS account. Refer to the services->dynamic dns page of your Smoothwall GUI to see which ones are supported natively by Smoothwall GPL.

Once you've signed up with a dynamic DNS provider, you'll have to configure your Smoothwall server to register with this provider whenever it establishes an internet connection. This configuration can all be done through the Smoothwall GUI.

Once configured, you'll then be able to connect to the red interface of your Smoothwall server via the internet, using the domain name you signed up with.

Configuration:
To allow incoming SSH connections via the red interface to your Smoothwall server, you'll have to open TCP port 222 on the external access page of your Smoothwall GUI.

You'll also need to have VNC installed on the computer(s) on your green network (ie, behind your Smoothwall) which you want to remotely administer.

The diagram below shows the configuration I'll use to describe the process of tunnelling VNC over SSH.

[diagram: the four-PC configuration listed below]

where
  • PC 1 is a Windows PC, with VNC Viewer on it.
  • PC 2 is a linux server, with an SSH client installed on it.
  • PC 3 is your Smoothwall server.
  • PC 4 is a PC behind your Smoothwall server, running VNC Server.
From PC 2, you need to establish an SSH connection, and forward the VNC port over this SSH connection. To do this, you need to run the following command:

  ssh -p 222 -g -l root -C -L 5901:<pc>:5900 <smoothwall>

where
  • <smoothwall> is the hostname or IP address of your Smoothwall's red interface
  • -p 222 will cause ssh to connect to your Smoothwall on port 222
  • <pc> is the name or IP address of the PC on your green network which you want to remotely administer (if it's a hostname, your Smoothwall must be able to resolve it)
  • 5901 is the port number on your linux server which you will be forwarding
  • 5900 is the VNC port on your PC on your green network
  • -C enables compression
  • -g allows hosts other than the linux server itself (here, PC 1) to connect to the forwarded port 5901; without it, ssh binds that port to the loopback address only. Since any host that can reach port 5901 on the linux server can then use the tunnel, leave -g out if VNC Viewer runs on the same machine as the ssh client.
You can also specify the -v option to run ssh in verbose mode, and to see what compression rates you're achieving.

Note that these port numbers may need to be modified for your particular configuration. A VNC Server on a Windows PC will listen on port 5900, while the first VNC instance on a Linux server will listen on port 5901, the second on port 5902, etc.

When the connection is established, you'll be prompted for the root password of your Smoothwall server. Log in, and you'll have an ssh prompt on your Smoothwall server.

You now have a secure SSH connection between your linux server and your Smoothwall server, and are forwarding port 5901 on the linux server to port 5900 on your PC on your green network.

To establish the VNC connection to the PC on your green network, start VNC Viewer on your PC, and connect to port 5901 on the linux server (ie, specify servername:1 in VNC Viewer, where servername is the name of the local linux server). The linux server will then forward the traffic on port 5901 over the secure SSH link to your Smoothwall server.

You can then safely administer the PCs on your green network over this secure channel.
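The tunnel setup above, assembled and checked by a small POSIX shell script. This is an added example, not code from the original page; it assumes placeholder hostnames (smoothwall.example for the red interface, green-pc for the VNC server) and follows the same port conventions the page uses, including the Linux display-number mapping.

```shell
# Added example, not from the original page: assemble the ssh tunnel command
# described above and confirm the forwarded port is bound before starting
# VNC Viewer. Hostnames used here are placeholders.

# Map a VNC target to its TCP port, using the page's conventions:
#   "host"      -> 5900       (Windows VNC Server default)
#   "host:N"    -> 5900 + N   (Linux display N, e.g. :1 -> 5901)
#   "host:5901" -> 5901       (an explicit TCP port is used as-is)
vnc_port() {
    spec=$1
    case $spec in
        *:*) n=${spec##*:} ;;
        *)   n=0 ;;
    esac
    case $n in
        ''|*[!0-9]*) echo "bad VNC target: $spec" >&2; return 1 ;;
    esac
    if [ "$n" -ge 5900 ]; then echo "$n"; else echo $((5900 + $n)); fi
}

# Build the ssh command line: tunnel_cmd SMOOTHWALL PC LOCAL_PORT REMOTE_PORT [-g]
# Give -g only when VNC Viewer runs on another host (PC 1 on the page);
# without it ssh binds LOCAL_PORT to 127.0.0.1, so only this machine can
# use the tunnel. ExitOnForwardFailure makes ssh fail instead of silently
# leaving the port unforwarded, e.g. when LOCAL_PORT is already taken.
tunnel_cmd() {
    smoothwall=$1; pc=$2; local_port=$3; remote_port=$4; gateway=$5
    echo "ssh -p 222 ${gateway:+$gateway }-l root -C -o ExitOnForwardFailure=yes" \
         "-L ${local_port}:${pc}:${remote_port} ${smoothwall}"
}

# True when something is listening on TCP port $1 on this host; run it
# from a second terminal once ssh is up, before starting the viewer.
port_listening() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q "[:.]$1 "
}

# Usage following the page's example (run on PC 2; PC 1 then connects to
# pc2:1, i.e. port 5901):
#   eval "$(tunnel_cmd smoothwall.example green-pc 5901 "$(vnc_port green-pc)" -g)"
```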

References:
Making VNC more secure using SSH
Real VNC
SSH Tunnelling



last updated 9 May 2006