How to use VNC with SSH encrypted tunnelling

Since figuring out how to connect to my home machine using plain, old, VNC over a separate Secure SHell (SSH) tunnel, a few people have asked me to document the procedure so that they may easily implement it themselves. I, myself, have been known to forget some of the steps involved, so this is for my benefit as much as theirs.

In these instructions I will use the term “home PC” for the computer whose screen you wish to access from a remote location, and “remote PC” for the computer that you will use to connect to your home PC. I will assume that you know how to download and unzip files, use a command prompt, and troubleshoot minor problems pertaining to your own environment along the way.

What you will need

  • TightVNC – the viewer and server that I use. You might prefer another version, but then my instructions may not be entirely suitable. There is a version of VNC that seems to handle encryption all by itself, called [email protected] (how irritating is that bloody at-symbol in the name?), but I haven’t checked it out yet. Theoretically, this might be all you need to VNC with safety, but I’m set in my ways and don’t feel like fixing something that ain’t broke.
  • OpenSSH for Windows – the secure shell server on your home PC that listens for incoming shells and TCP/IP tunnels within those shells.
  • PuTTY – the free telnet/SSH client used to establish a secure connection with the OpenSSH server on your home PC and tunnel VNC traffic through the secure shell.

These instructions apply to the following versions on Windows XP, unhindered by any Service Pack 2 evilness:

  • TightVNC version 1.2.9
  • OpenSSH for Windows 3.8.1p1-1
  • PuTTY release 0.56

Install the OpenSSH server on your home PC

OpenSSH for Windows is a free Windows port of OpenSSH, the implementation of the SSH protocol developed by the OpenBSD folks. SSH allows you to connect to another computer just like a telnet session, except that the session is encrypted. SSH can also port forward (or tunnel) TCP/IP connections, which allows practically anything to be wrapped within the shell and transmitted securely (more information can be found in this SecurityFocus article).

  1. Double-click on the setupssh.exe OpenSSH for Windows binary installer and accept all defaults.
  2. Open a command prompt and change to the OpenSSH installation directory.
  3. Change to the bin directory.
  4. Add security groups on the home PC to the group permissions file by typing: mkgroup -l >> ..\etc\group
  5. Add users on the home PC to the password file by typing: mkpasswd -l >> ..\etc\passwd
  6. Enable TCP forwarding by opening the etc\sshd_config file in the OpenSSH installation directory and removing the hash symbol (“#”) before this line: AllowTcpForwarding yes.
  7. Make sure that any software or hardware firewalls you have allow incoming connections on port 22, the default port used by the SSH protocol. If you need to use a different port, remove the hash symbol and edit this line accordingly: Port 22.
  8. Save the changes to etc\sshd_config then start the OpenSSH server by typing: net start opensshd (or by starting the “OpenSSH Server” service in the Administrative Tools, Services, applet in the Control Panel).
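The following is an added example (my own, not part of the original post) that checks an etc\sshd_config for the two directives the steps above touch, AllowTcpForwarding and Port, treating a commented-out line as absent and, as OpenSSH does, honouring only the first occurrence of a directive; the sample file is constructed, and conditional Match blocks are not modelled.

```python
# Added example (not part of the original post): verify that an sshd_config has
# the settings the steps above edit (AllowTcpForwarding and Port). OpenSSH honours
# the FIRST occurrence of each directive, so a stale duplicate lower down is ignored.
from typing import Dict


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective directives, keyword lowercased, first occurrence wins.

    Blank lines and '#' comments are skipped. Conditional 'Match' blocks are not
    modelled; this is enough for the flat file the procedure edits."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # 'Keyword value...'
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def check_tunnel_settings(text: str) -> Dict[str, object]:
    """Report whether port forwarding is on, which port sshd listens on, and whether
    AllowTcpForwarding was set explicitly (a commented-out line counts as absent)."""
    cfg = parse_sshd_config(text)
    # Defaults OpenSSH applies when the directive is absent: forwarding on, port 22
    forwarding = cfg.get("allowtcpforwarding", "yes").lower()
    return {
        "forwarding_enabled": forwarding in ("yes", "local", "all"),
        "port": int(cfg.get("port", "22")),
        "explicitly_set": "allowtcpforwarding" in cfg,
    }


# Constructed sample: the file after step 6, plus a stale duplicate further down
SAMPLE_CONFIG = """\
#Port 22
#Protocol 2,1
AllowTcpForwarding yes
#GatewayPorts no
AllowTcpForwarding no
"""

if __name__ == "__main__":
    print(check_tunnel_settings(SAMPLE_CONFIG))
    # -> {'forwarding_enabled': True, 'port': 22, 'explicitly_set': True}
```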

Install the TightVNC Server on your home PC

  1. Double-click on the tightvnc-1.2.9-setup.exe installer and accept all defaults. If you want the TightVNC Server to run automatically, tick the Register TightVNC Server as a system service and Start or restart TightVNC service check boxes.
  2. If you did not enable the two check boxes mentioned above, click on Start, Programs, TightVNC, Launch TightVNC Server to open the VNC server settings window.
  3. Specify a password for incoming connections.
  4. Click the Advanced button and enable the Allow loopback connections check box. This means that the VNC server will allow your home PC to connect to itself. Why? Because the VNC Viewer session on the remote PC is being transmitted within the encrypted SSH tunnel and released onto your home PC as if you were actually there in person. This is why the VNC server needs to allow connections that would otherwise be pointless.
  5. Unless you know what you’re doing or require a specific change, click the OK button to begin accepting VNC connections.

Configure PuTTY on the remote PC and begin tunnelling

  1. Double-click on putty.exe and enter the Host Name (or IP address) of your home PC.
  2. Type a name in the Saved Sessions field, such as “Home PC”.
  3. Click on the Connection, SSH, Tunnels category in the left column.
  4. Type 5900 for the source port.
  5. Type localhost:5900 for the destination.
  6. Click the Add button.
  7. Click on the Session category at the top of the left column again.
  8. Click the Save button to save this configuration.
  9. Click the Open button to connect to your home PC.
  10. Enter the username and password of the login that you use on your home PC. If your computer logs you in automatically when you start Windows, open the User Accounts applet in the Control Panel and specify a password (this also means that you must enter this password to log into Windows each time you reboot).

Install the TightVNC Viewer on the remote PC

  1. Double-click on the tightvnc-1.2.9-setup.exe installer, deselect the TightVNC Server check box, and accept all other defaults.
  2. Click on Start, Programs, TightVNC, TightVNC Viewer.
  3. In the VNC Server field, accept the default of localhost:0. This might, at first, seem strange, but VNC translates display numbers to corresponding IP ports; e.g., 0 becomes 5900, 1 becomes 5901 and so on (unless you change the defaults).
  4. Click OK to connect to the screen on your home PC.
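This added example (my own, not from the original post) works out the port behind a viewer target such as localhost:0, going a little beyond the post by also accepting the host::port form that names a port directly, and derives the PuTTY tunnel entry from the previous section (source port and destination) together with the equivalent OpenSSH -L option, then confirms the tunnel ends on the home PC's own loopback; the host name and user name are made-up placeholders.

```python
# Added example (not part of the original post): map VNC viewer targets to ports
# and derive the PuTTY tunnel entry used above, plus the equivalent OpenSSH "-L"
# option, then confirm the tunnel ends on the home PC's own loopback interface.
from typing import NamedTuple

VNC_BASE_PORT = 5900  # display 0 -> 5900, display 1 -> 5901, and so on


class TunnelPlan(NamedTuple):
    viewer_target: str  # typed into the viewer on the remote PC
    local_port: int     # PuTTY "Source port"
    destination: str    # PuTTY "Destination", as seen from the home PC
    ssh_option: str     # same forward expressed for an OpenSSH client


def vnc_target_to_port(target: str) -> int:
    """'host:N' is display N (port 5900+N); 'host::P' names port P directly.
    A bare host name means display 0. IPv6 literals are not handled."""
    _, sep, rest = target.partition("::")
    if sep:
        return int(rest)
    _, sep, rest = target.partition(":")
    return VNC_BASE_PORT + int(rest) if sep else VNC_BASE_PORT


def plan_tunnel(display: int, home_pc: str, user: str) -> TunnelPlan:
    """Forward local port 5900+display to the VNC server on the home PC itself.
    The destination is deliberately localhost (step 5 of the PuTTY section): the
    VNC session leaves the tunnel on the home PC, which is why the server only
    needs loopback connections enabled and never has to accept remote clients."""
    port = VNC_BASE_PORT + display
    dest = f"localhost:{port}"
    return TunnelPlan(f"localhost:{display}", port, dest,
                      f"-L {port}:{dest} {user}@{home_pc}")


def destination_is_loopback(plan: TunnelPlan) -> bool:
    """Sanity check before connecting: the forward must terminate on loopback."""
    return plan.destination.rsplit(":", 1)[0] in ("localhost", "127.0.0.1")


if __name__ == "__main__":
    plan = plan_tunnel(0, "home-pc.example", "alice")   # constructed names
    print(plan.ssh_option)   # -> -L 5900:localhost:5900 alice@home-pc.example
    print(vnc_target_to_port(plan.viewer_target))        # -> 5900
```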

Feel free to post comments about improvements or alternatives to this method. Please do not ask for help with troubleshooting any of the above as I do not have the time; my friends and I have all replicated the above quite successfully. If you have Windows XP with Service Pack 2, unblock port 22 on your home PC. Anything else, good luck :-)

New year’s resolutions for 2005

My brother has seen fit to publish his new year’s resolutions, so I may as well do the same. Here goes:

The above list constitutes what you might call my “core resolutions” (I hope Don Watson doesn’t see this). I also have a few “non-core resolutions”, which include:

  • Learn the fundamentals of English grammar. Most of the time I seem to instinctively know what’s good and what isn’t, but I have to admit that I know absolutely none of the theory, save for some knowledge on the correct use of the apostrophe (though I still stumble at times). Sadly, I am the product of the modern Australian education system, which doesn’t think it necessary to waste students’ time with silly things like learning how to speak and write our language properly. Learning another language is now all the more difficult because I haven’t got a clue as to what a transitive verb is, for example
  • Neglect my garden a little less, perhaps (I can see this one easily being forgotten)
  • Become proficient in Java, if only so that I know an enterprise-class language alternative to .NET. Of course, since Java is an integral part of my IT degree, I stand a good chance of achieving this one

Unlike the many organisations that fail to review their business plans and gauge their performance at regular intervals, I will actually see how I go in twelve months’ time.