How to use VNC with SSH encrypted tunnelling

Since I worked out how to reach my home machine with plain old VNC carried over a separate Secure Shell (SSH) tunnel, a few people have asked me to document the procedure so that they can set it up themselves. I have been known to forget some of the steps myself, so this is for my benefit as much as theirs.

In these instructions I will use the term “home PC” for the computer whose screen you wish to access from a remote location, and “remote PC” for the computer that you will use to connect to your home PC. I will assume that you know how to download and unzip files, use a command prompt, and troubleshoot minor problems pertaining to your own environment along the way.

What you will need

  • TightVNC – the viewer and server that I use. You might prefer another VNC flavour, but then my instructions may not apply exactly. There is a version of VNC that appears to handle encryption by itself, called [email protected] (how irritating is that bloody at-symbol in the name?), but I haven’t checked it out yet. In theory it might be all you need to use VNC safely, but I’m set in my ways and don’t feel like fixing something that ain’t broke.
  • OpenSSH for Windows – the secure shell server on your home PC that accepts incoming SSH connections and carries TCP/IP tunnels inside them.
  • PuTTY – the free telnet/SSH client used on the remote PC to establish an encrypted connection to the OpenSSH server on your home PC and to tunnel the VNC traffic through it.

These instructions apply to the following versions on Windows XP without Service Pack 2 (SP2 turns on the Windows Firewall, which blocks port 22 until you open it; see the note at the end):

  • TightVNC version 1.2.9
  • OpenSSH for Windows 3.8.1p1-1
  • PuTTY release 0.56

Install the OpenSSH server on your home PC

OpenSSH for Windows is a free Windows port of OpenSSH, the SSH implementation developed by the OpenBSD project. SSH lets you log in to another computer much like a telnet session, except that everything is encrypted. SSH can also port forward (or tunnel) TCP/IP connections, which allows practically any TCP-based protocol to be wrapped inside the encrypted connection and transmitted securely (more information can be found in this SecurityFocus article).

  1. Double-click on the setupssh.exe OpenSSH for Windows binary installer and accept all defaults.
  2. Open a command prompt and change to the OpenSSH installation directory.
  3. Change to the bin directory.
  4. Add security groups on the home PC to the group permissions file by typing: mkgroup -l >> ..\etc\group
  5. Add users on the home PC to the password file by typing: mkpasswd -l >> ..\etc\passwd
  6. Enable TCP forwarding by opening the etc\sshd_config file in the OpenSSH installation directory and removing the hash symbol (“#”) before this line: AllowTcpForwarding yes. (The commented line shows the built-in default, which is already yes; uncommenting it makes the intent explicit and stops anyone “tidying up” later from switching it off.)
  7. Make sure that any software or hardware firewalls you have allow incoming connections on port 22, the default port used by the SSH protocol. If you need to use a different port, remove the hash symbol and edit this line accordingly: Port 22. Bear in mind that this exposes an SSH login prompt to the Internet, and that the server accepts your Windows account names and passwords, so every account on the home PC needs a strong password.
  8. Save the changes to etc\sshd_config then start the OpenSSH server by typing: net start opensshd (or by starting the “OpenSSH Server” service in the Administrative Tools, Services, applet in the Control Panel).

Install the TightVNC Server on your home PC

  1. Double-click on the tightvnc-1.2.9-setup.exe installer and accept all defaults. If you want the TightVNC Server to run automatically, tick the Register TightVNC Server as a system service and Start or restart TightVNC service check boxes.
  2. If you did not enable the two check boxes mentioned above, click on Start, Programs, TightVNC, Launch TightVNC Server to open the VNC server settings window.
  3. Specify a password for incoming connections.
  4. Click the Advanced button and enable the Allow loopback connections check box. This lets the VNC server accept connections that come from the home PC itself. Why? Because the VNC Viewer session travels from the remote PC inside the encrypted SSH tunnel and emerges on the home PC as a connection from localhost, as if you were sitting there in person; without this setting the server would reject such connections as pointless. Note that allowing loopback does not by itself stop direct connections to port 5900 from the Internet: block that port at your firewall (or, if your server offers a loopback-only setting, enable it) so that the tunnel is the only way in.
  5. Unless you know what you’re doing or require a specific change, click the OK button to begin accepting VNC connections.

Configure PuTTY on the remote PC and begin tunnelling

  1. Double-click on putty.exe and enter the Host Name (or IP address) of your home PC.
  2. Type a name in the Saved Sessions field, such as “Home PC”.
  3. Click on the Connection, SSH, Tunnels category in the left column.
  4. Type 5900 for the source port.
  5. Type localhost:5900 for the destination.
  6. Click the Add button.
  7. Click on the Session category at the top of the left column again.
  8. Click the Save button to save this configuration.
  9. Click the Open button to connect to your home PC.
  10. Enter the username and password of the login that you use on your home PC. If your computer logs you in automatically when you start Windows, open the User Accounts applet in the Control Panel and specify a password (this also means that you must enter this password to log into Windows each time you reboot). Choose a strong one: this is the password that protects your SSH server.

Install the TightVNC Viewer on the remote PC

  1. Double-click on the tightvnc-1.2.9-setup.exe installer, deselect the TightVNC Server check box, and accept all other defaults.
  2. Click on Start, Programs, TightVNC, TightVNC Viewer
  3. In the VNC Server field, accept the default of localhost:0. This might, at first, seem strange, but VNC translates display numbers into the corresponding TCP ports, e.g. display 0 becomes port 5900, display 1 becomes port 5901, and so on (unless you change the defaults). The viewer therefore connects to port 5900 on the remote PC, which PuTTY forwards to port 5900 on your home PC.
  4. Click OK to connect to the screen on your home PC.
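Once the tunnel is up, there are two things worth confirming: that port 5900 on the remote PC really reaches the VNC server through the tunnel, and that port 5900 on the home PC is not also reachable directly from the Internet. The following Python script is an added example, not part of the original post and not code from TightVNC, PuTTY or OpenSSH; it assumes the tunnel exactly as configured above (source port 5900 forwarded to localhost:5900) and uses a placeholder host name for the home PC. It works by reading the 12-byte RFB ProtocolVersion message (“RFB xxx.yyy\n”) that every VNC server sends first, so it can tell a VNC listener from some other service or from a closed port.

```python
"""Check what is listening at each end of a VNC-over-SSH tunnel.

Added example (not from the original post).  Assumes the PuTTY tunnel
from the article: local source port 5900 on the remote PC forwarded to
localhost:5900 on the home PC.  HOME_PC below is a placeholder.
"""
import socket

RFB_BANNER_LEN = 12  # "RFB xxx.yyy\n": fixed-size ProtocolVersion message


def tunnel_spec(source_port, destination="localhost:5900"):
    """Translate PuTTY's 'Source port' / 'Destination' fields into the
    equivalent OpenSSH -L argument.  Binding explicitly to 127.0.0.1 keeps
    the forwarded port off the remote PC's other network interfaces."""
    host, port = destination.rsplit(":", 1)
    return "-L 127.0.0.1:%d:%s:%d" % (int(source_port), host, int(port))


def parse_rfb_version(banner):
    """Parse the RFB ProtocolVersion message a VNC server sends on connect.
    Returns (major, minor); raises ValueError if the bytes are not RFB,
    i.e. something other than VNC is answering on that port."""
    if (len(banner) != RFB_BANNER_LEN or banner[:4] != b"RFB "
            or banner[-1:] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message: %r" % (banner,))
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def probe(host, port, timeout=3.0):
    """Connect to host:port and classify the listener.

    Returns 'vnc <major>.<minor>' for a VNC server, 'other' for a port that
    accepts connections but does not speak RFB, or 'closed' when nothing
    answers (tunnel not open, or the firewall is doing its job)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        data = b""
        try:
            # Read exactly the banner; a partial read means a non-RFB service.
            while len(data) < RFB_BANNER_LEN:
                chunk = sock.recv(RFB_BANNER_LEN - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:
            return "other"  # accepted the connection but sent no banner in time
    try:
        major, minor = parse_rfb_version(data)
    except ValueError:
        return "other"
    return "vnc %d.%d" % (major, minor)


# Constructed sample banner, the shape a VNC server speaking RFB 3.3 sends.
SAMPLE_BANNER = b"RFB 003.003\n"

if __name__ == "__main__":
    HOME_PC = "home.example.invalid"  # placeholder: your home PC's public name
    print("PuTTY tunnel in ssh terms:", tunnel_spec(5900))
    print("sample banner parses as:", parse_rfb_version(SAMPLE_BANNER))
    # Run on the remote PC while PuTTY is connected: expect 'vnc 3.x'.
    print("through the tunnel:", probe("127.0.0.1", 5900))
    # Run from anywhere on the Internet: expect 'closed' if 5900 is firewalled.
    print("direct to home PC: ", probe(HOME_PC, 5900))
```

If the direct probe of the home PC reports a VNC version, the server is reachable without the tunnel and only the VNC password stands between the Internet and your desktop; fix the firewall before relying on this setup.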

Feel free to post comments about improvements or alternatives to this method. Please do not ask for help with troubleshooting any of the above as I do not have the time; my friends and I have all replicated the above quite successfully. If you have Windows XP with Service Pack 2, unblock port 22 in the Windows Firewall on your home PC. Anything else, good luck :-)

10 thoughts on “How to use VNC with SSH encrypted tunnelling”

  1. Thanks for this. I wonder if it would be possible to only allow incoming vnc connections from specific mac addresses.

  2. I followed the instructions and when I tried to run (open)session in Putty I got “putty fatal error network error: connection refused”

  3. In order to get OpenSSH service running (and accepting connections) on Vista (with UAC turned off) I had to set Program Compatibility (mode: Windows XP SP2) to the following files.

    “C:\Program Files\OpenSSH\bin\cygrunsrv.exe”
    “C:\Program Files\OpenSSH\usr\sbin\sshd.exe”
    “C:\Program Files\OpenSSH\usr\sbin\sftp-server.exe”

    I also uninstalled and reinstalled a fresh OpenSSH and TightVNC for good measure.

    fyi: There is a new version of Putty (v0.60).

  4. For those people who add shortcuts to your putty and VNC you can add the following switches to remove a number of clicks.

    Add the following command line switches to putty remove a few clicks (replace “” with your putty profile).

    “C:\xxxx\xxxx\putty.exe” -load “”

    Add the following command line switches to your TightVNC shortcut to set the best (fastest connection) and to avoid 3 clicks of the mouse.

    “C:\Program Files\TightVNC\vncviewer.exe” -8bit -compresslevel 9 -quality 0 -connect “localhost:0”

    That saves 4 clicks :)

  5. I have no Mac experience but typing “man ssh” under Linux reveals a few ideas. Perhaps you could try this command (since Mac OS X is based on BSD underneath and hopefully has a similar version of ssh that uses the same command):

    ssh -L 5900:localhost:5900 <Host Name (or IP address) of home PC>

    There are numerous other options for ssh to do things like backgrounding the process, telling it not to execute any commands (-ie, just do tunneling), etc. I’m not able to test this myself (since I currently have no other machines to connect to and rarely boot into Linux) but it might help, or point you in the right direction. Good luck.

  6. Thank you for this. It works great on PCs. I am however having trouble connecting to the Remote PC (a WinXP box) from a Mac OS X “Home PC”. Can you please provide the terminal command that would reproduce the same settings as the ones entered in PuTTY?
