DI-524. Can't vnc from inside local network to Internet using a tunnel

 
 
pete.ange.marshall@gmail.com
Guest
Posts: n/a

 
      12-05-2005, 03:42 PM
Ok. So I know my subject is not super descriptive. Here is my
problem.

I have opened up an ssh port on an internet routable server at my
work. I enabled ssh forwarding on this server, and set up some
firewall rules to allow the box with ssh connect to my work computer on
port 5900.

At home, behind my DI-524, I ssh using vnc to my ssh server, and in
putty, open a local port on my local pc to listen on port 12000. If I
open vnc up now, I tell the vnc client to connect to 127.0.0.1, and it
is supposed to connect to my work pc on port 5900.

What really happens, is that I get prompted for my password in vnc, it
takes it, and then goes no further. I know that this works, as I have
done it from other networks to my work. It for some reason now work
when I am home behind my dlink wireless router.

I have not set anything up on the router, and do not know very much
about the configs on it. If anyone has any suggestions, they would be
greatly appreciated.

Thanks.
Peter

Derek Broughton
Guest
Posts: n/a

 
      12-05-2005, 04:32 PM
(E-Mail Removed) wrote:

> Ok. So I know my subject is not super descriptive. Here is my
> problem.


Descriptive enough...

> I have opened up an ssh port on an internet routable server at my
> work. I enabled ssh forwarding on this server, and set up some
> firewall rules to allow the box with ssh connect to my work computer on
> port 5900.
>
> At home, behind my DI-524, I ssh using vnc to my ssh server, and in
> putty, open a local port on my local pc to listen on port 12000. If I
> open vnc up now, I tell the vnc client to connect to 127.0.0.1, and it
> is supposed to connect to my work pc on port 5900.
>
> What really happens, is that I get prompted for my password in vnc, it
> takes it, and then goes no further. I know that this works, as I have
> done it from other networks to my work. It for some reason now work
> when I am home behind my dlink wireless router.


"now work" - I hope that should have been "doesn't work" or we don't seem to
have a problem at all.

> I have not set anything up on the router, and do not know very much
> about the configs on it. If anyone has any suggestions, they would be
> greatly appreciated.


It's all "outbound" from your router, so it really shouldn't be a problem.

First of all, eliminate the wireless part of the router from consideration
by connecting via ethernet cable between your PC and the router - or even
skip the router altogether.

If neither of those methods work, then it's not your router (and the problem
really doesn't belong here :-))

If you have no trouble there, I think I need more information about your VNC
client. I've never had to specify a local port - I suspect you need to
configure the router to pass inbound traffic on port 12000 to your PC on
the same port, but that's a guess.
--
derek
Jeff Liebermann
Guest
Posts: n/a

 
      12-05-2005, 05:41 PM
On 5 Dec 2005 08:42:23 -0800, (E-Mail Removed) wrote:

>Ok. So I know my subject is not super descriptive. Here is my
>problem.
>
>I have opened up an ssh port on an internet routable server at my
>work. I enabled ssh forwarding on this server, and set up some
>firewall rules to allow the box with ssh connect to my work computer on
>port 5900.


Which VNC? UltraVNC, TightVNC, or the original?

You also need port 5800 forwarded on the server to use the HTTP web
browser version of VNC.

>At home, behind my DI-524, I ssh using vnc to my ssh server, and in
>putty, open a local port on my local pc to listen on port 12000. If I
>open vnc up now, I tell the vnc client to connect to 127.0.0.1, and it
>is supposed to connect to my work pc on port 5900.


Impressive. No opportunity to introduce additional complexity left
out. Well, at least you didn't add a VPN.

>What really happens, is that I get prompted for my password in vnc, it
>takes it, and then goes no further.


Sounds like TightVNC. What you're doing is connecting to yourself,
not the office server with the VNC viewer. If you think about it,
you're creating a "hall of mirrors" effect where you have a local
viewer trying to display itself inside the local viewer, etc. The
authors got tired of dealing with this effect and blocked local
viewing. I can do it with older versions of VNC, but not the current
incantations.

Incidentally, if you have more than one VNC server running at work,
you'll need to open additional ports 5801/5901 etc for each terminal
session.

>I know that this works, as I have
>done it from other networks to my work. It for some reason now work
>when I am home behind my dlink wireless router.


So, take it apart and try it piece by piece.
Start with a web browser directly to port 5800 at the work server:
http://ip_address:5800
If your Java is working, it should play.
Next, fire up the VNC viewer and try it on port 5900 directly with:
ip_address::5900 (or something like that).

Then add SSH to the pretzel but point it to the server and not to a
local IP socket number. That should also work unless your server is
set up to accept only SSH connections.

Finally, set up your port 12000 kludge on the SSH server end to point
to your SSH client (Putty). At least, that's what I think you're
doing (not sure).

>I have not set anything up on the router, and do not know very much
>about the configs on it.


The reverse port 12000 abomination will require port forwarding on
your DI-524 because in effect, the connection is made from the server
to your router. Why you would want to do this is beyond my limited
imagination.

>If anyone has any suggestions, they would be
>greatly appreciated.


Test each layer separately. My guess is that your port 12000 kludge
is not working and probably unnecessary.
--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
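
Added example, not part of the original thread: a small Python probe for the "test each layer separately" advice above. It connects to the local end of the forward (127.0.0.1 port 12000 in the original post) and reads the 12-byte version banner a VNC (RFB) server sends first, which separates a dead tunnel from a viewer-side problem. The loopback listeners, banners and result labels in `demo()` are constructed for the example.

```python
import socket
import threading

def classify_banner(data: bytes) -> str:
    """Map the first bytes a listener sends to a diagnosis."""
    if len(data) >= 12 and data[:4] == b"RFB " and data[11:12] == b"\n":
        return "vnc " + data[4:11].decode("ascii")  # RFB version, e.g. 003.008
    if data.startswith(b"SSH-"):
        return "ssh"        # forward points at an SSH port, not a VNC server
    if not data:
        return "no-banner"  # accepted locally, but the far end never answered
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to one layer of the path and report what answers there."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"    # nothing listening: the forward is not open
    except OSError:
        return "unreachable"
    data = b""
    with sock:
        try:
            while len(data) < 12:
                chunk = sock.recv(12 - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:     # timeout or reset while waiting for the banner
            pass
    return classify_banner(data)

def serve_once(banner: bytes) -> int:
    """Constructed loopback listener that sends `banner` to one client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

def demo() -> dict:
    """Run the probe against constructed stand-ins for each failure mode."""
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()           # port is now free, so a connect is refused
    return {
        "working forward": probe("127.0.0.1", serve_once(b"RFB 003.008\n")),
        "wrong target": probe("127.0.0.1", serve_once(b"SSH-2.0-constructed\r\n")),
        "far end dead": probe("127.0.0.1", serve_once(b"")),
        "no forward": probe("127.0.0.1", closed_port),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Against a real setup, `probe("127.0.0.1", 12000)` checks the PuTTY forward; running the same call from the SSH server against the work PC on port 5900 checks the layer behind it.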
Derek Broughton
Guest
Posts: n/a

 
      12-05-2005, 07:18 PM
Jeff Liebermann wrote:

> On 5 Dec 2005 08:42:23 -0800, (E-Mail Removed) wrote:
>
>>Ok. So I know my subject is not super descriptive. Here is my
>>problem.
>>
>>I have opened up an ssh port on an internet routable server at my
>>work. I enabled ssh forwarding on this server, and set up some
>>firewall rules to allow the box with ssh connect to my work computer on
>>port 5900.

>
> Which VNC? UltraVNC, TightVNC, or the original?
>
> You also need port 5800 forwarded on the server to use the HTTP web
> browser version of VNC.


He wasn't - he was using an ssh tunnel.
>
>>What really happens, is that I get prompted for my password in vnc, it
>>takes it, and then goes no further.

>
> Sounds like TightVNC. What you're doing is connecting to yourself,
> not the office server with the VNC viewer.


No he's not.

> If you think about it,
> you're creating a "hall of mirrors" effect where you have a local
> viewer trying to display itself inside the local viewer, etc. The
> authors got tired of dealing with this effect and blocked local
> viewing. I can do it with older versions of VNC, but not the current
> incantations.


I can still do that if I want. :-) It would be a serious shortcoming if you
couldn't vnc to localhost. When you're working with Unix boxes, it's
pretty normal to make a link to the server _then_ use vnc.
--
derek
Doz
Guest
Posts: n/a

 
      12-06-2005, 10:07 AM
On Mon, 05 Dec 2005 10:41:44 -0800, Jeff Liebermann wrote:

> On 5 Dec 2005 08:42:23 -0800, (E-Mail Removed) wrote:
>
>>Ok. So I know my subject is not super descriptive. Here is my
>>problem.
>>
>>I have opened up an ssh port on an internet routable server at my
>>work. I enabled ssh forwarding on this server, and set up some
>>firewall rules to allow the box with ssh connect to my work computer on
>>port 5900.

>
> Which VNC? UltraVNC, TightVNC, or the original?
>
> You also need port 5800 forwarded on the server to use the HTTP web
> browser version of VNC.
>
>>At home, behind my DI-524, I ssh using vnc to my ssh server, and in
>>putty, open a local port on my local pc to listen on port 12000. If I
>>open vnc up now, I tell the vnc client to connect to 127.0.0.1, and it
>>is supposed to connect to my work pc on port 5900.

>
> Impressive. No opportunity to introduce additional complexity left
> out. Well, at least you didn't add a VPN.
>
>>What really happens, is that I get prompted for my password in vnc, it
>>takes it, and then goes no further.

>
> Sounds like TightVNC. What you're doing is connecting to yourself,
> not the office server with the VNC viewer. If you think about it,
> you're creating a "hall of mirrors" effect where you have a local
> viewer trying to display itself inside the local viewer, etc. The
> authors got tired of dealing with this effect and blocked local
> viewing. I can do it with older versions of VNC, but not the current
> incantations.
>
> Incidentally, if you have more than one VNC server running at work,
> you'll need to open additional ports 5801/5901 etc for each terminal
> session.
>
>>I know that this works, as I have
>>done it from other networks to my work. It for some reason now work
>>when I am home behind my dlink wireless router.

>
> So, take it apart and try it piece by piece.
> Start with a web browser directly to port 5800 at the work server:
> http://ip_address:5800
> If your Java is working, it should play.
> Next, fire up the VNC viewer and try it on port 5900 directly with:
> ip_address::5900 (or something like that).
>
> Then add SSH to the pretzel but point it to the server and not to a
> local IP socket number. That should also work unless your server is
> set up to accept only SSH connections.
>
> Finally, set up your port 12000 kludge on the SSH server end to point
> to your SSH client (Putty). At least, that's what I think you're
> doing (not sure).
>
>>I have not set anything up on the router, and do not know very much
>>about the configs on it.

>
> The reverse port 12000 abomination will require port forwarding on
> your DI-524 because in effect, the connection is made from the server
> to your router. Why you would want to do this is beyond my limited
> imagination.
>
>>If anyone has any suggestions, they would be
>>greatly appreciated.

>
> Test each layer separately. My guess is that your port 12000 kludge
> is not working and probably unnecessary.


Jeff, your posts are always a good laugh. lol
Jeff Liebermann
Guest
Posts: n/a

 
      12-06-2005, 05:42 PM
On Mon, 05 Dec 2005 16:18:59 -0400, Derek Broughton
<(E-Mail Removed)> wrote:

>> You also need port 5800 forwarded on the server to use the HTTP web
>> browser version of VNC.

>
>He wasn't - he was using an ssh tunnel.


It wasn't obvious. If he were using an SSH tunnel, then he wouldn't
need to:
"...and set up some firewall rules to allow the box with ssh connect
to my work computer on port 5900."
Certainly, no firewall rules would be required on the home DI-524.
Then, it must be on the destination router at work. If it were
through an SSH tunnel, then it wouldn't need port forwarding on 5900.

>I can still do that if I want. :-) It would be a serious shortcoming if you
>couldn't vnc to localhost. When you're working with Unix boxes, it's
>pretty normal to make a link to the server _then_ use vnc.


I can't unless I explicitly enable loop-back connections. Just
tried it with TightVNC 1.2.9. I can do it if I set up a local server,
but not with just the viewer. In this case, there's no need for a
server on the user end. However, the client has a built in "host"
which can be used to terminate a VNC session. I don't have much
experience using this feature, but that's what I was guessing he was
doing with the port 12000. Maybe not, I can't tell for sure from the
description.

Anyway, there are some web pages that explain how to run VNC over SSH
including the loop-back connection, which has to be specifically
enabled. That's probably the OP's problem.
http://pigtail.net/LRP/vnc/
http://www.shebeen.com/vnc_ssh/


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Derek Broughton
Guest
Posts: n/a

 
      12-06-2005, 06:41 PM
Jeff Liebermann wrote:

> On Mon, 05 Dec 2005 16:18:59 -0400, Derek Broughton
> <(E-Mail Removed)> wrote:
>
>>> You also need port 5800 forwarded on the server to use the HTTP web
>>> browser version of VNC.

>>
>>He wasn't - he was using an ssh tunnel.

>
> It wasn't obvious. If he were using an SSH tunnel, then he wouldn't
> need to:
> "...and set up some firewall rules to allow the box with ssh connect
> to my work computer on port 5900."


"At home, behind my DI-524, I ssh using vnc to my ssh server," - seems
pretty obvious to me.

> Certainly, no firewall rules would be required on the home DI-524.


That's what I figured.

> Then, it must be on the destination router at work. If it were
> through an SSH tunnel, then it wouldn't need port forwarding on 5900.


He didn't mention port-forwarding at all, though he said he set up firewall
rules to allow access to his _work_ computer on port 5900. Which makes
some sense on that end - but only if the ssh server and his work computer
are separate hosts on the same (at-work) network.
>
>>I can still do that if I want. :-) It would be a serious shortcoming if
>>you
>>couldn't vnc to localhost. When you're working with Unix boxes, it's
>>pretty normal to make a link to the server _then_ use vnc.

>
> I can't unless I explicitly enable loop-back connections. Just
> tried it with TightVNC 1.2.9. I can do it if I set up a local server,
> but not with just the viewer. In this case, there's no need for a
> server on the user end. However, the client has a built in "host"
> which can be used to terminate a VNC session.


I didn't know about the built-in host - I've only used it with a local
server.

> I don't have much
> experience using this feature, but that's what I was guessing he was
> doing with the port 12000. Maybe not, I can't tell for sure from the
> description.


No, I think we've done this to death without more detail :-)

> Anyway, there are some web pages that explain how to run VNC over SSH
> including the loop-back connection, which has to be specifically
> enabled. That's probably the OP's problem.


That would be my guess, too.

--
derek
Jeff Liebermann
Guest
Posts: n/a

 
      12-07-2005, 12:33 AM
On Tue, 06 Dec 2005 15:41:25 -0400, Derek Broughton
<(E-Mail Removed)> wrote:

>I didn't know about the built-in host - I've only used it with a local
>server.


It's called a "reverse host" and is used with the VNC reflector
running on the (Unix) server. I don't know anything about it.
http://sourceforge.net/projects/vnc-reflector/


--
Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
831.336.2558 voice
http://www.LearnByDestroying.com AE6KS
http://802.11junk.com Skype: JeffLiebermann
(E-Mail Removed) (E-Mail Removed)

Doz
Guest
Posts: n/a

 
      12-08-2005, 09:52 AM
On Tue, 6 Dec 2005 11:07:57 +0000, Doz wrote:

> On Mon, 05 Dec 2005 10:41:44 -0800, Jeff Liebermann wrote:
>
>> On 5 Dec 2005 08:42:23 -0800, (E-Mail Removed) wrote:
>>
>>>Ok. So I know my subject is not super descriptive. Here is my
>>>problem.
>>>
>>>I have opened up an ssh port on an internet routable server at my
>>>work. I enabled ssh forwarding on this server, and set up some
>>>firewall rules to allow the box with ssh connect to my work computer on
>>>port 5900.

>>
>> Which VNC? UltraVNC, TightVNC, or the original?
>>
>> You also need port 5800 forwarded on the server to use the HTTP web
>> browser version of VNC.
>>
>>>At home, behind my DI-524, I ssh using vnc to my ssh server, and in
>>>putty, open a local port on my local pc to listen on port 12000. If I
>>>open vnc up now, I tell the vnc client to connect to 127.0.0.1, and it
>>>is supposed to connect to my work pc on port 5900.

>>
>> Impressive. No opportunity to introduce additional complexity left
>> out. Well, at least you didn't add a VPN.
>>
>>>What really happens, is that I get prompted for my password in vnc, it
>>>takes it, and then goes no further.

>>
>> Sounds like TightVNC. What you're doing is connecting to yourself,
>> not the office server with the VNC viewer. If you think about it,
>> you're creating a "hall of mirrors" effect where you have a local
>> viewer trying to display itself inside the local viewer, etc. The
>> authors got tired of dealing with this effect and blocked local
>> viewing. I can do it with older versions of VNC, but not the current
>> incantations.
>>
>> Incidentally, if you have more than one VNC server running at work,
>> you'll need to open additional ports 5801/5901 etc for each terminal
>> session.
>>
>>>I know that this works, as I have
>>>done it from other networks to my work. It for some reason now work
>>>when I am home behind my dlink wireless router.

>>
>> So, take it apart and try it piece by piece.
>> Start with a web browser directly to port 5800 at the work server:
>> http://ip_address:5800
>> If your Java is working, it should play.
>> Next, fire up the VNC viewer and try it on port 5900 directly with:
>> ip_address::5900 (or something like that).
>>
>> Then add SSH to the pretzel but point it to the server and not to a
>> local IP socket number. That should also work unless your server is
>> set up to accept only SSH connections.
>>
>> Finally, set up your port 12000 kludge on the SSH server end to point
>> to your SSH client (Putty). At least, that's what I think you're
>> doing (not sure).
>>
>>>I have not set anything up on the router, and do not know very much
>>>about the configs on it.

>>
>> The reverse port 12000 abomination will require port forwarding on
>> your DI-524 because in effect, the connection is made from the server
>> to your router. Why you would want to do this is beyond my limited
>> imagination.
>>
>>>If anyone has any suggestions, they would be
>>>greatly appreciated.

>>
>> Test each layer separately. My guess is that your port 12000 kludge
>> is not working and probably unnecessary.

>
> Jeff, your posts are always a good laugh. lol


But very informative I might add..