vnc tunneling over ssh

 
 
Wolfgang Ebersbach
Guest
Posts: n/a

 
      01-07-2004, 12:43 PM
Hi together,
I try to tunnel a vnc connection over ssh in order to get through a firewall:

vnc_host-->firewall-->vnc_client.

What I do is:

vnc_client# ssh -L 5901:localhost:5901 vnc_host
After login to vnc_host :
vnc_host# vncserver
Which starts the vnc server on port 5901 on vnc_server, as expected.
Then :
vnc_client# vncviewer localhost:5901
or
vnc_client# vncviewer localhost:1
which both lead to this result:
At vnc_client:
vncviewer: VNC server closed connection
and at vnc_server:
4409: channel 3: open failed: connect failed: Connection refused

The problem can not be in SSH, because if I do X11 forwarding via SSH
( ssh -X vnc_server ) it works.
If I try to forward the TCP port instead :
vnc_client# ssh -L 5801:vnc_client:5801 vnc_server
I get the same problem as with port 5901. In fact, I can use any ports
I want, vnc forwarding never works.
There are no entries in the logfiles whatsoever. Several queries to Google
groups led to no useful results.

Any help would be greatly appreciated.

Regards,
Wolfgang
 
 
 
 
 
Georg Armbruster
Guest
Posts: n/a

 
      01-07-2004, 01:31 PM
On Wed, 07 Jan 2004 14:43:37 +0100, Wolfgang Ebersbach wrote:

[trying to tunnel vnc through a gateway]

> vnc_host-->firewall-->vnc_client.
> vnc_client# ssh -L 5901:localhost:5901 vnc_host


Well, shouldn't this read
ssh -L 5901:vnc_host:5901 your_gateway ?
Then, port 5901 of your vnc_host is "mapped" to
port 5901 of your localhost, which most probably
is your vnc_client...

Needless to say, an sshd has to run on the gateway...

Greets,
Georg
 
 
Wolfgang Ebersbach
Guest
Posts: n/a

 
      01-07-2004, 01:47 PM
Georg Armbruster wrote:

> On Wed, 07 Jan 2004 14:43:37 +0100, Wolfgang Ebersbach wrote:
>
> [trying to tunnel vnc through a gateway]
>
>> vnc_host-->firewall-->vnc_client.
>> vnc_client# ssh -L 5901:localhost:5901 vnc_host

>
> Well, shouldn't this read
> ssh -L 5901:vnc_host:5901 your_gateway ?
> Then, port 5901 of your vnc_host is "mapped" to
> port 5901 of your localhost, which most probably
> is your vnc_client...


OK, maybe it was not very well described:

The host running the VNC server is "vnc_server"
The host which should connect to the VNC server via the firewall is
"vnc_client"

now, you need to run "ssh -L 5901:vnc_client:5901 vnc_server" on the
vnc_client machine, which is what the VNC documentation about this issue
says, too:
http://www.uk.research.att.com/archive/vnc/sshvnc.html

This is what I do, but it doesn't work.

If you run "ssh -L 5901:vnc_host:5901 your_gateway" on machine
"your_gateway", you establish an ssh connection from "your_gateway" to
"your_gateway" which is not what we want to do.

Or did I not understand the concept here ?

Regards,
Wolfgang


>
> Needless to say, an sshd has to run on the gateway...
>
> Greets,
> Georg


 
 
Georg Armbruster
Guest
Posts: n/a

 
      01-07-2004, 03:17 PM
On Wed, Wolfgang Ebersbach wrote:

>> [trying to tunnel vnc through a gateway]


> If you run "ssh -L 5901:vnc_host:5901 your_gateway" on machine
> "your_gateway", you establish an ssh connection from "your_gateway" to
> "your_gateway" which is not what we want to do.
>
> Or did I not understand the concept here ?
>


Actually, I guess you are wrong; running the above command, a connection
is established from your_gateway to your local host (which means to the
localhost which is running the command).

If you run "ssh -L 5901:vnc_host:5901 IPofYourGateway", then
your gateway "grabs" the port 5901 of your vnc_host, encrypts it
from your gateway on, and forwards it to port 5901 of your local host,
from where you can access it with "vncviewer 127.0.0.1".

This connection is plain (which means unencrypted) from your vnc_host
to your ssh-server (your gateway), but encrypted from your gateway
towards your vnc_client.

Hope this helps )
Georg
 
 
Xenna
Guest
Posts: n/a

 
      01-07-2004, 06:25 PM
Wolfgang Ebersbach wrote:

> I try to tunnel a vnc connection over ssh in order to get through a firewall:
>
> vnc_host-->firewall-->vnc_client.


I once had a problem trying to do a similar tunnel. The VNC server
(Windows XP/RealVNC) was running on the same host as the ssh server that
was used as the end point of the tunnel (Cygwin/OpenSSH).

It turned out that the Windows VNC server didn't listen to the loopback
interface (localhost/127.0.0.1) by default (for reasons that elude me to
this day). I had to change a registry key to make that happen.

Perhaps you're looking at a similar problem.

I've wondered many times why no-one creates a VNC Client/Server pair
with built in SSL encryption. It can't be that difficult, the Open
Source libraries are everywhere. It's just ridiculous that such a
product doesn't encrypt its data by default...

I'd do it myself but my C sucks...

X.

 
 
Skylar Thompson
Guest
Posts: n/a

 
      01-08-2004, 01:49 AM
On Wed, 07 Jan 2004 14:43:37 +0100, Wolfgang Ebersbach <(E-Mail Removed)> wrote:
> Hi together,
> I try to tunnel a vnc connection over ssh in order to get through a firewall:
>
> vnc_host-->firewall-->vnc_client.
>
> What I do is:
>
> vnc_client# ssh -L 5901:localhost:5901 vnc_host
> After login to vnc_host :
> vnc_host# vncserver
> Which starts the vnc server on port 5901 on vnc_server, as expected.
> Then :
> vnc_client# vncviewer localhost:5901
> or
> vnc_client# vncviewer localhost:1
> which both lead to this result:
> At vnc_client:
> vncviewer: VNC server closed connection
> and at vnc_server:
> 4409: channel 3: open failed: connect failed: Connection refused
>
> The problem can not be in SSH, because if I do X11 forwarding via SSH
> ( ssh -X vnc_server ) it works.
> If I try to forward the TCP port instead :
> vnc_client# ssh -L 5801:vnc_client:5801 vnc_server
> I get the same problem as with port 5901. In fact, I can use any ports
> I want, vnc forwarding never works.
> There are no entries in the logfiles whatsoever. Several queries to Google
> groups led to no useful results.


Add this line to /etc/hosts.allow:

Xvnc: ALL

--
-- Skylar Thompson ((E-Mail Removed))
-- http://cs.earlham.edu/~skylar/
 
 
Wayne Throop
Guest
Posts: n/a

 
      01-08-2004, 01:58 AM
: Wolfgang Ebersbach <(E-Mail Removed)>
: The host running the VNC server is "vnc_server" The host which should
: connect to the VNC server via the firewall is "vnc_client"
:
: now, you need to run "ssh -L 5901:vnc_client:5901 vnc_server" on the
: vnc_client machine, which is what the VNC documentation about this
: issue says, too:
: http://www.uk.research.att.com/archive/vnc/sshvnc.html

That's not what needs to be done, and that's not what that web page says
to do. Running that command on vnc-client will attempt to forward a
port on vnc client to the same port on vnc client, which is pretty much
guaranteed to be quite useless at best.

What it says on that page is

ssh -L x:localhost:y snoopy

Note that "localhost" is evaluated on snoopy, and NOT on the host
upon which you execute the command. The -L forward syntax is x:h:y, where
x is the localport to forward from, h is the host relative to the
server, and y is the port on the server to which connections will be
forwarded. Thus you should either say

ssh -L 5901:localhost:5901 vnc-server

or possibly

ssh -L 5901:vnc-host:5901 gateway

if the gateway firewalls in such a way that the vnc server
isn't directly visible.

: If you run "ssh -L 5901:vnc_host:5901 your_gateway" on machine
: "your_gateway", you establish an ssh connection from "your_gateway" to
: "your_gateway" which is not what we want to do.

No, that establishes a port forward from the host you run the command on
(which is implicit in the x:host:y syntax), to a port on vnc-host, where
the name "vnc-host" must be visible to gateway. Which is quite useful,
if vnc-host isn't visible from where you run the command, but is
visible from the gateway.

Note that the unix version of tightvnc has a -via option which
can be used to do both ssh and vnc connections in one swell foop:

vncviewer -via vnc-host localhost:1
or
vncviewer -via gateway vnc-host:1

or however the visibility works in the particular case.


Wayne Throop (E-Mail Removed) http://sheol.org/throopw
 
 
William Hooper
Guest
Posts: n/a

 
      01-08-2004, 03:17 AM
"Wolfgang Ebersbach" <(E-Mail Removed)> wrote in message
news:bth275$3vb$(E-Mail Removed)...
>
>
> Hi together,
> I try to tunnel a vnc connection over ssh in order to get through a firewall:
>
> vnc_host-->firewall-->vnc_client.
>
> What I do is:
>
> vnc_client# ssh -L 5901:localhost:5901 vnc_host
> After login to vnc_host :
> vnc_host# vncserver
> Which starts the vnc server on port 5901 on vnc_server, as expected.
> Then :
> vnc_client# vncviewer localhost:5901
> or
> vnc_client# vncviewer localhost:1
> which both lead to this result:
> At vnc_client:
> vncviewer: VNC server closed connection
> and at vnc_server:
> 4409: channel 3: open failed: connect failed: Connection refused


What do you get doing:

vnc_host# telnet localhost 5901



> The problem can not be in SSH, because if I do X11 forwarding via SSH
> ( ssh -X vnc_server ) it works.



X forwarding and TCP forwarding are two completely different config options.
man sshd

It might also be helpful if you posted OS and version numbers.

--
William Hooper

I like you ... you remind me of me when I was young and stupid


 
 
Georg Armbruster
Guest
Posts: n/a

 
      01-08-2004, 06:34 AM
On Wed, Wolfgang Ebersbach wrote:

>> [trying to tunnel vnc through a gateway]


> If you run "ssh -L 5901:vnc_host:5901 your_gateway" on machine
> "your_gateway", you establish an ssh connection from "your_gateway" to
> "your_gateway" which is not what we want to do.
>
> Or did I not understand the concept here ?
>


Actually, I guess you are wrong; running the above command, a connection
is established from your_gateway to your local host (which means to the localhost
which is running the command).

If you run "ssh -L 5901:vnc_host:5901 IPofYourGateway", then
your gateway "grabs" the port 5901 of your vnc_host, encrypts it
from your gateway on, and forwards it to port 5901 of your local host,
from where you can access it with "vncviewer 127.0.0.1".

This connection is plain (which means unencrypted) from your vnc_host
to your ssh-server (your gateway), but encrypted from your gateway
towards your vnc_client.

Hope this helps )
Georg
 
 
Wolfgang Ebersbach
Guest
Posts: n/a

 
      01-08-2004, 07:54 AM
William Hooper wrote:

> "Wolfgang Ebersbach" <(E-Mail Removed)> wrote in message
> news:bth275$3vb$(E-Mail Removed)...
>>
>>
>> Hi together,
>> I try to tunnel a vnc connection over ssh in order to get through a firewall:
>>
>> vnc_host-->firewall-->vnc_client.
>>
>> What I do is:
>>
>> vnc_client# ssh -L 5901:localhost:5901 vnc_host
>> After login to vnc_host :
>> vnc_host# vncserver
>> Which starts the vnc server on port 5901 on vnc_server, as expected.
>> Then :
>> vnc_client# vncviewer localhost:5901
>> or
>> vnc_client# vncviewer localhost:1
>> which both lead to this result:
>> At vnc_client:
>> vncviewer: VNC server closed connection
>> and at vnc_server:
>> 4409: channel 3: open failed: connect failed: Connection refused

>
> What do you get doing:
>
> vnc_host# telnet localhost 5901


I get :

ebersbac@via:~> telnet localhost 5901
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.003

Which means that the vnc server can be accessed on the local machine. I
don't understand what the "Trying ::1" means. Maybe I should read the
entire ssh manpage to understand what's going on here ?
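
Added example, not part of the thread: the host in an `ssh -L x:h:y` spec is resolved on the ssh server side (as Wayne Throop's post explains), and the telnet output above shows `localhost` on vnc_host resolving to ::1 first (refused) and then 127.0.0.1 (RFB banner). This script runs that per-address check on the ssh server host; the function names are hypothetical, and the printed suggestion to name 127.0.0.1 explicitly assumes the forwarder only attempts the first resolved address.

```python
import socket

def probe_forward_target(host, port, timeout=2.0):
    """Connect to every address `host` resolves to, in resolver order.

    Returns a list of (family, address, status, banner) tuples.
    """
    results, seen = [], set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        if sockaddr[0] in seen:
            continue
        seen.add(sockaddr[0])
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                try:
                    # An RFB (VNC) server speaks first, e.g. "RFB 003.003\n".
                    banner = s.recv(12).decode("ascii", "replace").strip()
                except socket.timeout:
                    banner = ""  # port open, but nothing announced itself
            results.append((name, sockaddr[0], "open", banner))
        except OSError as exc:
            results.append((name, sockaddr[0],
                            "failed: " + (exc.strerror or str(exc)), ""))
    return results

def first_rfb_target(results):
    """Return (address, is_first_resolved) for the first RFB listener, or None."""
    for index, (_, addr, status, banner) in enumerate(results):
        if status == "open" and banner.startswith("RFB "):
            return addr, index == 0
    return None

if __name__ == "__main__":
    # Run on the ssh server host (vnc_host in the thread); 5901 is display :1.
    found = probe_forward_target("localhost", 5901)
    for family, addr, status, banner in found:
        print(f"{family:4} {addr:<12} {status} {banner}")
    target = first_rfb_target(found)
    if target and not target[1]:
        # Assumption: the forwarder attempts only the first resolved address.
        print(f"try: ssh -L 5901:{target[0]}:5901 vnc_host")
```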







 