I'm posting this because some people had asked about the VNC setup I use at
work for remote access. I'm not much of a technical writer, but this might be
helpful to other people trying to set up something like this. Obviously, if
VNC eventually incorporates encryption, this kind of tunnelling will be
unnecessary for most applications, but it still could prove useful in some
situations. For example, if the private LAN used unroutable IP addresses, you
could use a Linux server with interfaces on both networks to forward VNC
connections in this manner. It's also nice in that only the Linux server
needs to be exposed by the firewall, and then only on the SSH port.

---

VNC Tunnelling Through SSH - Windows viewer to a Windows workstation via Linux

David Brodbeck - [EMAIL PROTECTED]
June 27, 2001

This document uses the following configuration as an example:

  +----------+                   +--------+   +-------------+
  | Windows  |         |         | Linux  |   |  Windows    |
  |    PC    |=========|=========| server |---| workstation |
  |VNC viewer| Public  | Private |        |   | VNC server  |
  +----------+ internet|   LAN   +--------+   +-------------+

  = (Encrypted)        Assume:  Workstation IP is 192.168.0.15
  - (Unencrypted)               Linux server IP is 192.168.0.2

It assumes a certain level of knowledge about VNC and Linux. This is more of
a "brain dump" to help other people trying to accomplish the same thing than
a detailed, step-by-step HOWTO.

1. Workstation configuration.

This is fairly simple. Set up the VNC server as usual. For security
purposes, add the following STRING registry key under
HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3:

    AuthHosts    -:+192.168.0.2:

This causes the VNC server to accept connections only from the Linux server:
the leading "-" rejects every host, and "+192.168.0.2" then re-admits the
Linux server. Add other keys to suit your configuration. Depending on the
physical location of the workstation, you may want to configure the
LockSetting registry key and check the Disable Local Keyboard and Pointer
option in the VNC properties dialog.
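The AuthHosts template used in step 1 is worth checking before it is deployed, since a mistake either locks the Linux server out or lets the whole LAN in. The following Python evaluator is an added example and is not code from the original post or from WinVNC. It follows the template grammar in the WinVNC documentation (terms separated by ":", each "+", "-" or "?" followed by the leading part of an address, later terms overriding earlier ones, an empty template accepting everyone). One assumption is built in: a partial address is matched only at dotted-octet boundaries, so "+192.168.0.2" does not also admit 192.168.0.20. The documentation describes the term as the leftmost bytes of the address string, which a plain string-prefix comparison would treat differently, so confirm the behaviour of the WinVNC build you run before relying on partial addresses. The sample addresses are constructed.

```python
"""Evaluate a WinVNC AuthHosts template against client addresses.

Added example; not code from the original post or from WinVNC.  Grammar
per the WinVNC docs: ':'-separated terms, each an action character
('+' accept, '-' reject, '?' query) followed by the leading part of a
dotted-quad address; later terms override earlier ones; an empty template
accepts every host.  Assumption: partial addresses match at octet
boundaries only (see the lead-in).
"""

ACTIONS = {"+": "accept", "-": "reject", "?": "query"}


def parse_authhosts(template):
    """Split a template into (action, address_prefix) terms, in order.

    Empty terms, such as the one left by the trailing ':' in
    '-:+192.168.0.2:', are ignored.  A term with no leading action
    character is a configuration error, so it raises rather than being
    silently skipped.
    """
    terms = []
    for raw in template.split(":"):
        if raw == "":
            continue
        action, prefix = raw[0], raw[1:]
        if action not in ACTIONS:
            raise ValueError("AuthHosts term lacks +, - or ?: %r" % raw)
        # A trailing '.' in a term ('+192.168.') is tolerated.
        terms.append((ACTIONS[action], prefix.rstrip(".")))
    return terms


def prefix_matches(prefix, address):
    """True if address begins with prefix at an octet boundary ('' matches all)."""
    if prefix == "":
        return True
    if address == prefix:
        return True
    return address.startswith(prefix) and address[len(prefix)] == "."


def verify_host(template, client_ip):
    """Return 'accept', 'reject' or 'query' for a connecting address.

    Every matching term is applied in order, so the last match wins; if
    nothing matches, the documented default of 'accept' stands.
    """
    verdict = "accept"
    for action, prefix in parse_authhosts(template):
        if prefix_matches(prefix, client_ip):
            verdict = action
    return verdict


def audit_template(template, addresses):
    """Verdict for each address: a quick review of a template before deploying it."""
    return {ip: verify_host(template, ip) for ip in addresses}


if __name__ == "__main__":
    # Constructed sample: the post's template checked against the Linux
    # server, the workstation itself, a neighbour that shares the server's
    # textual prefix, and an address from another network.
    sample = ["192.168.0.2", "192.168.0.15", "192.168.0.20", "10.0.0.2"]
    for ip, verdict in audit_template("-:+192.168.0.2:", sample).items():
        print("%-14s %s" % (ip, verdict))
```

Running the script shows that only 192.168.0.2 is accepted; everything else, including 192.168.0.20, is rejected, which is the result the post's template is meant to produce.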
(See: http://www.uk.research.att.com/vnc/winvnc.html, Advanced Settings
section.)

2. Linux server configuration.

Install OpenSSH. Make sure it's configured to accept SSH version 1.5
connections, since the TeraTerm SSH plugin does not yet support version 2.0.
Add a user account to the server for each person who will be forwarding an
SSH connection through it. Configure your firewall to allow incoming TCP
connections to the Linux server on port 22.

3. Windows PC configuration.

Obtain TeraTerm Pro and the ttssh plugin.
(See: http://www.zip.com.au/~roca/ttssh.html)

Extract TeraTerm and run the TeraTerm setup program. (Note: All this does is
move the files to the directory you specify. Once you have TeraTerm
installed, you can simply copy this directory to another machine to
duplicate the installation.) Extract the ttssh ZIP file into the TeraTerm
directory.

Run ttssh.exe and set the options to suit your personal taste in terminal
software. Make sure you specify a valid location for the known hosts file
under Setup / SSH... / Read/Write file.

Under Setup / TCP/IP..., add the following entry:

    192.168.0.2:22/ssh /ssh-L5900:192.168.0.15:5900
    ^^^^^^^^^^^              ^^^^ ^^^^^^^^^^^^^^^^^
    Linux server             Local  Workstation IP
    IP and port              port # and port #

This assumes that the workstation is running VNC as display 0, and that the
PC does not have the VNC server running. If either of those isn't true,
adjust the port numbers accordingly. For example, if you used
/ssh-L5901:192.168.0.15:5900, connecting to localhost:1 with VNC would
connect you to display 0 on the workstation.

(Note: Even if you're giving the host and port forwarding options on the
command line, you must either add the same entry to the TCP/IP setup dialog
or manually add it to the [Hosts] section of teraterm.ini. THE COMMAND LINE
MUST MATCH A [Hosts] ENTRY. Otherwise TeraTerm gives an "Invalid host"
error. This caused me all kinds of head-scratching until I figured it out;
it appears to be a misfeature of TeraTerm.)
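The port arithmetic behind the entry above (local port 5900+N is display N on the PC, and the forward's destination port picks the workstation display) is easy to get wrong when the PC runs its own VNC server or the workstation uses a display other than 0. The following Python parser is an added example, not code from the original post or from TeraTerm. It decodes a ttssh host entry of the form used in the post, reports which localhost display the viewer must be pointed at and which workstation display that reaches, refuses a forward whose listening port is already taken by one of the PC's own displays, and rebuilds the equivalent OpenSSH client command line. The OpenSSH command assumes an OpenSSH ssh binary (which the post's Windows PC does not have); the user name "dave" and the entries in the test are constructed placeholders.

```python
"""Decode a TeraTerm/ttssh host entry and derive the VNC display mapping.

Added example; not code from the original post or from TeraTerm.  Handles
entries of the form

    <server>[:<port>]/ssh /ssh-L<listen-port>:<host>:<port> ...

which is the only option form the post uses.  Any other option is reported
as unsupported rather than guessed at.
"""

VNC_BASE_PORT = 5900   # VNC display N listens on TCP port 5900 + N


def parse_ttssh_entry(entry):
    """Return {'server', 'port', 'forwards': [(listen, host, hostport), ...]}."""
    tokens = entry.split()
    if not tokens:
        raise ValueError("empty entry")
    target, _, proto = tokens[0].partition("/")
    if proto != "ssh":
        raise ValueError("not an SSH entry: %r" % tokens[0])
    server, _, port = target.partition(":")
    forwards = []
    for opt in tokens[1:]:
        if not opt.startswith("/ssh-L"):
            raise ValueError("unsupported ttssh option: %r" % opt)
        parts = opt[len("/ssh-L"):].split(":")
        if len(parts) != 3:
            raise ValueError("malformed forward (want port:host:port): %r" % opt)
        forwards.append((int(parts[0]), parts[1], int(parts[2])))
    return {"server": server, "port": int(port) if port else 22, "forwards": forwards}


def display_of(port):
    """VNC display number for a TCP port; ports below 5900 are not VNC displays."""
    if port < VNC_BASE_PORT:
        raise ValueError("port %d is below the VNC port range" % port)
    return port - VNC_BASE_PORT


def viewer_targets(entry, local_displays=()):
    """For each forward: (address to type into the viewer, workstation display reached).

    local_displays lists the VNC displays the PC itself serves.  A forward
    that listens on one of those ports can never be bound, which is the
    situation the post's "PC does not have the VNC server running" caveat
    refers to, so it is reported as an error.
    """
    out = []
    for listen, host, hostport in parse_ttssh_entry(entry)["forwards"]:
        local = display_of(listen)
        if local in local_displays:
            raise ValueError("port %d is already used by the PC's own display %d"
                             % (listen, local))
        out.append(("localhost:%d" % local, "%s:%d" % (host, display_of(hostport))))
    return out


def openssh_command(entry, user):
    """Equivalent command for an OpenSSH client (assumption: an ssh binary exists)."""
    cfg = parse_ttssh_entry(entry)
    parts = ["ssh", "-p", str(cfg["port"])]
    for listen, host, hostport in cfg["forwards"]:
        parts += ["-L", "%d:%s:%d" % (listen, host, hostport)]
    parts.append("%s@%s" % (user, cfg["server"]))
    return " ".join(parts)


if __name__ == "__main__":
    # The post's entry, and the variant it mentions that shifts the local
    # port to 5901 (both taken from the post; "dave" is a placeholder).
    for entry in ("192.168.0.2:22/ssh /ssh-L5900:192.168.0.15:5900",
                  "192.168.0.2:22/ssh /ssh-L5901:192.168.0.15:5900"):
        for viewer_addr, target in viewer_targets(entry):
            print("%s  ->  %s" % (viewer_addr, target))
        print("  " + openssh_command(entry, "dave"))
```

The second entry prints localhost:1 reaching 192.168.0.15:0, which matches the post's remark about using /ssh-L5901; passing local_displays=(0,) with the first entry raises, because the PC's own display 0 already owns port 5900.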
Try clicking File / New connection... and connecting to the entry you just
added, making sure the SSH radio button is selected. The first time you do
this you'll get an error message stating that the host was not in the known
hosts file. Check Add this machine... and click Continue. You'll also get an
error stating the known hosts file could not be read. Click OK. A known
hosts file will be created, preventing you from getting those errors in the
future.

You should now be able to log into the Linux server using your username and
password. Try running VNC and connecting to localhost:0. You should connect
through the tunnel to the workstation, and VNC should work normally.

Once you've connected successfully and have all the VNC client settings the
way you want them (including encoding type, etc.), click the VNC client
window icon and choose Save connection settings as... to save the settings
to a file.

3.1 Creating shortcuts.

You can make the process of setting up the connection somewhat easier by
creating a pair of appropriate shortcuts. For this example, assuming the VNC
settings file is called local.vnc, here's what the command line for each
shortcut would be:

  TeraTerm shortcut (I call this 'Open Connection'):

    ttssh.exe 192.168.0.2:22/ssh /ssh-L5900:192.168.0.15:5900

  VNC shortcut (I call this 'Launch viewer'):

    vncviewer.exe /config local.vnc

If the people using this setup are fairly inexperienced, it's a good idea to
put some suitable hints in the .login or .bash_profile file of their Linux
account. Something like this would be appropriate:

    echo ""
    echo "You are now connected. Run the Start Viewer shortcut."
    echo "Do not close this window until you are ready to disconnect."

3.2 Duplicating the client configuration on other machines.

I suggest setting this up for the first time in some standardized location.
I use C:\remote. Use the absolute path in all the shortcuts you create. This
reduces installation on another machine to a simple, quick process:

  1. Copy over the C:\remote folder.
  2. Edit teraterm.ini and change the workstation IP to the correct value.
  3. Edit the "Open Connection" shortcut and change the workstation IP.
  4. Drag the shortcuts to the desktop or Start Menu.

The entire installation will fit on one floppy as a self-extracting ZIP
file.

4. Notes

You may want to experiment with the SSH compression level, set in
Setup / SSH... or in the [TTSSH] section of teraterm.ini. It can increase
performance noticeably, especially if you're using Hextile encoding in VNC.
There's a tradeoff between compression level and CPU usage on the PC and
Linux server, of course. SSH compression doesn't seem to make much
difference if you're using Tight encoding, probably because Tight encoding
is already pretty aggressively compressed. I recommend using Tight encoding
over dial-in links. Hextile will probably give better performance over
broadband connections, though, and allows you to use a more up-to-date
version of the server.

If security is very important to you, you may want to use RSA authentication
in SSH instead of plain password authentication. See the OpenSSH
documentation for information on how to generate suitable public and private
key files. This gives you one more layer of validation ("something you have"
and "something you know" instead of just "something you know").

5. References.

  TTSSH: An SSH Extension to TeraTerm:
    http://www.zip.com.au/~roca/ttssh.html
  VNC Homepage:
    http://www.uk.research.att.com/vnc/
  Using VNC with SSH:
    http://www.uk.research.att.com/vnc/sshvnc.html
  The Win32 VNC Server:
    http://www.uk.research.att.com/vnc/winvnc.html
  TightVNC - Bandwidth-Efficient VNC Distribution:
    http://www.tightvnc.com/