Solved

tunnelling with VNC over SSH...

Posted on 2006-04-06
1,914 Views
Last Modified: 2012-06-27
I have two computers that are external to an office. I want to be able to tunnel into those two computers using VNC over SSH. I've been trying to get it to work but something is missing. I followed the article http://www.shebeen.com/vnc_ssh/ on how to do it, but it won't seem to get through.

I have VNC installed.
I added the registry entries it wanted.
I made rules on the firewall allowing VNC and SSH through our firewall from my computer.
I installed putty for the SSH (however, I've never used putty before and I'm not sure that I have the right settings)

When I click open on PuTTY to establish the connection it says 'connection timed out'.

I'm not sure if I have the host name right (I have the destination IP of the external computer in there)

I also have SSH selected and then on the 'tunnels' options I have 5901 as the source port, localhost:5900 as the 'destination' and then local selected underneath that.

Can anyone help me out here?
Question by:wlandymore
31 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 16396840
What type of firewall is it?  

Is it configured properly, either with port forwarding or NAT, to allow inbound traffic to your computer?

Until you can ssh to your remote computer, don't even try connecting with VNC.
 
LVL 9

Expert Comment

by:jeff_01
ID: 16398891
Hi,

Are you sure the ssh daemon is running on the server PC? On the server machine open a console and type the following

ps -Af | grep sshd

See if it's running. If it's not, then type sshd and try again. If it is, then try typing

ssh 127.0.0.1

It should ask you for a user name and password. If it does, then ssh is running correctly on the server and you can try again from PuTTY. Also make sure that you select the ssh protocol in the PuTTY settings, otherwise it probably won't work. If you cannot connect to 127.0.0.1 then you're going to have to troubleshoot getting SSH up and running on your server first. Only once that is running correctly can you move on to checking your firewall settings.

HTH



 
LVL 1

Author Comment

by:wlandymore
ID: 16402623
okay, I did find out that the SSH server had not been installed by the admin on the other end. Now I am able to connect to the machine via SSH, but I can't seem to get VNC to work.

I minimize the SSH connection to the task bar and then I open the VNC viewer. I put in localhost:1 and hit enter, but I don't get any message. It just vanishes and doesn't display the password dialog or any error message. It just goes.

Any reason for this? It wouldn't be something like the firewall on the other end blocking VNC would it? I figured in that case it would give me some sort of error message.
 
 
LVL 57

Expert Comment

by:giltjr
ID: 16403120
The firewall on the other end should not see VNC as you are trying to tunnel VNC through the SSH session.  All the firewall should see is SSH.

In VNC, you need to put localhost:xx where xx is the port that VNC is listening on on the other box.  You also have to make sure that you have putty on your box configured to do port forwarding for the same port number.
 
LVL 1

Author Comment

by:wlandymore
ID: 16403597
on putty I have something like:

server IP 200.200.100.10 by SSH. Then on tunnels I have: port 5901 to destination 127.0.0.1:5900

Then I'm opening up vnc and typing in for the destination localhost:1 and it's saying "The connection closed unexpectedly. Do you wish to attempt to reconnect to localhost:1?"

if I click yes it just brings up the same message over and over again.

I also tried connecting to 127.0.0.1:1 and localhost:5901, etc., etc.

Always the message about the connection being shut down. That's with VNC viewer 4. I also tried with another version 3.3.x and it's the one that just shuts down if I try to connect to localhost:1. I don't even get the message about the connection being closed in that case.
 
LVL 57

Expert Comment

by:giltjr
ID: 16403718
In Putty you need to configure it to forward port X to port X on the remote host.

Say the remote host's IP address is 1.1.1.1 and you have the VNC server listening on port 5900 on the REMOTE host.

You need to configure Putty to listen on port 5900 (or 5901 or 9999, anything you wish) and to forward that port to 1.1.1.1:5900.

When you open VNC on your PC, you need to tell it you want to talk to localhost:5900 (or 5901 or 9999).

 
LVL 57

Expert Comment

by:giltjr
ID: 16403738
To expand/clarify:

In Putty in the tunnels, you need to have srcport = X and destination = 1.1.1.1:5900 (if 5900 is where you have the VNC server listening on 1.1.1.1).

When you start VNC you want to tell it to connect to localhost:X.

You can code any port you want for "X" as long as you do not have anything else on your computer listening on that port.
 
LVL 9

Expert Comment

by:jeff_01
ID: 16406165
Once you have created the tunnel, type the following in and see if it connects. (use the VNC server's Ip Address)

telnet 1.1.1.1 5900

See if it connects. If it doesn't, it will say something like "Could not open connection to host".

This is to verify that VNC is up and running and that you have the correct port configured.

Let us know what the outcome is.

Jeff
 
LVL 9

Expert Comment

by:jeff_01
ID: 16406183
BTW, giltjr is spot on. So when you've tested the vnc server using the telnet command above and you know VNC is running and that it is listening on port 5900 or 5901, then set the whole thing up like gilt said and it should work.

Jeff
 
LVL 9

Expert Comment

by:jeff_01
ID: 16406199
Think i may just have spotted the problem. You said

"on putty I have something like:

server IP 200.200.100.10 by SSH. Then on tunnels I have: port 5901 to destination 127.0.0.1:5900"

It seems to me you are forwarding port 5901 on your local machine to your 127.0.0.1:5900 port also on your local machine.

This wont work!

You need to change the 127.0.0.1 to be your server IP address 200.200.100.10 in the tunnels section of putty.

HTH
 
LVL 9

Expert Comment

by:jeff_01
ID: 16406202
Would have been easier if I just read the Question properly :)

 
LVL 3

Expert Comment

by:RiDo78
ID: 16413007
Tunnelling over SSH is pretty easy, once you get the catch.

The two localhosts make it quite hard to understand what you are doing, so let's say you've got 2 additional machines, 4 in total.
- CLIENT -> The PC where you are working
- SSH1 -> The PC containing PuTTY or another SSH tool on the CLIENT side of the internet
- SSH2 -> The PC containing the SSH daemon on the SERVER side of the internet
- SERVER -> The PC you want to connect to

To make it easy to read, I don't use IP addresses, but when the hostname is between angle brackets (like <CLIENT>) I mean the IP address of that machine.

You were already far enough that you could set up an SSH connection between SSH1 and SSH2. So now we are going to build the tunnel. If you start PuTTY, fill in the 'Session' section and continue to the Connection -> SSH -> Tunnels section. Next follow these instructions:
- Tick 'Local ports accept connections from other hosts' -- this enables CLIENT to connect to the SSH tunnel
- For Source port use 1234 -- this makes port 1234 on SSH1 available so CLIENT can connect to this port.
- For Destination use <SERVER>:5900 -- this ensures that everything that comes in on port 1234 on SSH1 gets forwarded to SERVER:5900. This forwarding is transparent, so to CLIENT it appears that SSH1 is SERVER.
- DON'T FORGET: Click ADD

Now press the Open button and log in to the remote system. Once logged in, right-click on the PuTTY title bar and select Event Log. In this log you should see a line:
<timestamp> Local port 1234 forwarding to <SERVER>:5900
If you don't see a line like this, something went wrong and you have to recheck your settings. Otherwise you can continue.

Now go to CLIENT, start the VNC client software and have it connect to <SSH1>:1234. Immediately you should see a line like:
<timestamp> Opening forwarded connection to <SERVER>:5900
If you don't see a line like this, there may be a firewall on SSH1 that is blocking traffic.
If you do see such a line but still get connection refused, it is the VNC service or the firewall on <SERVER> that is blocking the connection.
===
Now, back to two machines. The setup is basically the same, although you don't tick 'Local ports accept connections from other hosts'. Furthermore, you can use 'localhost' in the destination field, making the SSH daemon forward the requests to its own local VNC service. And you can use 'localhost' with the VNC client to connect to the PuTTY port that resides on the same machine as the VNC client.

Last but not least, I used local port 1234 in my example as it may be possible that port 5900 on your VNC client machine is already in use by VNC or X. So to rule that out, try not to use the 'default' ports, since it can be any port you like as long as the client is able to connect to it.
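giltjr's "port X" description and RiDo78's four-machine walk-through above describe the same PuTTY local forward. The script below is an added example, not code from this thread or from PuTTY: it turns a PuTTY 'Tunnels' entry into the equivalent OpenSSH -L option so the two notations can be compared, checks that the chosen source port is actually free on the client (the reason RiDo78 avoids 5900), and resolves the VNC viewer's display notation, under which localhost:1 and localhost:5901 are the same port. The important point, which the script encodes, is that PuTTY's Destination field is resolved by the SSH server, not by the client, so localhost:5900 is correct whenever the VNC server runs on the same box as sshd. The address 200.200.100.10 and the login admin are the thread's placeholders, 192.0.2.10 is an assumed documentation address for the four-machine case, and nothing here opens a network connection.

```python
"""Added example: map a PuTTY local tunnel to OpenSSH and sanity-check it offline.

Not code from the thread or from PuTTY. 200.200.100.10 and 'admin' are the
thread's placeholder server and login; nothing here connects anywhere.
"""
import socket


def local_forward_spec(source_port, dest_host, dest_port, accept_remote=False):
    """Return the OpenSSH -L argument equivalent to a PuTTY 'Local' tunnel entry.

    PuTTY field                              OpenSSH -L [bind:]port:host:hostport
    Source port                           -> port (where the SSH CLIENT listens)
    Destination 'host:port'               -> host:hostport, resolved by the SSH
                                             SERVER, so 'localhost:5900' is the
                                             VNC service on the sshd box itself
    'Local ports accept connections
     from other hosts'                    -> bind 0.0.0.0 (RiDo78's SSH1 case)
                                             instead of loopback only
    """
    for p in (source_port, dest_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    if source_port < 1024:
        # privileged on Unix and likely to collide with a real service
        raise ValueError("pick an unprivileged local port (>= 1024)")
    bind = "0.0.0.0:" if accept_remote else ""
    return f"{bind}{source_port}:{dest_host}:{dest_port}"


def ssh_command(user, ssh_host, spec, ssh_port=22):
    """argv for an OpenSSH client that sets up the tunnel only.
    -N asks for no remote shell (the equivalent of just minimising PuTTY)."""
    return ["ssh", "-N", "-p", str(ssh_port), "-L", spec, f"{user}@{ssh_host}"]


def vnc_target_port(target):
    """Port a VNC viewer connects to for a 'host', 'host:N' or 'host:port' string.

    Viewers in the RealVNC/TigerVNC family treat N below 100 as a display number
    (port 5900 + N) and larger values as a literal port, so localhost:1 and
    localhost:5901 are the same thing; 'host' alone means display 0.
    """
    _host, sep, num = target.partition(":")
    if not sep:
        return 5900
    n = int(num)
    return 5900 + n if n < 100 else n


def local_port_free(port, host="127.0.0.1"):
    """True if nothing on this machine already owns host:port.
    PuTTY cannot listen on 5900 if a local VNC server or X display has it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def busy_port_check():
    """Demonstrate local_port_free against a port this process holds open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", 0))           # kernel picks a free port
        holder.listen(1)
        return local_port_free(holder.getsockname()[1])   # False: it is taken


if __name__ == "__main__":
    # The thread's two-machine setup: sshd and the VNC server on the same box.
    spec = local_forward_spec(5901, "localhost", 5900)
    print(" ".join(ssh_command("admin", "200.200.100.10", spec)))
    print("viewer target localhost:1 ->", vnc_target_port("localhost:1"))
    print("local port 5901 free:", local_port_free(5901))
    # RiDo78's four-machine layout: SSH1 must accept the viewer from CLIENT
    # (192.0.2.10 stands in for <SERVER>; an assumed documentation address).
    print(local_forward_spec(1234, "192.0.2.10", 5900, accept_remote=True))
```

With the thread's settings the script prints ssh -N -p 22 -L 5901:localhost:5900 admin@200.200.100.10, which is what the PuTTY entry "source 5901, destination localhost:5900" does. For the four-machine layout the explicit 0.0.0.0 bind address on -L makes the client listen on all interfaces regardless of its GatewayPorts default, which is what PuTTY's 'accept connections from other hosts' tick box changes; leave it off whenever the viewer runs on the same machine as the SSH client, since otherwise anyone on the LAN can reach the VNC server through your tunnel.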
 
LVL 1

Author Comment

by:wlandymore
ID: 16417642
I went through those things and I get "the connection closed unexpectedly. Do you wish to attempt to reconnect to localhost:1?"

I've tried every combination I can think of with the sourceport, etc. and this is what I get. If I try to connect using another port it will say that the connection has been refused (as expected). But every time I try to connect with the suggested parameters, it gives me the closed connection message.

I was talking to the network administrator on the other end where the server is and he doesn't seem to be blocking anything and can see the SSH connection coming in successfully. Is there anything he has to allow besides port 22, or does all of the usual VNC connection stuff get passed through this port?
 
LVL 3

Expert Comment

by:RiDo78
ID: 16417829
what parameters do you use to connect to?

This message usually appears when an SSH connection is terminated. It has nothing to do with the tunnels. And port 1 (localhost:1 means localhost port 1) is tcpmux. So if you wish to connect with SSH, first fill in the 'connection' sheet, set the hostname or IP address and select the SSH protocol, but leave the port number intact.

Next you have to log in to the system. (Without login, no tunnels.)

For the tunnels, it is generally not smart to connect to ports lower than 1024. Sometimes you don't have a choice (for example, SMTP always uses port 25, DNS always uses port 53 and so on). But since you have a choice (the VNC client can connect to any port), use a port above 1024. For example 1234 or 5000.
 
LVL 9

Expert Comment

by:jeff_01
ID: 16417962
Did you change the Ipaddress as I suggested?
 
LVL 1

Author Comment

by:wlandymore
ID: 16417967
I am connecting from my computer to another server using putty:

host IP: <SERVER IP> on port 22

Tunnels: sourceport - 5901
             destination - localhost:5900

Then I'm opening the SSH and logging in with admin/password and it's accepting that and opening the SSH connection. Then I'm minimizing the SSH and opening VNC and using localhost:1 or localhost:5901 and both give me the 'connection closed unexpectedly' message. It seems like the SSH is open and working properly, but that there is something wrong with the VNC.  I checked with the admin. on the other end and he told me that the VNC server service was running though.
 
LVL 1

Author Comment

by:wlandymore
ID: 16417980
I tried everything in the suggestions above and those didn't work either so I just went back to what the document I have on VNC through SSH was suggesting.
 
LVL 3

Expert Comment

by:RiDo78
ID: 16418048
Oh forgot to answer your last question...

Why do you think the technique is called 'tunnelling'? If you build a normal traffic tunnel, you can see what goes into the tunnel and what comes out of it. But from the air, you only see the tunnel itself, not what's passing through it.

SSH multiplexes and encrypts all the traffic that it forwards. The only thing the firewall is able to see is the tunnel -- one bunch of encrypted garbage between the SSH server (usually on port 22) and the client. No matter how many ports you forward, everything will go through the tunnel.

There are only two machines that know what traffic goes through the tunnel: the SSH server and the SSH client. All the machines in between only see the SSH tunnel itself, not the contents.
 
LVL 3

Expert Comment

by:RiDo78
ID: 16418074
What does the Putty Eventlog say?
(right click on the title-bar of an connected SSH window -> Event Log)
 
LVL 1

Author Comment

by:wlandymore
ID: 16418093
I'm just grasping at straws here....I know the concept behind the tunnel, I was just hoping there was something extra that might be missing from the firewall.

But thanks for the condescending comment there.....:)
 
LVL 3

Expert Comment

by:RiDo78
ID: 16418284
Nah, when the SSH connection is established, the tunnels should work as well. In fact, you can easily break through the firewall using SSH and tunnels.

For example, many corporate firewalls block access to anything but the standard ports (80 and 443) by default, so it is not possible to connect from a corporate site to an SSH server on the internet.

Except when you configure the SSH daemon to run on port 443 and have the client connect to it. Most firewalls can't see the difference between an HTTPS handshake and an SSH handshake and allow the connection. So at home I have a Linux machine with SSH running on port 443 and a proxy server (squid). Meaning that I can connect to my home network from every PC as long as port 443 is not blocked. And I can also set up a tunnel to the proxy server to access websites if they are blocked by the corporate firewall. (Some companies block the websites of their competitors.)

So there's your proof that you only need ONE port for SSH. And usually that is port 22.
 
LVL 1

Author Comment

by:wlandymore
ID: 16418882
2006-04-10 13:27:53      Looking up host "1.1.1.1"
2006-04-10 13:27:53      Connecting to 1.1.1.1 port 22
2006-04-10 13:27:53      Server version: SSH-2.0-5.0.1.79 SSH Tectia Server
2006-04-10 13:27:53      We claim version: SSH-2.0-PuTTY_Release_0.58
2006-04-10 13:27:53      Using SSH protocol version 2
2006-04-10 13:27:58      Using Diffie-Hellman with standard group "group1"
2006-04-10 13:27:58      Doing Diffie-Hellman key exchange
2006-04-10 13:27:58      Host key fingerprint is:
2006-04-10 13:27:58      ssh-rsa 1536 99:00:00:80:00:77:88:dd:ad:44:cc:99:00:07:00:00
2006-04-10 13:27:58      Initialised AES-128 client->server encryption
2006-04-10 13:27:58      Initialised HMAC-SHA1 client->server MAC algorithm
2006-04-10 13:27:58      Initialised AES-128 server->client encryption
2006-04-10 13:27:58      Initialised HMAC-SHA1 server->client MAC algorithm
2006-04-10 13:28:07      Access granted
2006-04-10 13:28:07      Opened channel for session
2006-04-10 13:28:07      Local port 5901 forwarding to localhost:5900
2006-04-10 13:28:07      Allocated pty (ospeed 38400bps, ispeed 38400bps)
2006-04-10 13:28:07      Started a shell/command
-----------------------------------

That's the output of the log for putty
 
LVL 57

Expert Comment

by:giltjr
ID: 16419246
O.K.  It looks like you are connecting with SSH.

Doing localhost:5901 (based on your other posts) in VNC should work, as Putty should be listening on port 5901 and forwarding to port 5900 on the remote box.  Now, is VNC up and running on the remote box, and is it listening on port 5900?
 
LVL 1

Author Comment

by:wlandymore
ID: 16419705
as far as I know it is. But this is questionable because I asked the admin. that before and he called me back the first time to say that SSH wasn't running and then to say that VNC service wasn't running after that. However, we were on the phone for a little while and he said that he was connected to it through VNC. The service would have to be running for him to do that, but this is pretty tough without the box in front of me and not knowing what they're doing.
They said that they didn't change any of the default values so it should be listening on 5900, but I didn't get them to run a netstat or something that would show what ports the server is listening on.
 
LVL 1

Author Comment

by:wlandymore
ID: 16419737
also, if the VNC server service isn't running shouldn't I get a 'Connection refused (10061)' error....not 'the connection was unexpectedly closed'....
 
LVL 3

Expert Comment

by:RiDo78
ID: 16420015
If you get the "Connection was unexpectedly closed" message, then something is happening to the entire connection (probably you will be logged out of the SSH-terminal as well).

Can you keep the session open for -say- 10 minutes without starting a tunnel? If so, does the ssh-server support tunnelling and is it allowed to do so? If you cannot keep the session open for 10 minutes, does it close with an timeout or with the same "unexpectedly closed" message?
 
LVL 57

Expert Comment

by:giltjr
ID: 16420753
You need a VNC server running for each concurrent connection.  If he was connected to the VNC server and did not disconnect, then you would get rejected.

I am assuming that you are running a Unix type OS on the other end, once you are SSH'ed into the other box issue the command:


     netstat -anA inet

and look to see if there is a connection to 5900 already.
 
LVL 9

Expert Comment

by:jeff_01
ID: 16423975
You could also try telnet. Once you have created the ssh connection type

telnet 127.0.0.1 5901

to check if there is a connection to vnc being made or if it is just not connecting at all. Post the results of this.

I still don't understand your configuration. I read again that you have your tunnel set up so that

"Tunnels: sourceport - 5901
             destination - localhost:5900"

What in reality is actually happening here is that putty is listening on port 5901 on your local machine and is then forwarding all traffic it receives on port 5901 to port 5900 again on your local machine. I can't possibly see how you expect this to work. Set up the tunnel again and specify that the destination IP address is that of the server that the VNC server is actually running on (which is 200.200.100.10).

IE

Tunnels: sourceport = 5901
              destination = 200.200.100.10:5900  (If the vnc server is listening on port 5900)

or

Tunnels: sourceport = 5901
              destination = 200.200.100.10:5901  (If the vnc server is listening on port 5901)

Then once you have done that try the telnet command above again and see what happens.


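The telnet check above, RiDo78's question about whether the session itself is dropping, and the asker's own observation that a dead VNC service should give 'Connection refused (10061)' rather than 'connection closed unexpectedly' all come down to what the viewer's end of the tunnel actually does when it is connected to. The script below is an added example, not code from the thread: it connects to a host:port the way a VNC viewer would and classifies the result as refused (nothing listening), closed (accepted, then hung up without a byte), or rfb (a real VNC server greeted us). It exercises all three outcomes against constructed loopback stand-ins for the far end of the tunnel, so it runs offline; a real VNC server opens with the same 12-byte "RFB 003.xxx\n" greeting the stand-in sends.

```python
"""Added example: probe the viewer's end of a VNC-over-SSH tunnel and classify
the answer. Not code from the thread. The loopback servers below are constructed
stand-ins for the far end of the tunnel; a real VNC server opens with the same
12-byte 'RFB 003.xxx\\n' greeting.
"""
import socket
import threading

RFB_GREETING = b"RFB 003.008\n"   # 12 bytes, RFB protocol version 3.8


def probe(host, port, timeout=3.0):
    """Connect like a VNC viewer would and report what the far end does.

    'refused' - nothing listens on host:port (PuTTY not forwarding, wrong port)
    'closed'  - accepted, then closed without a byte (the tunnel's far end
                went away or the SSH server refused the forwarded channel)
    'rfb'     - a VNC greeting came back: the tunnel reaches a VNC server
    'other'   - something answered, but it is not VNC
    'timeout' - no connection or no data within `timeout` seconds
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(len(RFB_GREETING))
            except ConnectionResetError:
                return "closed"
            except socket.timeout:
                return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "timeout"
    if not data:
        return "closed"
    return "rfb" if data.startswith(b"RFB ") else "other"


def fake_far_end(behaviour):
    """Start a one-shot loopback listener standing in for the tunnel's far end.
    behaviour 'rfb' sends the VNC greeting; 'closed' hangs up at once.
    Returns the port it listens on (constructed test fixture, not a real VNC)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "rfb":
                conn.sendall(RFB_GREETING)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A port nothing listens on (bound, then released), for the 'refused' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Exercise all three outcomes against loopback stand-ins."""
    return {
        "vnc reachable": probe("127.0.0.1", fake_far_end("rfb")),
        "far end hangs up": probe("127.0.0.1", fake_far_end("closed")),
        "nothing listening": probe("127.0.0.1", unused_port()),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:18s} -> {result}")
    # Against the thread's setup, with PuTTY open: probe("127.0.0.1", 5901)
```

Read against the thread's configuration: 'refused' on 127.0.0.1:5901 means PuTTY is not listening at all (tunnel not added with the ADD button, or the session not open), and the viewer would report 10061. 'closed' matches the 'connection closed unexpectedly' message: the local end accepted the viewer but the forwarded channel died, so check PuTTY's Event Log for the forwarded connection being refused by the server, confirm on the server with netstat that something listens on 5900, and confirm that the SSH server permits TCP forwarding. 'rfb' means the tunnel reaches VNC and the remaining problem is in the viewer or VNC authentication.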
 
LVL 1

Author Comment

by:wlandymore
ID: 16509305
I'm using the localhost:port because that's what it says in every article I've read on the internet about how to set them up.

http://home.highertech.net/~john/Putty-Tunnel/putty-tunnel.html

if you read through that one, there is a section in the middle about using localhost in the putty tunnel
 
LVL 1

Author Comment

by:wlandymore
ID: 16509428
They say in articles that the reason for that is if the SSH server and VNC server are running on the same box. If that's the case on the machine you want to control then you use the 5900 localhost:5900 type setup. If they are on different machines then that's when you have to change it to the IP address.

http://chinese-watercolor.com/LRP/vnc/

 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 17045198
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
