tunnelling with VNC over SSH...

I have two computers that are external to an office. I wan't to be able to tunnel into those two computers using VNC over SSH. I've been trying to get it to work but something is missing. I followed the article http://www.shebeen.com/vnc_ssh/ on how to do it, but it won't seem to get through.

I have VNC installed.
I added the registry entries it wanted.
I made rules on the firewall allowing VNC and SSH through our firewall from my computer.
I installed putty for the SSH (however, I've never used putty before and I'm not sure that I have the right settings)

When I click open on putty to establish the connection is says 'connection timed out'.

I'm not sure if I have the host name right (I have the destination IP of the external computer in there)

I also have SSH selected and then on the 'tunnels' options I have 5901 as the source port, localhost:5900 as the 'destination' and then local selected underneat that.

Can anyone help me out here?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

What type of firewall is it?  

It is configured properly, either with port forwarding or NAT to allow inbound traffic to your computer?

Utill you can ssh to your remote computer don't even try connecting with VNC.

Are you sure the ssh Daemon is running on the server pc? On the server machine open a console and type the following

ps-Af |grep sshd

See if its running. If its not the type sshd and then try again. If it is then try typing


It should ask you for a user name and password. If it does then ssh is running correctly on the server and you can try again from putty. Also make sure that you select the ssh protocol in the putty settings otherwise it probably wont work. If you cannot connect to then you gonna have to troubleshoot getting SSH up and running on your server first. Only once that is running correctly can you move on to checking your firewall settings.


wlandymoreAuthor Commented:
okay, I did find out that the SSH server had not been installed by the admin on the other end. Now I am able to connect to the machine via SSH, but I can't seem to get VNC to work.

I minimize the SSH connection to the task bar and then I open the VNC viewer. I put in localhost:1 and hit enter, but I don't get any message. It just vanishes and doesn't display the password dialog or any error message. It just goes.

Any reason for this? It wouldn't be something like the firewall on the other end blocking VNC would it? I figured in that case it would give me some sort of error message.
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

The firewall on the other end should not see VNC as you are trying to tunnle VNC through the SSH session.  All the firewall should see is SSH.

In VNC, you need to put localhost:xx where xx is the port that VNC is listenting to on the other box.  You also have to make sure that you have putty on your box configured to do port forwarding for the same port number.
wlandymoreAuthor Commented:
on putty I have something like:

server IP by SSH. Then on tunnels I have: port 5901 to destination

Then I'm opening up vnc and typing in for the destination localhost:1 and it's saying "The connection closed unexpectedly. Do you wish to attempt to reconnect to localhost:1?"

if I click yes it just brings up the same message over and over again.

I also tried connecting to and localhost:5901, etc., etc.

Always the message about the connection being shut down. That's with VNC viewer 4. I also tried with another version 3.3.x and it's the one that just shuts down if I try to connect to localhost:1. I don't even get the message about the connection being closed in that case.
In Putty you need to configure it to forward port X to port X to the remote host.

Say the remote host's IP address is and you have the VNC server listening or port 5900 on the REMOTE host.

You need to configure Putty to listen on port 5900 (or 5901 or 9999 anything you wish) and to forward that port to

When you open VNC on your PC, you need to tell it you want to talk to localhost:5900 (or 5901 or 9999).

To expand/clearify:

In Putty in the tunnels, you need to have srcport = X and destination = (if 5900 is where you have the VNC server listenting to on

When you start VNC you want to tell it to connect to localhost:X.

You can code any port you want for "X" as long as you do not have anything else on your comptuer listening on that port.
Once you have created the tunnel, type the following in and see if it connects. (use the VNC server's Ip Address)

telnet 5900

See if it connects. If it doesnt it will say something like "Could not open connection to host".

This is to verify that VNC is up and running and that you have the correct port configured.

Let us know what the outcome is.

BTW, giltjr is spot on. So when youve have tested the vnc server using the telnet command above and you know VNC is running and that it is listening on port 5900 or 5901 then set the whole thing up like gilt said and it should work.

Think i may just have spotted the problem. You said

"on putty I have something like:

server IP by SSH. Then on tunnels I have: port 5901 to destination"

It seems to me you are forwarding port 5901 on your local machine to your port also on your local machine.

This wont work!

You need to change the to be your server Ipaddress in the tunnels section of putty.

Would have been easier if I just read the Question properly :)

Tunnelling over SSH is pretty easy, once you get the catch.

The two localhost make it quit hard to understand what you are doing, so let's say you've got 2 additional machines, 4 in total.
- CLIENT -> The PC where you are working on
- SSH1 -> The PC containing putty or another SSH tool on the CLIENT-side of the internet
- SSH2 -> The PC containing the SSH daemon on the SERVER-side of the internet.
- SERVER -> The PC where you want to connect to

To make it easy to read, I don't use IP adresses, but when the hostname is between triangles (like <CLIENT>) I mean the IP address of that server.

You were already that far that you could get setup an SSH connection between SSH1 and SSH2. So now we are going to build the tunnel. If you start Putty, fill in the 'Session' section and continu to the Connection -> SSH -> Tunnels section. Next follow these instructions:
- Tick 'Local ports accept connections from other hosts' -- this enables CLIENT to connect to the SSH tunnel
- For Source-port use 1234 -- this makes port 1234 on SSH1 available so CLIENT can connect to this port.
- For Destination use <SERVER>:5900 -- this ensures that everything that comes in on port 1234 on SSH1 gets forwarded to SERVER:5900. This forwarding is transparent, so for CLIENT it appears that SSH1 is SERVER.

Now press the Open button and login to the remote system. Once logged in, right-click on the putty title-bar and select Eventlog. In this log you should see a line:
<timestamp> Local port 1234 forwarding to <SERVER>:5900
If you don't see a line like this, something went wrong and you have to recheck your settings. Otherwise you can continu.

Now go to CLIENT and start the VNC-Client software and have it connect to <SSH>:1234. Immediately you should see a line like:
<timestamp> Opening forwarded connection to <SERVER>:5900
If you don't see a line like this, there maybe a firewall on SSH1 that is blocking traffic.
If you do see such a line, but still get connection refused, it is the VNC service or the firewall on <SERVER> that is blocking the connection.
Now, back to two machines. The setup is basically the same, although you don't tick the 'Local ports accept connections from other hosts'. Furthermore, you can use 'localhost' in the destination field, making the SSH daemon forward the requests to it's own local VNC service. And you can use 'localhost' with the VNC-client to connect to the PUTTY port that resides on the same machine as the VNC client.

Last not least I used local port 1234 in my example as it may be possible that port 5900 on your VNC-client machine is already in use by VNC or X. So to rule that out, try not to use the 'default' ports. Since it can be any port you like as long as the client is able to connect to it.
wlandymoreAuthor Commented:
I went through those things and I get "the connection closed unexpectedly. Do you wish to attempt to reconnect to localhost:1?"

I've tried every combination I can think of with the sourceport, etc. and this is what I get. If I try to connect using another port it will say that the connection has been refused (as expected). But every time I try to connect with the suggested parameters, it gives me the closed connection message.

I was talking to the network administrator on the other end where the server is and he doesn't seem to be blocking anything and can see the SSH connection coming in successfully. Is there anything he has to allow besides the port 22 or does all of the usally VNC connection stuff get passed through this port?
what parameters do you use to connect to?

This message usually appears when an SSH connection is terminated. It has nothing to do with the tunnels. And port 1 (localhost:1 means localhost port 1) and is the tcpmux. So if you wish to connect with SSH, first fill in the 'connection' sheet and set the hostname or IP address and select the SSH protocol, but leave the portnumber intact.

Next you have to login to the system. (Without login, no tunnels).

For the tunnels, it is generally not smart to connect to ports lower than 1024. Sometimes you don't have a choice (for example, SMTP always uses port 25, DNS always uses port 53 and so on). So since you have a choise (the VNC client can connect to any port), use a port above 1024. For example 1234 of 5000.
Did you change the Ipaddress as I suggested?
wlandymoreAuthor Commented:
I am connecting from my computer to another server using putty:

host IP: <SERVER IP> on port 22

Tunnels: sourceport - 5901
             destination - localhost:5900

Then I'm opening the SSH and logging in with admin/password and it's accepting that and opening the SSH connection. Then I'm minimizing the SSH and opening VNC and using localhost:1 or localhost:5901 and both give me the 'connection closed unexpectedly' message. It seems like the SSH is open and working properly, but that there is something wrong with the VNC.  I checked with the admin. on the other end and he told me that the VNC server service was running though.
wlandymoreAuthor Commented:
I tried everything in the suggestions above and those didn't work either so I just went back to what the document I have on VNC through SSH was suggesting.
Oh forgot to answer your last question...

Why do you think the technique is called 'tunnelling'? If you build an normal traffic tunnel, you can see what goes into the tunnel and what comes out of it. But from the air, you only see the tunnel itself, not what's passing thru it.

SSH multiplexes and encrypts all the traffic that it forwards. The only thing the firewall is able to see is the tunnel -- one bunch of encrypted garbage between the SSH-server (usually on port 22) and the client. No matter how many ports you forward, everything will go thru the tunnel.

The are only two machines who know what traffic goes thru the tunnel, the SSH server and the SSH client. All the machines in between, only see the SSH tunnel itself, not the contents.
What does the Putty Eventlog say?
(right click on the title-bar of an connected SSH window -> Event Log)
wlandymoreAuthor Commented:
I'm just grasping at straws here....I know the concept behind the tunnel, I was just hoping there was something extra that might be missing from the firewall.

But thanks for the condescending comment there.....:)
Nah when the SSH connection is established, the tunnels should work as well. In fact, you can easily break thru the firewall using SSH and tunnels.

For example, many corperate firewalls block access to non-standard ports (80 and 443) by default so it is not possible to connect from an corperate site to an SSH server on the internet.

Except when you configure the SSH daemon to run on port 443 and have the client connect to it. Most firewalls can't see the difference between an HTTPS handshake and an SSH handshake and allow connection. So at home I have an Linux-machine with SSH running on port 443 and a proxyserver (squid). Meaning that I can connect to my homenetwork from every pc as long as port 443 is not blocked. And I can also setup a tunnel to the proxyserver to access websites if they are blocked by the corperate firewall. (Some companies block the website of their competitors).

So there's your proof that you only need 1! port for SSH. And usually that is port 22.
wlandymoreAuthor Commented:
2006-04-10 13:27:53      Looking up host ""
2006-04-10 13:27:53      Connecting to port 22
2006-04-10 13:27:53      Server version: SSH-2.0- SSH Tectia Server
2006-04-10 13:27:53      We claim version: SSH-2.0-PuTTY_Release_0.58
2006-04-10 13:27:53      Using SSH protocol version 2
2006-04-10 13:27:58      Using Diffie-Hellman with standard group "group1"
2006-04-10 13:27:58      Doing Diffie-Hellman key exchange
2006-04-10 13:27:58      Host key fingerprint is:
2006-04-10 13:27:58      ssh-rsa 1536 99:00:00:80:00:77:88:dd:ad:44:cc:99:00:07:00:00
2006-04-10 13:27:58      Initialised AES-128 client->server encryption
2006-04-10 13:27:58      Initialised HMAC-SHA1 client->server MAC algorithm
2006-04-10 13:27:58      Initialised AES-128 server->client encryption
2006-04-10 13:27:58      Initialised HMAC-SHA1 server->client MAC algorithm
2006-04-10 13:28:07      Access granted
2006-04-10 13:28:07      Opened channel for session
2006-04-10 13:28:07      Local port 5901 forwarding to localhost:5900
2006-04-10 13:28:07      Allocated pty (ospeed 38400bps, ispeed 38400bps)
2006-04-10 13:28:07      Started a shell/command

That's the output of the log for putty
O.K.  It looks like you are connecting with SSH.

Doing localhost:5901 (based on your other posts) in VNC should work, as Putty should be listening on port 5901 and forwarding to port 5900 on the remote box.  Now is VNC up and running on the remote box and it is listening on port 5900.
wlandymoreAuthor Commented:
as far as I know it is. But this is questionable because I asked the admin. that before and he called me back the first time to say that SSH wasn't running and then to say that VNC service wasn't running after that. However, we were on the phone for a little while and he said that he was connected to it through VNC. The service would have to be running for him to do that, but this is pretty tough without the box in front of me and not knowing what they're doing.
They said that they didn't change any of the default values so it should be listening on 5900, but I didn't get them to run a netstat or something that would show what ports the server is listening on.
wlandymoreAuthor Commented:
also, if the VNC server service isn't running shouldn't I get a 'Connection refused (10061)' error....not 'the connection was unexpectedly closed'....
If you get the "Connection was unexpectedly closed" message, then something is happening to the entire connection (probably you will be logged out of the SSH-terminal as well).

Can you keep the session open for -say- 10 minutes without starting a tunnel? If so, does the ssh-server support tunnelling and is it allowed to do so? If you cannot keep the session open for 10 minutes, does it close with an timeout or with the same "unexpectedly closed" message?
You need a VNC server running for each concurrent connection.  If he was connected to the VNC server and did not disconnect, then you would get rejected.

I am assuming that you are running a Unix type OS on the other end, once you are SSH'ed into the other box issue the command:

     netstat -anA inet

and look to see if there is a connection to 5900 already.
You could also try telnet. Once you have created the ssh connection type


to check if there is a connection to vnc being made or if it is just not connecting at all. Post the results of this.

I still dont understand your configuration. I read again that you have your tunnel setup so that

"Tunnels: sourceport - 5901
             destination - localhost:5900"

What in reality is actually happening here is that putty is listening on port 5901 on your local machine and is then forwarding all traffic it receives on port 5901 to port 5900 again on your local machine. I cant possibly see how you expect this to work. Set up the tunnel again and specify that the destination IP address is that of the server that the VNC server is actually running on (which is


Tunnels: sourceport = 5901
              destination =  (If the vnc server is listening on port 5900)


Tunnels: sourceport = 5901
              destination =  (If the vnc server is listening on port 5901)

Then once you have done that try the telnet command above again and see what happens.

wlandymoreAuthor Commented:
I'm using the localhost:port because that's what it says in every article I've read on the internet about how to set them up.


if you read through that one, there is a section in the middle about using localhost in the putty tunnel
wlandymoreAuthor Commented:
They say in articles that the reason for that is if the SSH server and VNC server are running on the same box. If that's the case on the machine you want to control then you use the 5900 localhost:5900 type setup. If they are on different machines then that's when you have to change it to the IP address.


PAQed with points refunded (500)

Community Support Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.