
13/12/5

Smoothwall - Tunnelling VNC over SSH with PuTTY

Tunnelling VNC over SSH with PuTTY


[Tunnelling over SSH will work with all versions of Smoothwall.]

This page will show you how to tunnel VNC over a secure SSH connection using PuTTY, so you can securely administer computers which are behind your Smoothwall server via the internet. Information on tunnelling other types of TCP traffic over SSH is also provided. For more information on tunnelling VNC over SSH, or if you're not using PuTTY, have a look at my Tunnelling VNC Over SSH page.

Rather than using the root account for tunnelling traffic over SSH, you can create additional shell user accounts.

VNC:
VNC stands for Virtual Network Computing. It allows you to remotely view and control a PC desktop, and will run on a wide variety of operating systems. Visit the VNC website for more information, or to download it.

VNC and Security:


Because access to a VNC desktop generally allows access to your whole computer, security is very important. VNC uses encryption when making an initial connection, and when you log in. Once connected, all VNC data is unencrypted, and a malicious user could snoop your VNC session. There are also a number of VNC scanning programs available, which will scan a subnet looking for PCs which are listening on one of the ports which VNC uses.

Tunnelling VNC over an SSH connection allows you to use VNC to access your computer(s) which are behind your Smoothwall server, with all traffic strongly encrypted, and optionally compressed. Additionally, no VNC port is ever open to the internet, so anyone scanning for open VNC ports will not be able to find your computers. When tunnelling VNC over an SSH connection, the only port which you're opening on your Smoothwall server is its SSH port, 222.

Requirements:
You'll need:
- A Smoothwall installation (obviously...).
- PuTTY 0.52 or later.
- VNC installed on the PC on your green network.
- TCP port 222 opened on your Smoothwall server.
- The red IP address of your Smoothwall server (or a dynamic DNS account).

Setting up the Tunnel:


To allow incoming SSH connections via the red interface to your Smoothwall server, you'll have to open TCP port 222 on the "external access" page of your Smoothwall GUI. You'll also need to have VNC installed on the computer(s) on your green network (i.e. behind your Smoothwall) which you want to remotely administer. The diagram below shows the configuration I'll use to describe the process of tunnelling VNC over SSH.

- PC 1 is a Windows PC, with VNC Viewer and PuTTY installed on it.
- PC 2 is your Smoothwall server.
- PC 3 is a PC behind your Smoothwall server, running VNC Server.

From PC 1, you need to establish an SSH connection with PuTTY, and get PuTTY to forward the VNC port over this SSH connection. To do this, you need to configure PuTTY as follows:

For the hostname, specify the hostname or red IP address of your Smoothwall server. Select the SSH protocol, and specify the port as 222.

martybugs.net/smoothwall/puttyvnc.cgi


Then go to the Tunnels configuration, and add a new forwarded port, specifying the source port as 5901, and the destination as <pc>:5900, where <pc> is the name or IP address of the PC on your green network which you want to remotely connect to, 5901 is the port number on the local PC which you will be forwarding, and 5900 is the VNC port on your PC on your green network. Click the Add button to add this forwarded port.

Note that the destination port numbers may need to be modified for your particular configuration. A VNC Server on a Windows PC will listen on port 5900, while the first VNC instance on a Linux server will listen on port 5901, the second on port 5902, etc. Also note that if you specify a destination hostname instead of an IP address, your Smoothwall server must be able to resolve this hostname.

If you want to save the configuration settings before proceeding, go back to the Session configuration, specify a saved session name, and click the Save button. To connect to your Smoothwall server, click the Open button.


When the connection is established, you'll be prompted for a username (specify root) and the root password of your Smoothwall server. Log in, and you'll have an SSH prompt on your Smoothwall server. You now have a secure SSH connection between your Windows PC and your Smoothwall server, and are forwarding port 5901 to port 5900 on your PC on your green network.

Connecting with VNC:


To establish the VNC connection to the PC on your green network, start VNC Viewer on your PC, and connect to port 5901 on localhost (i.e. connect to localhost:1), and PuTTY will forward the traffic on port 5901 over the secure SSH link to your Smoothwall server.

You can then safely administer the PCs on your green network over this secure channel.
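The two claims above (only SSH port 222 answers on the red interface, and local port 5901 reaches a VNC server through PuTTY) can be checked by reading the greeting each service sends on connect. This is an added example, not part of the original page; the function names and the hostname `smoothwall.example.net` are hypothetical placeholders.

```python
import socket

def classify_banner(data):
    """Name a service from the first bytes it sends after the TCP connect."""
    if data.startswith(b"SSH-"):    # SSH identification string, e.g. SSH-2.0-...
        return "ssh"
    if data.startswith(b"RFB "):    # VNC (RFB) version greeting, e.g. RFB 003.008
        return "vnc"
    return "open"                   # connected, greeting not recognised

def probe_banner(host, port, timeout=3.0):
    """Connect once and return 'ssh', 'vnc', 'open' or 'closed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return classify_banner(s.recv(64))
            except socket.timeout:
                return "open"       # connected, but the server sent nothing
    except OSError:
        return "closed"             # refused, filtered or unreachable

def check_red_interface(red_host, ssh_port=222, vnc_ports=(5900, 5901, 5902),
                        probe=probe_banner):
    """Run from outside: SSH should answer on 222, no VNC port should answer."""
    findings = []
    state = probe(red_host, ssh_port)
    if state != "ssh":
        findings.append(f"port {ssh_port}: expected ssh, got {state}")
    for port in vnc_ports:
        state = probe(red_host, port)
        if state != "closed":
            findings.append(f"port {port}: reachable from the internet ({state})")
    return findings

def check_tunnel(local_port=5901, probe=probe_banner):
    """Run on PC 1 with PuTTY connected: the forward should reach a VNC server."""
    return probe("127.0.0.1", local_port) == "vnc"

if __name__ == "__main__":
    red = "smoothwall.example.net"  # hypothetical placeholder for your red address
    for finding in check_red_interface(red):
        print("FINDING:", finding)
    print("tunnel reaches VNC:", check_tunnel(5901))
```

PuTTY accepts the local connection even when the destination behind the Smoothwall is unreachable, so `check_tunnel` only returns true once the RFB greeting has actually arrived through the tunnel.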

Tunnelling Other Traffic:


Note that SSH can be used to tunnel most types of TCP traffic, and is certainly not limited to tunnelling VNC. For example, it's possible to tunnel Terminal Services traffic (aka Remote Desktop in Windows XP) in the same way, by tunnelling TCP port 3389. Similarly, telnet (TCP port 23), SMTP (TCP port 25), POP3 (TCP port 110), HTTP (TCP port 80), HTTPS (TCP port 443), IRC (typically TCP port 6667), and most other types of TCP traffic can be tunnelled over SSH in the same way. For most of these, you'll need to keep the source and destination port in the tunnel configuration the same, and then configure the client application to just connect to localhost.

You can also tunnel Smoothwall's HTTPS web interface over SSH, allowing you full remote access to your Smoothwall, but with only the SSH port open. To do so, you'll need to configure PuTTY to tunnel TCP port 441 to localhost:441, and then use your web browser to go to https://localhost:441.

Some Notes on Tunnelling Remote Desktop


When tunnelling Windows XP's Remote Desktop (RDP) over SSH, you cannot use the Remote Desktop client on a Windows XP desktop to connect to localhost, as the client on Windows XP prevents loopback connections. The solution to this is to use an alternative IP address for the source port. Instead of specifying 3389 as the source port in PuTTY, specify 127.0.0.2:3389, and specify the destination as described above. Once you have an SSH tunnel established, use the RDP client to connect to 127.0.0.2, and you should connect to the specified target PC.

Dynamic DNS:
If you want to connect to your Smoothwall server via the internet, you'll need to know its red IP address. The easiest way to do this is to sign up for a (free) dynamic DNS account, such as no-ip.com. Refer to the services -> dynamic dns page of your Smoothwall GUI to see which ones are supported natively by Smoothwall GPL.

Once you've signed up with a dynamic DNS provider, you'll have to configure your Smoothwall server to register with this provider whenever it establishes an internet connection. This configuration can all be done through the Smoothwall GUI. Once configured, you'll then be able to connect to the red interface of your Smoothwall server via the internet, using the domain name you signed up with.


last updated 19 Jan 2013


web by mpot. all content and images are copyright 2001-2013 Martin Pot (mpot). all rights reserved. unauthorised duplication, reproduction or distribution is prohibited.
