VNC over SSH via a firewall

I live in a student house with three other guys. All of us have computers and two are computer scientists. We have a cable modem for our internet access which provides high-speed access 24/7 for a flat fee. We have installed network cables under the floorboards so that we can all use our computers in our rooms.

The physics department is on the other side of town, a 20 minute bike ride away. It is extremely useful to be able to access my computer (which runs Windows) from the department. Since it runs Windows, the best way of doing this is by VNC.

Normally, connecting to a remote computer using VNC is a simple matter of running the server software on the computer you want to connect to, the client software on the computer you are sitting at, and just opening up a TCP/IP socket connection between the two.

However, because of the way our house network is set up, connecting to my computer from outside the house is much more complicated. There is only 1 IP address for the whole house, so my computer does not have a globally accessible IP address (it is known as 10.0.0.36 to the rest of the house). The cable modem is plugged into a firewall which does the appropriate packet forwarding and rejects all incoming connections except for SSH (which is a very sensible thing to do).

I could have opened up another port on the firewall and forwarded it to the VNC port on my computer, but this would be somewhat insecure. VNC uses challenge/response authentication, so it is unlikely that a malicious hacker could sniff the password, log in and take control of my computer. However, all of VNC's data is sent as plaintext, so the contents of the session itself would be susceptible to eavesdropping.

The solution to both problems is to route the VNC data over SSH. This is somewhat non-trivial to do, and the purpose of this document is to explain how it's done.

You need an SSH client which can do port forwarding at each end, and an SSH server running on the firewall. In this case, I am using a Windows NT machine running at the physics department to connect to my machine, which runs Windows 98. Both Windows machines can run Teraterm Pro with the TTSSH SSH extension. The firewall runs a Unix derivative, for which SSH software is ubiquitous.

On my computer I perform the following steps:

  • Set up the VNC server (which listens on port 5900)
  • Start Teraterm with the command "TTSSH /ssh-R40000:localhost:5900"
  • Log in to the firewall over the local network using its local IP address and the normal SSH port (22)

Next, I cycle to the physics department, log in and perform the following steps:

  • Start Teraterm with the command "TTSSH /ssh-L5900:localhost:40000"
  • Log in (securely) to the firewall using the normal SSH port (22) and the global IP address of the house.
  • Start the VNC client, connect to localhost, log in and it works!

There are a couple of complications. Firstly, our cable modem provider reserves the right to change our IP address at any time (we are not strictly speaking allowed to run servers). So I need a method to find our IP address. Fortunately, I already run ICQ so this provides a simple solution. A small ICQ client (if you don't have much space) can be found here. If you don't trust ICQ, you could write a small program to run on your machine to connect to a machine whose IP address you know, and another small program to run on that machine which you can connect to from elsewhere to find your IP address.

[Update] The latest versions of ICQ don't show you the IP addresses of people on your contact list who are online. A better solution is to use a dynamic DNS client (see, for example, http://www.dyndns.org). Then you don't need to install anything on the client machine, and just need to remember your hostname.

The other complication is that the Windows VNC server does not normally accept loopback connections (connections that arrive from the machine itself, which is what a connection coming through the forwarded port looks like to it). To enable them, run REGEDIT and add to the key HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3 a DWORD value with the name "AllowLoopback" and the value 1.
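As an added check (example code written for this page, not part of the original write-up, of TTSSH or of WinVNC), the following Python script tests the two things that most often go wrong with this setup. On the firewall, it checks that the reverse-forwarded port 40000 is bound only to the loopback address: OpenSSH does this by default, but if GatewayPorts is enabled in sshd_config the VNC server becomes reachable from the internet through the firewall, which is exactly what the tunnel was meant to avoid. On either end, it checks that something speaking the VNC (RFB) protocol answers on localhost:5900, which on the home machine doubles as a test of the AllowLoopback setting and at the department confirms the whole SSH chain before the viewer is started. The `ss`/`netstat` output samples and the stand-in VNC server are constructed for the example; the port numbers are the ones used on this page.

```python
"""Added example for the VNC-over-SSH write-up (not the page's own code).

Two checks: (1) parse `ss -ltn` / `netstat -ltn` output from the firewall and
report where the relay port is bound; (2) read the RFB greeting from a VNC
server to confirm it is reachable on the loopback address.
"""
import re
import socket
import threading

VNC_PORT = 5900      # port the WinVNC server listens on (from the page)
RELAY_PORT = 40000   # port the reverse tunnel opens on the firewall (from the page)

# Constructed `ss -ltn` output: the healthy case, relay port on loopback only.
SS_LOOPBACK_ONLY = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:40000     0.0.0.0:*
LISTEN  0       128     [::1]:40000         [::]:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""

# Constructed output for a firewall with GatewayPorts enabled: the relay port
# is bound to every interface, so the VNC server is exposed to the internet.
SS_GATEWAY_PORTS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:40000       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""


def relay_port_addresses(listing: str, port: int = RELAY_PORT) -> set:
    """Return the set of local addresses on which `port` is listening.

    Works on `ss -ltn` and `netstat -ltn` style lines: any field of the form
    ADDRESS:PORT with a numeric port is considered; the header's "Address:Port"
    and peer entries like "0.0.0.0:*" have no numeric port and are skipped.
    """
    addrs = set()
    for line in listing.splitlines():
        for field in line.split():
            m = re.fullmatch(r"(.*):(\d+)", field)
            if m and int(m.group(2)) == port:
                addrs.add(m.group(1).strip("[]"))  # "[::1]" -> "::1"
    return addrs


def relay_port_is_loopback_only(listing: str, port: int = RELAY_PORT) -> bool:
    """True when the relay port is bound and every binding is a loopback address."""
    addrs = relay_port_addresses(listing, port)
    return bool(addrs) and all(a.startswith("127.") or a == "::1" for a in addrs)


def rfb_server_version(host: str = "127.0.0.1", port: int = VNC_PORT,
                       timeout: float = 3.0):
    """Connect to host:port and read the 12-byte RFB greeting ("RFB 003.003\\n").

    A VNC server sends its protocol version as soon as the TCP connection is
    up, so nothing needs to be sent first. Returns (major, minor) when a VNC
    server answered, None when nothing is listening, the connection is refused
    or times out (e.g. WinVNC rejecting a loopback connection), or whatever
    answered is not VNC.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = b""
            while len(banner) < 12:
                chunk = s.recv(12 - len(banner))
                if not chunk:
                    return None
                banner += chunk
    except OSError:
        return None
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def start_fake_vnc(banner: bytes = b"RFB 003.003\n") -> int:
    """Constructed stand-in for a VNC server (test aid, not WinVNC).

    Listens on an ephemeral loopback port, sends `banner` to the first client
    and closes. Returns the port number so a caller can point
    rfb_server_version() at it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # On the firewall: feed in real `ss -ltn` output instead of the sample.
    print("relay port loopback-only:", relay_port_is_loopback_only(SS_LOOPBACK_ONLY))
    # On the home machine or (through the tunnel) at the department:
    print("VNC on localhost:5900 ->", rfb_server_version("127.0.0.1", VNC_PORT))
```

With OpenSSH instead of Teraterm, the two command lines on this page correspond to `ssh -R 40000:localhost:5900 <firewall>` on the home machine and `ssh -L 5900:localhost:40000 <house>` at the department; the checks above apply unchanged.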

Happy VNCing!
