How to Secure your VNC by Tunneling over SSH
In this guide, you will learn how to tunnel your VNC connection over SSH. Now why would we go to the trouble to do this? The answer is simple: VNC traffic is all sent in plain-text and is not secure by its own. Due to this we'll want to secure our VNC connection by tunneling it over an encrypted SSH session. Doing this is very easy to do and requires minimal server configuration.
NOTE: This guide assumes you set up your VNC server using one of the GNOME or LXDE guides also included in this knowledge base. For simplicity we will be using port 5901 which corresponds to the first desktop server running. If you've configured your VNC for multiple users/desktops, you may need to change this port. All comments in this article will be preceded by a hash tag (#).
Configuring your VNC server to listen only on localhost
We will make our VNC server listen only on localhost so that it is not internet accessible. This is easily done by editing our VNC server configuration and restarting the VNC server.
# If on CentOS open up your config file using nano:
# If on Debian or Ubuntu open up your config file using nano:
# Edit the VNCSERVERARGS line for each VNC desktop you have configured, adding the -localhost parameter. The line should look something like this when done:
VNCSERVERARGS="-geometry 1024x768 -localhost"
# Save the file and restart your server using this command:
service vncserver restart
That's it for our updated server configuration!
Tunneling on Windows using PuTTY
Since Windows doesn't come with a pre-installed SSH client, we'll need to download one. The industry standard is called PuTTY, which can be downloaded using this link: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
# Open up PuTTY and using the Category menu, navigate to Connection -> SSH -> Tunnels. In the Source port field put 5901 and in the Destination field put localhost:5901 so that your window looks like below:
# Click the Add button and you should see an entry like this in the Forwarded ports list:
# Use the Category menu and go all the way back to the top and click on Session. In the Host Name field, enter your server's IP address or host name. It would be a good idea to save this session, so you won't need to configure the tunnel again. To do that, under Saved Sessions, give your session a name such as "VNC Tunnel" and click Save. Now when you open PuTTY again, you can select the session and click the Load button to quickly open your configuration.
# Click on Open and login with the username you created when intially setting up the VNC server. Leave the SSH window open to maintain your tunnel. Now in your VNC client you can connect to localhost:5901 and this will tunnel over SSH to your VNC server listening on localhost.
Tunneling on Linux using SSH
# Since most Linux distributions already have SSH installed, establishing the tunnel is as simple as executing this command in a terminal (Just be sure to change "vncuser" to your own username and "126.96.36.199" to your server's IP address):
ssh -L 5901:localhost:5901 -Nf firstname.lastname@example.org
# Enter your password at the prompt and the tunnel will be established.
# Let's examine what all these parameters do:
-L 5901:localhost:5901 # This part of the command binds the local port 5901 (the first port number) and instructs SSH to forward all traffic to that port to localhost:5901 on the remote server.
-Nf # The N instructs SSH to not execute any remote commands, as we are just opening a tunnel. The f tells SSH to keep the process in the background, you can remove this if you'd like to keep SSH open in the terminal.
email@example.com # This is the username you're trying to connect to on the remote IP address
# If you'd like to close the SSH tunnel and you've kept the f parameter included in your command, you can issue this command to close all SSH processes:
# Now you can connect with your VNC client using the address localhost:5901 with your traffic tunneled and encrypted over SSH.