VNC over internet.


by sim_tcr » Sat Dec 01, 2012 3:35 pm
Hello,

I currently have tightvnc installed and running and can connect to my pi over LAN. I would like to access my pi via VNC over internet. I am familiar with port forwarding. I understand that VNC is over port 5800 and 5900 by default. I would like to change that port to something random (to avoid bots as much as possible). Also would like to secure vnc (like SSH). So questions are,

How to change port of VNC?
How to Secure VNC like SSH?

Thanks,
Simon Mandy
http://raspisimon.no-ip.org
Raspberry Pi Model B x 2, Transcend 16GB Class 10, Transcend 8GB Class 4, Nokia Travel Charger ACP-12E 5.7V 800mA, Netgear WNA1000M Wifi Dongle/Ethernet
Posts: 311
Joined: Tue Nov 06, 2012 1:01 pm
Location: Bangalore
by bulletmark » Sat Dec 01, 2012 11:36 pm
In short (google to fill in the details), just forward a port from your home router to port 22 on your pi for ssh only. You don't need to forward VNC because you will tunnel that over ssh. I usually recommend using port 443 on your router for reasons I won't go into here. So:

1. Set a port forward on your home router WAN port 443 to pi LAN address + port 22.

2. On your client PC somewhere on the internet, just "ssh -p443 -L5900:localhost:5900 pi@router" where router is your router internet IP address (use dyndns.org or similar service if you have a dynamic IP). Add this to your ~/.ssh/config once you are happy with the settings to make it easier. Or configure the equivalent to this in PuTTY if using Windows.

3. Start any VNC client on your client pc and connect to localhost:5900.
Posts: 91
Joined: Wed Oct 17, 2012 10:10 pm
Location: Brisbane Australia
by sim_tcr » Sun Dec 02, 2012 2:33 am
My ssh is not over 22. It is on a random port.
I have forwarded my random ssh port and port 443 to pi's LAN address in router.
Logged in to pi via putty and executed ssh -p443 -L5900:localhost:5900 pi@<hostname>.no-ip.org. I get below error message,

ssh: connect to host <hostname>.no-ip.org port 443: connection refused

Note: I have a hostname registered with no-ip.com and my pi is set to run no-ip client to refresh the wan ip and no-ip hostname mapping in fixed intervals. I am able to connect to my pi using putty from outside LAN using <hostname>.no-ip>
by sim_tcr » Sun Dec 02, 2012 3:44 am
I didn't have ssh listening on port 443. So added port 443 in sshd_config and restarted ssh. But still when I execute ssh -p443 -L5900:localhost:5900 pi@<hostname>.no-ip.org I get ssh: connect to host <hostname>.no-ip.org port 443: Connection refused

But if I do ssh -p443 -L5900:localhost:5900 pi@<LAN IP> the error is different.

This is Simon Mandy's raspberry pi.
You are not welcome here!!!
Permission denied (publickey).


My ssh is set up to be accessed only using keys. Also in LAN I run vnc by vncserver :1 -geometry 800x600 -depth 16 -pixelformat rgb565: and access the pi using vncviewer using the address <LAN IP>:1
by bulletmark » Sun Dec 02, 2012 7:46 am
No. Don't touch ssh and anything on your pi. Please put it back how it was, i.e. leave sshd running on the standard default port 22. You said you were familiar with port forwarding so I did not go into the detail.

You say you forwarded your "random" ssh port and 443 to "pi's LAN address". That does not make sense? You forward from one address+port to another address+port. I am suggesting to you to forward your router port 443 to your pi address + port 22. That is all you need provided you have a VNC server running on your pi as well which I assume is the case given your OP. Then type the client command I gave you although change the second 5900 to 5901 given you now say you are using the second VNC session (VNC session :1 = VNC port 5901).

BTW, most routers will not allow you to test your public address from your LAN side. You have to execute that command from the internet. Take off the -p443 and use your local pi LAN address if you want to test that ssh tunnel on your LAN.
by sim_tcr » Sun Dec 02, 2012 8:40 am
bulletmark wrote:No. Don't touch ssh and anything on your pi. Please put it back how it was, i.e. leave sshd running on the standard default port 22..


Ok. I deleted port 443 entry and also changed to default port 22 in /etc/ssh/sshd_config. See below.

# What ports, IPs and protocols we listen for
Port 22


bulletmark wrote: You said you were familiar with port forwarding so I did not go into the detail. You say you forwarded your "random" ssh port and 443 to "pi's LAN address". That does not make sense? You forward from one address+port to another address+port. I am suggesting to you to forward your router port 443 to your pi address + port 22.


Maybe I should take my statement back about "I am familiar with port forwarding". I am attaching a screenshot of what I have done in my router (let me know if below is what you wanted me to do, if not please provide correct settings).

Blacked out entries are my Pi's static LAN ip address
by bulletmark » Mon Dec 03, 2012 4:37 am
Are you running a home web server? What is that port 80 forward for? Those other two 443 and 22 forwards are not what I suggested so delete them too if you thought you needed them for something I said. Forget about the router until you get the basic ssh + vnc stuff going first.

Make sure you can ssh into your pi from your lan pc. I.e. "ssh pi@piaddr". You seem to be using PuTTY so use the equivalent command. Also make sure you can VNC to your pi, i.e. "vncviewer piaddr:1", or the equivalent for whatever windows VNC client you are using.

If the above 2 things work then now try to use VNC via the ssh tunnel. I.e.

ssh -L5901:localhost:5901 pi@piaddr

then, also on your CLIENT pc, with the above running:

vncviewer localhost:1

That will make your VNC client connect to port 5901 on your client side, get intercepted and tunnelled by the existing ssh connection, and then get re-connected on the server side to port 5901 there, which should connect to the vnc server.

If all that works, now add a port forward on your router:

external port 443 (start and end)
protocol TCP
internal port 22 (start and end)
server address piaddr

Now try the above 2 commands from somewhere on the internet but replace piaddr in the ssh command with <your-ip>.no-ip.org and add a "-p 443" to connect to port 443 instead of 22 on your router. I use port 443 instead of 22 because most corporate firewalls block outbound port 22 connections (because ssh port forwarding can be a security problem) but few of them are smart enough to block ssh when you cheat by connecting out on port 443.

I am typing this without trying it so I apologise for any typos. I am away on holidays atm (hence my slow replies).
by sim_tcr » Mon Dec 03, 2012 10:21 am
bulletmark wrote:Are you running a home web server? What is that port 80 forward for?

Yes. I am running home webserver and port 80 is for that.
bulletmark wrote:Make sure you can ssh into your pi from your lan pc. I.e. "ssh pi@piaddr". You seem to be using PuTTY so use the equivalent command.

I am using putty to connect my pi from windows. My authentication method is using key and no password (only the passphrase for the key). I can connect to my pi using putty from windows. My putty is setup to authenticate using my ppk file.
bulletmark wrote:Also make sure you can VNC to your pi, i.e. "vncviewer piaddr:1", or the equivalent for whatever windows VNC client you are using.

I use vncviewer on windows and I can connect to pi from vncviewer on windows with "piaddr:1". After the connection is made at the bottom of the screen I see a message that "Unencrypted Connection"; this message goes away after a few seconds. To start my vncserver, on the pi I run vncserver :1 -geometry 800x600 -depth 16 -pixelformat rgb565:
bulletmark wrote:ssh -L5901:localhost:5901 pi@piaddr

I guess above command is illustrated from a pi terminal. How to do this from putty on windows?
I tried this from my pi terminal and I see below error message,
This is Simon Mandy's raspberry pi.
You are not welcome here!!!
Permission denied (publickey).


I did not try rest of your instructions. I will have to fix above and then proceed.
by bulletmark » Mon Dec 03, 2012 10:28 am
sim_tcr wrote:
bulletmark wrote:ssh -L5901:localhost:5901 pi@piaddr

I guess above command is illustrated from a pi terminal. How to do this from putty on windows?

No, it is not done in the pi terminal. It is done on your client exactly as the command quoted earlier, i.e. "ssh pi@piaddr" but with the extra -L option. As I said earlier, I am quoting linux examples. Since you use PuTTY you need to add the equivalent option in PuTTY to add that -L ... Look it up on google but you need to add a local port forward in PuTTY for that pi session connection to forward local port 5901 to remote host localhost and remote port 5901.
by sim_tcr » Mon Dec 03, 2012 11:28 am
bulletmark wrote:No, it is not done in the pi terminal. It is done on your client exactly as the command quoted earlier, i.e. "ssh pi@piaddr" but with the extra -L option

I am still a little confused here. Is the '-L' option to be configured on the putty session to my pi from windows? Assuming that answer is yes, I have configured my putty as below,

Then I connected to my pi from the tunnel configured putty. Issued
vncserver :1 -geometry 800x600 -depth 16 -pixelformat rgb565:
and then I launched vncviewer on windows and tried to connect to localhost:1 and it was a success. But I still saw the "Unencrypted Connection".

Did I succeed in using ssh tunnel to VNC?
by bulletmark » Mon Dec 03, 2012 12:26 pm
If you connected your vnc client to localhost, then yes it is now tunnelled via your ssh.

The vncserver running on the pi just sits and accepts connections on its host port 5901. It doesn't know, in this case, that the connection has actually been proxied from another program (sshd) running on the same box so of course it reports unencrypted because it looks like any other regular connection arriving on that port. But it is encrypted because it is carried via the ssh tunnel. In fact, the ssh encryption is superior and more flexible than what native VNC provides.

Now if you want to go further, most of us prefer to vnc to the default X console, not to a separate VNC session. The program x11vnc is excellent for this as it runs a VNC session on your default X session. Just "apt-get install x11vnc" on your pi and then "man x11vnc". The man page is excellent and gives plenty of examples on how to use it with ssh etc. Although sorry but please don't ask me to explain that ;)
by sim_tcr » Tue Dec 04, 2012 2:41 am
Finally everything works. I was able to test VNC from internet too. I did not have to do any additional port forwarding in my router. What I port forwarded is just my ssh port (I moved it back to a random port) and my web server port.
I launch a putty session to my pi (putty session is already configured to tunnel vnc). Once logged in I launch vnc viewer from windows machine and type in the address localhost:1 and I am in VNC.
Thank you bulletmark for your patience and for helping me out with this.
by bulletmark » Tue Dec 04, 2012 4:16 am
sim_tcr wrote:I did not have to do any additional port forwarding in my router. What I port forwarded is just my ssh port (I moved it back to a random port) and my web server port.


I didn't suggest you add any additional port forward. I was merely suggesting you use port 443 as your public port (instead of what you are calling a "random" port) and forward that to port 22 on your pi. Unless you are already using port 443 (i.e. you are running a home https server), I stated the reason why port 443 is the best port to use in my posts above.
by hobo4567 » Fri Apr 12, 2013 5:49 pm
I have set up the tunnel in ssh as above and launched VNC from my pc, but that's only on my home network.
I want to use the ssh tunnel for VNC on my ipod remotely. Further, how can I prove that VNC is connected via the ssh tunnel?
Posts: 9
Joined: Fri Aug 17, 2012 12:25 am
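One way to check from the Pi side that VNC is reachable only through the ssh tunnel, as an added example that is not part of the original thread: it scans listening-socket output for VNC ports bound to anything other than loopback. The function names and the sample `ss -tln` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which VNC listeners are reachable without the ssh tunnel.
# The sample lines below are constructed in the layout of `ss -tln` output.

# VNC display :N listens on TCP 5900+N (display :1 -> 5901, as in the thread).
vnc_port() {
    echo $((5900 + $1))
}

# Read `ss -tln` lines on stdin and print "address port" for every listener in
# the VNC ranges (5900-5999 RFB, 5800-5899 HTTP viewer) not bound to loopback.
# A loopback-only listener can be reached through `ssh -L` and nothing else.
exposed_vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4                          # local address:port column
        n = match(la, /:[0-9]+$/)        # position of the final ":port"
        if (n == 0) next
        port = substr(la, n + 1) + 0
        addr = substr(la, 1, n - 1)
        sub(/%.*$/, "", addr)            # drop an interface suffix such as %lo
        gsub(/^\[|\]$/, "", addr)        # [::1] -> ::1
        if (port < 5800 || port > 5999) next
        if (addr ~ /^127\./ || addr == "::1") next
        print addr, port
    }'
}

# Constructed sample: sshd on 22, display :1 on loopback only, display :2 on
# every interface, and a web server on 80.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 5 [::1]:5901 [::]:*
LISTEN 0 128 [::]:80 [::]:*
EOF
}

# On the Pi itself, replace sample_listeners with: ss -tln
exposed=$(sample_listeners | exposed_vnc_listeners)
if [ -n "$exposed" ]; then
    echo "VNC reachable without the tunnel on: $exposed"
else
    echo "All VNC listeners are loopback-only (display :1 = port $(vnc_port 1))"
fi
```

Starting the server with `-localhost` (an option of both TightVNC's Xvnc and x11vnc) binds it to loopback, so an empty result here means the ssh tunnel is the only path to the VNC session.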
by hobo4567 » Thu Jun 06, 2013 3:43 am
You can launch putty, connect to your raspi, then open vnc through (localhost1), if everything looks good then close putty, your vnc will lose its connection, it will be very obvious.
I use (xxx.xxx.xxx:5902) the outside IP address for vnc tunnel connection without the tunnel.
My raspi is on my network.
This is my bible on tunnel setup:
http://chamibuddhika.wordpress.com/2012 ... explained/
Have fun