Polydnj
Posts: 25
Joined: Wed Oct 10, 2012 1:59 am
Contact: Website

tight vnc outside local network

Thu Jan 03, 2013 2:23 pm

Okay, so my Raspberry Pi computer is reachable from anywhere on the internet with no-ip.com and port forwarding. I'm using tightvnc server to remote into my machine, but the only security is a password. What are the possibilities of setting up ssh keys instead of a password with tightvnc? :D

Here's my specs :arrow:
1) Have ssh keys set up for sftp
2) Running soft-float operating system
3) tightvnc is only password protected atm
4) Have port forwarding w/ noip.com

diereinegier
Posts: 166
Joined: Sun Dec 30, 2012 5:45 pm
Location: Bonn, Germany
Contact: Website

Re: tight vnc outside local network

Thu Jan 03, 2013 2:56 pm

If you can already ssh into your machine you may consider ssh with X11 forwarding.
You will have to have an X11 Server running on your desk/lap and an ssh client. This should be quite safe since it uses the same encryption as ssh.

Another route is to use the package xrdp that makes your machine available for remote desktop protocol. This will need additional forwarded ports. Was slow for me even in the local network. Nice feat is that every Windows box has an RDP client.
Download my repositories at https://github.com/GeorgBisseling

zerophnx
Posts: 16
Joined: Wed Aug 15, 2012 5:43 pm
Location: NY, USA

Re: tight vnc outside local network

Thu Jan 03, 2013 4:48 pm

You could use SSH tunnels. You wouldn't have to forward any ports besides the one for your SSH server.

Basically, this takes an IP:port from the SSH server's (remote) network and creates a port on your client that you can use to connect to the remote IP:port. Any traffic over this "tunnel" is encrypted (I think it's the same encryption as your SSH connection).

For example, I have local port 9000 set to connect to 192.168.1.XXX:3389, which is a Windows machine on my home network.

After connecting to the SSH server from work (using PuTTY), I open the RDP client and enter "localhost:9000". Then I'm presented with a username/password prompt from the Windows box at home (assuming I remembered to wake it up first).

Just a possibility. :)

Polydnj
Posts: 25
Joined: Wed Oct 10, 2012 1:59 am
Contact: Website

Re: tight vnc outside local network

Fri Jan 04, 2013 4:29 pm

Okay, thanks for the reply. Is there any way to configure tight vnc server to be like an ssh server? I mean so that you can switch off password authentication and only allow SSH keys (rsa-2)? Would I need another piece of software instead that can do this automation for me?

-Daniel

Polydnj
Posts: 25
Joined: Wed Oct 10, 2012 1:59 am
Contact: Website

Re: tight vnc outside local network

Sun Jan 06, 2013 5:06 pm

Great, I am now better educating myself on SSH tunneling, and it securely works, which is a start!
Here is a great quote I found in regards to VNC:
Although TightVNC encrypts VNC passwords sent over the net, the rest of the traffic is sent as is, unencrypted (for password encryption, VNC uses a DES-encrypted challenge-response scheme, where the password is limited by 8 characters, and the effective DES key length is 56 bits). So using TightVNC over the Internet can be a security risk. To solve this problem, we have plans to implement built-in encryption in future versions of TightVNC.

In the mean time, if you need real security, we recommend installing an SSH server, and using SSH tunneling for all TightVNC connections from untrusted networks.

zerophnx
Posts: 16
Joined: Wed Aug 15, 2012 5:43 pm
Location: NY, USA

Re: tight vnc outside local network

Sun Jan 06, 2013 6:26 pm

Glad to hear it's working for you!

I'm waiting for the built in encryption too :)

micerinos
Posts: 74
Joined: Fri Nov 09, 2012 11:15 am
Location: Madrid, Spain

Re: tight vnc outside local network

Wed Jan 09, 2013 4:20 pm

Hi,
in vncviewer, you have an option called --via GATEWAY. The full command would read:

vncviewer -via YOUR_RPI_IP localhost
You should NEVER use plain vnc over the internet. Close vnc port from outside your network (only 22 open to the internet, and better without password authentication), set up ssh keys, and you simply need this command to connect. There is no need for vnc servers to also be ssh servers. It is really weird tightvnc guys are planning to implement encryption as this would break a standard communication protocol.

Cheers
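
The checks implied by the post above (password logins off, key logins on, VNC not listening on a routable address), as an added example that is not part of the original thread: a POSIX shell audit over `sshd_config` text and `ss -tln` output. The function names, the 5900-5999 port range and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Effective global value of an sshd_config keyword. sshd keeps the first value
# it reads and keywords are case-insensitive; $3 is the built-in default.
sshd_setting() {  # $1=config text  $2=keyword  $3=default
    printf '%s\n' "$1" | awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }          # "Keyword=value" is also legal
        tolower($1) == "match" { exit }        # read the global section only
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }'
}

# Listeners on VNC display ports (5900-5999, an assumed range) that are not
# bound to loopback, taken from `ss -tln` output.
exposed_vnc() {  # $1=ss output
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, p, ":"); port = p[n] + 0
            addr = substr($4, 1, length($4) - length(p[n]) - 1)
            if (port >= 5900 && port <= 5999 && addr !~ /^127\./ && addr != "[::1]")
                print $4
        }'
}

# One line per finding; no output means the setup matches the advice.
audit() {  # $1=sshd_config text  $2=ss output
    [ "$(sshd_setting "$1" PasswordAuthentication yes)" = no ] ||
        echo "FAIL: sshd accepts password logins"
    [ "$(sshd_setting "$1" PubkeyAuthentication yes)" = yes ] ||
        echo "FAIL: public-key authentication is disabled"
    exposed_vnc "$2" | while read -r l; do
        echo "FAIL: VNC listener $l is not bound to loopback"
    done
}

# Constructed sample inputs (not taken from the thread).
BEFORE_CFG='Port 22
#PasswordAuthentication no
PubkeyAuthentication yes'
BEFORE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*'
AFTER_CFG='PasswordAuthentication no'
AFTER_SS='LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*'

echo "before:"; audit "$BEFORE_CFG" "$BEFORE_SS"
echo "after:";  audit "$AFTER_CFG" "$AFTER_SS"
```

On a live host, the output of `sshd -T` (the effective configuration) can be passed to `sshd_setting` in place of the raw file text.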

Polydnj
Posts: 25
Joined: Wed Oct 10, 2012 1:59 am
Contact: Website

Re: tight vnc outside local network

Thu Jan 10, 2013 3:24 pm

I understand it is a bad idea to use vnc over the internet because of snooping and viruses. Since my situation is using "tight vnc portable" on a pendrive, using the command line is not possible.

When you say only open port 22, that is for SFTP, correct? Because I changed my default SFTP port and opened that on my router instead.

micerinos
Posts: 74
Joined: Fri Nov 09, 2012 11:15 am
Location: Madrid, Spain

Re: tight vnc outside local network

Thu Jan 10, 2013 4:24 pm

22 is the default port for ssh service. sftp is an extension of the ssh protocol to allow for easy file transfers. No need to change your default sftp port, ssh daemon takes care of spawning an sftp server on demand as well. I'm not sure if I understood your setup, though.
If running windows, you can either start using unix :D (a great idea for countless reasons unless you are a designer or the like) or use putty as commented above to forward port 5900 of your raspi to your local port 5900 (being the default port, makes configuration always simpler). This way, you will connect simply to localhost machine with your vnc client. This setup only requires port 22 to be visible from the internet. All the other ports should be filtered or closed.

Polydnj
Posts: 25
Joined: Wed Oct 10, 2012 1:59 am
Contact: Website

Re: tight vnc outside local network

Thu Jan 10, 2013 9:19 pm

You my friend are right! I remember now why I changed da' default SSH port, because originally I was using a password handshake! Now I use keys (RSA-2) instead so I should not have switched to some "secret" port.

Everything is tested and working A+ on Raspbian Soft-Float, thanks folks

sdse78
Posts: 25
Joined: Thu Apr 11, 2013 1:31 am
Location: San Diego, CA

Re: tight vnc outside local network

Tue May 07, 2013 5:39 am

Hi,

Can you explain how you made this possible in greater detail please? :ugeek:

dotsdan
Posts: 16
Joined: Thu Feb 21, 2013 2:50 pm

Re: tight vnc outside local network

Tue May 07, 2013 12:51 pm

It is called setting up SSH keys. Here is my favourite guide.
http://raspi.tv/tag/ssh-keys-raspberry-pi

sdse78
Posts: 25
Joined: Thu Apr 11, 2013 1:31 am
Location: San Diego, CA

Re: tight vnc outside local network

Wed May 08, 2013 4:06 am

Polydnj wrote:
Okay, so my Raspberry Pi computer is reachable from anywhere on the internet with no-ip.com and port forwarding. I'm using tightvnc server to remote into my machine, but the only security is a password. What are the possibilities of setting up ssh keys instead of a password with tightvnc? :D

Here's my specs :arrow:
1) Have ssh keys set up for sftp
2) Running soft-float operating system
3) tightvnc is only password protected atm
4) Have port forwarding w/ noip.com

Can you post your steps for how you did this?
