More secure VNC by tunneling with SSH

I have a few virtual machines running on Xenserver on an old server at home.  One of the VMs is a desktop running Ubuntu that I want to be able to VNC into to get a GUI.  I set up VNC to access the GUI from my other computers inside my house but what about outside of my network?

VNC is NOT something that you want to port forward through your router.  Exposing VNC to the internet lets script kiddies exploit vulnerabilities in the service or, more likely, brute-force your VNC password and gain access to your machine.  The default VNC port (5900) is scanned constantly by scripts looking for machines to exploit, and changing the port from the default provides minimal, if any, protection (security through obscurity is never a good idea).

Step One: Create your accounts on the machine you will be connecting to via SSH with strong passwords.

We have been telling you what a strong password is incorrectly for years!  Better brush up by reading this post.

SSH isn’t perfect either.  There have been exploitable bugs in the past and there will be people scanning for this port as well.  A properly configured SSH server is still a lot more secure than VNC: the classic VNC password is truncated to eight characters, and a VNC session carries your screen and keystrokes unencrypted, so the SSH tunnel supplies both the stronger authentication and the encryption.

Step Two: Install SSH on a PC on your internal network

SSH doesn’t have to be installed on the same PC that you wish to control remotely but most people don’t have a pile of computers and virtual machines at home so it probably will be.

How to download and install SSH for your particular operating system really depends on that operating system and which flavour of SSH you are installing.  If you can’t figure out how to install SSH on your computer through a quick Google search then I don’t think you should be exposing your computer to the internet in this way at all.  You would probably be better served using GoToMyPC or a free alternative like TeamViewer – especially if this is a MS Windows computer.

For Windows I would recommend OpenSSH for Windows; the steps below are for that package.  (Windows 10 and later also ship an OpenSSH server as an optional feature that uses ordinary Windows accounts and does not need the mkgroup/mkpasswd steps.)  For Linux install the openssh server package using whatever package management utility your distro offers.

After SSH is installed you will want to configure it a bit to secure it better.  Firstly, do not allow root or administrator accounts to log in over SSH.  On Linux, check that /etc/ssh/sshd_config contains PermitRootLogin no; many distributions ship with root logins disabled or limited to key authentication, but verify rather than assume.  With OpenSSH for Windows only the accounts you add to its passwd file can log in, so add your ordinary user account and leave Administrator out:

  • Install OpenSSH by double clicking on the .exe file you downloaded.
  • Start a command prompt and navigate to the installation folder:

CD "C:\Program Files\OpenSSH\bin"

  • Create a ‘group’ for users on your machine by running the following command:

mkgroup -l >> ..\etc\group

  • Then run the below command for the users that you wish to provide access, in this case the user ‘Bob’:

mkpasswd -l -u Bob >> ..\etc\passwd

  • Bob can now log into the machine using SSH.

For the more security conscious, you can configure SSH to use key pairs (generated with ssh-keygen or PuTTYgen) instead of passwords, keeping the private key on a USB stick you carry with you.  Once the key works, set PasswordAuthentication no in sshd_config so a guessed password is no longer a way in.
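To check the server-side settings from Step Two on a Linux SSH host, here is an added example, not code from the original post: a small POSIX shell audit of sshd_config for the directives the post calls for (PermitRootLogin no, plus an explicit allow-list of accounts, which is the Linux equivalent of only adding Bob to the Windows passwd file) and for the key-only setting mentioned just above.  The directive names are real OpenSSH keywords; the two config files the script writes are constructed samples and the account name bob is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# policy described in Step Two. Directive names are real OpenSSH sshd_config
# keywords; the file contents below are constructed for the demonstration.

# Effective value of a directive. sshd honours the FIRST occurrence of a
# keyword, so a "PermitRootLogin no" appended to the end of the file does
# nothing if an earlier line already sets it. Keywords are case-insensitive.
# (Match blocks and the keyword=value spelling are not handled here.)
sshd_option() {
    file="$1"
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/   { next }                 # comment line
        NF == 0            { next }                 # blank line
        tolower($1) == key { print $2; exit }       # first occurrence wins
    ' "$file"
}

# Baseline from Step Two: no root logins, and an explicit list of accounts
# allowed in. Returns 0 when the file meets the policy, 1 otherwise; each
# failing directive is printed so the caller sees what to change.
sshd_baseline_ok() {
    file="$1"; rc=0
    v=$(sshd_option "$file" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin=${v:-unset} (want no)"; rc=1; }
    v=$(sshd_option "$file" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers unset (every local account may log in)"; rc=1; }
    return $rc
}

# Stricter option from the end of Step Two: keys only, so a password guess
# can never succeed no matter how long the attacker keeps trying.
sshd_keys_only() {
    file="$1"
    v=$(sshd_option "$file" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication=${v:-unset} (want no)"; return 1; }
    return 0
}

# Constructed samples. The weak file has the hardening line appended AFTER
# an earlier permissive setting, which is the classic mistake.
weak=$(mktemp); hardened=$(mktemp)
cat >"$weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later, but ignored by sshd because of the earlier line:
PermitRootLogin no
EOF
cat >"$hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers bob
EOF

if sshd_baseline_ok "$weak"; then echo "weak: passes (unexpected)"; else echo "weak: FAIL"; fi
if sshd_baseline_ok "$hardened" && sshd_keys_only "$hardened"; then echo "hardened: ok"; fi
```

On a real host run sshd_baseline_ok /etc/ssh/sshd_config.  The parser deliberately mirrors sshd's first-match rule but ignores Match blocks; for the authoritative effective configuration use sudo sshd -T | grep -i -e permitrootlogin -e passwordauthentication -e allowusers.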

Step Three: Install a VNC server on the PC you want to remote control

Since there are so many flavours of operating systems and versions of VNC out there I will leave this up to you to do.  Google is your friend.  One setting matters for this setup: if the VNC server runs on the same machine as the SSH server, make it listen only on the loopback interface (most Unix VNC servers take a -localhost option), so it can be reached only through the SSH tunnel and never directly from the network.  Once the VNC server is installed and listening, move on to the next step.

While you are here, download the VNC client software as well and keep it on a USB key or something so you can run it on the remote computer you want to connect from.

Step Four: Port forward the SSH port on your home firewall to the SSH computer in step two.

You should have a firewall appliance at home, probably it is incorporated into the modem that your ISP provided to you.  In order to connect to your computers from the internet you will need to open a port on your firewall to allow the traffic through and tell it where to send this traffic.

For my home network it looks like this:

  • Open a browser to 192.168.0.1 (IP address of your router, yours might be different)
  • Log in to the router.
  • Find the ‘Applications and Gaming’ or ‘Port Forwarding’ section.
  • Add a rule to forward traffic on the SSH port (22 by default) to your computer that you installed SSH on.
  • Save.

I’m not going to bother with pictures, because chances are your router is different than mine anyway.  If you have issues with this step, a great resource for how to do this on lots of different home firewall appliances is portforward.com.

Step Five: Configure Putty (or another SSH client)

Putty is the SSH client that I use.  It allows you to create tunnels that take the traffic on the PC you are on and push it through the SSH connection to your home network.  By doing this you benefit from only having to open the one port that you are SSHing through on your home firewall (22 by default), and all the traffic getting tunneled through this connection is encrypted – perfect for being at the coffee shop or hotel where who knows who is snooping on the WiFi.

Open Putty

Enter your internet connection’s public IP address in the Host Name field.  If you don’t know your public IP address you can use a site like http://www.whatismyip.com/.  If your ISP changes your address from time to time, a dynamic DNS name that your router keeps updated saves you having to look it up each time.

  • Next click open the SSH section in the left hand menu, and click on Tunnels.
  • In the Source port field enter: 5900
  • In the Destination field enter the internal IP address of the computer you want to control, followed by a colon and then 5900 (on Linux this will more than likely be 5901: VNC display :N listens on port 5900+N, and the first user display is usually :1).  It should look something like:

192.168.1.100:5900

  • Click the Add button to add the Tunnel.
  • Go Back to the Session tab using the left hand menu.
  • Provide a name for the connection and click the Save button.  Putty will save the configurations so you will only have to do the above steps once.
  • Click the Open button to connect.  Enter your password when prompted.
You can now fire up your chosen VNC client and connect to:
localhost:5900

And that’s it.  Now you are connected to your home computer using VNC through an encrypted SSH tunnel.
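For a client that is not running Windows, and for checking the setup, here is an added example in POSIX shell, not code from the original post: the OpenSSH command-line equivalent of the PuTTY tunnel from Step Five, plus a check that a port is bound to loopback only, usable on the home machine for the VNC listener from Step Three and on the laptop for the tunnel's local end.  The account bob, the host name home.example.net and the internal address 192.168.1.100 are placeholders, and the `ss -ltn` lines used to exercise the check are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSH command-line equivalent
# of the PuTTY tunnel from Step Five, and a loopback-only listener check.
# Account, host name and internal address below are placeholders.

# VNC display :N listens on TCP 5900+N (display :0 -> 5900, :1 -> 5901).
vnc_port() {
    echo $((5900 + $1))
}

# -L specification "bind_addr:local_port:vnc_host:vnc_port". Binding the
# local end to 127.0.0.1 explicitly keeps other machines on the coffee-shop
# WiFi from using your forwarded port (OpenSSH does this by default unless
# -g or GatewayPorts is set, but saying it makes the intent visible).
forward_spec() {
    local_port="$1"; vnc_host="$2"; display="$3"
    echo "127.0.0.1:${local_port}:${vnc_host}:$(vnc_port "$display")"
}

# Full command. -N: no remote shell, just the tunnel.
# -o ExitOnForwardFailure=yes: fail loudly if local_port is already in use
# instead of leaving you with a session and no tunnel.
tunnel_command() {
    user="$1"; home="$2"; spec="$3"
    echo "ssh -N -o ExitOnForwardFailure=yes -L ${spec} ${user}@${home}"
}

# Read "ss -ltn" (or "netstat -ltn") output on stdin; succeed only if every
# listener on port $1 is bound to 127.0.0.1 or [::1] and at least one exists.
# Run on the home machine with the VNC port to confirm -localhost took
# effect; run on the laptop with the local tunnel port to confirm the
# tunnel end is not reachable from the network.
listening_on_loopback_only() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, a, ":")
                if (n >= 2 && a[n] == port) {           # field is addr:port
                    addr = substr($i, 1, length($i) - length(port) - 1)
                    if (addr == "127.0.0.1" || addr == "[::1]") loop++
                    else other++
                    break
                }
            }
        }
        END { if (loop > 0 && other == 0) exit 0; exit 1 }'
}

# Usage on the laptop (placeholder names): start the tunnel in the
# background, confirm its local end is loopback-only, then point the VNC
# client at localhost:5900. Guarded so that sourcing this file has no
# side effects.
if [ "${TUNNEL_RUN:-0}" = "1" ]; then
    spec=$(forward_spec 5900 192.168.1.100 1)    # local 5900 -> Ubuntu VM display :1
    sh -c "$(tunnel_command bob home.example.net "$spec")" &
    sleep 2
    ss -ltn | listening_on_loopback_only 5900 \
        && echo "tunnel bound to loopback; connect the VNC client to localhost:5900"
fi
```

Run it with TUNNEL_RUN=1 sh tunnel.sh after editing the placeholders.  The local port you pick on the laptop does not have to match the VNC port; if 5900 is already taken locally (a VNC server on the laptop itself, say), forward from 5910 instead and connect the client to localhost:5910.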
