more info
Authored by: kyngchaos on Jan 04, '06 11:04:34AM

I finally had a chance to try this out and experiment. Here's what I found, that might help others. (Sorry if it duplicates info in other ssh tunneling hints.)

First, the details of the ssh tunnel in the script: (this is what I had trouble wrapping my brain around)

ssh username@tunnel_server -N -L 5900:tunnel_dest:5900

tunnel_server is the computer acting as the go-between. It is visible to the client computer (ie on the internet). It can be the same as the computer one is tunneling to.

username is a user on the tunnel_server.

tunnel_dest is the ultimate goal, and where it gets tricky. If one follows this hint, so that it's another computer than the tunnel server, then the destination must have the VNC port open on its firewall and the VNC server must accept outside connections (not just local connections), and it will be an insecure connection from the tunnel server to the destination; only the tunnel from the client through the tunnel server is encrypted. At least this is how I figure it.

To make a secure connection all the way through to the destination, one would have to do a double-tunnel, or some such thing. I haven't got to the point of trying that, though I have done that in the past with a plain ssh terminal session (ssh to a server visible on the internet, within that connection ssh to the Mac behind the firewall).

Another possibility is directly tunneling to a Mac, on the same network as the client. This will be a secure connection to the destination, and doesn't require the intermediate server. This would be:

ssh username@tunnel_dest -N -L 5900:127.0.0.1:5900

The destination acts as the tunnel server, and localhost (127.0.0.1) on the destination computer is now the destination address. One still connects to 127.0.0.1 in the VNC client. A couple of these is what I'm guessing would be needed to do the double-tunnel trick, unless there is a more direct way that an ssh guru knows about.

A note on the OSXvnc server app - make sure to turn on the Allow Only Connections option for the best security, unless you are using the original hint straight.



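The three tunnel shapes discussed in the comment above, as an added shell example that is not part of the original hint or of the comment. It builds the ssh invocations for the via-a-server case, the direct case, and the chained "double tunnel" case, and checks that the local end of the forward is bound to loopback. User names, host names and port numbers are illustrative assumptions. The chained form uses the -J (ProxyJump) option, which OpenSSH 7.3 and later provide; it runs the two ssh hops in one command, so the forward's far end is the destination's own loopback and no plain VNC traffic crosses the network between the tunnel server and the destination.

```shell
#!/bin/sh
# Added example (not from the original hint or comment). Every forward binds
# its local end to 127.0.0.1 explicitly, so other hosts on the client's network
# cannot use the tunnel. Names and ports below are illustrative assumptions.

# Case 1: client -> tunnel_server (encrypted) -> tunnel_dest (plain VNC unless
# tunnel_dest is the server itself). Args: user, tunnel_server, tunnel_dest, local port.
vnc_tunnel_via() {
  printf 'ssh -N -L 127.0.0.1:%s:%s:5900 %s@%s\n' "$4" "$3" "$1" "$2"
}

# Case 2: ssh straight to the VNC host; the far end of the forward is that
# host's own loopback, so its VNC server may stay local-only.
# Args: user, destination, local port.
vnc_tunnel_direct() {
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:5900 %s@%s\n' "$3" "$1" "$2"
}

# Case 3: end-to-end encrypted "double tunnel" in one command with -J
# (ProxyJump, OpenSSH 7.3+). The same user name is assumed on both hops.
# Args: user, jump host, destination, local port.
vnc_tunnel_jump() {
  printf 'ssh -N -J %s@%s -L 127.0.0.1:%s:127.0.0.1:5900 %s@%s\n' "$1" "$2" "$4" "$1" "$3"
}

# Check: is the local end of a -L forward spec provably bound to loopback?
# A spec with no bind address ("5900:host:5900") is reported as not provably
# safe, because ssh then falls back to the GatewayPorts setting.
forward_is_loopback_only() {
  case "$1" in
    127.0.0.1:*|localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo when run directly: print the three commands and check their forwards.
if [ "${1:-}" = "--demo" ]; then
  vnc_tunnel_via    alice gw.example.net 10.0.0.5 5900
  vnc_tunnel_direct alice mac.example.net 5901
  vnc_tunnel_jump   alice gw.example.net 10.0.0.5 5900
  forward_is_loopback_only "127.0.0.1:5900:10.0.0.5:5900" && echo "forward bound to loopback"
fi
```

Run with `sh tunnel.sh --demo` to see the three commands; in each case the VNC client still connects to 127.0.0.1 on the chosen local port, as the comment describes.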