VNC Reverse Port Forwarding over SSH Tunnel
by admin on Jul.01, 2009, under Uncategorized
Whoo, this article is going to be a bit of a mess, but to someone out there (even if it is myself a year from now) it will make complete sense, and that person is why I am writing it.
So I use VNC almost every day. It is a great, powerful, and free tool. Usually I use it in reverse VNC fashion: my viewer sits in listening mode, I open port 5500 on my firewall/router, and then all of my clients, no matter where they are, can "right click, Add New Client" as they know it, whether or not their corporate firewalls have any inbound ports open. Because the connection goes out from their side to my listening viewer, it just works. It's great!
Well, this week I moved into a second office in NYC where I will be working several or all days of the week, and I do not have my own Internet access or even access to the corporate firewall here. So I cannot open ports on the firewall here to let my clients connect to me from all abroad.
I knew there was an "easy" solution, one that I thought would take 5 minutes to implement. Of course I am writing this after 6 hours of trying, failing, repeat! But I did get it to work, and it's pretty cool!
Basically I have 4 pieces to the puzzle:
- My Desktop
- Firewall
- Linux Server on the internet
- End User
On my desktop I set up a remote port forward to the Linux machine via ssh:
ssh me@mymachine.com -R 5500:localhost:5500
This got me through the firewall and onto my Linux machine. The -R option tells sshd on the Linux server to listen on port 5500 and send every connection it accepts there back through the tunnel to port 5500 on my desktop, where the VNC viewer is listening.
I quickly connected to the server via ssh and tried it:
[root@backup ~]# telnet localhost 5500
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
AWESOME!!! It worked, or so I thought. Then I went to an end user's machine out there on the very big Internet and tried from there:
[me@some-other-very-far-machine ~]$ telnet mymachine 5500
Trying xx.xxx.xxx.xxx...
telnet: connect to address xx.xxx.xxx.xxx: Connection refused
telnet: Unable to connect to remote host: Connection refused
What the heck? I was stumped. I then figured out that by default sshd binds a remote-forwarded port to the loopback interface only, so the listener was reachable from the server itself but not through its external interface. What I wanted was for connections arriving on the external interface to reach that same listener. After a few hours of trying all sorts of crazy iptables rules I finally figured it out. It requires no iptables rules at all, just a one-line edit to /etc/ssh/sshd_config on the Linux server:
GatewayPorts no
change to
GatewayPorts yes
and restart (or reload) sshd so the change takes effect; the tunnel has to be re-established afterwards, because the listening socket is created when the -R forward is set up. Two things are worth knowing before you do it. GatewayPorts yes binds every remote forward requested by every user of that server to all interfaces; the narrower option, GatewayPorts clientspecified, leaves loopback as the default and lets the ssh client opt in per forward by putting an explicit bind address (0.0.0.0 or *) in front of the port in its -R argument. And either way, port 5500 on the server is now reachable from the whole Internet, and a listening VNC viewer accepts whatever connects to it, so limit the port to the source addresses you expect with the server's firewall, or at least keep an eye on what is connecting.
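As an added example, not code from the original post, here are two shell checks to run on the Linux server that tell you whether the fix actually took: the effective GatewayPorts value sshd will use (it takes the first uncommented value outside any Match block and defaults to no), and whether the forwarded port is bound to loopback or to all interfaces, judged from the output of ss -ltn (or netstat -ltn, which has the same shape). The sshd_config snippets and socket listings at the bottom are constructed to mimic the before and after states; port 5500 is taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Run on the "Linux Server
# on the internet" after starting the -R tunnel.

# Effective GatewayPorts value from an sshd_config read on stdin.
# sshd uses the FIRST value it sees for a keyword (outside Match blocks),
# and the default when the keyword is absent is "no".
gatewayports_setting() {
    awk '
        tolower($1) == "match"        { exit }      # per-user blocks start here
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }'
}

# Which address the given port is listening on, judged from
# "ss -ltn" or "netstat -ltn" output on stdin:
#   loopback  - 127.0.0.1 / [::1] only (GatewayPorts no: the failure in the post)
#   all       - 0.0.0.0 / * / [::]  (reachable from the outside)
#   specific  - bound to one real interface address
#   none      - nothing listening on that port
listen_scope() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" port "$")) {
                    addr = $i
                    sub((":" port "$"), "", addr)   # strip the ":port" suffix
                    if (addr == "127.0.0.1" || addr == "[::1]") loop = 1
                    else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") all = 1
                    else other = 1
                }
            }
        }
        END {
            if (all) print "all"
            else if (loop) print "loopback"
            else if (other) print "specific"
            else print "none"
        }'
}

# Constructed sample data (not captured from a real host) showing the
# state before and after the sshd_config change. Note the GatewayPorts
# inside the Match block does not count for the global default.
SSHD_CONF_BEFORE='Port 22
#GatewayPorts no
Match User backup
    GatewayPorts yes'

SSHD_CONF_AFTER='Port 22
GatewayPorts yes'

SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5500     0.0.0.0:*'

SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:5500       0.0.0.0:*
LISTEN 0      128    [::]:5500          [::]:*'

echo "before: GatewayPorts=$(printf '%s\n' "$SSHD_CONF_BEFORE" | gatewayports_setting)," \
     "port 5500 bound to: $(printf '%s\n' "$SS_BEFORE" | listen_scope 5500)"
echo "after:  GatewayPorts=$(printf '%s\n' "$SSHD_CONF_AFTER" | gatewayports_setting)," \
     "port 5500 bound to: $(printf '%s\n' "$SS_AFTER" | listen_scope 5500)"
```

On a live server you would feed the real files in: gatewayports_setting < /etc/ssh/sshd_config, and ss -ltn | listen_scope 5500. If the first prints clientspecified, the server-side default stays loopback and the desktop has to ask for the wider bind itself, as in ssh me@mymachine.com -R 0.0.0.0:5500:localhost:5500; if the second still says loopback after the edit, sshd was not restarted or the tunnel was not re-established.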
July 17th, 2010 on 8:12 am
Thank you for your post – it’s exactly what I need. Just for the sake of clarity – must you change sshd_config on the “Linux Server on the internet” or your local desktop box?
August 4th, 2010 on 10:27 am
Hey,
Made complete sense to me. Helped me out with something I’ve been pondering over for the last few hours. Thanks.
August 4th, 2010 on 10:39 am
Linux server on the internet.