# Tunneling vnc through ssh

## Lemma

Hi.

This has been in a few threads before but I just can't get it to work...

What I want to do (for now) is to tunnel a vnc-connection from computer dobby to computer anton via an ssh tunnel.

What I do is the following:

 *Quote:*   

> In shell 1
> 
> daniel@Anton daniel $ ssh -C -L 5905:anton:5905 dobby
> 
> daniel@dobby's password:
> ...

 

When I do that, the following appears in shell 1:

 *Quote:*   

> daniel@dobby daniel $ channel 2: open failed: administratively prohibited: open failed
> 
> 

 

I take it that it has to do with permissions in one way or another, but what? What does "administratively prohibited: open failed" mean? I am lost here...

----------

## Lemma

I just found out that I can get it to work using 

```
ssh -C -L 5905:localhost:5905 dobby
```

 instead of 

```
ssh -C -L 5905:anton:5905 dobby
```

 To me, that is a bit strange - is not that the same? In /etc/hosts they are both set to my ip...  :Shocked: 

----------

## sschlueter

If you are @anton and type "ssh -C -L 5905:anton:5905 dobby", then you have created a loop inside your local port forwarding! 

 *Quote:*   

> 
> 
> -L port:host:hostport
> 
> Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.  This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.  Port forwardings can also be specified in the configuration file.  Only root can forward privileged ports.  IPv6 addresses can be specified with an alternative syntax: port/host/hostport
> ...

 

That means: The "host" is seen from the remote machine's perspective, that means "ssh -C -L 5905:localhost:5905 dobby" is what you want because localhost=dobby.

"administratively prohibited" is probably due to some iptables rule. If I type the command that you typed, I get "Connection refused".

Maybe you should take a look at the tightvnc package. It makes things easier because you can simply type "vncviewer -via dobby localhost"

----------

## Lemma

 *Quote:*   

> Maybe you should take a look at the tightvnc package. It makes things easier because you can simply type "vncviewer -via dobby localhost"

 What I want in the end is being able to use putty (a MS windows ssh-client). This is because I am trying to make it possible for the other staff (at my institution) to connect to their workstation from home or any other place using tightvnc - sadly, via does not work under windows. Even more so, even if I have been able to get tightvnc to tunnel through ssh from linux -> linux, I can not get putty to tunnel. I am running win98 (win4lin) and if I initiate an ssh-tunnel from a linux shell, I can get vncviewer:5 to work from both w98 and linux, but if I try the same using putty, I have no luck. I am beginning to wonder if it is a bug in it but I have not been able to find an older version of putty  - yet. I have located a few vnc-through-(putty)ssh-tunnel-howtos and I am sure I am doing everything correctly (and I have been able to make it work from linux, so it is not a server related problem) but still, nothing. I have read the ssh-man but I have not been able to figure out how to print out redirections - it should be possible to check if the port-forwarding is working that way... Via putty, I can log in but as for the forwarding ... This is getting annoying  :Embarassed: 

----------

## sschlueter

Mmh, port forwarding with putty works fine for me. I have tunneled vnc connections with no problems. Do you run putty and vncviewer at the same machine?

----------

## Lemma

 *Quote:*   

> Mmh, port forwarding with putty works fine for me. I have tunneled vnc connections with no problems. Do you run putty and vncviewer at the same machine?

 In short, yes, I do  :Wink: . I have now tested it from a computer running winNT and from that computer all did work fine, so I guess it had to do with me running from w98 inside (or rather on top of) linux (win4lin). What is left is to have to also make ssh-tunnels between dobby and computers running tightvnc-servers on top of windows.

 *Quote:*   

> Tightvnc-server(winOS) <-> (unencrypted ssh-tunnel) <-> dobby(gentoo running sshd) <-> firewall (encrypted ssh-tunnel) <-> Tightvnc-viewer(winOS)

 Can I make this work (and I can) will it benefit the institution and promote linux as a viable solution in some cases - the first is more important  :Wink: .

----------

## sschlueter

 *Lemma wrote:*   

> Can I make this work

 

I'm not quite sure if this is a question or a statement  :Smile: 

But anyway: Yes, it's possible. In this case the destination host of the forwarded connection is not localhost but the machine that runs the vncserver.

----------

## Chris W

 *Quote:*   

> daniel@Anton daniel $ ssh -C -L 5905:anton:5905 dobby 

 

This command doesn't look right.  You are on anton connecting to dobby with SSH.  You are asking dobby to connect to anton:5905 on your behalf and make that connection available on anton at port 5905.   So, your ssh on anton has a socket open at port 5905 listening for connections, meanwhile dobby is trying to connect the other end of this tunnel to anton on port 5905.  See the circularity here?

I assume that the vncserver is either on dobby or another machine dobby has access to, so the command should be more like: 

```
daniel@Anton daniel $ ssh -C -L 5905:dobby:5905 dobby

OR

daniel@Anton daniel $ ssh -C -L 5905:othermachine:5905 dobby 
```

----------

## funkmankey

personally, I prefer to just forward X when I ssh to the remote machine and then run vnc "locally" (cygwin X-server is reasonably decent if you really have to use windows...)

putting

```
ForwardX11 yes
```

into ~/.ssh/config removes much of the hassle of specific ssh port forwarding...

also, 

```
LocalForward
```

 tends to make less confusion when dealing with specific ports. I never liked the commandline args for that stuff...
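
The forwarding rule explained by sschlueter and Chris W above, together with the `LocalForward` option mentioned here, as an added example (not code from any poster): a small shell helper that classifies an `-L` spec from the SSH server's point of view and prints the matching `~/.ssh/config` stanza. The function names and verdict labels are hypothetical, and only the three-field `port:host:hostport` form is handled.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Handles only port:host:hostport;
# the bind_address and IPv6 forms are rejected as invalid.

# parse_forward SPEC -> prints "port host hostport"; returns 1 on bad input.
parse_forward() {
    old_ifs=$IFS; IFS=:
    set -- $1                      # split the spec on ':'
    IFS=$old_ifs
    [ $# -eq 3 ] && [ -n "$2" ] || return 1
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    case $3 in ''|*[!0-9]*) return 1 ;; esac
    echo "$1 $2 $3"
}

# check_forward SPEC SERVER CLIENT_NAME...
# "host" in the spec is resolved and connected to by SERVER, not by the client.
check_forward() {
    spec=$1 server=$2; shift 2
    fields=$(parse_forward "$spec") || { echo invalid; return 1; }
    set -- $fields "$@"
    lport=$1 host=$2 hostport=$3; shift 3
    for name in "$@"; do
        # Server is asked to connect back to the client on the forwarded port:
        # the case the replies above call circular.
        if [ "$host" = "$name" ] && [ "$hostport" = "$lport" ]; then
            echo back-to-client; return 0
        fi
    done
    case $host in
        localhost|127.0.0.1|"$server") echo server-local ;;  # ends on the SSH server
        *) echo second-hop ;;  # server-to-host leg is plain TCP, outside the tunnel
    esac
}

# to_config SPEC SERVER -> ~/.ssh/config stanza matching: ssh -C -L SPEC SERVER
to_config() {
    fields=$(parse_forward "$1") || return 1
    set -- "$2" $fields
    printf 'Host %s\n    Compression yes\n    LocalForward %s %s:%s\n' "$@"
}

# Constructed demo: the specs from the thread, as typed on client "anton".
for s in 5905:anton:5905 5905:localhost:5905 5905:othermachine:5905; do
    printf '%-24s %s\n' "$s" "$(check_forward "$s" dobby anton)"
done
to_config 5905:localhost:5905 dobby
```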

----------

## Lemma

 *Quote:*   

> personally, I prefer to just forward X when I ssh to the remote machine and then run vnc "locally" (cygwin X-server is reasonably decent if you really have to use windows...) 

 Well, I don't, they do. Installing cygwin is good in some cases, but they will not be able to do that by themselves; creating a single putty-profile for each computer is faster and easier (for me, that is not as time consuming in the long run), does not take up as much hdd-space, does not use as many resources (running putty+vnc can be done on almost any old computer) ...

----------

## funkmankey

ah good point, I'd nearly forgotten how huge a cygwin install can be, not to mention that yes it's much more work to support than a single app like putty.

anyway, sounds like you have got it working, so cheers!

----------

## Lemma

 *Quote:*   

> But anyway: Yes, it's possible. In this case the destination host of the forwarded connection is not localhost but the machine that runs the vncserver.

 And by doing that, will there be an encrypted tunnel between anton and dobby with an unencrypted tunnel between dobby and othermachine (running the vncserver)? 

Also, are there any gpl/lgpl/bsd- licensed gui scp-clients? What I have been thinking of  is to use samba between othermachine and dobby, and then let the others use scp to connect between the "samba-mirror" on dobby. Is this a good idea or not?

Just to make things clear - I am a phd-student and the only one with even foggy knowledge of *nix at my institution. Before me (one year ago), we did not even have a backup-system (yup, none at all) but I have been able to get money to buy a computer (dobby) now acting as a samba-fileserver, automated backup-server (not the same as the fileserverarea  :Wink: ) and now also a means of giving us all (myself included) an opportunity to work from home despite a FW as gentle and soft as a wall of bricks. This is all thanks to you all, your help and support! This is also promoting linux in general, by showing that I can, with gnu/linux and the help from the community, make things possible at a very low cost in money and just a bit higher in invested time (and as a phd-student, my time is cheap  :Wink: ). As I said, to make things clear, I do appreciate your help and normally people here will never know just how much they do!

 *Quote:*   

> anyway, sounds like you have got it working, so cheers!

 I'm close, thanks!

----------

## funkmankey

I think there used to be a GPL'ed version of ixplorer, and winscp was also GPL as I recall.

----------

## sschlueter

 *Lemma wrote:*   

> And by doing that, will there be an encrypted tunnel between anton and dobby with an unencrypted tunnel between dobby and othermachine (running the vncserver)?

 

There will be a normal TCP connection between dobby and the machine running vncserver.

 *Lemma wrote:*   

> Also, are there any gpl/lgpl/bsd- licensed gui scp-clients?

 

The client from ssh.com is very good and free for educational use but it's not gpl. If you want a pure gpl solution you can use PuTTY and FileZilla but unfortunately sftp transfers over ssh2 are slooow then.

----------

