# How do I access remote vm over TLS?

## audiodef

Spent the day setting up a vm with qemu. Uploaded vm file to server and can access it with a vnc viewer after running this script:

```
#!/bin/bash

/usr/bin/qemu-system-x86_64 \
    -monitor stdio \
    -machine accel=kvm \
    -m 1024 \
    -hda /home/audiodef/GentooStudio_HDA.img \
    -boot once=c,menu=off \
    -net nic,vlan=0 \
    -net user,vlan=0 \
    -rtc base=localtime \
    -name "GentooStudio" \
    -vnc :1
```

But I'd like to secure that connection. What do I need to do?

----------

## khayyam

audiodef ... vnc over ssh:

```
$ ssh -L 5902:localhost:5901 <ip_of_machine_running_qemu>

$ vncviewer localhost:2
```

HTH & best ... khay

----------

## audiodef

Thanks, khay. I wasn't sure this would work, since I have a headless server, and indeed, I got:

```
Can't open display: 
```

Because I'm no longer on my local machine at this point. 

Playing around with aqemu on my local machine, I can see that you can:

```
-vnc :1,tls,x509=/path/to/cert
```

I'm not sure what kind of cert this requires, though, because when I use my existing certs from setting up my mail server, it complains that gnutls is required:

```
(qemu) qemu-system-x86_64: -vnc :1,tls,x509=/home/audiodef/keys/vnc: Failed to start VNC server: TLS credentials support requires GNUTLS
```

Doesn't seem to matter if I generate new keys or use /etc/ssl/certs.

----------

## khayyam

*audiodef wrote:*

> Thanks, khay. I wasn't sure this would work, since I have a headless server, and indeed, I got:
> 
> ```
> Can't open display: 
> ```
> ...

audiodef ... you're welcome. It's been a long time since I used vnc but as I remember the above should work headless. As for the error, what port does qemu use for vnc (netstat -tlnp)?

*audiodef wrote:*

> Because I'm no longer on my local machine at this point.

Well, how are you connecting? You would need to access the (qemu) host (and obviously a router/firewall would prevent that).

```
(qemu) qemu-system-x86_64: -vnc :1,tls,x509=/home/audiodef/keys/vnc: Failed to start VNC server: TLS credentials support requires GNUTLS
```

USE="gnutls" is not enabled by default on qemu, I expect you have it disabled.

best ... khay

----------

## szatox

*Quote:*

> Can't open display: 

Looks like you needed X forwarding:

`ssh -X` or `ssh -Y` (-Y is more permissive than -X, considered insecure)

Weird. What does a server being headless have to do with it? It's a bit puzzling.

----------

## audiodef

Thanks, guys, I appreciate it.

After losing hair for a few hours, it naturally came down to something very simple.

```
-vnc :1,password,tls,x509=/home/audiodef,x509verify=/home/audiodef
```

should be:

```
-vnc (ip_address_here!):1,password,tls,x509=/home/audiodef,x509verify=/home/audiodef
```

Now I just need to figure out how to set a password to use the "password" argument in the command above, then I should have the bare essentials for a reasonably protected setup.

----------
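The x509 directory that QEMU reads for `tls,x509=` / `x509verify=`, and the password audiodef still needs to set, worked through as an added example that is not part of the thread: a POSIX sh script that creates the CA and server certificate with GnuTLS `certtool` (assumed installed), checks the directory layout and key permissions QEMU depends on, and prints the `-vnc` value from the last post. The host name and bind address are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prepares the x509 directory that
# QEMU's -vnc ...,tls,x509=DIR option reads and builds the -vnc argument.
# QEMU expects fixed file names inside DIR: ca-cert.pem, server-cert.pem and
# server-key.pem; with x509verify=DIR it also demands that each client
# present a certificate issued by the CA in ca-cert.pem.

# Create a private CA and a server certificate for HOST inside DIR (GnuTLS certtool).
gen_vnc_certs() {
  dir=$1; host=$2
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  certtool --generate-privkey --outfile "$dir/ca-key.pem" || return 1
  printf 'cn = VNC CA\nca\ncert_signing_key\nexpiration_days = 3650\n' >"$dir/ca.info"
  certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
    --template "$dir/ca.info" --outfile "$dir/ca-cert.pem" || return 1
  certtool --generate-privkey --outfile "$dir/server-key.pem" || return 1
  printf 'cn = %s\ndns_name = %s\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = 365\n' \
    "$host" "$host" >"$dir/server.info"
  certtool --generate-certificate --load-privkey "$dir/server-key.pem" \
    --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
    --template "$dir/server.info" --outfile "$dir/server-cert.pem" || return 1
  chmod 600 "$dir"/*-key.pem
}

# Fail unless DIR holds the three files QEMU needs and the server key is
# unreadable by group/others (a readable key defeats the point of TLS).
check_vnc_certdir() {
  dir=$1
  for f in ca-cert.pem server-cert.pem server-key.pem; do
    [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  case $(ls -ld "$dir/server-key.pem" | cut -c5-10) in
    *[rwx]*) echo "$dir/server-key.pem is readable by others" >&2; return 1 ;;
  esac
}

# Print the -vnc value the thread settled on: explicit bind address,
# password, TLS and mandatory client certificates.
vnc_tls_arg() {
  addr=$1; disp=$2; dir=$3
  check_vnc_certdir "$dir" || return 1
  printf '%s:%s,password,tls,x509=%s,x509verify=%s' "$addr" "$disp" "$dir" "$dir"
}

# Usage (hypothetical host/address): sh vnc-tls.sh gen DIR vmhost.example 192.0.2.10
# Then set the password at the -monitor stdio prompt: (qemu) change vnc password
if [ "${1:-}" = gen ]; then
  gen_vnc_certs "$2" "$3" && printf -- '-vnc %s\n' "$(vnc_tls_arg "$4" 1 "$2")"
fi
```

Clients then connect with a viewer that has the same `ca-cert.pem` plus a client certificate signed by it, so the password alone never travels in the clear.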

