VNC Tunnelling: Windows to Windows via Linux

David Brodbeck DavidB "at"
Wed, 27 Jun 2001 14:35:52 +0000

I'm posting this because some people had asked about the VNC setup I use at
work for remote access.  I'm not much of a technical writer but this might
be helpful to other people trying to set up something like this.

Obviously if VNC eventually incorporates encryption this kind of tunnelling
will be unnecessary for most applications, but it still could prove useful
in some situations.  For example, if the private LAN used unroutable IP
addresses, you could use a Linux server with interfaces on both networks to
forward VNC connections in this manner.  It's also nice in that only the
Linux server needs to be exposed by the firewall, and then only on the SSH


VNC Tunnelling Through SSH - Windows viewer to a Windows Workstation via
David Brodbeck - davidb "at"
June 27, 2001

This document uses as an example the following configuration:

+----------+                   +--------+   +-------------+
| Windows  |         |         | Linux  |   |   Windows   |
|   PC     |=========|=========| server |---| workstation |
|VNC viewer| Public  | Private |        |   |  VNC server |
+----------+ internet   LAN    +--------+   +-------------+

= (Encrypted)     Assume:  Workstation IP is
- (Unencrypted)            Linux server IP is

It assumes a certain level of knowledge about VNC and Linux.  This is more
of a "brain dump" to help other people trying to accomplish the same thing
than a detailed, step-by-step HOWTO.

1. Workstation configuration.

This is fairly simple.  Set up the VNC server as usual.  For security
purposes, add the following STRING registry key under

AuthHosts		-:+

This causes the VNC server to only accept connections coming from the Linux
server.  Add other keys to suit your configuration.  Depending on the
physical location of the workstation, you may want to configure the
LockSetting registry key and check the Disable Local Keyboard and Pointer
option in the VNC properties dialog.  (See:, Advanced Settings section.)

2. Linux server configuration.

Install OpenSSH.  Make sure it's configured to accept SSH version 1.5
connections, since the TeraTerm SSH plugin does not yet support version 2.0.

Add a user account to the server for each person who will be forwarding an
SSH connection through it.  Configure your firewall to allow incoming TCP
connections to the Linux server on port 22.

3. Windows PC configuration.

Obtain TeraTerm Pro and the ttssh plugin.  (See: Extract TeraTerm and run the
TeraTerm setup program.  (Note: All this does is move the files to the
directory you specify.  Once you have TeraTerm installed, you can simply
copy this directory to another machine to duplicate the installation.)
Extract the ttssh ZIP file into the TeraTerm directory.  Run ttssh.exe and
set the options to suit your personal taste in terminal software.  Make sure
you specify a valid location for the known hosts file under Setup / SSH... /
Read/Write file.

Under Setup / TCP/IP..., add the following entry: /ssh-L5900:
^^^^^^^^^^^              ^^^^ ^^^^^^^^^^^^^^^^^
Linux                  Local     Workstation IP
Server IP              port #    and port #

This assumes that the workstation is running VNC as display 0, and the PC
does not have the VNC server running.  If either of those isn't true, adjust
the port numbers accordingly.  For example, if you used
/ssh-L5901:, connecting to localhost:1 with VNC would
connect you to display 0 on the workstation.

(Note:  Even if you're giving the host and port forwarding options on the
command line, you must either add the same entry to the TCP/IP setup dialog
or manually add it to the [Hosts] section of teraterm.ini.  THE COMMAND LINE
MUST MATCH A [Hosts] ENTRY.  Otherwise TeraTerm gives an "Invalid host"
error.  This caused me all kinds of head-scratching until I figured it out;
it appears to be a misfeature of TeraTerm.)

Try clicking File / New connection... and connecting to the entry you just
added, making sure the SSH radio button is selected.  The first time you do
this you'll get an error message stating that the host was not in the known
hosts file.  Check Add this machine... and click Continue.  You'll also get
an error stating the known hosts file could not be read.  Click OK.  A known
hosts file will be created, preventing you from getting those errors in the
future.  You should now be able to log into the Linux server using your
username and password.  Try running VNC and connecting to localhost:0. You
should connect through the tunnel to the workstation, and VNC should work

Once you've connected successfully and have all the VNC client settings the
way you want them (including encoding type, etc.), click the VNC client
window icon and choose Save connection settings as... to save the settings
to a file.

3.1 Creating shortcuts:

You can make the process of setting up the connection somewhat easier by
creating a pair of appropriate shortcuts.  For this example, assuming the
VNC settings file is called local.vnc, here's what the command line for each
shortcut would be:

TeraTerm shortcut (I call this 'Open Connection'):
ttssh.exe /ssh-L5900:

VNC shortcut (I call this 'Launch viewer'):
vncviewer.exe /config local.vnc

If the people using this setup are fairly inexperienced, it's a good idea to
put some suitable hints in the .login or .bash_profile file of their Linux
account.  Something like this would be appropriate:

echo ""
echo "You are now connected.  Run the Start Viewer shortcut."
echo "Do not close this window until you are ready to disconnect."

3.2 Duplicating the client configuration on other machines.

I suggest setting this up for the first time in some standardized location. 
I use C:\remote.  Use the absolute path in all the shortcuts you create. 
This reduces installation on another machine to a simple, quick process:

1. Copy over the C:\remote folder.
2. Edit teraterm.ini and change the workstation IP to the correct value.
3. Edit the "Open Connection" shortcut and change the workstation IP.
4. Drag the shortcuts to the desktop or Start Menu.

The entire installation will fit on one floppy as a self-extracting ZIP

4. Notes

You may want to experiment with the SSH compression level, set in Setup /
SSH... or in the [TTSSH] section of teraterm.ini.  It can increase
performance noticeably, especially if you're using Hextile encoding in VNC. 
There's a tradeoff between compression level and CPU usage on the PC and
Linux server, of course.

SSH compression doesn't seem to make much difference if you're using Tight
encoding, probably because Tight encoding is already pretty aggressively
compressed.  I recommend using Tight encoding over dial-in links.  Hextile
will probably give better performance over broadband connections, though,
and allows you to use a more up-to-date version of the server.
If security is very important to you, you may want to use RSA authentication
in SSH, instead of plain password authentication.  See the OpenSSH
documentation for information on how to generate suitable public and private
key files.  This gives you one more layer of validation.  ("Something you
have" and "something you know" instead of just "something you know.")

5. References.

TTSSH: An SSH Extension to TeraTerm:
VNC Homepage:
Using VNC with SSH:
The Win32 VNC Server:
TightVNC - Bandwidth-Efficient VNC Distribution:
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at"
See also: