Java Viewer & SSH port forwarding configuration
Michael F. Murphy
Sun Nov 10 23:59:41 2002
Need help setting up VNC to be browser accessible through a DMZ/Gateway
machine by multiple users.
Use Case: Set up multiple "well known" externally (internet) visible ports
on a gateway machine for using VNC to/from firewalled/NATed machines so
people outside the office can set up spur of the moment screen sharing
with arbitrary users. The multiple part is so people don't step on each
others' sessions. Each person wanting to "serve" will have a "display"
number on the gateway to use for their own purposes.
The net traffic shall be encrypted for confidentiality.
Would like other people to be able to use VNC Viewer program AND web
(no software installation issues with using the browser).
I'm trying to get web browsing on ports other than 5800 working but I keep
getting "java.net.ConnectException: Connection refused" after being
the password dialog when I access http://gateway:5880/ (for example). A
It does work if I set up to use ports 5900/5800.
What I've done:
On "Gateway" (a Linux box with a well known public IP address running ssh)
each of the potential server users has an account/password and is an allowed
user in ssh configuration.
SSH server allows port forwarding and gateway.
Gateway has iptables with the following relevant rules:
/sbin/iptables -A tcpin -p tcp --dport 5980 -j ACCEPT
/sbin/iptables -A tcpin -p tcp --dport 5880 -j ACCEPT
/sbin/iptables -A tcpin -p tcp --dport 5900 -j ACCEPT
/sbin/iptables -A tcpin -p tcp --dport 5800 -j ACCEPT
(I want to tighten this up to allow vnc ports only from ssh'd machines,
or perhaps restricted by MAC, or .... But that is another day.)
I used the standard 5900/5800 pair for testing. Now
I want to expand to set up 5980/5880 to allow multiple sessions.
On PC "Server" (the one sharing the screen, who may be behind a firewall)
user uses PuTTY to connect to Gateway via SSH. PuTTY on PC Server machine
uses SSH tunnelling/port forwarding:
"Remote Source:5980 Destination:localhost:5900"
"Remote Source:5880 Destination:localhost:5800"
(This connects the local (default VNC) ports on the machine to different
on the gateway).
On the PC Server's VNC Viewer properties: display socket(0) and java
(AllowLoopback = 1) in the registry.
The Server machine user starts the puTTY SSH session, gets validated
and SSH forwards the ports...
Then s/he starts the VNC Server. (Prefer not running a service or other
automagic until everyone is comfortable and it works).
On some other machine "PC Viewer" (perhaps also behind firewall and NATed)
user points VNC Viewer program to "gateway:80", answers the password prompt,
and away they go, no problem. However,
I want the PC Server user to be able to share the screen
with others (PC "Viewers") who point their browser to
http://gateway:5880 (dead simple KISS instruction). This is
a guerrilla movement so I would like the browser to work first,
then the sales pitch is "Point your browser at, password is foobar. Watch
what I do... ;-))
I keep getting "java.net.ConnectException: Connection refused" after being
the password dialog when I access http://gateway:5880/ with a browser.
(This works fine if I use 5900/5800 i.e. no offsets)
I read in the archive (only after banging my head ;-( ) that several years
ago VNC did NOT
use the port number in the URL to calculate the port for the
"non browser" communication, i.e. it did not calculate 5880+100=5980. I can
kludge it so that the browser
points at gateway:5880 and ports 5880 and 5900 are open on the gateway
and the browser does work but that means that only one user can access at a
since the 5900 port is being used by every browser session.
Is it still the case (i.e. sort of broken) for the current Real VNC version
or is there some configuration tweak that I missed ?????
P.S. I will get around to using Stunnel on the gateway (or other
SSLification, if someone thinks better)
so that the entire link is encrypted from the PC server to the gateway (SSH)
and from the gateway to the browser(SSL via https) if I can get the port
issue squared away.
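The port arithmetic behind the setup above (browser port 5800+N, applet connecting back on 5900+N), checked against the gateway's iptables rules and SSH remote forwards, as an added example that is not from the original post or from RealVNC. It assumes the served applet page advertises the VNC server's own local RFB port (5900), which is what produces a "Connection refused" when nothing on the gateway listens there; `plan_display`, `check_display` and the sample rules are constructed for this example.

```python
import re
from dataclasses import dataclass

HTTP_BASE, RFB_BASE = 5800, 5900  # VNC's conventional base ports (display 0)

@dataclass(frozen=True)
class DisplayPlan:
    display: int
    http_port: int  # port a browser opens on the gateway (5800 + N)
    rfb_port: int   # port the Java applet has to dial for this display (5900 + N)

def plan_display(display):
    """Gateway ports for display N plus OpenSSH -R flags equivalent to the
    PuTTY 'Remote' forwards in the post (hypothetical, assumed equivalent)."""
    plan = DisplayPlan(display, HTTP_BASE + display, RFB_BASE + display)
    flags = [f"-R {plan.http_port}:localhost:{HTTP_BASE}",
             f"-R {plan.rfb_port}:localhost:{RFB_BASE}"]
    return plan, flags

IPT_RE = re.compile(r"--dport\s+(\d+)\s+-j\s+ACCEPT")

def accepted_ports(iptables_lines):
    """TCP destination ports the gateway accepts, parsed from iptables rules."""
    return {int(m.group(1)) for line in iptables_lines
            if (m := IPT_RE.search(line))}

def check_display(display, iptables_lines, forwards, applet_port):
    """Problems for display N. `forwards` maps gateway port -> 'host:port'
    (the SSH remote forwards); `applet_port` is the RFB port the served applet
    page advertises, assumed here to be the server's own local port."""
    plan, _ = plan_display(display)
    accepted = accepted_ports(iptables_lines)
    problems = []
    for port, local in ((plan.http_port, f"localhost:{HTTP_BASE}"),
                        (plan.rfb_port, f"localhost:{RFB_BASE}")):
        if port not in accepted:
            problems.append(f"iptables does not ACCEPT tcp/{port}")
        if forwards.get(port) != local:
            problems.append(f"missing remote forward {port} -> {local}")
    if applet_port not in forwards:
        problems.append(f"applet dials gateway:{applet_port}: nothing listens, "
                        "expect 'Connection refused'")
    elif applet_port != plan.rfb_port:
        problems.append(f"applet dials gateway:{applet_port}: that is display "
                        f"{applet_port - RFB_BASE}'s tunnel, not display {display}")
    return problems

# Constructed sample mirroring the post: display 80 and its four ACCEPT rules.
SAMPLE_RULES = ["/sbin/iptables -A tcpin -p tcp --dport %d -j ACCEPT" % p
                for p in (5980, 5880, 5900, 5800)]
SAMPLE_FORWARDS = {5980: "localhost:5900", 5880: "localhost:5800"}
```

Running `check_display(80, SAMPLE_RULES, SAMPLE_FORWARDS, applet_port=5900)` reports the refused connection from the post, while an applet that dials 5980 reports no problems.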