Accessing multiple VNC servers using only one SSH port?
Tue Nov 19 19:40:01 2002
:: Bruce Atherton <firstname.lastname@example.org>
:: I'm trying to figure out a way to use a single open port on a
:: firewall to connect to one of several VNC servers. Something like
:: this (apologies to the proportional font crowd):
::                                          -- VNC Server 1
:: Client -> Internet -> Firewall -> SSH ---|- VNC Server 2
::                       port 22     Server |
::                                          -- VNC Server 3
If the issue is to ensure only a single port is opened in the
firewall, the standard way of doing it works. That is, you
start a single session, and forward three ports. Let's say,
Then, to access server 1, you connect to localhost:1 on client.
To access server 1, you connect to localhost:2 on client.
I'll leave what to do to access server 3 as an exercise
for the reader.
So. Only one port on the firewall. Three ports on client.
:: Let me describe the usecase in text instead of using a diagram, it
:: may be clearer.
:: From home or on the road with my laptop, I often need to get access
:: to one of several machines in my office, not just a terminal but the
:: whole desktop. I may need to get at my workstation or a machine
:: running automated tests or one of several servers. I don't know
:: ahead of time exactly which of several machines I will need access
:: to. There are several other developers in my office with the same
:: need. What we all have to work with is a single SSH port that has
:: been opened up in the firewall for remote access.
As many people may connect to port 22, and they may forward ports to
as many servers as they like, all without interfering with each other.
Remember: forwarding a port does NOT require an open port on the firewall.
Port 22 on the firewall is only for establishing the ssh tunnel. The
forwarded ports are opened on the client machine, not on the firewall.
If the issue is that you only decide after your ssh session is running
which server you want to go to, and you don't want to simply forward
ports for all of them, there are two ways to proceed. For a windows
client box, many ssh clients allow specifying additional ports. So simply
set up an additional forwarded (but not firewall-piercing) port when
you decide which host you need to work on.
For a linux or cygwin-wielding client box, you can use the -D capability
Specifies a local ``dynamic'' application-level port
forwarding. This works by allocating a socket to
listen to port on the local side, and whenever a con-
nection is made to this port, the connection is for-
warded over the secure channel, and the application
protocol is then used to determine where to connect to
from the remote machine. Currently the SOCKS4 protocol
is supported, and ssh will act as a SOCKS4 server.
Only root can forward privileged ports. Dynamic port
forwardings can also be specified in the configuration
Then, use SocksCap or runsocks or equivalent to allow the vncclient to connect
to the servers behind the firewall. That is, you say something like
when you start your ssh session, and then configure whatever socksifier
you use to expect a socks server at localhost:1080.
Wayne Throop email@example.com
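
Added example, not part of the original message: a shell helper that builds the single-session, multi-forward ssh command described above, with each local listener bound to loopback only so the tunnel is not exposed to the client's network. The host names are hypothetical, and the mapping of VNC display :N to TCP port 5900+N with a default remote display of :0 is an assumption about the VNC servers.

```shell
#!/bin/sh
# Added example (not from the original message). Host names are hypothetical.
# Assumption: VNC display :N listens on TCP port 5900+N.
VNC_BASE_PORT=5900

# vnc_forward_args HOST[:DISPLAY] ...
# Prints one "-L" option per target. Local displays are numbered 1, 2, 3, ...
# in argument order; the remote display defaults to :0.
vnc_forward_args() {
    n=0
    out=""
    for target in "$@"; do
        n=$((n + 1))
        host=${target%%:*}
        case $target in
            *:*) rdisp=${target##*:} ;;
            *)   rdisp=0 ;;
        esac
        # Reject non-numeric displays and leading zeros (parsed as octal).
        case $rdisp in
            ''|*[!0-9]*|0?*) echo "bad display in '$target'" >&2; return 1 ;;
        esac
        # Reject empty hosts and anything outside hostname characters.
        case $host in
            ''|-*|*[!A-Za-z0-9.-]*) echo "bad host in '$target'" >&2; return 1 ;;
        esac
        # Bind to 127.0.0.1 explicitly so only this machine can use the tunnel.
        out="$out -L 127.0.0.1:$((VNC_BASE_PORT + n)):$host:$((VNC_BASE_PORT + rdisp))"
    done
    printf '%s\n' "${out# }"
}

# vnc_tunnel_cmd GATEWAY HOST[:DISPLAY] ...
# Prints the full ssh command; only port 22 on the gateway is ever contacted.
vnc_tunnel_cmd() {
    gateway=$1
    shift
    # A gateway beginning with "-" would be parsed by ssh as an option.
    case $gateway in
        ''|-*) echo "bad gateway '$gateway'" >&2; return 1 ;;
    esac
    args=$(vnc_forward_args "$@") || return 1
    # -N: no remote command; ExitOnForwardFailure: fail if a listener can't bind.
    printf 'ssh -N -o ExitOnForwardFailure=yes %s %s\n' "$args" "$gateway"
}
```

With the printed command running, a VNC viewer pointed at localhost:1 reaches the first listed server, localhost:2 the second, and so on.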