connecting to a linux box through a firewall using ssh...Need Help
Anthony
orders@nodivisions.com
Thu Sep 25 22:59:00 2003
R D wrote:
> Hello,
>
> I've been going through the list archives but can't seem to find a
> thread to help me. I'm probably not typing in the correct search words.
>
> I am trying to set up VNC so i can access my linux server at work from
> home. I have XP Home on my client computer. The linux server is behind a
> firewall/gateway and not directly connected to the internet.
>
> I use putty to ssh into work to get the command prompt using port 20443.
> I've installed the VNCServer on the linux box and the windows client at
> home.
OK, so you have an ssh daemon running on port 20443 on the server, and
you are able to log into that from home. You can set up VNC to go
"through" ssh, so this is the only port you need to open on the server's
firewall.
> In putty, under SSH/Tunnels option, i've enabled X11 forwarding and
> entered the X display location as hostname.of.linux.server:5901.
> Remember my server is on a Private network. X11 forwarding is also
> enabled on the server.
X11 forwarding is a separate thing from VNC. You don't need X11
forwarding to use VNC.
> In the port forwarding area, i added a new forward port, with the source
> port L20443 and the destination port hostname.of.linux.server:5901.
If 20443 is your ssh port on the server, then that is incorrect for port
forwarding. You need to decide which VNC port the VNC server will
listen on (usually 5901). If it's 5901, then you set up the PuTTY port
forward like this:

    L5902 localhost:5901

And then you make the ssh connection. Once it's connected, you start
the VNC client, and connect to:

    localhost:5902

It's a little confusing, but what's happening is, you're telling VNC to
log into port 5902 on your *client* system, and PuTTY is forwarding that
to port 5901 on the *server* system, right to the VNC server port.
> I start the vncserver and try to connect use my viewer. I've tried
> connecting the following ways:
>
> name.of.gateway.server
> name.of.gateway.server:1
> name.of.gateway.server:2
> name.of.gateway.server:20443
>
> For the first 3 ways, i get "Failed to connect to server". When i try
> 20443, I get "Invalid Protocol".
>
Again, you want to use localhost instead of the hostname of the VNC
server. That remote hostname is hidden from your VNC client, because
it's going through the ssh connection.
> 20443 is the only port open to the outside.
Correct, and that's the beauty of this setup, you only need the ssh port
open.
> Do i need to execute a command similar to this on the gateway:
>
> ssh -L 5902:localhost:5901 gw
>
> If i do, what should it be?
No, because you're using PuTTY and it does port forwarding through its
interface. What you've typed there is the "ssh" command-line client.
If you had that on your client computer, then you could use that instead
of PuTTY, and then you'd type:

    ssh -p 20443 -L 5902:localhost:5901 <remote-hostname>

Hope this helps,
Anthony
http://nodivisions.com/
PS - I documented this on my website after I figured it all out. I
basically just explained it all to you, but you can see it at:
http://nodivisions.com/tech/vnc/
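
A check for the point that only the ssh port needs to be open, as an added example that is not part of the original post: run on the Linux server, it reads `ss -ltn` output and reports any VNC listener (ports 5900-5999) bound to a non-loopback address, which would be reachable without the tunnel. The sample socket list is constructed, and the function names `exposed_vnc` and `audit` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the VNC server is
# reachable only through the ssh tunnel by auditing listening TCP sockets.

# Constructed sample of `ss -ltn` output for a server set up as in the thread:
# sshd on 20443, plus VNC displays bound in different ways.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:20443      0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      127.0.0.1:5902     0.0.0.0:*
LISTEN 0      5      [::1]:5903         [::]:*
LISTEN 0      5      [::]:5904          [::]:*'

# exposed_vnc: read `ss -ltn` lines on stdin and print "port address" for each
# listener in 5900-5999 (VNC displays :0 to :99) that is not bound to loopback.
exposed_vnc() {
    awk '
    $1 == "LISTEN" {
        # The port is the text after the last colon; the rest is the address.
        n = split($4, parts, ":")
        port = parts[n] + 0
        host = substr($4, 1, length($4) - length(parts[n]) - 1)
        if (port < 5900 || port > 5999) next                 # not a VNC port
        if (host ~ /^127\./ || host == "[::1]") next         # loopback only
        print port, host
    }'
}

# audit: same input; exit status 0 when no VNC listener is exposed, 1 otherwise.
audit() {
    found=$(exposed_vnc)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/EXPOSED /' >&2
    return 1
}

# Stand-alone run: list the exposed listeners in the constructed sample.
printf '%s\n' "$SAMPLE" | exposed_vnc
```

On a real server the input is `ss -ltn | audit`; a listener reported here is one the firewall alone is keeping private.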