2

I want to replace TeamViewer with a FOSS solution. I need to support some remote computers. I have a working SSH tunnel set up between two computers using a middleman server like this:

Kubuntu_laptop--->nat_fw--->Debian_Server<--nat_fw<--Kubuntu_desktop

This SSH tunnel is working now.

Next I want to connect to the desktop on "Kubuntu_desktop" from "Kubuntu_laptop" using the SSH tunnel.

Regarding the connection for this leg:

Debian_Server<--nat_fw<--Kubuntu_desktop

Here is how it is established:

autossh -M 5234 -N -f -R 1234:localhost:22 user@mydebian.com -p 22

I cannot change the existing monitoring port (5234) or the remote (- R) port number (1234 in this example). Can vnc tunnel over this existing SSH connection? UPDATE: the answer is no; I need to set up a new SSH tunnel for use with vnc as described here.

Regarding the connection for this leg:

Kubuntu_laptop--->nat_fw--->Debian_Server

I can use any SSH parameters required.

I cannot open up any ports on the routers/firewalls.

x11vnc server was recommended to me, so I'm testing with that. It is running on the desktop and listening on port 5900. However, I did not use any command line options when starting x11vnc, so it probably isn't configured correctly yet.

Will vnc work over this existing SSH connection? Notice that there are no ports 5900 defined. And note that I cannot change the port number for the -R option as I mentioned above.

I have a lot of questions about how to get this working, but one is whether vnc can listen on the existing port (-R 1234 in the example above). And if so, can I still ssh into that box as I do now?

Here's what I tried so far:

On remote desktop (where x11vnc server is installed):

tester@Kubuntu_desktop:~> autossh -M 5234 -i ~/.ssh/my_id_rsa -fNR 1234:localhost:5901 user@mydebian.com

make sure x11vnc server is running on port 5901:

tester@Kubuntu_desktop:~> x11vnc -autoport 5901

On my laptop:

sudo ssh -NL 5901:localhost:1234 -i ~/.ssh/admin_id_rsa admin@mydebian.com

connect local vnc client to localhost port 5901

Open KRDC in Kubuntu_laptop and connect to (vnc) 

localhost:5901

I'm getting a failed connection - server not found.

MountainX
  • 17,948

2 Answers2

1

It sounds like you currently have a default ssh connection between the laptop and server:

Kubuntu_laptop--->nat_fw--->Debian_Server

Modify the parameters to the ssh connection so you have

-fNL [localIP:]localPort:remoteIP:remotePort

For example:

-fNL 5900:localhost:1234

If your laptop used VNC on the default port of 5900 then you would tell your laptop to vnc to localhost which would then send the VNC traffic on port 5900 to the server on port 1234.

Next you need to catch the traffic arriving on port 1234 server side and forward that to the desktop:

Debian_Server<--nat_fw<--Kubuntu_desktop

Modify the parameters to the desktop ssh connection to include

-fNR [remoteIP:]remotePort:localIP:localPort

For example:

-fNR 1234:localhost:5900

All traffic sent to port 1234 on the localhost of the server will now be transported to the desktop and arrive on port 5900 where the VNC server is hopefully listening.

Change port 5900 to be appropriate for the protocol you are using. Could be 3389 for RDP or 5901 for VNC since 5900 might be in use. Also, I just picked port 1234 randomly for use on the server.

*Some notes in response to your updated question:

  1. the default port for ssh is 22, so the -p 22 is redundant since it overrides the default and sets it to 22
  2. the settings that look like localPort:remoteIP:remotePort have nothing to do with the port that ssh is using for the tunnel which is still 22 unless you override it on the client with a -p and override the port on the ssh server as well. So all of the previously mentioned ssh commands are using port 22 and you can confirm this by looking at your listening and established network connections. You will not need to open any additional ports on a firewall. The previous commands were correct.
  3. based on what you added in the update, the command for the desktop should be autossh -M 5234 -fNR 1234:localhost:5900 user@mydebian.com
  4. sorry, I have no suggestions as far as a VNC client is concerned. You'll have to open a separate question for that, however I'm guessing it will be down-voted since it is an opinion question.
Michael Yasumoto
  • 571
  • In my question I said, "I cannot change the port numbers used for the SSH tunnel." However, I can change some things. But the leg from Debian_Server<--nat_fw<--Kubuntu_desktop is not something I think I can change. (I don't know how.) That leg looks like this: autossh -M <mport> -N -f -R <port>:localhost:<port> user@myserver.com -p <server-port> – MountainX Jul 09 '13 at 00:05
  • 1
    I will update my question with more info... – MountainX Jul 09 '13 at 00:06
  • I updated my answer – Michael Yasumoto Jul 09 '13 at 04:50
  • In your point #3, when I change the command from autossh -M 5234 -fNR 1234:localhost:22 user@mydebian.com to autossh -M 5234 -fNR 1234:localhost:5900 user@mydebian.com my ssh tunnel is broken. Are you saying that I need two SSH connections? One to be used to connect to a shell on Kubuntu_desktop (using port 22) and the other to connect to vncserver on Kubuntu_desktop (using port 5900)? Sorry I don't understand yet. – MountainX Jul 09 '13 at 05:59
  • More info: x11vnc: The VNC desktop is: Kubuntu_desktop.site:0 PORT=5900 – MountainX Jul 09 '13 at 06:04
  • I updated my question with "what I tried so far." – MountainX Jul 09 '13 at 06:48
  • If you want to have a shell and to forward ports over a tunnel on the same connection, then remove the -fN from the command. Usually I just open a second connection instead, since closing the shell will close your port forwarding tunnel. – Michael Yasumoto Jul 09 '13 at 17:00
  • Confirm whether VNC is listening on port 5900 or 5901 since this makes a big difference. Use lsof -Pi4; or netstat -lanpt; to check this. Also, confirm that your ssh settings allow port forwarding. Check the /etc/ssh/sshd_config file on the server and make sure that AllowTcpForwarding yes and PermitTunnel yes. Restart your ssh server if you changed the config file. – Michael Yasumoto Jul 09 '13 at 17:07
  • If you're having trouble connecting, then check each part of the tunnel. From the desktop, use telnet localhost 5900; to connect to the VNC port and confirm that a connection can be made. From the server, use telnet localhost 1234; and confirm the connection. Lastly, from the laptop use telnet localhost 5900;. If each segment works, then you should be able to VNC to the localhost of the laptop. – Michael Yasumoto Jul 09 '13 at 17:10
  • Thanks for your help! I got it working. This shows how: http://unix.stackexchange.com/questions/82386/remote-desktop-over-ssh-reverse-tunnel-to-replace-teamviewer – MountainX Jul 10 '13 at 06:41
0

I verified the mechanism described and worked for me. The only difference was that I used 127.0.0.1::PORT as VNC client parameter, because :N references the X Window display number N; to use an explicit port we have to put double colon as separator.

Fjor
  • 187