How to set up VNC to be accessed from outside CSAIL

First, be clear about the problem you're trying to solve. Is VNC (originally for "Virtual Network Computing") really the best solution? VNC is best for checking in on long-running graphical processes that will continue after your remote client disconnects.* Other kinds of "remote access" needs are often better solved using ssh tunnels, installing programs directly on a laptop or remote device, using X11 to run programs on a remote machine and display them locally, or some combination of the above.

Due to security limitations of the VNC protocol (passwords are weak, and the protocol does not encrypt characters typed or windows displayed), CSAIL does not allow direct VNC connections from outside our network perimeter. However, VNC can safely be tunnelled via SSH as follows:

A. Set up sshd on the host (if necessary)

  • For a CSAIL Debian host, this is likely already done. (See Setting up SSH.)
  • For a Mac OS host, this means turning on System Preferences -> Sharing -> Remote Login, and preferably restricting it to only your username. If connections are refused, try turning off the appfirewall (System Preferences -> Security -> Firewall -> Allow all connections) for the first ssh connection, then re-enabling it.
  • Not possible on a Windows host -- use Remote Desktop instead of VNC.

B. Set up vncserver on the host

  • For a CSAIL Debian host:
    • install with sudo apt-get install tightvncserver
    • run with longjob vncserver :0
      • if you omit "longjob", vncserver will refuse connections with "configuration error" as soon as your Kerberos+AFS credentials expire (or as soon as you close the SSH session that started VNC)
      • if you get "host:0 is taken", increment the vncserver argument to :1 and the port (below) to 5901
      • this will ask you for a password only the first time. If you've forgotten it, rm ~/.vnc/passwd
  • For a Mac OS host:
    • System Preferences -> Sharing -> Screen Sharing occasionally works (and then only with a TightVNC client)
    • Vine Server (OSXvnc) usually gives better results. Under Authentication, set "Require remote login (SSH)" to YES.
  • For a Windows host, we suggest using Remote Desktop instead. Otherwise:
    • TightVNC server
    • UltraVNC server
  • For a VirtualBox OSE (4.2 or higher) virtual machine:
    • Configure the VNC extension pack (only once per host system/user account): VBoxManage setproperty vrdeextpack VNC.
    • Shut the VM down if it's currently running.
    • Configure the VNC server IP address and port: VBoxManage modifyvm VM-name-or-UUID --vrdeaddress --vrdeport 5900  --vrde on.
    • Set a password for the VNC server: VBoxManage modifyvm VM-name-or-UUID --vrdeproperty VNCPassword=mypassword.
    • Start the VM in headless mode: VBoxManage startvm VM-name-or-UUID -type headless.

C. Establish ssh tunnel on the client

  • This step is not necessary if your VNC client has integrated tunneling support. Chicken (for Mac OS) and TightVNC are known to support automatic ssh tunneling.
  • CSAIL Debian client, Mac OS client (if not using Chicken or TightVNC): ssh -L5900:localhost:5900
  • Windows client:
    1. Install PuTTY. Recommended: PuTTY with Kerberos. Alternatively, standard PuTTY (requiring typed passwords).
    2. In PuTTY Configuration -> Connection -> SSH -> Tunnels, enter "Source port" 5900, "Destination" localhost:5900, then click "Add."
    3. In Session, enter "Host Name:", "Saved Sessions:" HOST, and click "Save."
    4. Double-click HOST to connect via SSH with the tunnel. (Only this last step needs to be repeated for future connections.)
  • iOS client (iPhone, iPad, etc): use a combined SSH+VNC client
    • with iSSH: Add Configuration -> (fill in Description, Host, Login) -> choose SSH then VNC, then enter your VNC password -> Save.

D. Connect using VNC client

  • CSAIL Debian client:
    • for example, install with sudo apt-get install xtightvncviewer and run with xvncviewer -via remotehost localhost:0
  • Mac OS client:
    • Use Chicken (a fork of "Chicken of the VNC")
    • In the connection dialog, enter localhost for the hostname, check the box labeled "Tunnel over SSH", and enter the remote SSH server name in the "SSH Host" field.
  • Windows client: use any of the below to connect to localhost:0
    • TightVNC
    • UltraVNC
  • iSSH: tap configuration name to connect; enter SSH password when prompted.

E. Destroy your VNC session (optional)

  • CSAIL Debian host: vncserver -kill :0
  • Mac, Windows: switch to VNC Server window and choose "shut down" or similar.
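
The display-to-port arithmetic from steps B and C, plus a host-side check that the VNC server is reachable only through the SSH tunnel, as an added example (not part of the original page). The function names and the sample `ss -ltn` output are constructed for illustration, and HOST stands for your remote machine.

```shell
#!/bin/sh
# Added example (not from the original page). Sample data below is constructed.

# Map a VNC display (":1" or "1") to its TCP port: 5900 + display number.
vnc_port() {
    d=${1#:}
    case $d in
        ''|*[!0-9]*|0?*) echo "bad display: $1" >&2; return 1 ;;
    esac
    echo $((5900 + d))
}

# Print the ssh tunnel command for a display; $2 is the remote SSH host.
tunnel_cmd() {
    port=$(vnc_port "$1") || return 1
    echo "ssh -L${port}:localhost:${port} $2"
}

# Read `ss -ltn` output on stdin; print every VNC listener (ports 5900-5999)
# whose local address is not loopback, i.e. reachable without the SSH tunnel.
exposed_vnc_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, p, ":"); port = p[n] + 0
        host = substr($4, 1, length($4) - length(p[n]) - 1)
        if (port < 5900 || port > 5999) next
        if (host ~ /^127\./ || host == "[::1]") next
        print $4
    }'
}

# Constructed sample of `ss -ltn` output: display :0 bound to loopback only,
# display :1 listening on all IPv4 and IPv6 interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5          127.0.0.1:5900      0.0.0.0:*
LISTEN 0      5            0.0.0.0:5901      0.0.0.0:*
LISTEN 0      5               [::]:5901         [::]:*'

tunnel_cmd :1 HOST
printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners
```

On a Linux host, `ss -ltn | exposed_vnc_listeners` should print nothing; any address it prints is a VNC port that accepts connections without going through SSH. With tightvncserver, starting the server with the `-localhost` option restricts it to loopback connections.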

Topic revision: 15 Aug 2013, GarrettWollman