Secure Remote Desktop Sharing with VNC on Windows - Installing TightVNC and Setting Up an SSH Tunnel
(Page 4 of 4)
As I explained in the previous section, installing the various VNC clients is pretty much the same procedure, so refer back to the earlier pages of this article if you run into any dilemmas or problems while setting it up.
Throughout this section I am going to assume that you have the TightVNC server installed correctly. What follows is a how-to for setting up an SSH tunnel to secure your VNC connection(s). I will refer to the SSH server as SSHd (the daemon) from here on.
Before we move on, what is SSH? Secure Shell is a network protocol that establishes an encrypted, authenticated channel between an SSH client and an SSH server. Everything sent through that channel is encrypted and integrity-protected, so anyone sitting between the two machines can neither read nor silently alter the traffic, which is exactly what an unprotected VNC session lacks. The client also checks the server's host key, which is what stops somebody from impersonating your server: when PuTTY shows you an unknown host key on the first connection, compare it with the fingerprint on the server itself rather than just accepting it. All in all, it means security!
First of all, you need to allow inbound TCP connections on port 22 so SSH can reach the server. On the server this is probably the Windows Firewall (if you have Windows XP with Service Pack 2): go to 'Exceptions', add port 22 as a TCP port and name it SSH. If you have a router (D-Link, Linksys, SMC, Sitecom, etc.) then don't forget to set up port forwarding: go to your router's configuration screen (usually 192.168.1.1) and forward TCP port 22 to the internal IP address of the server on which SSHd will run. Port 22 is the only port you need to open. Do not add a firewall exception or a router forward for 5900: the whole point of the tunnel is that VNC traffic enters the server through SSH, and a VNC server that is also reachable directly on 5900 gains nothing from the tunnel. If your TightVNC version has an option to accept only loopback connections, enable it once the tunnel works.
Now you're ready on the network level, but you still need the software: OpenSSH. It is open source, free and, I dare say, the best SSH implementation around; it provides both the client and the server (sshd). On Windows you can either run the latest OpenSSH daemon under Cygwin (a POSIX compatibility layer that lets Linux software run on Windows) or download a slightly older build of the server that runs on Windows natively. If you choose Cygwin, I invite you to take a look at this guide; it's an awesome how-to that explains and illustrates how to set up and install SSHd on Cygwin. Do that only if you want to get into Cygwin and experiment.
Nonetheless, we're lucky because there is copSSH. It's a pre-made installation package that installs both Cygwin and an OpenSSH daemon, configures them, sets up the account information and starts the service, all automatically. There's little to nothing that you actually need to do. You can download it from the official project page at SourceForge or from the Softpedia mirror.
Once you've downloaded it, just install it. After installation you need to activate a user: Start -> Programs -> COPSSH -> "1. Activate a user." Select your username (I assume it is Administrator), leave the command shell at "/bin/bash" and click 'Next.' Type in your passphrase and hit 'Activate.' A message box will then state: "User Administrator is activated successfully and can establish an ssh connection to this machine now." After this stage your SSHd is up and running. One caveat: port 22 is now reachable from the Internet and will see password-guessing attempts, so it is better to activate a dedicated standard (non-administrator) account with a long password or passphrase and use that for the tunnel. The tunnel only needs an account that can log in and forward a port, nothing more.

Now the server side is all set. On your remote computer install the TightVNC viewer and an SSH client; in our case that will be PuTTY, which I wholeheartedly recommend. It's a great SSH and Telnet client. Download the latest release for Windows from the PuTTY site.
Extract PuTTY to a specific place and run it. The Configuration window will appear. In the "Session" category, type the EXTERNAL IP address of your server at 'Host Name'. Leave '22' as the port and 'SSH' as the connection type. Save this session under a name such as "Server". This is crucial. If the server is the same system on which you're running PuTTY, use the loopback address 127.0.0.1 instead; otherwise use the external IP.
That scenario, PuTTY on the same machine as the SSH server, only makes sense for testing; when you connect from a remote computer you are by definition not on the server, so you should never need 127.0.0.1 as the host name for a real connection. If you do want to test locally, don't forget to tick "Allow loopback connections" in the TightVNC server configuration. Note that the same setting is needed in the normal case too whenever the tunnel's destination is 127.0.0.1:5900 (see below): the VNC server then sees the connection arriving from SSHd on its own loopback interface, not from your laptop.
Drifting back to PuTTY, select "Connection" -> "SSH" -> "Tunnels" in the list on the left. Type 5900 (TightVNC's default port, display 0) at 'Source port' and 192.168.XXX.XXX:5900 at 'Destination', replacing the X's with the internal IP address of your TightVNC server. If SSHd and TightVNC run on the same computer/server, the destination is 127.0.0.1:5900, and the TightVNC server needs "Allow loopback connections" ticked. Leave the rest at Auto and Local, then hit "Add." Two caveats: the destination is reached from the SSH server, not from your laptop, so if the VNC server is a different LAN machine that last hop travels unencrypted across your LAN (the tunnel protects only the Internet leg); and if the laptop itself runs a VNC server on port 5900, pick another source port such as 5901 and point the viewer at that port later.
In the screenshot below I'm assuming that the SSH server (SSHd) is on the same computer as your TightVNC server, so I've set up forwarding via the loopback address. Since most people will have only one server, SSHd will usually be running on the same system as the VNC server, so this is by far the most common case.

That's all; click "Open." PuTTY connects to your server and prompts you to log in; use the credentials of the account you activated in copSSH. Leave that PuTTY window open: the tunnel exists only as long as the SSH session does. Then run the TightVNC viewer and connect to 127.0.0.1 (127.0.0.1:0 in VNC display notation, or 127.0.0.1::5900 if you want to give the port explicitly), not to your server's address! If you chose a different source port in PuTTY, give that port instead.

The above sketch illustrates the whole SSH tunneling procedure in a nutshell. In this scenario I will call the server 'Server' and your remote client computer 'Remote Laptop' (the machine from which you want to view your server). Both the TightVNC server and SSHd run on your 'Server,' obviously.
On your 'Remote Laptop' you start PuTTY (your SSH client) and point it at your Server's external IP address as Host Name, but you also configure port forwarding so that a port on the laptop is carried through the SSH session and, from the SSH server, delivered to the VNC server (via loopback if both are on the same machine; via an internal network address such as '192.168.X.X' if they are on different machines). Once PuTTY is connected, you start VNC Viewer on the laptop and let it connect to the forwarded port; since PuTTY is listening on the laptop, that means loopback again.
Picture the flow of data: VNC Viewer on the laptop connects to PuTTY on 127.0.0.1:5900; PuTTY encrypts everything and sends it through the SSH session; SSHd on the Server decrypts it and hands it to the VNC server on port 5900; replies take the same path in reverse. Nothing crosses the network between laptop and Server except the SSH session. Now I really hope that it makes sense.
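As an added example (not code from the original article or from the PuTTY, TightVNC or copSSH projects), the following POSIX shell script ties the configuration above together: it composes the plink command line that is equivalent to the PuTTY session and tunnel settings, refuses a forward destination that is neither loopback nor a private LAN address (because the SSHd-to-VNC leg is not encrypted), prints the address to type into the viewer, and checks "netstat -an" output for a VNC listener that is reachable without the tunnel. It runs under the Cygwin bash that copSSH installs on the server (where the netstat check belongs) or under any Linux shell on the client. The user name, the external address 203.0.113.10 and the two netstat samples are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article.  Assumptions:
# 203.0.113.10 stands in for the server's external IP and
# "Administrator" for the account activated in copSSH.

# is_private_dest ADDR: the hop from SSHd to the VNC server is not
# encrypted, so only loopback or RFC 1918 LAN addresses are acceptable
# as the forward's destination.
is_private_dest() {
    case "$1" in
        localhost|127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# tunnel_command USER SERVER LOCAL_PORT VNC_HOST [VNC_PORT]
# Prints the plink (PuTTY's command-line twin) invocation equivalent to
# the GUI settings: Host Name=SERVER, port 22, SSH, and a Local tunnel
# with Source port=LOCAL_PORT and Destination=VNC_HOST:VNC_PORT.
# -N opens no shell, only the forward.  With OpenSSH's ssh use -p, not -P.
tunnel_command() {
    user=$1; server=$2; lport=$3; vhost=$4; vport=${5:-5900}
    if ! is_private_dest "$vhost"; then
        echo "refusing to forward to $vhost: the SSHd->VNC leg is unencrypted" >&2
        return 1
    fi
    printf 'plink -N -P 22 -L %s:%s:%s %s@%s\n' "$lport" "$vhost" "$vport" "$user" "$server"
}

# viewer_target LOCAL_PORT: what to type into the TightVNC viewer on the
# laptop.  host::port is TightVNC's syntax for an explicit TCP port.
viewer_target() {
    printf '127.0.0.1::%s\n' "$1"
}

# vnc_exposed PORT < netstat-output
# Reads Windows "netstat -an" output and prints every LISTENING socket on
# PORT bound to anything other than loopback, i.e. reachable without the
# tunnel.  Exit status 0 = exposed, 1 = loopback only (or not listening).
vnc_exposed() {
    awk -v p="$1" '
        $1 == "TCP" && $4 == "LISTENING" {
            n = split($2, a, ":"); lport = a[n]
            addr = substr($2, 1, length($2) - length(lport) - 1)
            if (lport == p && addr != "127.0.0.1" && addr != "[::1]") {
                print $2; found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample of "netstat -an" output from a server where TightVNC
# listens on all interfaces and SSHd on port 22.
SAMPLE_EXPOSED='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    [::]:5900              [::]:0                 LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING'

# Constructed sample from the same server after TightVNC was restricted
# to loopback connections only.
SAMPLE_LOOPBACK_ONLY='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    [::1]:5900             [::]:0                 LISTENING'

# Demo: the command line for the common case (SSHd and VNC on one box),
# the viewer address, and the exposure check on both samples.
# On the real server run:  netstat -an | vnc_exposed 5900
tunnel_command Administrator 203.0.113.10 5900 127.0.0.1
viewer_target 5900
printf '%s\n' "$SAMPLE_EXPOSED" | vnc_exposed 5900 \
    && echo "VNC is reachable without the tunnel: block 5900 or bind it to loopback"
printf '%s\n' "$SAMPLE_LOOPBACK_ONLY" | vnc_exposed 5900 \
    || echo "VNC listens on loopback only: the tunnel is the sole way in"
```

The exposure check is the part worth keeping around: run it on the server every time the firewall or the TightVNC configuration changes, because a tunnel in front of a VNC server that still answers on 0.0.0.0:5900 protects nothing.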
Final Words
This article should help you understand the different ways of securing your VNC connections, and you should also have gained a basic understanding of SSH tunneling. You might already see its benefits for other applications too, from FTP transfers to instant messaging: any TCP connection can be tunneled through SSH this way (FTP is awkward because of its separate data connections; for file transfer, the SFTP and SCP that come with SSH are the better choice). Yet many people still neglect it.
This part of the series focused only on Microsoft Windows, but what if you're running Linux? Have no fear! Stay tuned for the next part of this article, which will focus only on Linux. I'm sure you don't want to miss it. The main ideas will be similar: setting up a VNC server, SSH tunneling, viewing your VNC server from a remote Linux machine, and some additional information.
Good luck and see you at Dev Shed for the second part!
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.