VNC over SSH for secure connections

Published by TheJoe on

Estimated reading time: 2 minutes


This article was published more than a year ago, there may have been developments.
Please take this into account.

Today we see how to control a remote machine via gui with VNC through a secure SSH tunnel.

For those who don't know, in a nutshell, VNC (Virtual Network Computing) is a remote display system that allows you to see an environment “desktop” (GUI) running not only on the machine it is running on, but anywhere from the internet from a large variety of architectures.

SSH (Secure SHell) instead it is a program for logging in and executing commands on a remote machine. The communication takes place in encrypted form (tunneling) between two unreliable hosts on even different networks. X11 connections and TCP/IP ports can be addressed via SSH.

And it is X11 that we want to route in the SSH tunnel. This way we will have an insecure X11 connection inside a secure SSH tunnel (making the whole operation safe).

In the end it is not a complex operation. We need to instruct SSH to create a local tunnel that forwards localhost on the port 5901 to the same port on a remote machine, but through the default SSH port (22). The essential requirement is therefore access to the remote machine via the port 22. Let's pay attention, then, also at port-forwarding sul router, to physical firewalls and to any firewall software (iptables) installed on clients and servers. Without, the procedure cannot work.

What is needed?

On the local machine:

  • OpenSSH
  • VNC Viewer (any VNC viewer)

On the remote machine:

  • OpenSSH server
  • VNC server

The installation is very basic. For Debian and derivatives:

~# apt install openssh vnc-server vnc-viewer

Derived from RedHat:

~# yum install openssh-server openssh-clients vnc-server vnc-viewer

We can use any VNC viewer. I prefer to use the classic viewer present in the repositories.

Look here:  Mount the local remote FTP with "curlftpfs"

Create the SSH tunnel

The first thing to do is create the encrypted connection that routes packets from localhost (porta 5901) all’host remoto (porta 5901) through the door 22. We do this in a single command:

~$ ssh -L 5901:localhost:5901 user@REMOTE_IP

With user we mean the existing user on the remote machine, with REMOTE_IP we mean the remote IP of the machine we want to connect to. Caution: root is not always configured to accept incoming SSH connections.

If this is your first time sshing to that host, you will be asked if you want to add that particular host to the known hosts list.: ~/.ssh/known_hosts.

At this point you need to enter the password of the user registered on the remote machine to which we want to connect.

For an even more secure connection it would be advisable to use SSH authentication on keys. Maybe I'll talk about it in some article later.

Connect the VNC client

Now we need to activate the VNC client. As already said it doesn't matter which one you use, what matters is the address you use to establish the connection. Instead of writing the IP of the remote machine we will have to write localhost:5091. This is because we have already created a tunnel from the client:5901 the server:5901. Once we connect with localhost the VNC client will use the newly created SSH tunnel to connect to the server on the port 5901.

Although there are clients that integrate the SSH function within the VNC viewer, this is the simplest method to understand what happens when we forward a data flow over SSH.


I keep this blog as a hobby by 2009. I am passionate about graphic, technology, software Open Source. Among my articles will be easy to find music, and some personal thoughts, but I prefer the direct line of the blog mainly to technology. For more information contact me.


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.