VNC through SSH Jumpbox

Work decided to send me on a trip, but I am working on projects on my home computer, that I need graphic access with. So over the weekend in preparation for this trip, I implemented some security and VNC access to my home machine.

First, a little backstory. (Skip ahead if you just want the solution.) For several months I was having computer trouble with my Hackintosh. Random hangs and freezes and crashing. This was a bit of a pain, but what really made it bothersome was the terminal sessions I had spawned and losing everything I had in those.

I had come to the conclusion that I should setup some sort of jump box, ssh in to that and then use tmux (or screen) to hop out to my other machines. This way, if my Desktop went down, I could pick up where I left off via the jump box.

Well now the crashing issues have been resolved, but I felt it good practice, as the jumpbox would be more reliable, and I could secure it better than I could on my Desktop. So as part of my VNC access to my desktop, I setup the jumpbox.

There’s nothing all that special about it as it stands. Just a fairly standard secure sshd_config. Then reconfiguring my router to port forward to the jumpbox instead of my Desktop.

The fun part of this was then figuring out tunnelling for the purpose of securing a VNC connection. Due to using a jumpbox, I am unable to create the tunnel directly on the desktop like every example ever presented on the subject.

Also, it would be nice to not ever actually ssh in to the jumpbox. So this led me to find the ProxyCommand option. Unfortunately, all the examples demonstrate setting up an ssh_config file but didn’t fully explain what exactly the options were, or how they would work on the command line.

To ssh directly in to my desktop, the follow could be run from the command line (obviously obfuscated):

$ ssh alan@ -o “ProxyCommand ssh alan@home.dynamicdns nc 22 2>/dev/null”

Running this command, you’ll be prompted for a password to the jumpbox, then again for the desktop.

OK, so now we have a working baseline for tunnelling through the jumpbox.

Now we just have to add the port forwarding.

$ ssh alan@ -o “ProxyCommand ssh alan@home.dynamicdns nc 22 2>/dev/null” -f -L 5903:localhost:5900 -N

Again, authenticate with the jumpbox and desktop. And now, connecting to port 5903 on the local machine will connect to the VNC server running on 5900 on the desktop machhine back at home. On a pretty typical linux setup, I would run something like:
$ vncviewer localhost:5903

And I can add any command line options as far as bit-depth and encoding.

$ vncviewer -AutoSelect=0 -LowColorLevel=2 localhost:5903

This automatically selects an encoding type, does 256 colors and connects to the VNC session.

Hope this helps out some people.

Leave a Comment

Your email address will not be published.