Vino-server and ssvnc through router? [SOLVED]

Questions about Wi-Fi and other network devices, file sharing, firewalls, connection sharing etc
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Locked
Doranwen
Level 3
Level 3
Posts: 161
Joined: Mon Nov 05, 2012 1:53 am

Vino-server and ssvnc through router? [SOLVED]

Post by Doranwen »

I'm currently running Mint 18.1 Mate 64-bit on this desktop. The previous 'net setup at my house involved a dedicated computer that acted as firewall/webserver/FTP host/etc. in between the 'net and our computers. We are now transitioning to a more standard setup with a router, and I'm absolutely stumped as to how to remotely access my two computers (the other runs an older version of Mint for specific software compatibility but is otherwise identical - both vino-server and ssvnc run basically the same on each computer) through the router. I have vino-server installed on both and successfully accessed them through the previous setup with the internal IP and port for the host (such as 192.168.1.160:5900), the password for my account on the host computer, and my website's domain name and the account on that computer as the gateway/proxy (such as accountname@domain.com).

Currently my website is down (though I'm still hoping to keep it running on a computer behind the firewall) and is low priority for me but getting the remote access working again is much higher. What steps would I need to take to get through the router and log into my computers using ssvnc? The router I have is a Netgear R7000P and I'm quite comfortable setting up port forwards on it (it can also do port triggers but I haven't needed that yet). I understood the previous setup in terms of what I was entering where to do what, but am having a hard time figuring out what I'd need to configure to get this new one to work correctly, since the router is not a server in the same way and can't be ssh-ed into as such.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
User avatar
smurphos
Level 18
Level 18
Posts: 8501
Joined: Fri Sep 05, 2014 12:18 am
Location: Irish Brit in Portugal
Contact:

Re: Vino-server and ssvnc through router?

Post by smurphos »

The way I would approach this is to use custom ports on the router to accept the incoming connection and have port forwarding set up to forward the connections to the appropriate machine. I'm assuming you've still got a way to determine the routers WAN IP address, and use fixed addresses for the LAN

to connect to machine 1 you target your router WAN IP address at port xxxx - router portforwards that to machine 1 LAN IP port 5900/5901
to connect to machine 2 you target your router WAN IP address at port yyyy - router portforwards that to machine 2 LAN IP port 5900/5901

for xxxx and yyyy I'd probably just pick a couple of random ports > 49152
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
Doranwen
Level 3
Level 3
Posts: 161
Joined: Mon Nov 05, 2012 1:53 am

Re: Vino-server and ssvnc through router?

Post by Doranwen »

Yeah, the two computers have fixed IPs on the LAN, and identifying the router's WAN IP is a piece of cake. Port forwards are set up - but I'm still not sure exactly what to type in the SSVNC boxes to get it to go through. I assume VNC Host:Display would be InternalIP:InternalPort, right? And VNC Password is still the password for the computer I'm trying to access. Proxy/Gateway... am I typing in ExternalIP:ExternalPort or what? I'll try it today when I get to the remote computer but that's definitely where I feel like I'm doing something wrong, I just don't know what.
Last edited by Doranwen on Thu Apr 26, 2018 11:36 am, edited 1 time in total.
User avatar
smurphos
Level 18
Level 18
Posts: 8501
Joined: Fri Sep 05, 2014 12:18 am
Location: Irish Brit in Portugal
Contact:

Re: Vino-server and ssvnc through router?

Post by smurphos »

Doranwen wrote: Thu Apr 26, 2018 11:25 am Yeah, the two computers have fixed IPs on the LAN, and identifying the router's WAN IP is a piece of cake. Port forwards are set up - but I'm still not sure exactly what to type in the SSVNC boxes to get it to go through. I assume VNC Host:Display would be InternalIP:InternalPort, right? And VNC Password is still the password for the computer I'm trying to access. Proxy/Gateway... am I typing in ExternalIP:ExternalPort or what? I can try it today but that's definitely where I feel like I'm doing something wrong, I just don't know what.
ExternalIP:ExternalPort should work for the VNC Host - the router portforward should take care of the rest. Password as normal.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
Doranwen
Level 3
Level 3
Posts: 161
Joined: Mon Nov 05, 2012 1:53 am

Re: Vino-server and ssvnc through router?

Post by Doranwen »

*crosses fingers* I'll know in like two or three hours, then. Will report results when I get home.
Doranwen
Level 3
Level 3
Posts: 161
Joined: Mon Nov 05, 2012 1:53 am

Re: Vino-server and ssvnc through router?

Post by Doranwen »

Unfortunately I get the following: ssh_exchange_identification: Connection closed by remote host

No idea what to do with this... I know vino-server's running just fine on both of the remote computers, and it worked beautifully with the previous setup, but something's having a fit with the way I have it set up. I double-checked that I set up the port forwarding correctly.
User avatar
smurphos
Level 18
Level 18
Posts: 8501
Joined: Fri Sep 05, 2014 12:18 am
Location: Irish Brit in Portugal
Contact:

Re: Vino-server and ssvnc through router?

Post by smurphos »

So I guess there some SSH parameters saved somewhere in SSVNC? - I'm not familiar with it as a client.

It is actually tunnelling VNC via SSH? Do you need to specify SSH ports anywere in it's settings? It might be that you need SSH portforwards set up rather than VNC, or need to set up openSSH on both the target machines if the former web-server was handling this before.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
Doranwen
Level 3
Level 3
Posts: 161
Joined: Mon Nov 05, 2012 1:53 am

Re: Vino-server and ssvnc through router?

Post by Doranwen »

Hmm, this shows all the SSVNC options I could find: https://imgur.com/a/XEhJLLl

The top pic shows both the main window (where you enter port/path stuff) and the standard Options dialog. The latter has a button for advanced options, which is the second pic.

I do know it used SSH to get into the computers before - the former webserver had an approved IPs list so I could only access it from the machines I told it to, to block SSH attempts from random hackers and whatnot. The remote access wouldn't work if I selected anything other than the SSH option. How would that affect the port forwards set up? (And does that mean that yes, I do need to install openSSH on both target machines?)

Honestly, I don't actually care if I set it up the same way as before, as long as remote access does work. So if that means veering away from SSH, so be it. I know we used SSVNC because it had the SSH option - and it was easy to work with and looked nice (I think there was one other client I tried that had the worst mouse options ever and I gave up on it real fast) - but I'm game to try something else if that's just not going to work, or if it's safer or much easier to go with something else.
User avatar
smurphos
Level 18
Level 18
Posts: 8501
Joined: Fri Sep 05, 2014 12:18 am
Location: Irish Brit in Portugal
Contact:

Re: Vino-server and ssvnc through router?

Post by smurphos »

It is probably a good idea to - VNC isn't a very secure protocol, but if you tunnel it through SSH then it's OK.

I've got a set up with openSSH and x11vnc as the VNC server on an XFCE machine. x11vnc isn't always running - the initial SSH login includes a command to launch x11vnc and tunnel the server back to the client. On the client machine I use whatever VNC client software available and connect to localhost:5900. If I fail to connect to VNC within 60 seconds or connect and then close down x11vnc shuts down automatically.

The command looks like this. As I've only got one machine I might connect to I use the default SSH port and portforward it to that machine, but you can do the same thing as discussed and use a couple of random ports and then portforward them to the SSH ports on the target machines.

ssh EXTERNALIP -C -L 5900:localhost:5900 "x11vnc -safer -localhost -once -timeout 60 -nopw -auth guess -display :0 -noxdamage"

Sorry I can't link you to a straightforward tutorial on this - when I originally set it up I kind of pieced it together from various sources and didn't take notes... :oops:
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
Doranwen
Level 3
Level 3
Posts: 161
Joined: Mon Nov 05, 2012 1:53 am

Re: Vino-server and ssvnc through router?

Post by Doranwen »

Sorry for the delayed response - been dealing with insane schedules and illness. Thanks for trying to help with what you could. It did help me along the way, and while vino-server's not secure in and of itself, I think I can set up port forwards for ssh properly such that it'll only take SSH tunneling. The more I ponder and work on it, the more I figure things out. When I know I've done it successfully, I'll come back and post my solution so anyone else trying to figure this out can try the same thing.
Doranwen
Level 3
Level 3
Posts: 161
Joined: Mon Nov 05, 2012 1:53 am

Re: Vino-server and ssvnc through router?

Post by Doranwen »

Last weekend I figured it out and got it working! So for anyone else who'd like to set up a secure VNC with SSH tunneling (because if you run vino-server on recent versions of Mint, the encryption isn't compatible with any viewer, or something like that), here's the steps I went through:

1) Pick a port number to use externally (I'll choose 10100 for this example).
2) Set up a port forward on the router to map that external port to port 22 on the computer you want to remote access. I set my computers to static internal IPs, which is essential for the port forwarding. To be able to access more than one computer, just pick a different external port for each one--though leave port 22 as internal on each--and remember which computer got which port.
3) Install openssh-server on each machine you want to access remotely. (I only wanted to access Linux machines, so this works just fine for me.)
4) Install ssvnc on any machine you want to use as a client. (Note that due to the missing password option on the Windows version of ssvnc, you can only use this on Linux or Mac clients if you set a password on vino-server.)
5) Turn off encryption on vino-server so it won't fail due to the mismatch:

Code: Select all

sudo gsettings set org.gnome.Vino require-encryption false
6) Run vino-preferences and set the password you want (as well as any other options, such as not requiring confirmation to allow access).
7) Run vino-server, and login remotely with the following settings on ssvnc:
VNC Host:Display: 127.0.0.1:5900
Password: whatever password you set on vino-server
Proxy/Gateway: externalIP:10100

Note that if you have a second computer, one of them will be assigned 5901 instead of 5900 (you can see this when you start vino-server running), so you'll need to change the port numbers on both lines to match whichever computer you're accessing.

Even with the unusual port number, you could still get hammered by hackers, so I recommend modifying your hosts file to block all ssh traffic other than from the IP addresses you will be accessing it from. If you won't always know that, you might have to set up a more complicated IP blocking system, which is far beyond my knowledge. Since I'm always remoting in from the same location, which tends to keep the same IP address unless there's a major power outage (which is very rare), I figured it was easy enough to set that IP into each computer's hosts file and change it if need be.
Locked

Return to “Networking”