Gentoo Wiki






This is a basic example of how to create an SSH tunnel for VNC. This is very similar to SSH Reverse Tunnel but instead of tunnelling through to the Destination SSHD, I am tunnelling through to a VNC server.

The purpose of doing this is so that I can connect to my VNC Server running on Machine 1 from the outside internet (Machine 3) securely and without having any ports open to Machine 1, i.e. I don't want the VNC port sitting open for anyone to connect to.

Originally written by leritzi. Feel free to clean it up -- I'm not an English major.

Current Setup

Before we do anything, this is what we have:

Machine 1 and Machine 2 are sitting behind the same router.

Install SSH on Machine 2

You'll need to install SSH on Machine 2. I also think it is best to run through the securing-your-box page, GWikInstall Essential Daemons#Securing_SSH, as your Machine 2 will be reachable over SSH by anyone on the outside.

Once you've got all that set up, you'll need to forward port 22 (the default SSH port) on your router to point at your Machine 2. You'll need to use a static IP on Machine 2 for this.

Install VNC Server on Machine 1

Just install and run – easy as that. Just make sure the VNC ports aren't being forwarded by your router, as you don't really want the ports on Machine 1 exposed to the internet.


OK, now that all the setup and install is done, let's go on to how to connect. This part is broken down into two choices:

1. Connecting from a Windows Machine
2. Connecting from a Linux Machine

Connecting from a Windows Machine

What I do is keep a copy of PuTTY and a VNC client on my pen drive for quick access.

One thing that is a pain in the ass with PuTTY is that it stores its settings in the registry. This is painful when you don't have permission to write to the registry or are always on a different machine. There is a version of PuTTY which has been modified to keep its settings in an ini file for easy use. I haven't used this myself – but I will once I get around to it.

Setting up PuTTY

Note: If I haven't mentioned a setting in the following, I've left it as the default PuTTY value.

Enter your host name and the port you decided to use for SSH (the default port is 22). You may want to set up a dyndns account if you are using a dynamic IP address. Go here:


In most cases Machine 3 probably won't be behind a proxy. In my case it is. Anyway, check out the screenshot for details if you think you need this. The settings are actually for the proxy at my university; your case won't be the same. You'll have to look these details up somewhere. If you're lucky you might be able to check the IE options for proxy details, though sometimes automatic scripts are used.


Creating Tunnel

For my case my VNC server is on Machine 1 sitting at on port 5900 (default VNC port). Note that this is an internal IP address; we don't want this computer accessible direct from the outside.


In the screenshot I've used: Source Port: 5901 Destination: (Address of VNC Server)

So it tunnels port 5900 on Machine 1 (Destination) to the computer you're running PuTTY on. Source port 5901 means that PuTTY will listen on local port 5901, where the VNC viewer connection will be accepted. Don't forget to press ADD!

Now save your settings and press connect. If all is well you should get a login prompt for your Machine 2. If an error occurs, retry without the tunnel, just to check that you can connect to that machine. If you still have problems, you've probably messed up the config or something else is blocking the connection, depending on the error.

Connecting VNC

Once you've logged in and are sitting at a shell, leave that running, open up your VNC Viewer and type the following:

Server = localhost:1

Then press OK! Here, 1 means to connect to local port 5901, since VNC server ports start from port 5900.

If all is successful you should be sitting at the desktop of your Machine 1.

Connecting From a Linux Machine

First, verify that you can connect from Machine 3 to Machine 2:

Code: Verify SSH connection
machine3 $ ssh username@machine2
machine2 $ exit

You should be prompted for the password. You may be prompted to accept the host key if you've never made this connection before.

To start the tunnel, run the following on Machine 3:

Code: Start the Tunnel
machine3 $ ssh -X -f username@machine2 -N -L 1111:machine1:5900

Here are the parts of the command in detail:

Optionally, -X enables X11 forwarding, which isn't used for this application.

After connecting, you should be asked for the password to establish the tunnel. Still on Machine 3, connect through the tunnel:

Code: Connect through the Tunnel
machine3 $ vncviewer localhost::1111

Note carefully the two colons, meaning 'port' rather than 'display'. You can also connect with a vncviewer GUI, specifying the same host::port string. You should be asked for the password.
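
The two viewer notations used above (localhost:1 and localhost::1111) and the goal of never exposing the VNC port can be checked with a few shell helpers. This is an added example, not part of the original wiki page: the function names are hypothetical, machine1, machine2 and port 1111 follow the page, the `ss` sample lines are constructed, and it assumes OpenSSH and iproute2's `ss` on Machine 3.

```shell
#!/bin/sh
# Added example. machine1, machine2 and port 1111 follow the page;
# the function names are hypothetical. Assumes OpenSSH and iproute2 `ss`.

# Map a VNC viewer address to the TCP port it dials, treating N as a
# display number as the page does:
#   host:N  -> 5900+N (localhost:1 -> 5901)
#   host::P -> P      (localhost::1111 -> 1111)
vnc_tcp_port() {
    case "$1" in
        *::*) echo "${1##*::}" ;;
        *:*)  echo $((5900 + ${1##*:})) ;;
        *)    echo 5900 ;;
    esac
}

# Read `ss -Hltn` output on stdin. Succeed only if PORT has a listener and
# every listener on it is bound to loopback, so other hosts on Machine 3's
# network cannot reach the VNC server through the tunnel.
loopback_only() {
    awk -v port="$1" '
        { n = split($4, part, ":")
          if (part[n] != port) next
          addr = substr($4, 1, length($4) - length(part[n]) - 1)
          seen = 1
          if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1 }
        END { exit (seen && !exposed) ? 0 : 1 }'
}

# Open the tunnel with the local end pinned to 127.0.0.1 and make ssh exit
# instead of backgrounding if the forward cannot be set up.
open_tunnel() {   # usage: open_tunnel username@machine2 [local_port]
    ssh -f -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${2:-1111}:machine1:5900" "$1"
}

# Constructed sample of `ss -Hltn` lines: a safe tunnel, then an exposed one.
sample_safe()    { echo 'LISTEN 0 128 127.0.0.1:1111 0.0.0.0:*'; }
sample_exposed() { echo 'LISTEN 0 128 0.0.0.0:1111 0.0.0.0:*'; }

# Typical session on Machine 3 (not run here):
#   open_tunnel username@machine2 && ss -Hltn | loopback_only 1111 \
#       && vncviewer "localhost::1111"
```

A wildcard listener (0.0.0.0, * or [::]) on the forwarded port usually means the tunnel was started with -g or with GatewayPorts enabled in the client configuration.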


Last modified: Sat, 06 Sep 2008 22:43:00 +0000 Hits: 16,620