On Aug 21, 2008, at 12:12 PM, Peter Bunn wrote:

The previous problem regarding port redirection has been solved and I'm
now running VNC over an SSH tunnel.

(Wow, huh?)

For whatever reason, efforts to use a non-standard VNC port in
conjunction with the tunnel failed, and I was advised to revert to port
5900... which I did... and all worked as hoped.

Though I did finally check "Only accept connections from the local
machine.", this was only a precaution after changing the port number in
RealVNC config back to 5900.

I have since closed the 5900 firewall port, and am running VNC on the
tunneled connection only.

In time, I will try to post a detailed 'how to' for my specific
circumstances, but it may be a while in coming.


I like to give out free SSH advice when I can, because I think everyone should use it. :-)

It's good to hear about CopSSH, because I've been looking for a good SSH *server* for the PC (now that I don't need it. :-)).

The general rule of tunneling with SSH is to do most of the steps you already did (and, yes, I know you have it working now; this is for the archives. ;-)):

1) SSH with no tunneling
2) use 'telnet' to see if the port connects, or if you're having a client-based issue.
3) Turn on verbosity on the client (-vvv is best, as it shows EVERYTHING) to see what SSH is doing.

Some thoughts on what you did: The port you tunnel *TO* is not tied to the one you tunnel *FROM*. I.e., you used 23456 for both. That's not necessarily a good port to use, since it's in a range used by processes for random things (called ephemeral ports, these are all over the map), depending on the system (but I'm pretty sure PCs use that range). Also note, you don't have to go wild.

My strategy is to use 590N on client machines (just not the default, if I can avoid it, and sometimes I can't -- this is in case somehow the default port is enabled on routers), and then on my Mac I assign remote hosts numbers starting at 50. Since I have LOTS of machines I tunnel to, this allows me to build a static list of hosts as localhost:XX for individual hosts. I also use a config file to make the tunneling happen that much easier. For example, I have this section in my config file (~/.ssh/config):

# Friend XYZ
host XYZ
 hostname ABC.dyndns.info
 localforward 5955 localhost:5900
 compression yes
 ForwardX11 no

Then, I just ssh to XYZ (which can *LITERALLY* be XYZ) which will connect to host ABC.dyndns.info and forward port 5955 (locally) to his machine's 5900 (a Mac running a VNC server).

Some clients (I don't know about the RealVNC viewer on a mac, since I don't have the Enterprise version) get confused by port numbers (some convert things below 50 or 100 as "displays", and everything else as ports, some simply use it as a "display" number (i.e., if you connect to localhost:1000, you'll get 5900 (base display) plus 1000 (display) or port 6000 (which is X, which won't work. ;-))).

So, if you use 'telnet' to confirm a connection, you'll skip the client problem above. I.e., once you SSH to the remote host, you can do this:

{723}([EMAIL PROTECTED]) -> : telnet 127.0.0.1 5955
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.003
^]
telnet> close

Which shows the port being open, and connecting to an RFB server.

If you get this:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.


It's because you managed to connect to the SSH tunnel (hence the "connected to" message), but the SSH tunnel couldn't complete the other side. You'll get this message in the SSH output:

channel 3: open failed: connect failed: Connection refused


With ssh -vvv you'll see this:

....
debug1: Local connections to LOCALHOST:5955 forwarded to remote address localhost:5901
debug3: channel_setup_fwd_listener: type 2 wildcard 0 addr NULL
debug1: Local forwarding listening on ::1 port 5955.
debug2: fd 5 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 5955.
....
debug2: fd 10 setting TCP_NODELAY
debug3: fd 10 is O_NONBLOCK
debug3: fd 10 is O_NONBLOCK
debug1: channel 3: new [direct-tcpip]
channel 3: open failed: connect failed: Connection refused
debug1: channel 3: free: direct-tcpip: listening port 5955 for localhost port 5901, connect from 127.0.0.1 port 61305, nchannels 4
debug3: channel 3: status: The following connections are open:
  #2 client-session (t4 r0 i0/0 o0/0 fd 7/8 cfd -1)
#3 direct-tcpip: listening port 5955 for localhost port 5901, connect from 127.0.0.1 port 61305 (t3 r-1 i0/0 o0/0 fd 10/10 cfd -1)

debug3: channel 3: close_fds r 10 w 10 e -1 c -1


Which should tell you almost everything you could possibly want to know about the connection problem.

Sean
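The two checks Sean describes above (telnet to the forwarded port to see whether an RFB banner comes back, and reading the ssh -vvv output to find which forward failed and why) as one small Python diagnostic. This is an added example, not code from the post, from RealVNC or from OpenSSH: the ssh debug text is copied from the post's own output, the local listeners are constructed stand-ins so it runs offline, and the function names are my own.

```python
import re
import socket
import threading

# ssh -vvv lines as they appear in the post above, constructed into one string.
SAMPLE_SSH_DEBUG = """\
debug1: Local forwarding listening on 127.0.0.1 port 5955.
debug1: channel 3: new [direct-tcpip]
channel 3: open failed: connect failed: Connection refused
debug1: channel 3: free: direct-tcpip: listening port 5955 for localhost port 5901, connect from 127.0.0.1 port 61305, nchannels 4
"""

FWD_RE = re.compile(r"listening port (\d+) for (\S+) port (\d+)")
FAIL_RE = re.compile(r"channel \d+: open failed: (.+)")


def explain_ssh_debug(log):
    """Pull the forward spec and any open failures out of ssh -vvv output.

    Returns ((local_port, remote_host, remote_port) or None, [failure reasons]).
    'connect failed: Connection refused' means ssh accepted the local connection
    but the *remote* end refused the forwarded target, i.e. nothing (no VNC
    server) is listening on remote_host:remote_port.
    """
    forward, failures = None, []
    for line in log.splitlines():
        m = FWD_RE.search(line)
        if m and forward is None:
            forward = (int(m.group(1)), m.group(2), int(m.group(3)))
        m = FAIL_RE.search(line)
        if m:
            failures.append(m.group(1).strip())
    return forward, failures


def probe_forwarded_port(host, port, timeout=3.0):
    """Classify what sits behind a (possibly forwarded) local TCP port.

    Same idea as the telnet check, with no VNC client to confuse things:
      'refused'     - nothing listening locally: the ssh tunnel is not up
      'tunnel_dead' - connected, then closed with no data: ssh accepted the
                      connection but could not reach the remote side
      'rfb'         - an RFB (VNC) server answered with its version banner
      'other'       - something answered, but it is not RFB (or stayed silent)
    Returns (verdict, first_bytes).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(12)  # RFB version banner is 12 bytes, e.g. b"RFB 003.003\n"
            except socket.timeout:
                return "other", b""
    except ConnectionRefusedError:
        return "refused", b""
    if not data:
        return "tunnel_dead", b""
    if data.startswith(b"RFB "):
        return "rfb", data
    return "other", data


def start_fake_listener(banner):
    """Constructed stand-in for the far end so the example runs offline.

    Accepts one connection on 127.0.0.1 (ephemeral port). With a banner it acts
    like a VNC server; with banner=None it accepts and closes at once, which is
    what an ssh local forward does when the remote connect fails. Returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
                conn.settimeout(1.0)
                try:
                    conn.recv(1)  # give the client time to read before closing
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port():
    """Return a 127.0.0.1 port with no listener, to demonstrate the 'refused' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("ssh debug:", explain_ssh_debug(SAMPLE_SSH_DEBUG))
    print("vnc-like listener:", probe_forwarded_port("127.0.0.1", start_fake_listener(b"RFB 003.003\n")))
    print("tunnel, far end refused:", probe_forwarded_port("127.0.0.1", start_fake_listener(None)))
    print("no tunnel at all:", probe_forwarded_port("127.0.0.1", unused_local_port()))
```

Run it against a real tunnel by pointing probe_forwarded_port at the localforward port (5955 in Sean's config); 'tunnel_dead' plus the 'connect failed' line from explain_ssh_debug together say the tunnel is fine and the problem is the remote port, which is the case the post walks through.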
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
