
SSH and VNC - no love...

Discussion in 'Tomato Firmware' started by depornage, Jul 7, 2008.

  1. depornage

    depornage Network Guru Member

    I'm looking for help troubleshooting my inability to get VNC working across a SSH tunnel hosted on my Tomato-configured (v1.19) WRT54GS. While I can establish the SSH tunnel between the client and the router (for both a remote, WAN-based client and also a LAN-based client), the VNC connection always fails. I wonder if it's an issue with the router not forwarding properly, because I'm not seeing any evidence that the destination PC is ever being contacted.

    Here are my steps.

    ROUTER CONFIGURATION
    On Tomato Administration page in SSH Daemon section; Enable at Startup; enable Remote Access on Remote Port 2222; SSH Port 22; disable Allow Password Login ; enter Authorized Keys. On Tomato Port Forwarding page, added a rule to forward the VNC port 5900 to the destination PC, which I have configured a static IP for.

    DESTINATION PC (WinXP)
    PC is running WinVNC (VNC server). The PC is running Comodo software firewall, and I've opened a port for VNC and I've also enabled logging for all hits on that port. I VNC all the time within the LAN to remote control my Mac / PCs via direct connections (i.e., not through SSH tunnels) - so I know it works. Dynamic DNS is configured, I have an account at DynDNS.org.

    CLIENT MacBook
    I'm using the built-in OpenSSH to initiate the SSH tunnel with the router. I have my keys stored appropriately. I'm using a Mac VNC-client to try to connect to the VNC server - I've actually tried 2 different programs (Chicken of the VNC and Jollys) with the same result.

    ESTABLISH SSH TUNNEL
    On the Mac in a Terminal command-line window, I type the following to establish the tunnel from a remote WAN client location:
    ssh -L 5901:myhost.dyndns.org:5900 -p 2222 root@myhost.dyndns.org
    or, when the client is within the LAN:
    ssh -L 5901:myLANrouterIP:5900 root@myLANrouterIP

    In both cases, the SSH tunnel is successfully established between the Mac and the WRT54GS. The router log shows the connection has been established.

    Then I launch the VNC client program on the Mac and point it to 127.0.0.1:5901 (where SSH is listening) and get these results from the VNC client program: "Connection Terminated - the server closed the connection" and from the SSH tunnel in the Terminal window (full debug info displayed):

    # debug1: Connection to port 5901 forwarding to myhost.dyndns.org port 5900 requested.
    debug2: fd 9 setting TCP_NODELAY
    debug3: fd 9 is O_NONBLOCK
    debug3: fd 9 is O_NONBLOCK
    debug1: channel 3: new [direct-tcpip]
    channel 3: open failed: connect failed:
    debug1: channel 3: free: direct-tcpip: listening port 5901 for myhost.dyndns.org port 5900, connect from 127.0.0.1 port 52575, nchannels 4
    debug3: channel 3: status: The following connections are open:
    #2 client-session (t4 r0 i0/0 o0/0 fd 6/7 cfd -1)
    #3 direct-tcpip: listening port 5901 for myhost.dyndns.org port 5900, connect from 127.0.0.1 port 52575 (t3 r-1 i0/0 o0/0 fd 9/9 cfd -1)
    debug3: channel 3: close_fds r 9 w 9 e -1 c -1

    I'm not seeing anything in the logfiles on the destination PC. And, following the successful SSH connection, the router logfile doesn't show any forwarding activity - or any SSH activity, until I log out of the SSH session. Is there any other logfile (e.g., specifically related to the SSH daemon) I can look at that could show what the router is doing when the VNC call comes in? How else can I troubleshoot this?

    Thank you
     
  2. fryfrog

    fryfrog Network Guru Member

    I think your problem might be here. The IP between the : : should be the IP of the device you are trying to hit. For example, on my network I use...

    Code:
    ssh -L 3389:10.0.1.11:3389 -p 2222 root@mydomain.com
    
    This is actually for RDP, but the ports would simply change to your 5901 and 5900 (I used to use VNC, but switched to RDP recently). You can throw in as many "-L" forwards as you want, of course all using different ports. I'd also recommend static DHCP entries so you don't have to guess at IPs.
     
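The mechanism behind fryfrog's fix, as an added example that is not code from the thread or from OpenSSH: a toy Python model of what `ssh -L 5901:TARGET:5900 -p 2222 root@router` does. The ssh client listens on 127.0.0.1:5901, but for every connection it is the ssh server (the router) that opens the TCP connection to TARGET:5900, so TARGET is resolved and reached from the router's side and must be the VNC PC's LAN address; the router's own public name resolves to an address where nothing answers on 5900 from inside, which is what "channel 3: open failed: connect failed" in the debug output above reports. The "WinVNC" below is a constructed stand-in that only sends the RFB protocol-version banner, and all ports are ephemeral. It also shows the check a practitioner runs before blaming the VNC viewer: `nc 127.0.0.1 5901` against a working tunnel prints an `RFB 003.xxx` banner, while a dead forward closes the connection immediately. One caveat on the setup in the first post: once VNC goes through the tunnel, the Tomato port-forward of 5900 to the PC is unnecessary and leaves the VNC server reachable directly from the WAN, so it should be removed.

```python
# Added example (not code from the thread or from OpenSSH): a toy model of
# `ssh -L 5901:TARGET:5900 -p 2222 root@router`. The ssh client listens on
# 127.0.0.1:5901; for every connection the ssh *server* (the router) opens a
# TCP connection to TARGET:5900 and the two sockets are relayed. TARGET is
# resolved and connected from the router, so it must be the VNC PC's LAN IP.
# The "WinVNC" here is a constructed stand-in; all ports are ephemeral.
import socket
import threading


def serve_fake_vnc() -> int:
    """Stand-in for WinVNC: accept one client, send the RFB protocol-version
    banner a real server starts with, then hang up. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(b"RFB 003.008\n")
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """A local port with nothing listening: the analogue of pointing -L at the
    router's own public name, where no VNC server answers."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Relay bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(target_host: str, target_port: int) -> int:
    """Model of the ssh client's -L listener plus the server-side direct-tcpip
    channel open. Returns the local listening port. A target that refuses the
    connection is what the debug log calls 'open failed: connect failed'; the
    local client is simply closed, which a VNC viewer reports as 'the server
    closed the connection'."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def accept_loop():
        while True:
            client, _ = lsock.accept()
            try:
                remote = socket.create_connection((target_host, target_port), timeout=2)
            except OSError:
                client.close()  # channel open failed: nothing on TARGET:port
                continue
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def probe_tunnel(local_port: int, nbytes: int = 12) -> bytes:
    """The manual check: connect to the tunnel's local end and read the first
    bytes, as `nc 127.0.0.1 5901` would show. A working VNC tunnel yields the
    'RFB xxx.yyy' banner; a dead forward yields b'' (immediate EOF)."""
    buf = b""
    with socket.create_connection(("127.0.0.1", local_port), timeout=3) as s:
        while len(buf) < nbytes:
            chunk = s.recv(nbytes - len(buf))
            if not chunk:
                break
            buf += chunk
    return buf


def demo() -> dict:
    good = start_forwarder("127.0.0.1", serve_fake_vnc())  # -L ...:<VNC PC LAN IP>:5900
    bad = start_forwarder("127.0.0.1", closed_port())      # -L ...:<router's own name>:5900
    return {"good": probe_tunnel(good), "bad": probe_tunnel(bad)}


if __name__ == "__main__":
    print(demo())
```

Run it and the "good" tunnel returns the `RFB 003.008` banner while the "bad" one returns nothing, the same pair of outcomes the original poster saw before and after changing the middle field of `-L` to the PC's LAN address. With a real router, `ssh -v` plus `nc 127.0.0.1 5901` on the client side gives the same diagnosis without needing any extra logging on the router or the PC.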
  3. depornage

    depornage Network Guru Member

    I think that IS it - I just ran a test within the LAN and it worked. I'll run a remote test from the office later.

    THANKS!

    I think I was confused by the many examples I saw where the scenario must have had the VNC server running on the same device as the SSH server, so the 2 IPs in the SSH statement were the same. Though I thought I had tried this before...

    Out of curiosity, why did you switch to RDP (RDC) and why do you run it through SSH? Is it thought of as not secure enough?

    Thanks again -
     
