SSH and VNC - no love...

Discussion in 'Tomato Firmware' started by depornage, Jul 7, 2008.

  1. depornage

    depornage Network Guru Member

    I'm looking for help troubleshooting my inability to get VNC working across a SSH tunnel hosted on my Tomato-configured (v1.19) WRT54GS. While I can establish the SSH tunnel between the client and the router (for both a remote, WAN-based client and also a LAN-based client), the VNC connection always fails. I wonder if it's an issue with the router not forwarding properly, because I'm not seeing any evidence that the destination PC is ever being contacted.

    Here are my steps.

    On Tomato Administration page in SSH Daemon section; Enable at Startup; enable Remote Access on Remote Port 2222; SSH Port 22; disable Allow Password Login ; enter Authorized Keys. On Tomato Port Forwarding page, added a rule to forward the VNC port 5900 to the destination PC, which I have configured a static IP for.

    PC is running WinVNC (VNC server). The PC is running Comodo software firewall, and I've opened a port for VNC and I've also enabled logging for all hits on that port. I VNC all the time within the LAN to remote control my Mac / PCs via direct connections (i.e., not through SSH tunnels) - so I know it works. Dynamic DNS is configured, I have an account at

    CLIENT MacBook
    I'm using the built-in OpenSSH to initiate the SSH tunnel with the router. I have my keys stored appropriately. I'm using a Mac VNC-client to try to connect to the VNC server - I've actually tried 2 different programs (Chicken of the VNC and Jollys) with the same result.

    On the Mac in a Terminal command-line window, I type the following to establish the tunnel from a remote WAN client location:
    ssh -L -p 2222
    or, when the client is within the LAN:
    ssh -L 5901:myLANrouterIP:5900 root@myLANrouterIP

    In both cases, the SSH tunnel is successfully established between the Mac and the WRT54GS. The router log shows the connection has been established.

    Then I launch the VNC client program on the Mac and point it to (where SSH is listening) and get these results from the VNC client program: "Connection Terminated - the server closed the connection" and from the SSH tunnel in the Terminal window (full debug info displayed):

    # debug1: Connection to port 5901 forwarding to port 5900 requested.
    debug2: fd 9 setting TCP_NODELAY
    debug3: fd 9 is O_NONBLOCK
    debug3: fd 9 is O_NONBLOCK
    debug1: channel 3: new [direct-tcpip]
    channel 3: open failed: connect failed:
    debug1: channel 3: free: direct-tcpip: listening port 5901 for port 5900, connect from port 52575, nchannels 4
    debug3: channel 3: status: The following connections are open:
    #2 client-session (t4 r0 i0/0 o0/0 fd 6/7 cfd -1)
    #3 direct-tcpip: listening port 5901 for port 5900, connect from port 52575 (t3 r-1 i0/0 o0/0 fd 9/9 cfd -1)
    debug3: channel 3: close_fds r 9 w 9 e -1 c -1

    I'm not seeing anything in the logfiles on the destination PC. And, following the successful SSH connection, the router logfile doesn't show any forwarding activity - or any SSH activity, until I log out of the SSH session. Is there any other logfile (e.g., specifically related to the SSH daemon) I can look at that could show what the router is doing when the VNC call comes in? How else can I troubleshoot this?

    Thank you
  2. fryfrog

    fryfrog Network Guru Member

    I think your problem might be here. The IP between the : : should be the IP of the device you are trying to hit. For example, on my network I use...

    ssh -L 3389: -p 2222
    This is actually for RDP, but the ports would simply change to your 5901 and 5900 (I used to use VNC, but switched to RDP recently). You can throw in as many "-L" forwards as you want, of course all using different ports. I'd also recommend static DHCP entries so you don't have to guess at IPs.
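    The point fryfrog makes is that in an OpenSSH `-L localport:host:hostport` forward, `host` is resolved and connected to from the SSH server's side, so when the VNC server is a separate LAN machine it must be that machine's address, not the router's. The POSIX shell helpers below are an added example, not code from the thread or from Tomato; the function names, the private addresses (192.168.1.1 for the router, 192.168.1.10 for the VNC PC) and the use of the standard `-N` flag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the thread).
# build_tunnel_cmd LOCALPORT TARGETHOST TARGETPORT SSHUSER SSHHOST SSHPORT
# Prints an ssh command that listens on 127.0.0.1:LOCALPORT on the client and,
# via the SSH server at SSHHOST:SSHPORT, connects to TARGETHOST:TARGETPORT as
# seen from that server's network. Binding to 127.0.0.1 explicitly keeps the
# tunnel entrance from being reachable by other hosts on the client's network.
build_tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s -p %s %s@%s\n' "$1" "$2" "$3" "$6" "$4" "$5"
}

# check_forward_target FORWARDSPEC SSHHOST
# Parses a -L spec ("[bind:]lport:host:hport", IPv4 or hostnames only) and
# returns 1 when the target host is the SSH server itself (its own address,
# localhost or 127.0.0.1). That is the mistake in the original post: the VNC
# server ran on another LAN host, so dropbear on the router tried to connect
# to its own port 5900 and the channel failed with "connect failed".
check_forward_target() {
    spec=$1
    sshhost=$2
    # Drop an optional leading bind address so exactly three fields remain.
    case $spec in
        *:*:*:*) spec=${spec#*:} ;;
    esac
    lport=${spec%%:*}
    rest=${spec#*:}
    host=${rest%%:*}
    hport=${rest#*:}
    if [ "$host" = "$sshhost" ] || [ "$host" = localhost ] || [ "$host" = 127.0.0.1 ]; then
        printf 'forward %s -> %s:%s ends on the SSH server itself, not on a LAN host\n' \
            "$lport" "$host" "$hport" >&2
        return 1
    fi
    return 0
}

# Demonstration with constructed addresses (not the thread's real ones).
build_tunnel_cmd 5901 192.168.1.10 5900 root 192.168.1.1 2222
if ! check_forward_target 5901:192.168.1.1:5900 192.168.1.1; then
    echo "this is the thread's original mistake: target is the router, not the VNC PC"
fi
```

Once the tunnel is up, the VNC client connects to 127.0.0.1:5901 on the client machine and the router, not the client, opens the connection to 192.168.1.10:5900. Because the router reaches the VNC PC directly over the LAN, the WAN port-forward of 5900 added in the first post is not needed for the tunnel to work; leaving it in place exposes the VNC server to the internet without the SSH layer, which is exactly what the tunnel is meant to avoid.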
  3. depornage

    depornage Network Guru Member

    I think that IS it - I just ran a test within the LAN and it worked. I'll run a remote test from the office later.


    I think I was confused by the many examples I saw where the scenario must have had the VNC server running on the same device as the SSH server, so the 2 IPs in the SSH statement were the same. Though I thought I had tried this before...

    Out of curiosity, why did you switch to RDP (RDC) and why do you run it through SSH? Is it thought of as not secure enough?

    Thanks again -