HOWTO: Reverse VNC

[bodhi.zazen]

Nice How-to

This thread has been added to the UDSF wiki.

Reverse_VNC

[Choad]

i must say this is an awesome guide!

i set up an account at dyndns.org, and my ip is now pointed to by going to choad.getmyip.com

i am home for christmas right now, and will be changing the settigns again when i go back to uni... but that doesnt really matter i can change the settings from my end no problem, i just want to make sure my niece's new computer is set up correctly. right now i have

Code:

#!/bin/bash
x11vnc -connect 192.168.0.5:5500

on her computer. it was running over the lan perfectly. shall i just change that to

Code:

#!/bin/bash
x11vnc -connect choad.getmyip.com:5500

???

will that be all thats needed from her end?

[dbott67]

Yep... that's it!

Just make sure that if you're running a NAT firewall (or whatever) that you forward traffic on port 5500 to the internal IP address of your computer when you're at university.

-Dave

[killerrobot]

This is insecure. VNC traffic is unencrypted, so anyone can see what you type. That includes root password when you sudo, or your bank password when you enter it in firefox.

tunnel over ssh to encrypt the data.

[OMRebel]

@killerrobot - how do you do that?

[dbott67]

True, however, this is more for helping provide remote assistance to a user that does not have the technical know-how to setup port forwarding on their router or configure a VNC server, etc.

People should not be using this method to do online banking and if they're really security-conscious they should be changing their password regularly.

-Dave

[dbott67]

@killerrobot - how do you do that?

http://www.linuxplanet.com/linuxplan...orials/6155/1/

Keep in mind that this does add some overhead and will slow down the session. The goal of this HOWTO is to provide a firewall-friendly solution that allows someone to provide remote VNC access to their desktop, especially if they do not have access to the NAT router.

Of course, you could use my HOWTO to access their system, then:
1. login to the router
2. set their system to use static ips (or static DHCP/reserved IPs)
3. setup port forwarding on 22, 5500, 5800 & 5900 to their internal IP
4. setup a vnc/ssh tunnel back to your computer
5. provide them with a user account & password to access your computer
6. take 2 tylenol for the headache


-Dave

[killerrobot]

agreed, tunelling does make it a little more difficult. I agree that unencrypted vnc is fine if you're showing where things are on the computer, etc. I don't want to hijack this thread and turn it into a security topic, but since it's addressed to vnc newbies, I figured I should point it out. In my experience, vnc has proven very valuable, and I always use it for more than I intend.

I use vnc often, as I tend to work from many different machines that don't all have the same software installed. I open up a vnc session and work away, and my desktop is always the same as I left it. I generally do this from windows (hehe... windows has evolved into a glorified terminal) and once putty is set up to tunnel it takes about four and half seconds to get the thing going when I first sit down at the computer.

As for the overhead, yeah it probably does slow it down some, but I'd guess that the network delay is still probably large compared to the additional packet computation. I don't know how many additional packets are required though...

as for the most secure way of adjusting routers remotely, I'd simply ssh into the computer and use lynx to access the router.

[killerrobot]

oh! one more thing I thought of -

when you tunnel, you don't need to forward any ports for vnc. The tunnel will send all 5900 ports (or whichever port your vnc flavor uses) to the ssh port. Thus the router doesn't need to know about it. of course then they have to have an ssh dameon running.... but that does help balance things out

[krunge]

Here is some more related information: http://www.karlrunge.com/x11vnc/faq....aq-singleclick
including SSL tunnelling with stunnel.