SSH, VNC & Tunnelling (updated)

I’ve been meaning to implement, what turned out to be, a simple security improvement with for connecting to my Pi over VNC.

Specifically, tunnelling my VNC connection over an SSH connection using Putty.

Prior to this change I used my router to forward an external non-standard port to the standard VNC port that I could use internally. In addition, I was only running my VNC connection as needed and strictly killing the service once it was no longer needed.  Thus limiting external exposure.

Now, if someone gets access to my system via SSH, I have far bigger issues to be concerned with, so while killing the service to reduce resource usage may be a good practice, its not the same level of concern.

Now, not only do I get to remove a port forwarding rule from my router, but my entire VNC session is encrypted.

The Method (minus Madness)

Starting with a Putty profile that I can already use to establish a successful SSH connection…

  1. Load the “Saved Session”
  2. Modify “Saved Session” name (e.g. add “- vnc” to the end) and save
  3. Category -> Connection -> SSH -> Tunnels
    1. Source Port: Set to an open local port (e.g. 5900)
    2. Destination:  Set to the VNC server’s address and port (e.g. localhost:5901)
    3. Click “Add”
  4. Go back to the “Saved Sessions” section and save again
  5. Open the VNC saved session in Putty

Now you should be able to connect to the VNC server with your VNC Viewer by going to “localhost:1” (change as appropriate if not using the default settings).


Update: Connecting to a separate Windows box using Windows Remote Desktop

After successfully doing the above, I did not see a reason why it would not similarly work a host other than ‘localhost’.

And I was right, with the above instructions only changing slightly.

  • I set the Source Port to “3388”
  • And for the Destination, I set the value to the remote machine’s IP & port (e.g.

Since they do not conflict, I was even able to add this forwarded port to the same profile as my VNC tunneling.

Once configured, I only have to connect to “localhost:3388” with Windows Remote Desktop.

Note:  Port 3389 is the standard Windows Remote Desktop port.

Raspbian – VNC

Installing VNC on the Pi

We’re going to use Tight VNC here (server on the Raspberry Pi and Viewer on Windows).

There’s an excellent tutorial over at Penguin Tutor if you need more information.

First of all install the Tight VNC Server from the command prompt:

sudo apt-get install tightvncserver

Let it finish installing (if you’re asked to confirm anything, just hit ‘y’ on the keyboard). When complete start the server:


You’ll be asked to create a password, enter one and confirm. I used raspberry for ease of use, but probably not the most secure!

When asked to create a view only password, say No.

Every time you start VNC you’ll see something like:

New 'X' desktop is raspberrypi:1

Note the :1. This is the desktop session created. You can add more by running VNC again.

Head over to TightVNC on your windows box and install the viewer.