I’ve been meaning to implement, what turned out to be, a simple security improvement with for connecting to my Pi over VNC.
Specifically, tunnelling my VNC connection over an SSH connection using Putty.
Prior to this change I used my router to forward an external non-standard port to the standard VNC port that I could use internally. In addition, I was only running my VNC connection as needed and strictly killing the service once it was no longer needed. Thus limiting external exposure.
Now, if someone gets access to my system via SSH, I have far bigger issues to be concerned with, so while killing the service to reduce resource usage may be a good practice, its not the same level of concern.
Now, not only do I get to remove a port forwarding rule from my router, but my entire VNC session is encrypted.
The Method (minus Madness)
Starting with a Putty profile that I can already use to establish a successful SSH connection…
- Load the “Saved Session”
- Modify “Saved Session” name (e.g. add “- vnc” to the end) and save
- Category -> Connection -> SSH -> Tunnels
- Source Port: Set to an open local port (e.g. 5900)
- Destination: Set to the VNC server’s address and port (e.g. localhost:5901)
- Click “Add”
- Go back to the “Saved Sessions” section and save again
- Open the VNC saved session in Putty
Now you should be able to connect to the VNC server with your VNC Viewer by going to “localhost:1” (change as appropriate if not using the default settings).
Update: Connecting to a separate Windows box using Windows Remote Desktop
After successfully doing the above, I did not see a reason why it would not similarly work a host other than ‘localhost’.
And I was right, with the above instructions only changing slightly.
- I set the Source Port to “3388”
- And for the Destination, I set the value to the remote machine’s IP & port (e.g. 10.0.10.10:3389)
Since they do not conflict, I was even able to add this forwarded port to the same profile as my VNC tunneling.
Once configured, I only have to connect to “localhost:3388” with Windows Remote Desktop.
Note: Port 3389 is the standard Windows Remote Desktop port.