Using a tunnel to secure your VNC connection to Basho


To begin, you should install a program called Putty. This program allows you to make connections to other computers and has additional features which add security to these connections.

You can download Putty at URL http://chiark.greenend.org.uk/~sgtatham/putty/download.html.

When you establish a VNC connection to basho you are required to type your password. That password gets encrypted so that someone capturing your transmission across the internet cannot use your password. However, once the connection gets established, the data you send and receive via your VNC session is not encrypted unless you take the steps we're about to describe.

Normally, one computer connects to another computer on the internet by sending messages to a certain "port" on the other computer. The VNC server on basho, for instance, answers requests on a particular port. Except for the password, data travelling to and from this port will not be encrypted. What we can do, however, is to set up an encrypted link from one computer to another via something called Secure Shell Tunneling. We create an encrypted, secure tunnel from one computer to the other over a particular port, which carries traffic destined for a different port on the destination machine. The data in the tunnel is always encrypted.

So let's say you're trying to connect to your VNC session on basho at port 5905 (there will be a table of port numbers at the end of these instructions). If we did not use a tunnel, our machine at home/school would try to open a vnc window by connecting to port 5905 on basho directly. But we want to use an encrypted tunnel instead, so we use Putty to create the tunnel and forward traffic to and from port 5905 over its encrypted Secure Shell (SSH) link on port 22.

Here is how to forward the vnc session :5 to vastro using Putty and vncviewer:

Start with Putty.  
In Category,  select Connection|SSH|Tunnels and enter the following data:

Putty Configuration window

Then push the "Add" button.  Your window should look something like this:

Putty config window

Click on "Session."  You should make a configuration file for vnc forwarding.  Enter the following into your window:

Putty config window

Then push "Save."  Your window should look like this:

Putty config window

You would select VNCforward from now on when you start your connection using Putty.


Now we can start a secure tunnel with Putty.  
Select the VNCforward session and press "Open."  You will then need to login with your account name and password.
A window such as this will appear:

putty login window

At this point the tunnel is established.  The window above can be used to run commands which do not require graphics.  You are now ready to start a VNC session through the encrypted tunnel.  Your tunnel begins at your machine, so instead of  starting a vncviewer connection to basho directly, you point vncviewer to your end of the encrypted tunnel.  
In network language, the machine you are sitting on is nicknamed "localhost."  You will start vncviewer pointing at the tunnelled port on your own machine (localhost).  

You can start the vncviewer from the MS-DOS Command Prompt or if you created a shortcut as described earlier, you can double-click on the vncviewer icon.

Here is an example of starting vncviewer from the MS-DOS command prompt:

vncviewer startup

If you double-clicked the vncviewer icon on your desktop, you should see the following screen:

vncviewer login

As usual, after starting vncviewer, you should see the login window that starts your vnc session:

vncviewer login window

Once you enter your password and click "OK",  your VNC desktop should appear:

vnc window

That's it!  Your keystrokes are now being encrypted and transferred securely to basho.  

Please make sure that you enter "localhost" in the "VNC Server" window in Putty. If you do not then your connection is not secure and someone may be able to steal your password.
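
The check below is an added example, not part of the original instructions: given the text you are about to type as the VNC server, it reports whether the connection enters the tunnel at localhost or goes straight to the remote machine unencrypted. It assumes the Putty tunnel listens on the same local port number as the remote VNC port (5905 for session :5) and that vncviewer reads "host:N" as display N and "host::P" as TCP port P; the function names are illustrative.

```python
import ipaddress
import socket

VNC_BASE_PORT = 5900  # session :N listens on 5900 + N (5 -> 5905, as in the port table)


def parse_target(target):
    """Split a vncviewer target into (host, tcp_port).

    'host:N' names display N (port 5900 + N); 'host::P' names TCP port P.
    """
    if "::" in target:
        host, port = target.split("::", 1)
        return host, int(port)
    host, _, display = target.partition(":")
    return host, VNC_BASE_PORT + int(display or 0)


def is_local_end(host):
    """True only when host is this machine's loopback, i.e. the tunnel entrance."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other name (e.g. basho) is a direct connection


def tunnel_listening(port, timeout=1.0):
    """True if something on this machine accepts connections on the forwarded port."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


def check(target):
    """Return a one-line verdict for the target about to be typed into vncviewer."""
    host, port = parse_target(target)
    if not is_local_end(host):
        return f"UNENCRYPTED: {target} connects straight to {host} port {port}"
    if not tunnel_listening(port):
        return f"NO TUNNEL: nothing is listening on localhost port {port}"
    return f"OK: {target} enters the tunnel at localhost port {port}"


if __name__ == "__main__":
    for t in ("localhost:5", "basho:5"):  # constructed sample targets
        print(check(t))
```

An "OK" verdict only shows that a listener exists on the local port; it is the tunnel only if the Putty session with the forwarding is the program that opened it.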

When you are done for today, click the "X" on the upper right corner of the vastro X desktop vncviewer window to close down the program on your Windows PC, then type "logout" in the Putty terminal window connection to basho.
A nice side effect is that, besides being encrypted, the traffic in the tunnel can be compressed (via a Putty setting), so the vnc desktop may respond faster while you are using it.

ASI-ID   Port
1        5901
2        5902
3        5903
4        5904
5        5905
6        5906
7        5907
8        5908
9        5909
10       5910
11       5911
12       5912
13       5913
14       5914
15       5915
16       5916
17       5917
18       5918
19       5919
20       5920
21       5921
22       5922
23       5923
24       5924
25       5925
26       5926
27       5927
28       5928
29       5929
30       5930

If you have additional questions, please direct them to the web board.


John Doroshenko  Sept 15, 2003