How to setup ssh to tunnel VNC traffic throught the Internet

Virtual Networking Computing (VNC) is remote control software which allows you to view and interact with one computer using a simple program (viewer) on another computer (server) over a local area network or anywhere on the Internet. VNC is a cross-platform application that does not require the two computers to be the running the same operating system. For example you can use VNC to view your office Linux machine on your Windows PC at home. VNC is freely and publicly available and is distributed under the GNU General Public License (GPL). There are various distributions of VNC but the one we will be covering is RealVNC. VNC has two parts, a client and a server. The server is the program on the machine that shares its screen, and the client (or viewer) is the program that watches and interacts with the server. VNC software requires a TCP/IP connection between the server and the viewer. This is the standard networking protocol on LANs, WANs, broadband and dialup connections. Each computer has a unique IP address and may also have a name in the DNS. You will need to know the IP address or name of the server when you connect a viewer to it. If you are assigned a dynamic IP address, you might benefit from using a third party DNS management service.

Installing an SSH Server on Windows

Local port forwarding requires an SSH server running on the Windows machine. OpenSSH is provided as part of Cygwin which is an environment similar to Linux for Windows. Cygwin provides an install and update utility (setup.exe) to retrieve packages from the Internet. When you install Cygwin, select the OpenSSH package (available in the Net category). Once installed, complete the Cygwin configuration as shown below…

In My Computer -> Properties -> Advanced -> Environment Variables:

add the variable CYGWIN=ntsec tty.

add C:\cygwin\bin to the PATH environment variable.

Now configure Windows OpenSSH from a Cygwin console window using the “ssh-host-config” command as shown below:

$ ssh-host-config Generating /etc/ssh_host_key.

Generating /etc/ssh_host_rsa_key

Generating /etc/ssh_host_dsa_key

Generating /etc/ssh_config file

Privilege separation is set to yes by default since OpenSSH 3.3. However, this requires a non-privileged account called ‘sshd’.

Should privilege separation be used? (yes/no) yes

Generating /etc/sshd_config file

Host configuration finished. Have fun!

Now we need to create a local forwarded tunnel from Windows to Linux:

ssh -L 5900: [email protected]

Use this command to forward port 5900 on the Windows machine (where the VNC viewer runs) to Linux host (where the VNC server runs). The loopback interface address ( must be used. If localhost is specified, connecting the VNC viewer to the loopback interface fails with the message: channel 2: open failed: connect failed: Connection refused Connect to the VNC server over the SSH tunnel To complete the procedure, start the VNC viewer on the Windows machine (pointing to the server at At this point, the connection is forwarded from the Windows machine to the Linux VNC server. All network traffic is transparently encrypted by the SSH tunnel.