How to remotely control your computer behind NAT router and Firewall

Hello, fellow readers!

Today, I am going to share a way to access a computer behind a NAT router and firewall. There are several ways to do this, and which one works depends on your situation. I am considering the case where the client (controller) and the host (controlee) are on different networks and each is behind a NAT router and firewall.


We are going to use a third party server which has an ssh server running all the time. But before going directly into the steps, I want to share conceptually what we are going to do. If you just want the how part, you can skip the theory part.

Theory

Firewalls usually block every incoming connection from outside the network except those to ports that are open (check your blocked ports at http://canyouseeme.org). But if the connection is requested from inside the network, firewalls will allow most connections (assuming advanced packet filtering is not applied). To check which outgoing ports are allowed by your network, visit http://portquiz.net.


So, we have to start the connection from inside the network, and that’s where we need a third-party server (a packet relay server or TCP relay server) that has a public IP. The relay server acts as a bridge between client and host, passing all data coming from the client on to the host. We will first open an SSH connection from both the client and the host to the server. The firewalls on both sides will let these connections through (assuming both firewalls allow port 22 in their outgoing rules), creating one tunnel between client and server and another between server and host. Most firewalls cannot look inside these tunnels and thus cannot block the content being passed through them. Then, we will pass the VNC data from client to server and from server to host on port 5900, which the firewall cannot see because it travels inside the tunnel.


Instead of assuming port 5900 is free on the SSH machine, we will assume both users agreed to use 5933. This will illustrate how to use a different port for the redirection. It could be any port; what matters is that both parties refer to the same one.

To make an ssh tunnel from client (VNC Viewer) to server, we will use

ssh -t -L 5900:localhost:5933 user@third-machine.net

Here, the command means: connect with ssh to user@third-machine.net, and forward all connection attempts to local port 5900 to port 5933 on the machine called localhost, as reached from the third-machine.net machine.

To make an ssh tunnel from host (VNC server) to server, we will use

ssh -t -R 5933:localhost:5900 user@third-machine.net

Here, the command means: connect with ssh to user@third-machine.net, and forward all connection attempts to remote port 5933 to port 5900 on the machine called localhost, as reached from your local machine. This is called a reverse SSH tunnel.

After this setup succeeds, run the VNC server on the host, listening on localhost port 5900. Then run the VNC viewer on the client, pointed at localhost port 5900. Tadaa! Now you can control the host’s screen. Now let’s see how to actually do it.
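The setup above only stays private if port 5933 on the relay and port 5900 on the host are bound to loopback, so that the SSH login is the only way in. The following check is an added example, not part of the original post: exposed_listeners is a hypothetical helper name, and the three socket listings are constructed samples in the format printed by ss -H -tln.

```shell
#!/bin/sh
# Added example, not from the original post. exposed_listeners is a
# hypothetical helper name; the socket listings below are constructed.

# exposed_listeners PORT...
# Reads `ss -H -tln` lines on stdin and prints every local address whose port
# is in the list and whose bind address is not loopback (127.0.0.0/8 or ::1).
exposed_listeners() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4
      port = addr; sub(/.*:/, "", port)       # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
      if (!(port in want)) next
      if (host ~ /^127\./ || host == "[::1]") next
      print addr
    }'
}

# Relay where sshd publishes the -R forward on all interfaces
# (the effect of "GatewayPorts yes" in sshd_config).
RELAY_OPEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5933 0.0.0.0:*
LISTEN 0 128 [::]:5933 [::]:*'

# Relay with the sshd default: the forward is bound to loopback only.
RELAY_LOOPBACK='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5933 0.0.0.0:*
LISTEN 0 128 [::1]:5933 [::]:*'

# VNC host whose server also accepts direct connections on 5900.
HOST_OPEN='LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

report() {  # report LABEL SS_OUTPUT
  found=$(printf '%s\n' "$2" | exposed_listeners 5900 5933 | tr '\n' ' ')
  echo "$1: ${found:-loopback only}"
}

# On a live machine: ss -H -tln | exposed_listeners 5900 5933
report "relay, GatewayPorts yes" "$RELAY_OPEN"
report "relay, default sshd" "$RELAY_LOOPBACK"
report "VNC host, all interfaces" "$HOST_OPEN"
```

Any address printed for 5933 on the relay, or for 5900 on the host, means the VNC stream can be reached without going through the SSH tunnel and is then protected only by the VNC password.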

Procedure

Setting up VNC server on Ubuntu

We will use x11vnc for this because it keeps the setup very simple on Unix-like systems.

Step 1: Install x11vnc using sudo apt install x11vnc.

Step 2: Run the command: x11vnc -ssh username@third-machine.net:33. The :33 is the VNC display number, which corresponds to port 5933 (5900 + 33) on the third machine. This sets up the reverse ssh tunnel, and the VNC server starts listening on localhost port 5900. You can also set a password for your VNC server by adding -passwd XXXX to the above command. Add -forever to keep it running even when the ssh connection is lost, and -shared to share the screen with more than one person. Look for other options with the man command.

Setting up VNC server on Windows

We will use PuTTY to establish the ssh tunnel and TightVNC as the VNC server.

1. Establishing SSH connection

Download PuTTY from here and install it using the default settings. Open PuTTY by typing putty at the command prompt and follow the steps described below:


Step 1: Add a name to this session.
Step 2: Enter host name “username@host_ip” and port 22.
Step 3: Click on plus sign before SSH.
Step 4: Click on tunnels.
Step 5: Enter source port = 5933 and destination = localhost:5900, select Remote and Auto, and click Add.
Step 6: Click on X11.
Step 7: Check “Enable X11 forwarding”.
Step 8: Click on session.
Step 9: Click Save. From now on, whenever you open PuTTY, just click on this saved session and then Load.
Step 10: Click Open. The ssh session will start. Enter the password, if asked.

2. Starting VNC server

Download TightVNC from here and install it using the default settings. Open TightVNC Server. A “V” icon appears at the bottom right corner; right-click that icon, go to Configuration, and apply the settings shown in the images below:
Set the primary password and then press OK. Now, we are done with setting up VNC server.

Starting VNC Viewer

We will use SSVNC as the VNC viewer on the client’s computer. It is available for many platforms. Ubuntu users can install it with the command: sudo apt install ssvnc. Others can download it from here.

Start ssvnc and then:
– select “Use ssh”.
– enter username@third-machine.net:33 in “VNC Host:Display” entry box and enter the password for VNC server in the “VNC Password” entry box.
– click on connect.
– enter the password for your ssh account if asked.

Congratulations!! You have successfully connected your computer to the host’s computer. Use F9 to see the other computer’s screen in full-screen mode.

Happy Remote Controlling!! 😉

P.S: Here are some links which were really helpful in reaching out to this solution:

http://www.karlrunge.com/x11vnc/faq.html#faq-firewall-out

http://lightofdawn.org/wiki/wiki.cgi/Nat2NatVNC

3 thoughts on “How to remotely control your computer behind NAT router and Firewall”

  1. Pingback: Starting SSH tunnel on Windows Start | Abhay's Blog
  2. Hi,
    Thanks for addressing this issue.
    I need some clarification please.
    I have a home computer with private ip (mac) call it macbook
    I have another computer with public ip (linux) call it gatewayserver
    I have another computer with private ip (linux) call it officeserver

    I have installed vncserver listening on 5900 on officeserver
    I have installed vncviewer on macbook.

    How to set up the connection now? Please help.
    On my macbook I run
    ssh -t -L 5900:macbook:5900 mian@gatewayserver

    On gateway server I run
    ssh -t -R 5900:officeserver:5900 mian@gatewayserver

    Start vncviewer on macbook
    and type mian@officeserver:1

    It is not working. What's wrong?


    • Hi Mian!
      Thanks for approaching. Follow this and you’re good to go:
      1. Make sure you have an ssh server running on the gateway server. I’m assuming your ssh account username is “mian”.
      2. On your office server, download x11vnc and run command: x11vnc -ssh mian@gatewayserver’s_ip:33
      3. On your MacBook, download ssvnc, run it, select “use ssh” button; in host section, enter mian@gatewayserver’s_ip:33; in password section, enter your vnc server’s password; click connect. Now, on next screen, enter your ssh account password, if asked.

      Let me know if it doesn’t work.

