Hello, fellow readers!
Today, I am going to share a way to access a computer behind a NAT router and firewall. There are several ways to do this, and which one works depends on your case. I am considering the case where the client (controller) and the host (controlee) are on different networks, each behind a NAT router and firewall.
We are going to use a third party server which has an ssh server running all the time. But before going directly into the steps, I want to share conceptually what we are going to do. If you just want the how part, you can skip the theory part.
Firewalls usually block every incoming connection from outside the network except the ones whose ports are open (check your blocked ports, http://canyouseeme.org). But if the connection is requested from inside the network, firewalls will allow most connections (assuming advanced packet filtering is not applied). To check which outgoing ports are allowed by your network, visit http://portquiz.net.
So, we have to start the connection from inside the network, and that’s where we need a third party server (packet relay server or TCP relay server) which has a public IP. The packet relay server will act as a bridge between client and host, passing all data coming from the client to the host. We will first request an SSH connection from both client and host to the server. The firewalls on both sides will let these connections through (assuming both firewalls allow Port 22 in outgoing rules), which makes a tunnel between client-server and server-host. Most firewalls cannot look inside these tunnels and thus cannot block the content being passed through them. Then, we will pass the VNC data from client to server and from server to host on port 5900, which the firewalls cannot see as it is happening inside the tunnel.
Instead of assuming port 5900 is free on the SSH machine, we will assume both users agreed to use 5933. This will illustrate how to use a different port for the redirection. It could be any port; what matters is that both parties refer to the same one.
To make an ssh tunnel from client (VNC Viewer) to server, we will use
ssh -t -L 5900:localhost:5933 email@example.com
Here, the command means: connect with ssh to firstname.lastname@example.org, and forward all connection attempts to the local port 5900 to port 5933 on the machine called localhost, which can be reached from the
To make an ssh tunnel from host (VNC server) to server, we will use
ssh -t -R 5933:localhost:5900 email@example.com
Here, the command means: connect with ssh to firstname.lastname@example.org, and forward all connection attempts to the remote port 5933 to port 5900 on the machine called localhost, which can be reached from your local machine. This is called a reverse ssh tunnel.
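The reverse tunnel puts a listener for port 5933 on the relay server, and whether that listener is reachable only through ssh or from the whole internet depends on the server's GatewayPorts setting. The script below is an added example, not part of the original post, that classifies the listener from ss -tln output; the sample output is constructed and the function name tunnel_exposure is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): classify how the relay server
# exposes the agreed tunnel port. Reads `ss -tln` output on stdin and prints
# loopback-only, exposed, or missing. tunnel_exposure is a hypothetical name.
tunnel_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)            # last colon separates address and port
            if (n == 0 || substr($4, n + 1) != port) next
            host = substr($4, 1, n - 1)
            found = 1
            # Anything other than 127.x.x.x or [::1] is reachable from outside.
            if (host !~ /^127\./ && host != "[::1]") exposed = 1
        }
        END {
            if (!found)       print "missing"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample: with sshd's default "GatewayPorts no", the listener
# created by "ssh -R 5933:localhost:5900" is bound to loopback only.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5933     0.0.0.0:*
LISTEN 0      128    [::1]:5933         [::]:*'

# Constructed sample: with "GatewayPorts yes" the same forward listens on every
# interface, so the VNC port is reachable by anyone who can reach the server.
SAMPLE_GATEWAY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:5933       0.0.0.0:*'

printf '%s\n' "$SAMPLE_DEFAULT" | tunnel_exposure 5933   # loopback-only
printf '%s\n' "$SAMPLE_GATEWAY" | tunnel_exposure 5933   # exposed
printf '%s\n' "$SAMPLE_GATEWAY" | tunnel_exposure 5900   # missing
```

On a live relay server, run ss -tln | tunnel_exposure 5933 while the host's reverse tunnel is connected; anything other than loopback-only means the VNC port is open to more than the ssh users.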
After this successful setup, run the VNC server at the host listening to localhost on port 5900. Then, run the VNC viewer at the client looking at localhost on port 5900. Tadaa! Now you can control the host’s screen. Now let’s see how to actually do it.
Setting up VNC server on Ubuntu
We are going to use x11vnc for our purpose because it makes all the settings very simple for Unix-like systems.
Step 1: Install x11vnc using sudo apt install x11vnc.
Step 2: Run the command:
x11vnc -ssh email@example.com:33
And you are done with the reverse ssh command, and the VNC server starts listening to localhost on port 5900. The :33 is the VNC display number on the server side, which corresponds to port 5933 (5900 + 33). You can also set a password for your VNC server by using -passwd XXXX with the above command. Add -forever to run it forever even when the ssh connection is lost and -shared to share the screen with more than one person. Look for other options with the man command.
Setting up VNC server on Windows
We are going to use PuTTY for establishing the ssh tunnel and TightVNC as the VNC server.
1. Establishing SSH connection
Download PuTTY from here and install it using default settings. Open PuTTY by typing putty in the command prompt and follow the steps described below:
Step 1: Add a name to this session.
Step 2: Enter host name “username@host_ip” and port 22.
Step 3: Click on plus sign before SSH.
Step 4: Click on tunnels.
Step 5: Enter source port= 5933, destination= localhost:5900, select remote and auto and click Add.
Step 6: Click on X11.
Step 7: Check enable x11 forwarding.
Step 8: Click on session.
Step 9: Click Save. Now whenever you open PuTTY, just click on this saved session and then Load.
Step 10: Click Open. The ssh session will start. Enter the password, if asked.
2. Starting VNC server
Download TightVNC from here and install it using default settings. Open up TightVNC server. An icon “V” appears at the bottom right corner; right-click on that icon, go to Configuration and apply the settings shown in the images below:
Set the primary password and then press OK. Now, we are done with setting up VNC server.
Starting VNC Viewer
We will be using SSVNC software as a VNC Viewer on the client’s computer. It is available for many platforms. Ubuntu users can install it using the command sudo apt install ssvnc. Others can download it from here.
Start ssvnc and then:
– select “Use ssh”.
– enter firstname.lastname@example.org:33 in “VNC Host:Display” entry box and enter the password for VNC server in the “VNC Password” entry box.
– click on connect.
– enter the password for your ssh account if asked.
Congratulations!! You have successfully connected your computer to the host’s computer. Use F9 to see the other’s screen in full-screen mode.
Happy Remote Controlling!! 😉
P.S: Here are some links which were really helpful in reaching out to this solution: