Securing WinVNC With SSH

VNC is a free client/server system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.

You can combine WinVNC and an SSH port forwarding client/server pair, such as Bitvise SSH Client and Server, to form a secure solution for remote GUI login. Suppose you install the VNC server on machine A and the SSH server on machine B. Machine A and machine B can be the same machine, and should generally be as close together as possible (ideally the same machine), because only the connection between the VNC viewer and machine B is encrypted; the connection between machine B and machine A is unprotected and carries VNC traffic in the clear. In order to securely access the VNC server from a client machine, you need to perform the following steps:

  • Equip the client machine with an SSH port forwarding client. Configure this client to connect to the SSH server on machine B, and to forward connections that arrive at port 5900 on the client machine to port 5900 on machine A. In SSH terminology, this is client-to-server port forwarding, or 'local' forwarding. Have the client listen on the loopback interface (127.0.0.1) only, so that other hosts on the client's network cannot use the tunnel. If you intend to use a VNC display other than 0, alter the port numbers accordingly: the VNC port number is 5900 plus the display number, e.g. 5905 for display 5.
  • Configure the VNC viewer to connect to localhost. If you configured the SSH client to listen on a port other than 5900, you also need to specify the display number. E.g., specify 'localhost:5' if the SSH client is listening on port 5905.
  • If the SSH and WinVNC servers both reside on the same computer, you will need to enable local loopback connections in WinVNC. See the WinVNC documentation - look for the AllowLoopback keyword under Advanced Options. In that case, consider also enabling LoopbackOnly (same section), so that WinVNC accepts connections only from the local machine and the unencrypted VNC port is not reachable from the network at all; every viewer then has to come in through the SSH tunnel.
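The three steps above, expressed as a shell script (an added example, not part of the original page or of Bitvise's own tooling): it derives the VNC port from the display number, builds the OpenSSH command line that implements the 'local' forwarding, and tells you what to type into the viewer. The user name and host names (alice, gateway.example.com, desktop.internal) are placeholders. Bitvise SSH Client performs the same client-to-server forwarding from its GUI; the ssh flags shown are the OpenSSH equivalent, and OpenSSH on Windows accepts the same command.

```shell
#!/bin/sh
# Builds the OpenSSH command for the page's client-to-server ('local') forwarding.
# Placeholder names only: alice, gateway.example.com (machine B, the SSH server)
# and desktop.internal (machine A, the WinVNC server) are assumptions, not hosts
# from the original page.

# VNC listens on 5900 + display number (display 5 -> port 5905).
# Rejects anything that is not a non-negative integer.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*) echo "display must be a non-negative integer" >&2; return 1 ;;
    esac
    echo $((5900 + $1))
}

# What to enter in the VNC viewer: 'localhost' for display 0, 'localhost:N' otherwise.
vnc_viewer_target() {
    if [ "$1" -eq 0 ]; then echo localhost; else echo "localhost:$1"; fi
}

# Arguments: SSH user, SSH server (machine B), VNC host as seen FROM machine B
# (machine A; use 127.0.0.1 when A and B are the same machine), display number.
# -N opens no remote shell, only the forward. Binding the local listener to
# 127.0.0.1 keeps other hosts on the client's LAN from riding the tunnel.
vnc_tunnel_cmd() {
    user=$1; ssh_host=$2; vnc_host=$3; display=${4:-0}
    port=$(vnc_port "$display") || return 1
    echo "ssh -N -L 127.0.0.1:${port}:${vnc_host}:${port} ${user}@${ssh_host}"
}

# Case 1: SSH server and WinVNC on the same machine (A == B). From B's point of
# view the VNC server is 127.0.0.1, so VNC traffic never leaves B in the clear.
vnc_tunnel_cmd alice gateway.example.com 127.0.0.1 0
# -> ssh -N -L 127.0.0.1:5900:127.0.0.1:5900 alice@gateway.example.com
vnc_viewer_target 0
# -> localhost

# Case 2: WinVNC on a separate host, display 5. The leg from gateway.example.com
# to desktop.internal is unencrypted, so keep those two machines close together.
vnc_tunnel_cmd alice gateway.example.com desktop.internal 5
# -> ssh -N -L 127.0.0.1:5905:desktop.internal:5905 alice@gateway.example.com
vnc_viewer_target 5
# -> localhost:5
```

Run the printed ssh command in one window and leave it open; then point the VNC viewer at the printed target. If the viewer reports a connection refused while the tunnel is up, the usual causes are a wrong display number (check that the forwarded port is 5900 plus the display) or, in the same-machine case, AllowLoopback not yet enabled in WinVNC.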

See also Making VNC more secure using SSH for a lengthier description of how to set up SSH port forwarding for VNC.