Tuesday, April 17, 2012

Tunneling VNC over SSH to a Windows computer using bVNC

These instructions pertain to bVNC Secure and Free bVNC Secure, but they can be easily translated to instructions for ssvnc as well. bVNC is an Android and BlackBerry Playbook/OS 10 application, available on Google Play and App World respectively. Find it on your mobile device, on Google Play for devices running Android 2.2 and up, or on App World for BB Playbook and OS 10 devices.

0) If the Windows computer is not attached directly to the Internet, forward port 22 to it. Port forwarding instructions are different for every router out there, so look up how to do that for your make and model. Also, having a fixed IP address for the Windows machine helps. Finally, Dynamic DNS set up on your router would help you immensely to locate your router on the Internet.

1a) Install OpenSSH for Windows:
https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH

1b) If the above does not work for you, alternatively install freeSSHd
- Go to: http://www.freesshd.com/?ctt=download
- Download and start freeSSHd.exe
- Do a default installation
- A user reported that running freeSSHd as a system service on his machine does not work properly. So let's play it safe, and when freeSSHd asks you whether you want to run it as a system service, say NO.
- When freeSSHd finishes installing, there will be a freeSSHd icon on your desktop. Drag and drop this item in Start->All Applications->Startup (the list of applications that start when you log in).
- Restart Windows.
- If you are feeling adventurous, you can try running freeSSHd as a system service, but if you experience problems, you have to completely uninstall it, reboot, and then reinstall it.

2) Open port 22 on Windows Firewall
- Control Panel->Windows Firewall
- Ensure the "Don't allow exceptions" box is not checked.
- Click the "Exceptions" tab
- Click the "Add Port..." button.
- Type sshd for name and 22 for Port number. Leave TCP selected.
- Click "OK", and then "OK" again on the outside dialog.

3) Click on the little icon with the yellow lock in the notification area of the taskbar (bottom right).
- If the icon isn't there, run Start->All Programs->freeSSHd->freeSSHd
- Click on Tunneling->Allow local port forwarding.
- Click on Users->Add...
- Type the (Login ID)* of an EXISTING user on the system, and next to "User can use", tick "Shell" and "Tunneling"
- Alternatively, you can create a user by selecting something other than "NT Authentication" in the "Authorization" box.
- Click "OK" or "Apply"

4) Install TightVNC
- Go to: http://www.tightvnc.com/download.php
- Get and install the "Self-installing package for Windows".
- Do a default install and set a (VNC password)** and a control interface administrative password (up to 8 characters).
- Click on the icon with the "V" in the notification area of the taskbar.
- Disable "Serve Java Viewer to Web clients"
- Access Control->Loopback Connections->Check "Allow loopback connections" AND "Allow only loopback connections".
- After you have it working you can look through for any other settings you want.

5) Start bVNC and configure a VNC over SSH connection:
- Select "VNC over SSH" in Conn. Type.
- Optionally name the connection in Nickname.
- Type in your external (Internet) IP address or Dynamic DNS hostname in SSH Server.
- Leave port 22 for SSH port.
- Type in the (Login ID)* and the Windows password associated with it in the fields next to SSH Auth.
- Leave localhost in for VNC Server, and port 5900 for VNC port.
- Type the (VNC password)** from step (4) in VNC Auth.
- You will probably have to check "Local mouse pointer", because TightVNC doesn't show a mouse pointer in Windows with bVNC.
- Tap "Connect", and you should be in. Please note that not all routers are capable of doing loopback connections, so you may not be able to connect to your Internet IP address while you are BEHIND the router. I.e. unfortunately, due to router limitations, you may have to be elsewhere to test this in some cases.

6) If you want password-less SSH to your Windows machine, generate an SSH key in bVNC and export it in some way (for example, share it to yourself by email). Then save it in C:\Program Files\freeSSHd in a file named the same as (Login ID)* (without ANY extension), where (Login ID)* is the user name of the Windows user that you set up in step (3).
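
A way to check the result of steps (2) and (4) from a second machine on the same network, as an added example that is not part of the original instructions: it reads the greeting each port sends and reports when TightVNC answers on a non-loopback address or when SSH does not answer. The address 192.168.1.50 is a constructed placeholder for the Windows machine's LAN IP.

```python
import socket

def classify_banner(data: bytes) -> str:
    """Name a service from the first bytes it sends after the TCP connect."""
    if data.startswith(b"RFB "):   # VNC ProtocolVersion, e.g. b"RFB 003.008\n"
        return "vnc"
    if data.startswith(b"SSH-"):   # SSH identification string (RFC 4253)
        return "ssh"
    return "unknown" if data else "silent"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'closed' if the connect fails, else the greeting's classification."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                # refused, filtered, or unreachable
        return "closed"
    with sock:
        try:
            return classify_banner(sock.recv(64))
        except OSError:            # accepted, then timed out or reset
            return "silent"

def audit(lan_ip: str, ssh_port: int = 22, vnc_port: int = 5900) -> list:
    """Check the exposure that steps (2) and (4) are meant to produce."""
    findings = []
    if probe(lan_ip, vnc_port) == "vnc":
        findings.append(f"VNC answers on {lan_ip}:{vnc_port}; "
                        "'Allow only loopback connections' is not in effect")
    ssh = probe(lan_ip, ssh_port)
    if ssh != "ssh":
        findings.append(f"SSH on {lan_ip}:{ssh_port} is {ssh}; "
                        "check the sshd process and the firewall exception")
    return findings

if __name__ == "__main__":
    WINDOWS_LAN_IP = "192.168.1.50"   # constructed placeholder, replace with yours
    for line in audit(WINDOWS_LAN_IP) or ["OK: SSH reachable, VNC not exposed"]:
        print(line)
```

An empty result means only the SSH port greets network peers, so the VNC password and session are reachable only through the tunnel.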

10 comments:

  1. Great work, Iordan - thank you very much! I've made this setup and it works fine.

    One note and one question though. I am using Windows 7 Ultimate.

    1. When freeSSHd is started as a service - its icon is not shown in the system tray.

    The service opens port 22 but I am not able to connect - I get a wrong username/password error.
    When I start the FreeSSHDService.exe and go in settings - it shows that the ssh service is not started. I click start - it gives me an error that the address is already in use.

    So the freesshd service opens the port but is somehow not functional.

    My solution is to disable the service and just put FreeSSHDService.exe in StartUp or in the Run key in the registry. So it starts an application. Everything is fine this way.

    2. My question :) Is there a way to save the sshd password in the Android device? I want to put a more secure password but the Android user cannot enter it every time. That way I think my connection will be more secure (granted the Android device is not compromised).

    Thank you for the great work and instructions :)

    Stefan Genov.

    1. Hi Stefan,

      Since your message, I've added support for SSH keys to bVNC. This should obviate the need for saving passwords in bVNC. Password saving seems to be an industry-standard security FAIL and nobody does it.

      Security keys can be revoked easily server-side in case a mobile device is lost, and do not reveal a password when sniffed.

      I hope you are enjoying bVNC, and please consider reviewing it and the donation version if you've donated.

      Cheers,
      Iordan

    2. Hey Stefan, I see that there is a more official SSH port now:
      https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH

      Can you please try those instructions and let me know whether it works well for this purpose and if there were any special instructions to making it work?

  2. I'm getting a "failed to connect to SSH server" error message. I've followed all the steps correctly and double checked.

    The only thing I did differently was just "allow" the freesshd program in I found some options deep in the program that would allow me to set specific ports for the program. But I just assumed that allow everything would cover the 22 port anyway. I also tried just allowing 22 and it's still giving me an error message.

    The message is on the BlackBerry FYI.

    1. Hi Jacob, please ensure port 22 is open on all firewalls. You mentioned Norton 360 in an email, so that is also somewhere to look. Also, concentrate on getting the TigerVNC with VeNCrypt method working as it's way easier to set up.

  3. Thanks Iordan,

    I actually got it working. It just needed to open a port on the router. I am running into the crashing problems with tigervnc 3.

    Are you aware of any significant changes between 1 and 3 in terms of security and/or features?

  4. Never mind, it's not working over the cell network. It was working only when I was connected to the wifi network. This is so frustrating.

  5. I get the following error.
    connection to VNC server failed with reason:null? help please

    1. ohhh I see I did not check the tunneling box

    2. Hi Enmanuel, thanks for the invaluable feedback to other users!
