VNC vino over SSH tunnel ONLY

Question

I've been searching for hours now, can't figure this one out.

I am trying to make the following happen:

Client: remmina + ssh tunnel

Server: Lubuntu + openssh server (public key authentication) + vino server over ssh tunnel ONLY + allow client to only open 1 port (vnc port)

So far I can connect to my server apparently in both ways (with ssh tunnel and without it), which is unacceptable.

Running vino-preferences GUI doesn't help me much :s

So my question basically is:

"How do I block any port opening on server and only single SSH port (22) and allow client to tunnel VNC over SSH via specific port (If it makes sense)?"
No other type of VNC connection should be allowed

P.S. I plan to forward port 22 on router to my server and only allow SSH connections.

steeldriver · Accepted Answer · 2015-12-26T02:42:33.167

4

AFAIK the vino-preferences GUI does not include it, but I believe the parameter you are looking for is network-interface

gsettings get org.gnome.Vino network-interface

If unset (i.e. the above command returns the empty string, '') then vino-server listens on all available interfaces, whereas if set to lo

gsettings set org.gnome.Vino network-interface 'lo'

then it will listen only on the lo (localhost) interface.

You could also use the GUI dconf-editor, where the parameter is listed under the org -> gnome -> desktop -> remote-access item.

You can confirm that the server is listening on the desired interface using netstat e.g. the default is

$ sudo netstat -nlp | grep ':5900'
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      10927/vino-server
tcp6       0      0 :::5900                 :::*                    LISTEN      10927/vino-server

(listening on all available interfaces); then after

$ gsettings set org.gnome.Vino network-interface 'lo'

you should see that it is only listening on the localhost interface(s):

$ sudo netstat -nlp | grep ':5900'
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      10927/vino-server
tcp6       0      0 ::1:5900                :::*                    LISTEN      10927/vino-server

Alternatively (or additionally), you could use iptables or ufw to close the port - by default, it is port 5900 + display number.

edited Dec 26 '15 at 02:42

answered Dec 26 '15 at 02:05

steeldriver

136,215
21
243
336

Thanks for introducing me to gsettings/dconf and iptables/ufw, very useful! – GogromaT Dec 26 '15 at 02:35
Nice, works like a charm! I am able to connect like so: ssh -L LOCAL_PORT:localhost:SERVER_VNC_PORT USER@SERVER_IP and then going to remmina connect like so: 127.0.0.1:LOCAL_PORT. Fantastic! – GogromaT Dec 26 '15 at 02:59
@GogromaT glad to help – steeldriver Dec 26 '15 at 03:03
Alternatively, the OP could just close port 5900 (or whatever port he has the VNC daemon running on. – Daniel Dec 26 '15 at 03:54
@Daniel yes I think I did mention that – steeldriver Dec 26 '15 at 04:08
This does not seem to work in 20.10. – Chaim Eliyah Apr 09 '21 at 02:21

VNC vino over SSH tunnel ONLY

1 Answers1

Linked