SSH tunneling VNC
2006-03-16 09:30:33
Sometimes I need to be able to get into my Mac at home, with the full GUI and not just ssh. To do this, I use ssh tunneling. There are many variants of this recipe, but if your network is like mine, this one will work for you.
At home I have a fixed IP address, and I have my router set to forward port 22 to my bastion host. This is a minimal Linux server with nothing much on it. To log in to any machine at home, I ssh to the fixed IP of my router, which forwards to the bastion host. From there I can ssh to any machine at home: the Mac mini in the family room, the old G4 Cube in the office, or the old Pentium 3 Linux machine that serves as my internal DNS.
Caution: It's of course very important that the bastion host be kept up-to-date, and have very good passwords on the few accounts that are ssh-able. More than once I've had my house "hacked" because of vulnerabilities in various network services, and that is no fun. Fortunately, I've always detected the hackage within a few hours because of tripwires I had set up. It's also a very good idea to use iptables to limit the places on the net that can connect to your SSH. For example, I only allow connections to my house from the IP addresses at work and at a couple of other places on the net. This makes my home server unreachable from the random hackers trolling for open SSH connections. This means that if I need to ssh tunnel from a new location (like from a Starbucks), I am out of luck.
On the Mac itself, you need to enable Apple Remote Desktop. This is nothing more than an enhanced VNC server. If you buy the ARD client it has some nice extra features like remote software updating, and probably optimized performance. But you can use any free VNC viewer to connect. I like Chicken of the VNC, mostly because it has a silly name. To enable ARD on your Mac, open System Preferences, click Sharing, check "Apple Remote Desktop," and open the "Access Privileges" dialog. Enable "VNC viewers may control screen" and choose a password. The password can be something simple, because you aren't going to expose VNC to the network; you are tunneling it over a secure connection.
For our example, let's pretend that your router's fixed IP has a DNS name of home.example.com, and your Mac at home has an internal DNS name of mini.home.example.com.
From outside your network, on your Mac with Chicken of the VNC, open a terminal and do:
ssh home.example.com -L 5901:mini.home.example.com:5900
After you sign in with ssh, your terminal window will show you signed in to the bastion host. You need to leave that session running to keep the tunnel open.
Now, open Chicken of the VNC. You should add a new server entry, as shown. Use localhost as the host (the tunnel's local end) and Display 1. Display 1 is port 5901; if you had tunneled from 5902, the display would be 2. The password should be the simple password you created on the remote Mac under Apple Remote Desktop access privileges.
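The ssh command above, wrapped in a small POSIX shell script as an added example (not from the original post). The host names and the 5900-plus-display port mapping come from the post; the explicit 127.0.0.1 bind and the -N, -f and ExitOnForwardFailure options are my additions, so the forwarded port is reachable only from your own machine and a clash on the local port makes ssh fail instead of leaving your viewer to connect to whatever else is listening there.

```shell
#!/bin/sh
# Added example: open an SSH tunnel to the ARD/VNC server on the home Mac.
# Assumes the bastion and target names from the post and ARD listening on 5900.

BASTION="home.example.com"
TARGET="mini.home.example.com"
VNC_PORT=5900

# VNC display N listens on port 5900+N. Only displays 1..99 are accepted;
# anything else (empty, non-numeric, out of range) is rejected.
vnc_port_for_display() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 99 ] || return 1
    echo $((VNC_PORT + $1))
}

# Inverse mapping: which display number to type into the viewer for a local port.
display_for_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt "$VNC_PORT" ] || return 1
    echo $(($1 - VNC_PORT))
}

# Build the -L argument. Binding 127.0.0.1 explicitly keeps the forwarded port
# off the LAN even if a client config sets GatewayPorts.
forward_spec() {
    port=$(vnc_port_for_display "$1") || return 1
    echo "127.0.0.1:${port}:${TARGET}:${VNC_PORT}"
}

# -N runs no remote command, -f backgrounds ssh after authentication, and
# ExitOnForwardFailure=yes makes ssh exit non-zero if the local port is taken.
open_tunnel() {
    spec=$(forward_spec "$1") || { echo "bad display number: $1" >&2; return 2; }
    ssh -N -f -o ExitOnForwardFailure=yes -L "$spec" "$BASTION"
}
```

Run `open_tunnel 1`, then point the viewer at localhost display 1; `open_tunnel 2` gives display 2 on 5902.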
Click "Connect" and you'll be connected. One more tip: don't put background images on your Mac desktop at home, since this will make everything REALLY slow over the tunnel. A solid background color is best.