I found this post by Schreibg

if I want to remotely log into the server from work, what port do I need to open up on my router?

If you're tunneling VNC through SSH, you need to open port 22. Actually, if you are using a router that isn't your linux box, you need to forward port 22 from your router to your linux box.

That said, your place of work may have its own firewall that blocks port 22 and that may be a tougher problem to solve. Most IT people I know aren't going to be willing to open a hole in the firewall unless there is a really good reason. And even then, they usually aren't too happy about it.

hmm.. strange when I replace his example ip 123.456.789.123 with my enternal ip, i am unable to connect when I connect the vnc to my localhost:4901

any other setting I am suppose to change?

A couple of questions:
Did ssh connect? (like I said in my first post, your work firewall may be blocking port 22). If ssh isn't functioning, you aren't going to be able to tunnel through it.

Is vncserver running on the other end? If so, is it running on terminal 1 (you should be able to determine this with a netstat -al in the ssh terminal to see what port Xvnc is listening to).

I have no problem connecting w/ ssh.

I can connect using vnc behind the router, but when I use the external ip I can only connect only with the putty not the vnc viewer

The only way I can connect though the external ip is to open up port 5901 on my router, but that mean i'm not using ssh tunnel right?

OK, if you can make an SSH connection with Putty, 90% of the battle is won.

When I use Putty, I do everything in the Schreibg post EXCEPT


Here I actually use 5901 rather than an arbitrary port number. Why? You'll see in a minute....

Now in VNC, when I connect, I connect to localhost:1. Here is where the 5901 bit comes in. The number after the : in this box is the display number, not the port number. In essence, since VNC works on the 5900 series of ports, display 0 is at 5900, display 1 is at 5901, display 2 is at 5902..... And I have no idea where display 4901 would be. I know I'm cutting a fine line here between display and port, but VNC is obviously doing some math with the value after the : and I think that is why you are having trouble.

So, as long as SSH is connected, the tunnel is established and vncserver is running on display 1 (Xvnc should be listening to port 5901 and you can check this with the netstat -al command), there should be no problem connecting. Port 22 should be the ony one you have to forward. And yes, if you have to open port 5901 on your router, you aren't using the ssh tunnel.

Hmm.. ok here are the configuration for putty:
Session -> Logging
Host Name: <my external ip>
Protocal: SSH

Forward Port:
L5901 <my external ip>:5901

I have the vncserver on display :1

After I connect w/ putty, load the vnc client, in the area for VNC Server: localhost:5901

it doesnt do anything when I connect with the vnc client. there wasnt even a message about can not connect.

I think that you are very, very close. It looks like SSH is set up to tunnel properly but I think you've got the VNC client connection wrong. Here is my config that I use on a daily basis. The Slackware box that acts as my ssh and vnc server has an IP address of 192.168.1.10

Putty
Session page:
Host Name box: 192.168.1.10
SSH radio button checked (port 22 in the Port box)
Connections->SSH->Tunnels
Source Port Box has 5901
Destination box has 192.168.1.10:5901
Click on the Add button so that L5901 192.168.1.10:5901 appears in the Forwarded Ports box

Go back to Sessions, save the configuration, then Open.

Once logged into the Slackware box, start vncserver if it isn't already.

Start Windows VNC client. In the VNC server box I put

localhost:1


Note that I do NOT put in localhost:5901. I think that is where you've gone wrong.

are you able to connect from an outside your router? I have no problem connecting in the lan but when I change the ips eg. 192.168.0.10 to the ip of my wan, thats where I can only connect the ssh but not the vnc.

I think I know what is going wrong.....I made the same mistake when I first started doing this and it drove me nuts for about a week.

When you want to connect from outside your lan, you need to change the IP on the Sessions page to your WAN ip but you need to leave the tunnel IP exactly the way it is for your network.

So lets say your router has a WAN ip of 1.2.3.4 and your linux box has an ip of 192.168.1.10

In the Host Name box on the Session page you would have 1.2.3.4 and you would of course have the SSH button selected.

On the Tunnels page, the source port box should have 5901 and the destination box should have 192.168.1.10:5901. So after you click the add button, you still have L5901 192.168.1.10:5901, just as if you were connecting from behind your router.

Then the VNC connection should still be to localhost:1. That bit doesn't change at all.

Thanks! it's working now