LinuxQuestions.org
Linux - Security forum: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Post #1, 03-09-2018, 01:43 PM, by mfoley (Senior Member, Slackware)
Need secure connection to VNC server


Not sure if this question should be here in Security, or Networking, or Server, but here goes ...

I'm running x11vnc on linux workstations. I'm using Real VNC viewer to connect remotely from Windows, and TigerVNC to connect from Linux. Between the remote client and the VNC server/workstation is another Linux box acting as a router. Here's the setup:

VNC Viewer --- port 1234 ---> Router ----> port 5900 on Linux workstation

The problem is that the connection between the viewer and the x11vnc server is unencrypted. The x11vnc server supports "tunneling" through an encrypted channel, e.g.

ssh -t -L 5900:localhost:5900 far-host 'x11vnc -localhost -display :0'

I have zero experience with tunneling. I've done 'ssh host "command"' before, and I've done 'ssh -p port host "command"', but I can't figure out the port:localhost:port meaning, even after reading the man page.

Can someone help me out?

Is there a better approach to getting the connection encrypted? (I really only care about the connection between the viewer client and the router; that's external. The router --> VNC server connection is LAN/internal and I don't care so much about that.)
 
Post #2, 03-09-2018, 08:20 PM, by jefro (Moderator)
I'm sure there are a few hundred ways to do this.

One suggestion may be this. ? https://www.ibm.com/developerworks/l...vnc/index.html

Others may have better or easier ideas too.
 
Post #3, 03-09-2018, 11:50 PM, by mfoley (Original Poster)
Thanks for the feedback. That would be great if there are a few hundred ways to do it. All I need is one, and that seems hard to find! At the moment, I'm stymied at step 1 of the link instructions. My stunnel command (Slackware64 14.2) looks nothing like the example in the link. My man page is like this one: https://www.systutorials.com/docs/linux/man/8-stunnel/. The man page shows no -d, -r, or -p options. It is expecting to find a config file. When I try the example I get:
Code:
# stunnel -d 5905 -r 5900 -p combined.pem 
[ ] Clients allowed=500
[.] stunnel 5.35 on x86_64-slackware-linux-gnu platform
[.] Compiled with OpenSSL 1.0.2h  3 May 2016
[.] Running  with OpenSSL 1.0.2n  7 Dec 2017
[.] Update OpenSSL shared libraries or rebuild stunnel
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[!] Invalid configuration file name "-d"
[!] realpath: No such file or directory (2)
Have you actually done this? If so, how do I proceed?
 
Post #4, 03-16-2018, 04:23 PM, by mfoley (Original Poster)
VNC, stunnel SSL23_GET_SERVER_HELLO

After getting on the stunnel mailing list and asking this question, I was told that jefro's referenced link was obsolete back in 2007 when it was posted. I've since been given better link references that reflect current stunnel configs and parameters:

https://www.stunnel.org
https://tunnelix.com/securing-mysql-...ment-on-centos
https://www.symantec.com/connect/art...tion-microsoft

I've configured stunnel on my client and server (both Linux). I'll post the configs if someone wants to see them, but I think the main problem is related to the error I get when trying to connect:
Code:
2018.03.15 14:42:15 LOG3[0]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Searching the web, I've found some references to this error. One of them, https://stackoverflow.com/questions/...ix-my-ssl-cert, says, "This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server."

I think this is an OpenSSL problem rather than a stunnel issue. Does anyone have any insight into this error?
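As an added example (not part of the thread), a small Python probe of the failure behind SSL23_GET_SERVER_HELLO:unknown protocol. One common cause is the stunnel client's connect address landing on a plaintext listener: x11vnc volunteers its RFB version banner as soon as the TCP connection opens, so the stunnel client's OpenSSL reads "RFB 003.008" where it expects a TLS ServerHello record. The banner bytes are a constructed sample; probe() is my own helper and assumes the host, port and self-signed certificate.pem described in this thread.

```python
import socket
import ssl

# Constructed sample of what x11vnc sends the moment a TCP connection opens.
RFB_BANNER = b"RFB 003.008\n"

def classify_first_bytes(data):
    """Name the protocol from the first bytes a server volunteers (or fails to)."""
    if not data:
        return "silent"             # TLS servers say nothing until they get a ClientHello
    if data.startswith(b"RFB "):
        return "rfb-plaintext"      # raw VNC: OpenSSL sees 'R' where a TLS record should start
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"                # handshake record, version 3.x (only seen after a ClientHello)
    return "unknown"

def probe(host, port, cafile=None, timeout=2.0):
    """Connect, wait briefly for an unsolicited banner, and classify the port.
    A silent port is retried with a real TLS handshake verified against cafile."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            banner = s.recv(16)
        except socket.timeout:
            banner = b""
    kind = classify_first_bytes(banner)
    if kind != "silent":
        return kind
    # cafile: the self-signed certificate.pem from this thread (assumed path, passed by caller)
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"tls-ok ({tls.version()})"
    except ssl.SSLError as e:
        return f"tls-failed ({e.reason})"
```

Pointing probe() at the router's forwarded port should report "silent" followed by "tls-ok"; "rfb-plaintext" means the stunnel server is not in the path at all.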
 
Post #5, 03-16-2018, 06:24 PM, by mfoley (Original Poster)
Problem Solved! I didn't have my various ports set up correctly. Here is my configuration in case anyone else needs a secure connection for VNC or whatever else they might want. In my case, I'm using the VNC viewers TigerVNC on Linux and RealVNC Viewer on Windows, and the x11vnc server on the local Linux workstation. Although each of these viewers and the server do offer some kind of encryption, they don't seem compatible with each other, so up to now the connection has been unencrypted (not good). Hence the attempt to use stunnel.

I have a local Linux host acting as firewall/router. It routes requests on port 1234 to port 3389 on a local Linux workstation which is running x11vnc server listening on its local port 5900. I want to connect to this VNC server from a remote vnc viewer.

(Why does the router forward to port 3389? Because the workstation can dual-boot Windows, so the forward works regardless of booted OS.)

Remote vnc viewer, stunnel client stunnel.conf:
Code:
verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
[x11vnc]
accept = 5900
connect = router.obfuscate.org:1234
Local workstation vnc server, stunnel server stunnel.conf:
Code:
pid = /var/run/stunnel.pid
debug = 7
[x11vnc]
accept = 3389
key = /root/privatekey.pem
cert = /root/certificate.pem
connect = 127.0.0.1:5900
The certificate is self-signed and created on the stunnel/vnc server host using the following commands:
Code:
# openssl genrsa -out privatekey.pem 2048
# openssl req -new -x509 -days 365 -key privatekey.pem -out certificate.pem
The certificate.pem is copied to the stunnel client host.

With x11vnc listening on 5900 on the local workstation and with 'stunnel stunnel.conf' running on both the stunnel client (as the normal user) and server hosts, I used the remote vnc viewer and connected as a normal user, with the connection 127.0.0.1:5900.

I'm guessing I could configure my vnc viewers to connect to multiple clients with different [service] sections, for example:
Code:
verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes

[remoteHost1]
accept = 5900
connect = router.obfuscate.org:1234

[remoteHost2]
accept = 5901
connect = router.obfuscate.org:4321
I haven't tried that, but I will.

I further guess that I could have different CAfiles per server if I moved that directive to the respective service definitions, but I haven't tried that either.

Next steps are to get this running as a daemon and, more importantly, to implement the stunnel client on Windows. If I get the latter going, I'll post back the howto.
 
Post #6, 03-16-2018, 08:08 PM, by jefro (Moderator)
Thanks for the update and solution. I get lost in the threads and sometimes don't get back, sorry. Was hoping others had their way to post.
 
Post #7, 03-17-2018, 01:41 AM, by mfoley (Original Poster)
Quote:
Originally Posted by jefro
Thanks for the update and solution. I get lost in the threads and sometimes don't get back, sorry. Was hoping others had their way to post.
Thanks jefro! Although your particular link was obsolete, it did put me on the right track for the solution.

Final post: stunnel Windows client

I've now got the Windows client set up and working. Here's how with the help of https://www.techwalla.com/articles/h...l-certificate:

I downloaded and installed stunnel for Windows from https://www.stunnel.org/downloads.html. I've modified the file "C:\Program Files (x86)\stunnel\config\stunnel.conf" to have:
Code:
debug = info
output = stunnel.log

[CCARTER]
client = yes
accept = 127.0.0.1:1914
connect = obfuscated.org:1914
CAfile = certificate.pem
I copied the same .pem file described in previous posts to that same config folder. It is the same .pem file as I am using on my Linux client.

I ran 'C:\Program Files (x86)\stunnel\bin\stunnel -install' to install the service and it did so. I started the service. (It is set to automatically start on reboot)

Finally I tried connecting from my VNC client to 127.0.0.1::1914, and voila! It worked!

As expected, my RealVNC viewer warns that the connection is not encrypted even though it now is. That's because stunnel is external to the viewer and the viewer is not itself doing the encryption, so it doesn't know.

I'll mark this as solved, but I have some personal action items to follow through on: 1) make a .bat file for non-techy users to do the above on their home Windows machines. 2) Find and get working a stunnel client for Mac. 3) Figure out where the Windows log files are kept!

Last edited by mfoley; 03-17-2018 at 01:44 AM.
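As an added example (my own code, not from the thread), a small stunnel.conf checker that covers the two client configurations posted above. It parses the file the way stunnel reads it (options before the first [section] act as defaults for every service) and reports client services that never verify the server certificate, since without verify = 2 plus a CAfile the tunnel is encrypted but will accept any certificate presented at the router. The embedded configs are constructed samples modelled on the Linux and Windows client files in this thread.

```python
# Constructed samples modelled on the two client configs posted in this thread.
LINUX_CLIENT = """\
verify = 2
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
[x11vnc]
accept = 5900
connect = router.obfuscate.org:1234
"""
WINDOWS_CLIENT = """\
[CCARTER]
client = yes
accept = 127.0.0.1:1914
connect = obfuscated.org:1914
CAfile = certificate.pem
"""

def parse_stunnel_conf(text):
    # Returns (global options, {service: options}); keys lowercased, ';'/'#' comment lines skipped.
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services

def verifies_peer(opts):
    """True if the peer certificate is checked: verify >= 2, or verifyChain/verifyPeer = yes."""
    v = opts.get("verify", "")
    if v.isdigit() and int(v) >= 2:
        return True
    return any(opts.get(k, "").lower() == "yes" for k in ("verifychain", "verifypeer"))

def audit_clients(text):
    # Flag client services that would accept any server certificate, or cannot verify at all.
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # options before the first [section] act as defaults
        if eff.get("client", "no").lower() != "yes":
            continue
        if not verifies_peer(eff):
            findings.append(f"[{name}]: no verify = 2, so the server certificate is never checked")
        elif not (eff.get("cafile") or eff.get("capath")):
            findings.append(f"[{name}]: verify is set but no CAfile/CApath to check against")
    return findings
```

Run against the Windows config it reports the [CCARTER] service, while the Linux config, which carries verify = 2 and a CAfile in its defaults, comes back clean.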
 
  

