Hey guys, I'm having this problem where VNCSERVER used to work from the office fine, also in my local LAN at home, but now I can only access it via localhost, and not the office. I did configure my router to work with it, but nothing goes. SSH does work.
Is there any reason why this happened, and how to fix it? Does it have anything to do with host.allow or host.deny?
The only way it would have to do with the hosts.X files is if you changed them. Were you connecting to tightVNC directly or through an SSH tunnel? If you were doing it directly I'd suggest that maybe your office IT people closed off the ports on their firewall.
I was using the viewer.exe and I would doubt it was the IT guys; they just passed by me and saw what I was doing and even offered help! Hehe, but didn't figure out why...
As for the host.x files, I did not change them, but if I go into them, there is no value there, only the comments...
Another thing: let's say I'm at home on Windows and do it via IP, it doesn't work; only localhost:1 would, or 192.168.1.100:1 as well...
Oh, another thing I noticed is that before, when I started VNCSERVER, I used to read my name in the log file (I think, not sure). But now it is:
[andres@localhost andres]$ vncserver
New 'X' desktop is localhost:1
Starting applications specified in /home/andres/.vnc/xstartup
Log file is /home/andres/.vnc/localhost:1.log
Well, that looks like a perfectly normal vncserver startup to me. You could verify that it is running by running lsof -i in a console. You should see Xvnc is running and listening.
Quote:
Another thing: let's say I'm at home on Windows and do it via IP, it doesn't work; only localhost:1 would, or 192.168.1.100:1 as well...
Now this suggests to me that you are connecting to the vncserver over an SSH tunnel as this is EXACTLY what you do if you do have an SSH tunnel established for VNC. Do you have to establish an SSH connection in order for you to see any desktop with a VNC client? And I guess I'm not clear about one thing: when you do connect to localhost:1, are you seeing your office system or are you running a VNC server on your home Windows box?
Which actually brings me back to your IT guys. If they are worth their weight in warm spit, they should know that allowing direct VNC access outside of a VPN connection or an SSH tunnel is a HUGE security hole. And if they are allowing direct VNC access, then you seriously need some new IT guys. VNC transmits everything in clear text, so anyone listening would be able to pick up a username and password to your corporate system pretty easily. So it wouldn't be at all surprising if they forced any VNC connections through something secure like an SSH tunnel.
I don't really understand all the terms you used exactly in your post since I'm still fairly new to all this!
Basically, I use vncviewer.exe from Windows. At work, I use my external IP, which in return gives me a connection error. From my Windows box at home, I either use localhost:1 or 192.168.1.100:1, which works fine.
OK, now it is my turn to be confused...... You say you can't connect from your work computer to what server? Is it a work server? A home server? I guess I'm not sure of what players are involved here and what you're actually trying to do.
Quote:
I don't really understand all the terms you used exactly in your post since I'm still fairly new to all this!
If you have some specific questions, I'd be glad to answer them as best I can. Maybe point out the bits you don't understand?
Hehe, OK, here we go! At home, I have my Linux box and a Windows XP box (separate).
I want to access the Linux box via vncviewer from work using the external IP.
When I'm at home using Windows, I can access the Linux box via VNC using either localhost:1 or 192.168.1.100:1. But from work, using my-external-ip:1 does not work.
It used to work up to a month ago (from work) but now it just doesn't; I get a connection error.
What I wasn't understanding from your post was about the tunneling SSH. Yes, I do use SSH from work to do some stuff like installing some software or setting up users and permissions etc. I don't know if that answers your question though!
Thanks for your help by the way, Hangdog42! Really appreciate it!
There are a couple of things that come to mind. First off, does the Linux box have a static IP address? If it doesn't that would be real trouble.
Quote:
But from work, using my-external-ip:1 does not work.
I'm also assuming that you have a router of some sort between your home computers and the Internet. If that is true, you have to set up port forwarding on the router to forward port 5901 to the Linux box. This is also why I asked about the static IP address. If you had port forwarding set up, but didn't have a static IP on the linux box, this could be a problem.
What is more of an issue however, is that by using the external-ip:1, you are essentially running VNC in the clear. This is a huge security risk and I would strongly suggest you do some reading on how to run VNC over an SSH tunnel.
Quote:
What I wasn't understanding from your post was about the tunneling SSH.
SSH has the capability of grabbing ports on both ends of the connection and tunneling them through the SSH connection on port 22. Essentially this means that you can access any port on a remote machine by opening only port 22. It also means any traffic going across this tunnel is encrypted.
The reason I'm asking is that it is a good idea to tunnel port 5901 through SSH so you can use this tunnel to access VNC. Essentially this means that SSH would grab port 5901 on your windows box and any traffic sent to that port would be routed to port 5901 on the Linux box. I do this all the time so I can access my Linux server from anywhere on the internet and still be certain it is a secure connection.
Quote:
When I'm at home using Windows, I can access the Linux box via VNC using either localhost:1 or 192.168.1.100:1.
OK, this is the bit that still confuses me. If the IP address of the linux box is 192.168.1.100, then that command should work. However, the localhost:1 should NEVER connect you to the Linux vncserver unless you have established an SSH tunnel first.
Tunneling is one of those things that if you don't know for a fact you're doing it, odds are you aren't. Anyway, I'm going to assume that you are using Putty on your Windows box, so here is a site that has a few screen shots (about half way down) that show how to set up a tunnel with Putty.
Now you do have to do the VNC port math right. Vncserver runs on port 5900 + screen number. So when you have vncserver telling you it is starting on screen :1, that would be 5901 (and screen :2 would be 5902, etc.). So basically you need to forward local port 5901 (the "Source port" in Putty) to port 5901 of the Linux box (the "Destination" in Putty). Note that the Destination box needs an IP address. This MUST be the LAN IP address of your Linux box (192.168.1.100). So it would look something like this: 192.168.1.100:5901.
For connections coming from the Internet (like when you are at work), you need to set up your router to forward port 22 to your Linux box. So from work, you would use Putty to connect to your external (WAN) IP address. Once that connection is made, the tunnel will be enabled and you would connect the VNC client to localhost:1.
Now, if you are going to expose your SSH server to the Internet, be sure to do some reading around here on securing SSH. There are a lot of threads, so a search should bring up loads of info. But basically be sure to use the AllowUsers directive in your /etc/sshd_config file to limit which usernames have SSH access and do NOT allow root to use SSH. People ARE going to take a rip at cracking your SSH with a dictionary attack so make sure your usernames and passwords are not easily guessed.
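The tunnel and the SSH hardening from the post above, as an added example that is not part of the original thread: the OpenSSH command-line equivalent of the PuTTY forward, plus a check of an sshd_config file for the two settings mentioned. The function names, the `WAN-ADDRESS` placeholder and the sample config are constructed for illustration; the check reads only the file it is given and ignores Match blocks and Include files.

```shell
#!/bin/sh
# Added example: display-to-port math, the SSH forward, an sshd_config check.

# vncserver listens on TCP 5900 + display number (:1 -> 5901).
vnc_port() {
    display=${1#:}                      # accept ":1" or "1"
    case $display in
        ''|*[!0-9]*) echo "bad display: $1" >&2; return 1 ;;
    esac
    echo $((5900 + display))
}

# Build the OpenSSH equivalent of the PuTTY tunnel: local port -> LAN IP:port.
# Args: display, LAN IP of the VNC host, SSH login (user@wan-address).
tunnel_cmd() {
    port=$(vnc_port "$1") || return 1
    echo "ssh -N -L ${port}:$2:${port} $3"
}

# Print the first uncommented value of a keyword (sshd uses the first match;
# keywords are case-insensitive).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 only if root login is refused and an AllowUsers list exists.
audit_sshd() {
    rc=0
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(sshd_value "$1" AllowUsers)" ] || { echo "AllowUsers is not set"; rc=1; }
    return $rc
}

# Constructed sample config (not from the thread), then the demo calls.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' 'AllowUsers andres' > "$sample"
tunnel_cmd :1 192.168.1.100 andres@WAN-ADDRESS
audit_sshd "$sample" && echo "sshd_config: OK"
rm -f "$sample"
```

With the forward running, the VNC viewer connects to localhost:1 and only port 22 has to be forwarded on the router.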
Hey, thanks a lot Hangdog! That worked great! Tunneling now works perfectly!
As for people trying to log into SSH with root, I tried for the sake of testing with the root password and it was denied, so I guess I may be safe on this part!