How to Establish a VNC Connection Over an SSH Tunnel in CentOS 8
We recently covered how to install TigerVNC server on CentOS 8. VNC connections are insecure by themselves. Therefore, in this tutorial, we are going to show you how to establish a VNC connection over an SSH tunnel on CentOS 8. This will secure the connection and the transmitted data. To follow the steps in this guide, you must first complete all the settings from the first part.
Previously, we created the user username. Now we need to make sure that user can connect to the server via SSH. To test this, try connecting to the remote server via SSH as username.
If this works, you can proceed to the next step. If not, you need to either enable password authentication on the server, or configure an SSH key for username. See chapters SSH configuration and SSH key configuration in the Initial CentOS 8 Server Setup note.
Open the TigerVNC configuration file:
sudo nano /etc/tigervnc/vncserver-config-defaults
Uncomment the following line:
Restart the TigerVNC service:
sudo systemctl restart vncserver@:2
Now it will not be possible to connect via VNC to the server directly from a remote computer, only via an SSH tunnel.
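To confirm the restriction took effect, check which addresses the VNC port is bound to on the server. The following is an added example, not part of the original tutorial: vnc_bind_status is a hypothetical helper that reads `ss -H -tln` output and reports whether a port listens only on loopback, and the two sample listings are constructed. It assumes port 5902 (display :2, the port used in the tunnel command in this guide) and that "not reachable directly" means the listener is bound to 127.0.0.1 or ::1.

```shell
#!/bin/sh
# Added example: verify the VNC port is bound to loopback only.
# vnc_bind_status PORT  reads `ss -H -tln` lines on stdin and prints one of:
#   loopback-only | exposed | not-listening
vnc_bind_status() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                       # "Local Address:Port" column
            n = match(addr, /:[0-9]+$/)     # split on the last colon (IPv6-safe)
            if (n == 0 || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            sub(/^\[/, "", host)            # [::1] -> ::1
            sub(/\]$/, "", host)
            sub(/%.*$/, "", host)           # drop interface scope, e.g. 127.0.0.1%lo
            seen = 1
            if (host !~ /^127\./ && host != "::1") exposed = 1
        }
        END {
            if (!seen)        print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample: listener on all interfaces (before the config change).
SAMPLE_BEFORE='LISTEN 0 5 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 5 [::]:5902 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: listener on loopback only (after the config change).
SAMPLE_AFTER='LISTEN 0 5 127.0.0.1:5902 0.0.0.0:*
LISTEN 0 5 [::1]:5902 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | vnc_bind_status 5902)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER"  | vnc_bind_status 5902)"

# On the server itself, feed it live data instead of the samples:
#   ss -H -tln | vnc_bind_status 5902
```

If the live check prints exposed, the VNC port is still accepting connections on a non-loopback address and the tunnel is not the only path to it.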
Now let’s move on to the client computer.
Creating an SSH tunnel on Linux or macOS
On any Unix-like operating system, just open a terminal and enter the following command:
ssh -L 62000:localhost:5902 -N username@TigerVNC_server_IP
Replace username with the login that was created in the first part of the tutorial, and TigerVNC_server_IP with your server's address. As you can see, this is an ordinary ssh command. The -L flag forwards local port 62000 to localhost:5902 as seen from the server, and -N tells ssh not to run a remote command, so the session serves only as a tunnel.
Creating an SSH tunnel on Windows with PuTTY
In PuTTY, the setup differs little from a regular SSH connection. You need to go to the Connection section, then SSH and finally Tunnels. Enter 62000 in the Source port and localhost:5902 in the Destination.
Click Add and Apply.
Establishing a VNC connection over an SSH tunnel
After the tunnel is created, you can establish a secure VNC connection to the remote server. To do this, use any VNC client, as in the first part, but connect to a different VNC server address and port: localhost:62000.