TightVNC over the Internet using a Reverse SSH Tunnel, PuTTY and a Middleman


Remote Computer - firewall - Internet - middleman server - internet - firewall - local computer

We want to run a VNC server on the remote computer so that we can control it using a VNC viewer on the local computer, and we want to encrypt all traffic with SSH. The challenge is that we cannot directly connect either way because of the firewalls. Rather than open ports on the firewalls, we will open connections from each of the computers to a middleman server on the internet in such a way that allows the local computer to tunnel through to the remote computer. This soluton will allow you to connect to the remote computer from anywhere on the internet, including from smartphones.

In this example, the remote computer runs Windows XP, the middleman runs Fedora Server Linux and the local computer runs Ubuntu Desktop 11.04.

On the remote computer

  1. Install TightVNC server
  2. Use REGEDIT to set HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server\AllowLoopback to 1
  3. Set up PuTTY
    1. Under Connection / SSH / Tunnels check Local ports accept...... and Remote ports do the same.....
    2. Set the Source Port to 5900
      Set the Destination to
    3. Select the Remote and IPv4 radio buttons
      Click Add
    4. Go to the Session dialog
    5. Under Host Name... enter the IP address of the middleman server
      In the Port field, enter 5900
      Select the SSH radio button.
    6. To save this set up, enter a memorable name in the Saved Sessions field and click Save.
    7. Start the reverse SSH tunnel with the middleman server by clicking Open and, in the terminal window that appears, logging on to the middleman server with the user's account and password. Once you have logged on, the tunnel will be open.

On the middleman server
Add these lines to /etc/sshd_config

TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
GatewayPorts yes

On the local machine

  1. Install TightVNC Viewer or other VNC client.
  2. Connect with USER@IP_ADDRESS_OF_MIDDLEMAN:5900
    where USER is a user ID on the middleman server and IP_ADDRESS_OF_MIDDLEMAN is the IP address of the middleman server. You will need to provide, in succession, a password for the user's account on the middleman and a password for the VNC server on remote computer, and you will need to log-in to Windows XP using the user's XP account password.

There are excellent commercial tools for doing this, such TeamViewer. However, these cost money when used for business purposes. The above solution is free and runs a bit faster, but at the expense of more complex set up. This solution has been tested with VNC viewers running on Ubuntu and with Android VNC running on an HTC Desire HD.