VNC over ssh on port 322 behind a firewall

    I have two remote boxes, A and B. In A, the SSH daemon is listening on
port 22 (as usual) whereas in B it is listening on port 322. A and B are
behind a firewall F1, with a common IP address I. F1 (over which I have
full control) is configured to do port forwarding, such that external ssh
connections to ports 22 and 322 are forwarded to A and B, respectively.

    I am accessing A and B from a box C behind another firewall F2. I have no
control over F2; the best I can do with it is to use a SOCKS server to run
socksified applications. Anyway, in C, in my .ssh directory, I have the
following config file:

    Host A
     HostName I
     HostKeyAlias A

    Host B
     HostName I
     HostKeyAlias B
     Port 322

    With this setup, executing the following command

    ssh A

in C gives me a shell in A (the key sharing between A, B and C is already
in place, so no password is used.) In order to get a shell in B, from C I
must do the following

    runsocks ssh B

runsocks is a SOCKS5 function that socksifies an application - ssh, in
this case. Without runsocks, the following error message is printed:

    ssh: connect to host I port 322: Connection refused

    I guess that the firewall F2 is allowing traffic on port 22, but not on
port 322, unless one uses the SOCKS proxy.

    So far so good. With this SSH infrastructure we next tackle VNC
connections over ssh.

    From C, I can connect to a VNC server running on A, and listening on port
5900, without any problem. I first do the relevant SSH port forwarding:

    ssh -T -L 5900:localhost:5900 -C -N A

    Assuming that I have a VNC server on A as above, the following command in
C gives me access to that server:

    vncviewer localhost:0

    Jolly good.

    Now, how can I do the same with B? I tried the SSH port forwarding to B,
as follows:

    ssh -T -L 5900:localhost:5900 -C -N B

    Unsurprisingly, this elicits the following error:

    ssh: connect to host I port 322: Connection refused

    I next tried to socksify the SSH port forwarding:

    runsocks ssh -T -L 5900:localhost:5900 -C -N B

and the error message this time is

    listen: Bad file descriptor
    channel_setup_fwd_listener: cannot listen to port: 5900
    Could not request local forwarding.

After which the command hangs till explicitly killed.

    Is there a way around this problem, bearing in mind that my control over
the F2 firewall is virtually non-existent?

Re: VNC over ssh on port 322 behind a firewall


It does seem that SOCKS is getting in the way of the port forwarding by
messing up the connections in some way.  Here's another option: on
server B, run ssh on a different and commonly used port, such as 80 or
443.  443 is commonly used for this purpose because it's normally used
for SSL, so most firewalls allow it to pass.  80, or any other commonly
used port such as 21 or 23, might also serve for the same reason.  But
some firewalls include application filtering that blocks these.  For
example, my office firewall blocks all non-HTTP traffic across port 80.
But port 443 doesn't have this problem; because traffic on that port is
usually encrypted anyway, the application filters give up and let all
traffic pass.

Good luck,

Re: VNC over ssh on port 322 behind a firewall

On Tue, 31 Aug 2004 15:12:10 -0400, Andrew Schulman wrote:


    Thanks for your reply. Ports 80 and 443 were not available, but 23 was.
After changing my setup so that the ssh daemon in my remote box B listens
on port 23, the VNC connection worked flawlessly.

Re: VNC over ssh on port 322 behind a firewall


As Andrew points out, this is due to the socksifying messing up the port
forwarding - it basically assumes a "simple" client-type program that
wants all its network activity socksified, whereas for ssh you typically
don't want it to apply to the local port listening (and it frequently
doesn't work anyway except for special cases like active mode ftp).

In the old "original" SSH implementation there was a configure option to
"natively" socksify ssh at build time, which would get around this - it
had #ifdefs all over the code, so I can understand if the OpenSSH folks
didn't want to retain/reproduce that.


Besides using a different port like Andrew mentions (with caveats), I
think you should be able to use the socksified ssh (without
port forwarding) as ProxyCommand for a non-socksified ssh (with port
forwarding). Of course this means that you will actually have double
encryption, so it's not very efficient - you could probably instead use
socksified netcat or somesuch, or I seem to remember reading here about
some dedicated program for ssh proxying, couldn't find it with a quick
google groups search though. In any case it just needs to provide a
clear channel to an ssh server, see the ssh_config man page.

Off the top of my head, with netcat installed as 'nc', you can maybe
just replace the "Port 322" (and "HostName I" I guess) for "Host B" in
your config file with

  ProxyCommand runsocks nc I 322

- and have a simple 'ssh B' work, with or without port forwarding.

--Per Hedeland
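Per's ProxyCommand approach in working form, as an added example that is not code from anyone in this thread: a small SOCKS5 CONNECT client (RFC 1928, NO AUTH method only) that ssh runs as its ProxyCommand in place of `runsocks nc I 322`, so only the outbound connection goes through SOCKS while ssh's own -L listener binds natively. The script name socks5_proxycmd.py and the SOCKS server address socks.example:1080 are assumptions.

```python
import socket
import sys
import threading

def build_connect_request(host, port):
    """SOCKS5 CONNECT (RFC 1928): VER CMD RSV ATYP=3 LEN NAME PORT; the SOCKS server resolves NAME."""
    name = host.encode("idna")
    if not 0 < len(name) < 256: raise ValueError("hostname length must fit in one byte")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")

def reply_length(head):
    """Total length of a SOCKS5 reply given its first 5 bytes: header, BND.ADDR, 2-byte BND.PORT."""
    atyp = head[3]
    if atyp == 0x01: return 4 + 4 + 2            # IPv4 address
    if atyp == 0x04: return 4 + 16 + 2           # IPv6 address
    if atyp == 0x03: return 4 + 1 + head[4] + 2  # length-prefixed domain name
    raise ValueError(f"unknown ATYP {atyp:#x}")

def recv_exactly(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk: raise ConnectionError("SOCKS server closed the connection early")
        buf += chunk
    return buf

def socks5_connect(proxy, host, port):
    """Return a TCP socket to host:port opened through the SOCKS5 server proxy=(addr, port)."""
    s = socket.create_connection(proxy)
    s.sendall(b"\x05\x01\x00")                   # greeting: one method offered, NO AUTH
    if recv_exactly(s, 2) != b"\x05\x00": raise ConnectionError("server rejected NO AUTH")
    s.sendall(build_connect_request(host, port))
    head = recv_exactly(s, 5)
    if head[:2] != b"\x05\x00": raise ConnectionError(f"CONNECT refused, REP={head[1]:#x}")
    recv_exactly(s, reply_length(head) - 5)      # discard the rest of BND.ADDR / BND.PORT
    return s

def relay(sock):
    """Pump ssh's stdin into the socket and the socket into stdout: ssh just sees a clear channel."""
    def stdin_to_sock():
        while data := sys.stdin.buffer.read1(65536):
            sock.sendall(data)
        sock.shutdown(socket.SHUT_WR)
    threading.Thread(target=stdin_to_sock, daemon=True).start()
    while data := sock.recv(65536):
        sys.stdout.buffer.write(data); sys.stdout.buffer.flush()

if __name__ == "__main__":                       # argv: socks_host:port dest_host dest_port
    socks_host, socks_port = sys.argv[1].rsplit(":", 1)
    relay(socks5_connect((socks_host, int(socks_port)), sys.argv[2], int(sys.argv[3])))
```

With this script the "Host B" stanza keeps "HostKeyAlias B", drops "HostName I" and "Port 322", and gains "ProxyCommand python3 socks5_proxycmd.py socks.example:1080 I 322", after which a plain "ssh -L 5900:localhost:5900 B" binds its listener without any SOCKS wrapper involved.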

Re: VNC over ssh on port 322 behind a firewall


Some SOCKS implementations (eg the NEC SOCKS5 reference implementation)
allow SOCKSification of connect()s and not bind()s.  In the NEC case,
this is a command of "c" in libsocks5.conf rather than "-" or "b".

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
