VNC into 2 computers

Joined
Dec 10, 2010
Messages
5
Reaction score
0
Points
1
I have recently set up one of my computers at work so that I can remotely log in and screen share via VNC. I set my computer to a static LAN ip and set up the proper port forwards for those services to be directed to my ONE computer on my network.

My question is how do I set up multiple computers on the same static WAN IP to work with VNC services? Do I just add port forwarding rules to TWO different computers? If so, how in the Finder connect dialog do I specify WHICH computer I'm trying to connect to? Current Finder connect looks like this:

vnc://33.333.333.333

Because of my port forwarding rules in my router/firewall it knows to go to my one computer, and I'm prompted for the VNC username and pass. But what if I want to do this with more than one computer on the network?

Thanks!
 
Joined
Jan 29, 2010
Messages
37
Reaction score
13
Points
8
Your Mac's Specs
27" iMac & 16" MacBook Pro (Intel)
The trick is to use a different port number for one of them. The default port for VNC is 5900, which is probably the port number you configured to forward through your router. If you set up another port forwarding config in your router but for a different port then you could VNC into either one just by specifying the associated port number in your VNC client. Note that the port you forward from your single WAN IP address probably doesn't have to be the same as the port the VNC server is using on the second machine. For example, you could forward WAN port 5901 to port 5900 on the LAN for the IP address of the second computer.

To connect to this new machine you just add ":NNNN" to the end of the IP address in the URL, where the NNNN represents the port number you chose for the second machine. So, you'd use something like this:

vnc://33.333.333.333:5901

You can do this for as many ports as you want, though some routers may limit how many you can configure.

I'll also add that VNC has notoriously weak security, so you may be exposing these systems more than you think. There are a variety of solutions to this, such as tunneling VNC through an SSH connection (that's what I do), or configuring a VPN connection into your network. Both of these are too involved to go into in this thread, but if you do an Internet search for something like "How to tunnel VNC through ssh" I'm sure you'll find lots of info.

HTH - Good luck!
 
OP
C
Joined
Dec 10, 2010
Messages
5
Reaction score
0
Points
1
Thanks so much that is exactly what I wanted to know!

However, does anyone feel like elaborating on how SSH tunneling works, or can anyone link me to a good step-by-step how-to? I understand the concept, but would like to know how to do it via Terminal; I would prefer not to use any third-party software. I've found it difficult to find a step-by-step for Mac: most all seem to be Windows guides, or they are all sites built to recommend software that can accomplish it for you. But why use software when it appears like some quick terminal magic, and a couple of router port forwarding steps?
 
Joined
Apr 7, 2008
Messages
187
Reaction score
7
Points
18
However does anyone feel like elaborating on how SSH tunneling works, or can anyone link me to a good step by step how to? I understand the concept, but would like to know how to do it via terminal

Your server machine (the one with vnc server) has to be running the ssh server.

Then on your client (the one connecting to vnc) you type:

Code:
ssh -L 5900:localhost:5900 your_login@your_ip

you need to replace your_login and your_ip. This will open a local port 5900 on your client which is redirected through the ssh connection to the port 5900 on "localhost" of your server.

Then, point your VNC client to "localhost:5900" and it should work.

I supposed that your ssh server is running on port 22 and is accessible.

hope it helps ;)
Tex
 
Joined
Feb 26, 2010
Messages
2,116
Reaction score
123
Points
63
Location
Rocky Mountain High, Colorado
Your Mac's Specs
1.8 GHz i7 MBA 11" OSX 10.8.2
Your server machine (the one with vnc server) has to be running the ssh server.

That is not true. Any local machine can be running the ssh server. Just port forward the listening port to that machine (default is 22 but you can change it). Then you can ssh tunnel to any machine on your local network, any port.

Looking at your code it should really be

Code:
ssh -L 5900:internal_ip_address_of_your_vnc_server:5900 your_login@dyndns_or_ip

What it is saying is -L (note that it is upper case) 5900 - setup tunnel to local port 5900 - port forward to <internal_ipaddress>:5900 - port 5900 of the internal ip address.

The your_login@dyndns_or_ip is the ssh login server - thus it doesn't have to be the same machine.
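
The port-per-machine idea and the SSH tunnel from this thread combined, as an added example that is not from any of the posts above: one SSH login forwards a separate local port to each VNC machine, so only the SSH port has to be forwarded on the router. The LAN addresses 192.168.1.10 and 192.168.1.11 and the starting local port 5901 are assumptions; your_login@dyndns_or_ip is the placeholder used above.

```sh
#!/bin/sh
# Added example: one SSH gateway, several VNC hosts behind it.
# The login, gateway and LAN addresses are constructed placeholders.

GATEWAY="your_login@dyndns_or_ip"   # SSH server reachable from the WAN
SSH_PORT=22                         # change if sshd listens elsewhere

# build_forwards START_PORT HOST...
# Prints one -L option per host. Local ports count up from START_PORT
# (above 5900, so they do not collide with a VNC server on the client),
# are bound to 127.0.0.1 only, and each points at port 5900 on its host.
build_forwards() {
    port=$1; shift
    out=""
    for host in "$@"; do
        case $host in
            ''|*[!0-9A-Za-z.-]*) echo "bad host: $host" >&2; return 1 ;;
        esac
        out="$out -L 127.0.0.1:$port:$host:5900"
        port=$((port + 1))
    done
    printf '%s\n' "${out# }"
}

# tunnel_command START_PORT HOST...
# Prints the full ssh command line. -N opens the tunnel without a remote
# shell; ExitOnForwardFailure makes ssh quit if a local port is taken.
tunnel_command() {
    fwd=$(build_forwards "$@") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -p %s %s %s\n' \
        "$SSH_PORT" "$fwd" "$GATEWAY"
}

# Command for two internal machines (constructed LAN addresses).
tunnel_command 5901 192.168.1.10 192.168.1.11
# With that command running, connect with:
#   vnc://localhost:5901   (first machine)
#   vnc://localhost:5902   (second machine)
```

With this in place the router's VNC forwards (5900, 5901, ...) can be removed, leaving the SSH port as the only one exposed on the WAN side.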
 
Joined
Feb 26, 2010
Messages
2,116
Reaction score
123
Points
63
Location
Rocky Mountain High, Colorado
Your Mac's Specs
1.8 GHz i7 MBA 11" OSX 10.8.2
Securing SSH

Since you asked - I've been planning to write something on ssh and what to do to secure it a little better. I have an ssh server running and found that scripts/bots/hackers try to log in with a username and password constantly. So here are some ideas on what to do.

Here is a pretty good writeup on how to setup ssh on the mac - I don't use allow users - but I do use rsa_keys. I highly recommend using rsa_keys and turning off password login.
stocksy.co.uk - Mac - SSH on Mac OS X

Also, if you can, change the port. This isn't security through obscurity - this is to stop scripts. Basically most scripts look at port 22 and see if there is a response. If there is a response then the script will try to start logging in. This does help cut down on attempts - but shouldn't be your only defense. Secondly - many firewalls allow port 22 out - but not other random ports so if you are trying to login from behind a firewall make sure that whatever port you set is allowed out.

Code:
pico /etc/sshd_config
Uncomment #Port 22 by removing the #
You can set the port to whatever number you wish.

Grab Macports and install it.
The MacPorts Project -- Home
Then you can install denyhosts
Code:
port search denyhosts
port install denyhosts
This program will monitor ssh attempts. If too many attempts are made without logging in from the same ip address - then it will add that ip address to the /etc/hosts.deny file.

I personally use a linux server and have iptables setup to drop ssh attempts after 3 attempts. I use this in conjunction with denyhosts.
Code:
sudo iptables -N SSH_CHECK
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
sudo iptables -A SSH_CHECK -m recent --set --name SSH
sudo iptables -A SSH_CHECK -m recent --update --seconds 120 --hitcount 4 --name SSH -j DROP

I don't know how to do this in ipfw or the Mac. Maybe someone else can chime in. Here is more info on ipfw on OSX.
http://www.ibiblio.org/macsupport/ipfw/
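
The signal that denyhosts acts on, as described in the post above, shown as an added example that is not from the post and is not denyhosts' own code: count failed sshd password logins per source address and print the ones at or over a threshold in hosts.deny syntax. The log lines are constructed samples in OpenSSH's syslog format, and the threshold of 4 is an assumption.

```sh
#!/bin/sh
# Added example: failed sshd password logins per source address.
# Log lines below are constructed samples (documentation addresses).

sample_log() {
cat <<'EOF'
Dec 10 09:14:01 server sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Dec 10 09:14:03 server sshd[411]: Failed password for invalid user test from 203.0.113.7 port 51125 ssh2
Dec 10 09:14:06 server sshd[415]: Failed password for root from 203.0.113.7 port 51130 ssh2
Dec 10 09:14:09 server sshd[418]: Failed password for root from 203.0.113.7 port 51139 ssh2
Dec 10 09:20:44 server sshd[502]: Failed password for your_login from 198.51.100.23 port 40210 ssh2
Dec 10 09:20:51 server sshd[502]: Accepted publickey for your_login from 198.51.100.23 port 40212 ssh2
EOF
}

# offenders THRESHOLD   (log on stdin)
# Prints "address count" for each source with at least THRESHOLD failures.
offenders() {
    awk -v limit="$1" '
        / sshd\[[0-9]+\]: Failed password for / {
            # Scan from the end of the line: the username is chosen by
            # the remote side, so an earlier "from" cannot be trusted.
            for (i = NF; i > 1; i--)
                if ($(i - 1) == "from") { fails[$i]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# hosts_deny_lines THRESHOLD   (log on stdin)
# Same sources, formatted as "daemon: address" lines for /etc/hosts.deny.
hosts_deny_lines() {
    offenders "$1" | while read -r ip count; do
        printf 'sshd: %s\n' "$ip"
    done
}

sample_log | hosts_deny_lines 4
```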
 
Joined
Apr 7, 2008
Messages
187
Reaction score
7
Points
18
That is not true. Any local machine can be running the ssh server.

Of course.

The IP blacklisting and rsa key authentication are a secure solution but maybe a strong password with ssh running on a different port is enough.
 
