Reverse VNC Session

This site remains here for legacy reasons and will not be updated! All the other articles are probably still available but not linked any more. Start page.

In this tutorial I'll cover how you can help a person with computer problems (on a windows system, of course) via VNC, even if that user is behind a NAT router.

One solution to this is to use the router's port forwarding ability (if that router even has such a function). But this is very complicated to set up, especially if you don't have access to the router yourself and have to guide a user through menus and forms you cannot see.

But there is another way, called Reverse VNC.

For this to work I assume that you either have

Setting up TightVNC

In either of these cases, the user whose computer you want to control remotely has to install TightVNC (Direct Link to the Windows Binary Installer). Once the download is finished, VNC must be installed.

After TightVNC was successfully installed, the user has to start a new server. That is done via Start -> All Programs -> TightVNC -> Launch TightVNC Server. If a configuration dialogue is shown, be sure to set a password (won't be used any more; pick something like 123). Click OK.

TightVNC Config Dialogue

After that, you maybe have to re-start the server. You can see that the server is running properly if there pops up a V-Icon in your SysTray.

So much for the Windows box.

Setting up the Gateway / Local Port Forwarding

You just have to do this step if you (the one who wants to connect to the VNC session running on the Windows box) are behind a NAT router yourself. If that is the case, you have two choices:

  1. Set up proper port forwarding. You have to forward Port 5500/tcp to your computer. Setting up port forwarding heavily depends on how good/expensive your router was. Port forwarding usually takes some time and knowledge how to do it as well. And, port forward rules are static. After finishing the VNC session you'd have to delete the rule again. If you know how to do all that, skip the next few paragraphs.
  2. Use a gateway:

    The gateway just reads packages from the windows machine and forwards it (over a secure channel) to your PC where you can then interact with the VNC session.

    So we first establish a tunnel to your computer. Since your computer is in a NATed network as well (and you decided to not configure port forwarding), you have to initiate the connection (for more details, see the Reverse Shell Guide or the ssh(1) man page). You'd issue the following command from your local PC:

    ssh -NR user@gateway

    Important! For this to work you have to set the GatewayPorts option set to yes in your sshd config. Also, if you use iptables, you probably have to allow connections to port 5500: iptables -I INPUT -i eth0 -p tcp --dport 5500 -j ACCEPT

    Now, every connection made to gateway:5500 is forwarded over the secure channel to your host, port 5500.

Setting up the VNC listener / Connecting

On your host, the only thing left to do is to set up a VNC listener (that is, a VNC client listening for incoming connections). That is done with the command: xvncviewer -listen

Just leave that program open. As it is in listening mode, it'll wait until a connection comes in and will then open the window for you automatically. Since the connection will be started from the host you want to control, you don't have to enter any kind of password.

Now, the user can initiate the connection from his/her windows box by right-clicking on the VNC SysTray icon and selecting "Add New Client".

As hostname just give the IP or hostname of your gateway (if you haven't set up a gateway but port forwarding at your router, insert your IP or perhaps DynDNS hostname). Then click OK.

TightVNC Add Client Dialogue

Voila! The connection should be working now.

One piece of advice: If the connection drops, don't kill the VNC listener. Instead, kick all users from the VNC server at the Windows side and re-add your hostname

© 2005-2006 Julius Plenz
Questions? Suggestions? Reviews? I love to receive email!
$Id: reverse-vnc.php 72 2006-02-28 23:30:14Z feh $