VNC via SSH - can't figure out the last step

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Ancandis, Nov 17, 2010.

  1. Ancandis macrumors member


    Nov 18, 2009
    How do I create a VNC connection to my Mac at home?

    I can't figure out the last step so Screen Sharing will show me my desktop.

    This is what I accomplished so far:
    connected to
    ssh -NfL 5900: -p 5678 *

    I get the password prompt and get a connection.

    * changed from default port 22

    When trying to connect using CMD+K in Finder:
    I get the message "A computer can not connect to itself and share its screen."

    What do I need to do to establish the VNC connection? Thanks
  2. belvdr macrumors 603

    Aug 15, 2005
    Try using a different port and IP (i.e. 5901:<IP of local system>:5900) for the connection.
  3. deconstruct60, Nov 17, 2010
    Last edited: Nov 17, 2010

    deconstruct60 macrumors 604

    Mar 10, 2009
    It is

    ssh -L <local port>:<remote host>:<remote port> <user_name>@<remote host>

    You are setting up a port forwarding connection to your own box with your version of the above command. What you want to say is "make this local port (address implicit: '-L' means local port. ssh doesn't need help to figure where it currently is) forward to this remote address on the remote port number". The error message is on point. Stop connecting to your own box.

    The VNC service you want to connect to is on the remote host. The ssh service and the service server don't have to be the same. So technically it can be:

    ssh -L <local port>:<service host>:<service port> <user_name>@<ssh_service_host>

    It is simpler to remember it the first way listed above since often the ssh_service and service_host are the same address/box. But that is why you have to list it twice. You can use ssh though just to get through firewall and then send unencrypted traffic on the remote LAN. It is typically simpler and safer to just send it straight through to destination. Most LANs aren't particularly secure either if typing passwords.

    Something like

    ssh -R <remote port>:<local host>:<local port> ......

    is where you would plug in the local host address if needed. That would be useful if allowing remote folks to connect to VNC server on local host by establishing the tunnel on the service serving box.
  4. eatbacon macrumors regular

    Feb 4, 2003
    I use nearly the exact set up as the OP and it works fine, except I use a different local port as suggested by the first response. I happen to use a random port, but I just tested my setup with 5901 and it works. (I was concerned that since 5901 is also used by vnc when you have more than one server active that it would complain about that, but it does not).

    The second response is confused. Your command does what you want. It forwards port 5900 on your local machine to 5900 on the local interface of your REMOTE machine. The local vnc client is rejecting your access to port 5900, but the tunnel is working fine. As suggested, use a port that the vnc client will not balk about and all will be well.
  5. LPZ macrumors 65816

    Jul 11, 2006
    I use the following alias and just type "vnc":

    alias vnc='ssh -N -f -L 5901:localhost:5900; open vnc://localhost:5901'
    (I have configured ssh to use keypair authentication, so don't need to supply a password or user name.)

    Have also configured the server firewall to accept vnc only from itself on port 5900.
  6. deconstruct60 macrumors 604

    Mar 10, 2009

    It is clearer when you don't use the context sensitive references like , but yeah for DHCP hosts that is the way. Sorry about that.
    If the hosts targeted are named it is clearer to use names.

    I think part of the problem may be the "-f" which puts the ssh into the background. If trying to reuse a port (there is already a VNC server listening on 5900, so you get a failure you don't see). If you have problems with tunnels, turn off the background mode and just open one up to make sure it is working, then kill it. You need an unused port number. There are only loose conventions for port numbers outside the privileged range.

    It would be better to run it with a "-v" instead of a "-f" if having problems. Once you have worked out the connection specifics then run it in the background.
  7. d136o macrumors newbie

    Jan 15, 2011
    Similar situation:

    I wanted to tunnel VNC traffic over SSH. However, I wanted to make sure I was doing it right, as opposed to having an SSH tunnel doing something, then VNC working as well, and yet none of it as intended.

    The local port change from 5900 to 5901 seems to have done it:

    ssh -L 5901: user@remotehost

    then cmd+k on finder to run the "Connect to Server" dialog where I entered:


    a tcpdump of the traffic across the various ports seems to confirm that things are working as expected:

    tcpdump -vv -i en1 port 22 -> should show stuff
    tcpdump -vv -i en1 port 5900 -> should show nothing
    tcpdump -vv -i en1 port 5901 -> should show nothing
  8. adpeace macrumors newbie

    Feb 28, 2008
    The 'remote host' part of the argument is relative to the host being connected to. If you put localhost there then the port from localhost on the remote side will be forwarded. For example:

    ssh -L6000:localhost:6000
    forwards 6000 on my local machine to localhost:6000 on the remote side, which is So, the command being used was OK. I suspect that the VNC code just doesn't like connecting to localhost:5900 (i.e. :0).

    You can demonstrate this using the netcat utility: Open two terminals; in the first, run the ssh command above (replace my example with a valid username and host). On the remote host, run 'nc -l -p 6000'. Now, on your local client in the second terminal, run 'nc localhost 6000'. This connects to port 6000 on your local computer, which is being forwarded over the ssh. Type something and hit enter, and you'll notice it appear in the nc session running on the remote host in the first window. E.g. your terminals may look something like this:

    Terminal 1: I typed lines 1 and 2, 'hello' came over the connection:
    andy:~ adpeace$ ssh -L 6000:localhost:6000 <user>@<host>
    gateway-1:~$ nc -l -p 6000
    Terminal 2: I typed all this:
    andy:~ adpeace$ nc localhost 6000
    Hope that helps.
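
The points made across the replies (a local port other than 5900, the forward target resolved on the remote side, and "-f" hiding a failed forward) combined into one helper. This is an added example, not code from any poster; the function names, `user@remotehost`, and the ports 5901 and 5678 are placeholders chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. user@remotehost, 5901 and 5678 are placeholders.

# Accept only a numeric, unprivileged local port that is not 5900, the port
# Screen Sharing rejects with "cannot connect to itself" on the client Mac.
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 5900 ]
}

# tunnel_cmd LOCAL_PORT USER@HOST [SSH_PORT] prints the ssh command line.
tunnel_cmd() {
    valid_local_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    case "$2" in
        # Empty, leading '-' (ssh would parse it as an option) or odd characters.
        ''|-*|*[!A-Za-z0-9@._-]*) echo "bad destination: $2" >&2; return 1 ;;
    esac
    case "${3:-22}" in
        *[!0-9]*) echo "bad ssh port: $3" >&2; return 1 ;;
    esac
    # -L localhost:PORT:...   listener bound to the client's loopback only
    # ...:localhost:5900      resolved on the REMOTE side, i.e. the Mac at home
    # ExitOnForwardFailure    ssh exits non-zero if the local port is taken,
    #                         so -f cannot hide a failed forward
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -p %s -L localhost:%s:localhost:5900 %s\n' \
        "${3:-22}" "$1" "$2"
}

# Start the tunnel and open Screen Sharing (macOS `open`) only if ssh succeeded.
open_vnc() {
    cmd=$(tunnel_cmd "$@") || return 1
    # Unquoted on purpose: every field was validated above and holds no whitespace.
    $cmd && open "vnc://localhost:$1"
}
```

Calling `open_vnc 5901 user@remotehost 5678` runs the tunnel and then Screen Sharing; `tunnel_cmd` on its own only prints the command so it can be inspected or run with "-v" first.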
