May 20, 2013

Ubuntu VNC Gateway

I just had my VPS activated. I spent days wondering what to do with it. Then it hit me.
"Why not use the VPS as a remote desktop gateway?"
I spent more days working out how to do it. This is my note on how to work it out.

Some requirements:
  • A Virtual Private Server for the gateway
  • A Desktop/Laptop PC for the VNC server
  • Ubuntu Linux 12.04 for both server and PC (specifically, in this post)
  • OpenSSH installation on both gateway and server
  • X11VNC installation on VNC server PC
  • Another system as the VNC client which supports SSH tunnel

Why?
  • You want to access your PC from any network connected to the Internet but cannot have the router in the network forward connections to your PC
  • You have a VPS lying around on the net
  • Your VPS is running under OpenVZ with tun/tap disabled by the host, and you don't want to or cannot have it enabled
  • You want the VNC service to start automatically every time the server boots
  • You want the VNC service to be available through the gateway every time the VNC server is connected

Most Linux systems already have ssh installed, so let's go ahead and set up x11vnc and ssh on the VNC server.

$ sudo apt-get install x11vnc

Next we set x11vnc up to run at boot. By default, x11vnc is not available as a service, so we are going to write an init configuration script for it. But before that, we are going to create a VNC password as added security.

$ sudo x11vnc -storepasswd /etc/x11vnc.pass

Follow the instructions and enter the new password.

Next we write the configuration script. You can use any modest text editor.

/etc/init/x11vnc.conf
description "X11 VNC"

start on login-session-start

script
    x11vnc -xkb -noxrecord -noxfixes -noxdamage -display :0 -auth /var/run/lightdm/root/:0 -forever -o /var/log/x11vnc.log -rfbauth /etc/x11vnc.pass -rfbport 5900 -bg
end script

Note that /var/run/lightdm/root/:0 is the Xauth file path for lightdm. Xauth is an X session authentication file. Find out the path of the Xauth file for your display manager. The path must be available both before and after login, and accessible to the user after login. A log file will be handy if something is not working; I use /var/log/x11vnc.log for the log path. Point x11vnc to the password stored earlier in /etc/x11vnc.pass.

At this point you can restart the server machine to test the script. You can do ps aux | grep x11vnc to see whether it is running after boot. It should be accessible from the local network.

Now we write the network scripts so that the ssh remote listener runs every time the server is connected. The ssh session is set to time out after 5 minutes, so it must be looped.

/root/bin/listen_for_x11vnc_on_gateway.sh
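#!/bin/sh

# Short pause before the first connection attempt
sleep 3
while true
do
    # Open the reverse tunnel in the background; the remote sleep holds it open for 300 seconds
    ssh -fyTn -R '5900:localhost:5900' 'root@gateway.com' 'sleep 300'
    # Wait for that session to end before reconnecting
    sleep 300
done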

The -R option makes sshd on gateway.com listen on its port 5900 and forward every connection made to that port back through the tunnel to port 5900 on the VNC server's local interface. The remote command runs sleep for 300 seconds on gateway.com, then the session closes. The next sleep 300 waits until it is time to reconnect.

Make the file executable.

chmod 0500 /root/bin/listen_for_x11vnc_on_gateway.sh

/root/if-updown/x11vnc-gateway
#!/bin/sh

case "$IFACE" in
  lo) exit 0;;
esac

case "$MODE" in

    start)

    case "$ADDRFAM" in
      inet|inet6|NetworkManager) : ;;
      *) exit 0 ;;
    esac
    case "$PHASE" in
        post-up)
        exec /root/bin/listen_for_x11vnc_on_gateway.sh &
        ;;
    esac
    ;;

    stop)
    killall listen_for_x11vnc_on_gateway.sh
    ;;
esac

exit 0


Make the file executable then make links to it on /etc/network.

sudo chmod 0500 /root/if-updown/x11vnc-gateway
ln -s /root/if-updown/x11vnc-gateway /etc/network/if-up.d/
ln -s /root/if-updown/x11vnc-gateway /etc/network/if-post-down.d/

It is going to ignore loopback and any connection other than inet, inet6 (IPv6), and NetworkManager. Go ahead and connect to the Internet. You can check using ps aux | grep ssh to make sure that it is running.

To connect to the server through the gateway, set your VNC client to connect to port 5900 on gateway.com through ssh port 22 on gateway.com. We don't need to configure the routers on both networks.
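Because the client is meant to reach port 5900 only through ssh, it is worth confirming that nothing else can reach it. The following is an added example, not part of the original post: it reads ss -ltn output and reports whether port 5900 is bound to loopback only. The function names are hypothetical, the sample outputs are constructed, and it assumes ss (iproute2) is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Classify TCP listeners for one port from `ss -ltn` output on stdin.
# Prints one line per listener: "loopback <addr>" or "exposed <addr>".
classify_listeners() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            local_addr = $4                  # Local Address:Port column
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next       # port is the text after the last colon
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]" || host == "::1")
                print "loopback " local_addr
            else
                print "exposed " local_addr
        }'
}

# Exit status 0 when every listener on the port is loopback-only, 1 otherwise.
# A port with no listener at all also returns 1 (the tunnel is down).
port_is_loopback_only() {
    result=$(classify_listeners "$1")
    [ -n "$result" ] || return 1
    case "$result" in
        *exposed*) return 1 ;;
    esac
    return 0
}

# Constructed sample: the gateway with sshd's default "GatewayPorts no",
# where the -R forward is bound to loopback only.
SAMPLE_GATEWAY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5900    0.0.0.0:*
LISTEN 0      128    [::1]:5900        [::]:*'

# Constructed sample: the VNC server with x11vnc started without -localhost.
SAMPLE_VNC_SERVER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:5900      0.0.0.0:*'

# Live use: ss -ltn | port_is_loopback_only 5900 && echo "5900 is loopback-only"
```

If the check fails on the VNC server, adding x11vnc's -localhost option keeps the tunnel working (it targets localhost:5900) while closing the port to the local network.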

The ssh scripts must run without entering passwords. See my blog here to read how to do it.

I am sure that the scripts are really ugly. So if there is a Linux guru out there, please don't hesitate to make suggestions.