VNC Connection – Bypassing Firewall Using VPS

Tags: firewall, linode, mac, vnc, vps

I have a friend who lives far away and needs technical support. So far I've been unable to diagnose the problem over the phone, so I was looking to use a VNC connection to remotely troubleshoot his computer. We both have Macs.

The issue is that he is behind a firewall, and all the ports are filtered (checked using nmap). Since I'm behind a firewall too, I was wondering if it would be possible to set up some sort of forwarding connection to my Linode VPS, i.e., we would both connect to my VPS, and all my VNC traffic would be forwarded through the VPS to my friend's computer (and since we both initiated connections to the VPS, there wouldn't be any issues with firewalls).

Best Answer

You need a reverse SSH tunnel, and a regular SSH tunnel, and you join them together in the middle.

We have 3 machines. Friend, Server, Mac.

From Friend, you connect to Server using SSH, setting up a tunnel in the reverse direction.

ssh -R 9999:localhost:5900 user@Server

This creates an ssh session from Friend, to Server. On Server it listens on port 9999 (on the localhost address), and forwards anything on that port, back to Friend on port 5900 (through the ssh tunnel, so the firewall doesn't block it).

On Friend, you now need to ensure there's a VNC server listening on port 5900 (this is the default port for VNC servers).

Then, from Mac, you do this:

ssh -L 9999:localhost:9999 user@Server

That tunnels everything on port 9999 at your end, to port 9999 on the localhost on Server. Since 9999 on Server is then forwarded to Friend, you've joined the tunnels together.

Now, you can open a VNC Client on Mac, and connect it to port 9999 (i.e. when it asks what to connect to, you connect to 127.0.0.1:9999).

The ssh daemon on Server needs to support port forwarding for this to work.

You can do this with only one tunnel (the reverse tunnel from Friend using a slightly different format), but that leaves the Friend computer at risk because it would allow anyone to VNC to Friend by connecting to the port on Server's public IP address. This way, only you can connect.
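The same two commands wrapped for unattended use, together with the two server-side checks that decide whether the relay port on Server stays private (an example added here, not the answerer's code; user@Server, 5900 and 9999 are the answer's placeholders, and the sshd_config text and `ss -ltn` output are supplied by whoever runs the checks):

```shell
#!/bin/sh
# Added example, not from the answer. user@Server, 5900 and 9999 are the
# answer's placeholders; the config text and ss output are passed in by the caller.

SERVER="user@Server"   # placeholder from the answer
VNC_PORT=5900          # VNC server on Friend (default port)
RELAY_PORT=9999        # loopback-only relay port on Server and on Mac

# Friend runs this: reverse tunnel Server:127.0.0.1:9999 -> Friend:5900.
# -N opens no shell; ServerAliveInterval keeps an idle tunnel from dropping.
# The 127.0.0.1 bind address is only honoured when Server has
# "GatewayPorts clientspecified"; with the default "no" sshd binds loopback
# anyway, and with "yes" it forces the wildcard address, hence the checks below.
friend_cmd() {
    echo "ssh -N -o ServerAliveInterval=30 -R 127.0.0.1:$RELAY_PORT:localhost:$VNC_PORT $SERVER"
}

# Mac runs this: local tunnel Mac:127.0.0.1:9999 -> Server:127.0.0.1:9999,
# after which the VNC client connects to 127.0.0.1:9999 as the answer says.
mac_cmd() {
    echo "ssh -N -o ServerAliveInterval=30 -L 127.0.0.1:$RELAY_PORT:localhost:$RELAY_PORT $SERVER"
}

# Pass the text of Server's sshd_config. Returns 0 when TCP forwarding is
# allowed in both directions (AllowTcpForwarding yes/all, sshd's default)
# and GatewayPorts is no (its default), so -R ports never bind the public IP.
sshd_config_ok() {
    fwd=$(printf '%s\n' "$1" | awk 'tolower($1)=="allowtcpforwarding"{v=tolower($2)} END{print (v==""?"yes":v)}')
    gw=$(printf '%s\n' "$1" | awk 'tolower($1)=="gatewayports"{v=tolower($2)} END{print (v==""?"no":v)}')
    { [ "$fwd" = "yes" ] || [ "$fwd" = "all" ]; } && [ "$gw" = "no" ]
}

# Pass the output of `ss -ltn` run on Server while Friend's tunnel is up.
# Returns 0 if the relay port listens on loopback only, 1 if it sits on a
# wildcard address (anyone could reach Friend's VNC), 2 if nothing listens.
check_relay_bind() {
    listeners=$(printf '%s\n' "$1" | awk -v port="$RELAY_PORT" '$4 ~ (":" port "$") { print $4 }')
    [ -n "$listeners" ] || return 2
    printf '%s\n' "$listeners" | grep -Eq '^(0\.0\.0\.0|\*|\[::\]):' && return 1
    return 0
}
```

Run `check_relay_bind "$(ss -ltn)"` on Server once Friend's session is up; a non-zero result means the relay is either exposed or not established, and Mac should not connect until that is fixed.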
