Accessing a VNC over two firewalls

Scenario: You're in an office with paranoid security, limiting what connections you can establish to the outside world. You have a workstation at home, which you have protected behind a firewall that limits what you let in. You want to remotely connect to that home workstation from work.

Solution: four easy steps.

Prerequisites

SSH out from the work network

No sane firewall will block outbound port 443 (HTTPS). Therefore, following this SSH port-changing tutorial, reroute connections arriving on port 443 of your home gateway to your SSH server (just change the 2222 in the iptables command line to 443). Note that on Linux, DNAT to the loopback address for packets arriving on eth0 is only honoured if the route_localnet sysctl is enabled for that interface; otherwise use iptables' REDIRECT target, which rewrites the destination to the gateway's own address instead.

root@homegateway# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to localhost:22
me@work$ ssh -p 443 me@homegateway.home.net
homegateway:me$ 

Create a tunnel to your home server

Once you can SSH to your home gateway, you can use that connection to tunnel data to your home workstation. Forward local port 5901 (VNC display :1) to port 5901 on your home workstation. Tell SSH to go into the background once authenticated (-f) and not to run a remote command (-N). By default ssh binds the forwarded local port to loopback only, so nobody else on the office network can reach it. Only the work-to-gateway leg is encrypted: between the gateway and the workstation the VNC traffic crosses your home LAN in the clear.

work:me$ ssh -p 443 -f -N -L 5901:homeworkstation:5901 me@homegateway.home.net

Start the VNC server

me@workstation$ vncserver -geometry 800x600 -depth 16 :1
You will require a password to access your desktops.

Password: 
Verify:   
Would you like to enter a view-only password (y/n)? n
xauth:  creating new authority file /home/me/.Xauthority

New 'X' desktop is workstation:1

Start the VNC client

We just need to connect to our local port 5901; the tunnel and the routing do everything else for us. (host::port is the TightVNC viewer's syntax for an explicit TCP port; localhost:1 would mean the same thing.)

me@work$ vncviewer localhost::5901
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password: 
Authentication successful
Desktop name "me's X desktop (workstation:1)"

Cleaning Up

When you're finished, stop the VNC server for display :1 on the workstation and kill the background ssh process holding the tunnel on the work machine; since it was started with -f it has no controlling terminal, so you have to find it by its command line.
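The tunnel and teardown steps above, as an added shell script that is not from the original page: it binds the forward to loopback explicitly, makes ssh fail loudly if the forward cannot be set up, and uses an SSH control socket so the background tunnel can be checked and stopped cleanly instead of hunting for the process. The host names homegateway.home.net and homeworkstation and the user me are the page's; the socket path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: me@homegateway.home.net
# (gateway reached on 443), homeworkstation (LAN host), socket path under ~/.ssh.
GATEWAY="${GATEWAY:-me@homegateway.home.net}"
GATEWAY_PORT="${GATEWAY_PORT:-443}"
WORKSTATION="${WORKSTATION:-homeworkstation}"
SOCK="${SOCK:-$HOME/.ssh/vnc-tunnel.sock}"

# VNC display :N listens on TCP 5900+N, so :1 is 5901.
vnc_port() { echo $((5900 + $1)); }

# Forward spec for display :N. Binding the local side to 127.0.0.1 is ssh's
# default, but being explicit documents that other office hosts cannot use it.
forward_spec() { echo "127.0.0.1:$(vnc_port "$1"):$WORKSTATION:$(vnc_port "$1")"; }

# Exit status 0 if the control master (and therefore the tunnel) is alive.
tunnel_status() { ssh -S "$SOCK" -O check "$GATEWAY" 2>/dev/null; }

# Start the tunnel for display :N. -f/-N as on the page; -M/-S create a control
# master we can query and stop later; ExitOnForwardFailure makes ssh exit non-zero
# rather than silently run without the forward (e.g. local 5901 already in use);
# the ServerAlive options detect a dead tunnel rather than hanging forever.
tunnel_up() {
    tunnel_status && { echo "tunnel already up"; return 0; }
    ssh -p "$GATEWAY_PORT" -f -N -M -S "$SOCK" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -L "$(forward_spec "$1")" "$GATEWAY"
}

# Clean shutdown: ask the control master to exit; no pkill guesswork needed.
tunnel_down() { ssh -S "$SOCK" -O exit "$GATEWAY" 2>/dev/null; }

# Usage: ./vnctunnel.sh up [display] | down | status
case "${1:-}" in
    up)     tunnel_up "${2:-1}" && vncviewer "localhost::$(vnc_port "${2:-1}")" ;;
    down)   tunnel_down ;;
    status) tunnel_status ;;
esac
```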

Alternatives/Drawbacks

You'll notice that iptables is capable of delivering packets not just to the local SSH port, but also to an arbitrary port on any machine. So in theory you could redirect incoming gateway port 443 straight to the workstation's port 5901. This has the drawback of only permitting a single VNC connection, and it exposes the VNC server directly to the internet, where its password authentication offers no encryption of the session. With SSH tunnelling, any number of VNC connections can be made, as any number of SSH connections can be made, and every one of them is encrypted as far as the gateway.


Another hastily constructed page by Phil Carmody