Pfsense rules to allow vnc over ssh tunnel
-
I'm having issues establishing a vnc connection over an ssh tunnel (testing in a local environment not over actual WAN)
My desktop IP 192.168.1.2
ESXi 6.7 host with pfSense and a Ubuntu 20.04 VM.
pfSense IP - 192.168.1.15 (WAN IP)
Ubuntu VM IP - 192.168.2.2 (LAN IP from pfSense)
I have a firewall rule to allow any source address on WAN and any port on WAN to my Ubuntu VM 192.168.2.2 port 22 for SSH.
I have a NAT port forwarding rule to allow destination WAN address port 22 to redirect to host 192.168.2.2 port 22 for SSH.
I am able to establish an SSH connection from my desktop to the Ubuntu VM with this setup.
What I want to do is use SSH tunneling to connect vncviewer from my desktop to the ubuntu vm.
I set up a tunnel for port 5900 over SSH but am unable to get vncviewer to connect to the VM. When I try to connect I see the following:
LAN tcp 192.168.2.2:43970 -> 192.168.1.15:5900 CLOSED:SYN_SENT 3 / 0 180 B / 0 B -
There shouldn't be anything special required in pfSense to pass that if SSH is working.
Check the logs in Ubuntu.
Steve
-
@stephenw10 this may have been an issue with my incomplete understanding of ssh tunnels.
Since I am using port forwarding from the pfsense router (lab environment) 22 to ubuntu vm port 22.
When I establish an ssh connection from my desktop, I am using the wan ip of the pfsense router 192.168.1.15.
Creating a tunnel, I was trying to map 5900:192.168.1.15:5900. This caused the Ubuntu VM to try to establish a connection to port 5900 on 192.168.1.15, which would fail.
If I instead create a tunnel as 5900:127.0.0.1:5900, the VM will create a tunnel to its localhost port 5900 and I am able to proceed.
Please let me know if this is the appropriate way to perform tunneling
ssh -L 5900:127.0.0.1:5900 192.168.1.15 (assuming it would also work with ssh -L 5900:192.168.2.2:5900 192.168.1.15)
originally, I was doing
ssh -L 5900:192.168.1.15:5900 192.168.1.15
-
Yes, exactly. If you are trying to connect to a service on the Ubuntu server you would use localhost there, or some IP on the Ubuntu box listening on that port. Not the pfSense IP.
Steve
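The point Steve makes is that the `host` field of `ssh -L port:host:hostport` is resolved by the remote sshd, not by the client, so behind a NAT port forward the gateway address means something different on each side. The following is an added example (not code from the thread, from pfSense or from OpenSSH): it parses the `-L` spec and, using the addresses posted above, reports which box the Ubuntu VM's sshd would actually connect to for each of the three variants discussed. `LocalForward`, `parse_local_forward`, `final_hop` and `build_ssh_command` are names I chose; `-N` and `ExitOnForwardFailure` are real OpenSSH options.

```python
"""Where does an `ssh -L` forward actually end up?

Added example for the thread above. The third field of `-L` is resolved on
the SSH server, never on the client; the addresses below are the ones posted
in the thread, everything else is assumed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class LocalForward:
    bind_address: Optional[str]  # None means loopback only (OpenSSH default)
    local_port: int              # port the ssh client listens on
    dest_host: str               # resolved by the remote sshd, not the client
    dest_port: int


def parse_local_forward(spec: str) -> LocalForward:
    """Parse the argument of `ssh -L`.

    Accepts `port:host:hostport` and `bind_address:port:host:hostport`.
    Bracketed IPv6 hosts are out of scope (assumption: IPv4 or hostnames).
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"malformed -L spec: {spec!r}")
    for p in (port, hostport):
        if not p.isdigit() or not 1 <= int(p) <= 65535:
            raise ValueError(f"bad port {p!r} in -L spec {spec!r}")
    if not host:
        raise ValueError(f"empty destination host in -L spec {spec!r}")
    return LocalForward(bind, int(port), host, int(hostport))


def final_hop(fwd: LocalForward, ssh_target: str, server_addrs: Set[str]) -> str:
    """Classify where the remote sshd will open the final TCP connection.

    ssh_target   -- the address typed after `ssh` (here the pfSense WAN IP
                    that is port-forwarded to the VM)
    server_addrs -- addresses configured on the SSH server itself
    """
    if fwd.dest_host in LOOPBACK or fwd.dest_host in server_addrs:
        return "on-ssh-server"      # what the thread needed: VNC on the VM
    if fwd.dest_host == ssh_target:
        # The client reached the server *through* this address, but seen from
        # the server it is a different box (the NAT gateway). The connect
        # goes back out to pfSense, which has nothing listening on 5900,
        # hence the SYN_SENT state table entry in the first post.
        return "nat-gateway"
    return "other-host"


def build_ssh_command(fwd: LocalForward, ssh_target: str,
                      user: Optional[str] = None) -> List[str]:
    """Return argv for a tunnel-only ssh session.

    -N skips the remote shell; ExitOnForwardFailure makes ssh exit instead
    of silently continuing when a forward could not be set up.
    """
    spec = f"{fwd.local_port}:{fwd.dest_host}:{fwd.dest_port}"
    if fwd.bind_address:
        spec = f"{fwd.bind_address}:{spec}"
    target = f"{user}@{ssh_target}" if user else ssh_target
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes", "-L", spec, target]


if __name__ == "__main__":
    vm_addrs = {"192.168.2.2"}     # Ubuntu VM (SSH server), per the thread
    gateway = "192.168.1.15"       # pfSense WAN IP NATing 22 -> 192.168.2.2:22
    for spec in ("5900:192.168.1.15:5900",   # original attempt
                 "5900:127.0.0.1:5900",      # working fix
                 "5900:192.168.2.2:5900"):   # also works, as the OP assumed
        fwd = parse_local_forward(spec)
        print(f"{spec:26} -> {final_hop(fwd, gateway, vm_addrs):14} "
              + " ".join(build_ssh_command(fwd, gateway)))
```

With the tunnel up, vncviewer is pointed at `127.0.0.1:5900` on the desktop; the connection then rides inside SSH through the pfSense port forward, so no 5900 firewall or NAT rule is needed on pfSense at all, which is Steve's first reply in practice.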