Pfsense rules to allow vnc over ssh tunnel
I'm having issues establishing a vnc connection over an ssh tunnel (testing in a local environment not over actual WAN)
My Desktop ip 192.168.1.2
ESXI 6.7 host with pfsense and a ubuntu 20.04 vm.
PFsense IP - 192.168.1.15 (Wan IP)
Ubuntu VM IP - 192.168.2.2 (Lan IP from PfSense)
I have a firewall rule to allow Any Source Address on WAN and any port on Wan to my ubuntu VM 192.168.2.2 Port 22 for SSH.
I have a NAT port forwarding rule to allow Destination Wan Address Port 22 to redirect to host 192.168.2.2 port 22 for ssh
I am able to establish SSH connection from my desktop to the Ubuntu vm with this setup.
What I want to do is use SSH tunneling to connect vncviewer from my desktop to the ubuntu vm.
I setup a tunnel for port 5900 over ssh but am unable to get vncviewer to connect to the vm.
When I try to connect I see the following
LAN tcp 192.168.2.2:43970 -> 192.168.1.15:5900 CLOSED:SYN_SENT 3 / 0 180 B / 0 B
There shouldn't be anything special required in pfSense to pass that if SSH is working.
Check the logs in Ubuntu.
@stephenw10 this may have been an issue with my incomplete understanding of ssh tunnels.
Since I am using port forwarding from the pfsense router (lab environment) 22 to ubuntu vm port 22.
When I establish an ssh connection from my desktop, I am using the wan ip of the pfsense router 192.168.1.15.
Creating a tunnel, I was trying to map 5900:192.168.1.15:5900. This caused the Ubuntu vm to try to establish a connection to port 5900 on 192.168.1.15 which would fail.
If I instead create a tunnel as 5900:127.0.0.1:5900, the vm will create a tunnel to its localhost port 5900 and I am able to proceed.
Please let me know if this is the appropriate way to perform tunneling
ssh -L 5900:127.0.0.1:5900 192.168.1.15 (assuming it would also work with ssh -L 5900:192.168.2.2:5900 192.168.1.15)
originally, I was doing
ssh -L 5900:192.168.1.15:5900 192.168.1.15
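An added example, not from the thread: a small POSIX sh helper that builds the `-L` forward the way the post above arrives at, refuses the original mistake (pointing the forward at the pfSense WAN address, which the Ubuntu VM itself then tries to reach), and binds the local end to loopback so only the desktop can use the tunnel. The gateway address, ports and `vncviewer` usage are taken from the thread; the `ss` check assumes iproute2 on the desktop.

```shell
#!/bin/sh
# forward_spec LOCAL_PORT DEST_HOST DEST_PORT SSH_HOST
# Prints "127.0.0.1:LOCAL:DEST:PORT". DEST_HOST is resolved by the ssh server
# (the Ubuntu VM), not by the desktop, so passing the pfSense WAN address as
# DEST_HOST makes the VM connect to pfSense:5900 and fail (the CLOSED:SYN_SENT
# state table entry in the thread). The function refuses that case.
forward_spec() {
  local_port=$1; dest_host=$2; dest_port=$3; ssh_host=$4
  if [ "$dest_host" = "$ssh_host" ]; then
    echo "forward_spec: $dest_host is the gateway you ssh to, not the VM;" \
         "use 127.0.0.1 or the VM's LAN address as the destination" >&2
    return 1
  fi
  # Bind the local listener to loopback only so other hosts on 192.168.1.0/24
  # cannot ride the tunnel.
  printf '127.0.0.1:%s:%s:%s\n' "$local_port" "$dest_host" "$dest_port"
}

# open_tunnel SSH_HOST LOCAL_PORT DEST_HOST DEST_PORT
# Opens the tunnel in the background (-N: run no remote command, -f: go to
# background after authentication) and confirms the local listener exists
# before vncviewer is started.
open_tunnel() {
  spec=$(forward_spec "$2" "$3" "$4" "$1") || return 1
  ssh -N -f -L "$spec" "$1" || return 1
  # Verify that something is now listening on 127.0.0.1:LOCAL_PORT.
  ss -ltn "sport = :$2" | grep -q "127.0.0.1:$2"
}

# Matching the thread (only runs when called explicitly):
#   open_tunnel 192.168.1.15 5900 127.0.0.1 5900 && vncviewer 127.0.0.1:5900
```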
Yes, exactly. If you are trying to connect to a service on the Ubuntu server you would use localhost there, or some IP on the Ubuntu box listening on that port. Not the pfSense IP.