Pfsense rules to allow vnc over ssh tunnel


  • I'm having issues establishing a VNC connection over an SSH tunnel (testing in a local environment, not over the actual WAN).

    My desktop IP: 192.168.1.2

    ESXi 6.7 host with pfSense and an Ubuntu 20.04 VM.
    pfSense IP - 192.168.1.15 (WAN IP)
    Ubuntu VM IP - 192.168.2.2 (LAN IP from pfSense)

    I have a firewall rule on WAN to allow any source address and any source port to my Ubuntu VM 192.168.2.2 port 22 for SSH.
    I have a NAT port forwarding rule that redirects destination WAN address port 22 to host 192.168.2.2 port 22 for SSH.

    I am able to establish an SSH connection from my desktop to the Ubuntu VM with this setup.

    What I want to do is use SSH tunneling to connect vncviewer from my desktop to the Ubuntu VM.
    I set up a tunnel for port 5900 over SSH but am unable to get vncviewer to connect to the VM.

    When I try to connect I see the following:
    LAN tcp 192.168.2.2:43970 -> 192.168.1.15:5900 CLOSED:SYN_SENT 3 / 0 180 B / 0 B

  • Netgate Administrator

    There shouldn't be anything special required in pfSense to pass that if SSH is working.

    Check the logs in Ubuntu.

    Steve


  • @stephenw10 this may have been an issue with my incomplete understanding of SSH tunnels.

    I am using port forwarding from the pfSense router (lab environment) port 22 to the Ubuntu VM port 22.

    When I establish an SSH connection from my desktop, I am using the WAN IP of the pfSense router, 192.168.1.15.
    Creating a tunnel, I was trying to map 5900:192.168.1.15:5900. This caused the Ubuntu VM to try to establish a connection to port 5900 on 192.168.1.15, which would fail.

    If I instead create a tunnel as 5900:127.0.0.1:5900, the VM will create a tunnel to its localhost port 5900 and I am able to proceed.

    Please let me know if this is the appropriate way to perform tunneling.

    ssh -L 5900:127.0.0.1:5900 192.168.1.15 (assuming it would also work with ssh -L 5900:192.168.2.2:5900 192.168.1.15)

    Originally, I was doing
    ssh -L 5900:192.168.1.15:5900 192.168.1.15
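The point the post above works out is that in an OpenSSH `-L port:host:hostport` forward, the `host:hostport` part is connected to by the SSH *server* (here the Ubuntu VM), not by the client, so `192.168.1.15` names the pfSense WAN address as seen from the VM, and the pfSense state table records the VM (192.168.2.2) as the source of a failed SYN to 192.168.1.15:5900. The following is an added example, not code from the thread or from pfSense or OpenSSH: it models that interpretation, parses both forward specs from the post and the quoted state-table line, and reports which side the VM will actually dial. The function names, the `server_addrs` set and the `Forward` type are my own; the addresses and the state line are the ones quoted in the thread.

```python
"""Model of how an OpenSSH -L forward is interpreted by the remote end.

Added example (hypothetical helper names): `host:hostport` in a -L spec is
resolved and connected to BY THE SSH SERVER, so a destination that is not
loopback or one of the server's own addresses makes the server dial out.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    bind_address: str  # where the ssh client listens (OpenSSH default: loopback)
    local_port: int
    dest_host: str     # contacted from the SSH server, not from the client
    dest_port: int


def parse_forward_spec(spec: str) -> Forward:
    """Parse an OpenSSH -L argument of the form [bind_address:]port:host:hostport."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "127.0.0.1", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unsupported -L spec: {spec!r}")
    return Forward(bind or "127.0.0.1", int(port), host, int(hostport))


def _is_local_to_server(host: str, server_addrs: set) -> bool:
    """True if the SSH server would reach `host` on itself (loopback or own IP)."""
    if host == "localhost" or host in server_addrs:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:       # a hostname we cannot classify without DNS
        return False


def server_connects_to(spec: str, server_addrs: set) -> tuple:
    """Return (dest_host, dest_port, stays_on_server) for a -L spec.

    stays_on_server is False when the SSH server must open a connection to
    another machine, which is exactly what happened with 192.168.1.15 here.
    """
    fwd = parse_forward_spec(spec)
    return fwd.dest_host, fwd.dest_port, _is_local_to_server(fwd.dest_host, server_addrs)


def parse_state_line(line: str) -> dict:
    """Parse one pfSense state-table line: IFACE PROTO SRC:PORT -> DST:PORT STATE ...

    Layout taken from the line quoted in the thread; only the first six
    fields are used.
    """
    iface, proto, src, _arrow, dst, state = line.split()[:6]
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"iface": iface, "proto": proto, "state": state,
            "src": (src_ip, int(src_port)), "dst": (dst_ip, int(dst_port))}


def state_matches_forward(line: str, spec: str, server_addrs: set) -> bool:
    """Does this state entry look like the SSH server dialling the -L destination?"""
    st = parse_state_line(line)
    fwd = parse_forward_spec(spec)
    return st["src"][0] in server_addrs and st["dst"] == (fwd.dest_host, fwd.dest_port)


# Values from the thread: the Ubuntu VM is the SSH server behind the port forward.
UBUNTU_VM = {"192.168.2.2"}
WRONG_SPEC = "5900:192.168.1.15:5900"   # pfSense WAN address, seen from the VM
RIGHT_SPEC = "5900:127.0.0.1:5900"      # the VM's own loopback
STATE_LINE = "LAN tcp 192.168.2.2:43970 -> 192.168.1.15:5900 CLOSED:SYN_SENT 3 / 0 180 B / 0 B"

if __name__ == "__main__":
    for spec in (WRONG_SPEC, RIGHT_SPEC, "5900:192.168.2.2:5900"):
        host, port, local = server_connects_to(spec, UBUNTU_VM)
        where = "itself" if local else "another host"
        print(f"-L {spec}: the VM connects to {host}:{port} ({where})")
    print("state line explained by the wrong spec:",
          state_matches_forward(STATE_LINE, WRONG_SPEC, UBUNTU_VM))
```

Running it shows the first spec makes the VM dial 192.168.1.15:5900 on the firewall, which is the SYN the state table shows as CLOSED:SYN_SENT, while both 127.0.0.1 and 192.168.2.2 keep the connection on the VM, matching the two working forms given above.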

  • Netgate Administrator

    Yes, exactly. If you are trying to connect to a service on the Ubuntu server you would use localhost there, or some IP on the Ubuntu box listening on that port. Not the pfSense IP.

    Steve