pfSense rules to allow VNC over SSH tunnel

  • I'm having issues establishing a vnc connection over an ssh tunnel (testing in a local environment not over actual WAN)

    My Desktop ip

    ESXi 6.7 host with pfSense and an Ubuntu 20.04 VM.
    pfSense IP - (WAN IP)
    Ubuntu VM IP - (LAN IP from pfSense)

    I have a firewall rule to allow Any Source Address on WAN and any port on Wan to my ubuntu VM Port 22 for SSH.
    I have a NAT port forwarding rule to allow Destination Wan Address Port 22 to redirect to host port 22 for ssh

    I am able to establish SSH connection from my desktop to the Ubuntu vm with this setup.

    What I want to do is use SSH tunneling to connect vncviewer from my desktop to the ubuntu vm.
    I set up a tunnel for port 5900 over ssh but am unable to get vncviewer to connect to the vm.

    When I try to connect I see the following
    LAN tcp -> CLOSED:SYN_SENT 3 / 0 180 B / 0 B

  • Netgate Administrator

    There shouldn't be anything special required in pfSense to pass that if SSH is working.

    Check the logs in Ubuntu.


  • @stephenw10 this may have been an issue with my incomplete understanding of ssh tunnels.

    Since I am using port forwarding from the pfsense router (lab environment) 22 to ubuntu vm port 22.

    When I establish an ssh connection from my desktop, I am using the wan ip of the pfsense router
    Creating a tunnel, I was trying to map 5900: This caused the Ubuntu vm to try to establish a connection to port 5900 on which would fail.

    If I instead create a tunnel as 5900:, the vm will create a tunnel to its localhost port 5900 and I am able to proceed.

    Please let me know if this is the appropriate way to perform tunneling

    ssh -L 5900: (assuming it would also work with ssh -L 5900:

    originally, I was doing
    ssh -L 5900:

  • Netgate Administrator

    Yes, exactly. If you are trying to connect to a service on the Ubuntu server you would use localhost there, or some IP on the Ubuntu box listening on that port. Not the pfSense IP.
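
The point settled in this thread, that the host in `ssh -L port:host:hostport` is dialed from the SSH server and not from the client, written as a small checker. This is an added example, not part of the original posts: the addresses are constructed documentation-range values, `review_forward` and its finding names are hypothetical, and it also flags wildcard bind addresses, which goes slightly beyond the case discussed.

```python
# Constructed sample addresses (documentation ranges), not taken from the thread.
WAN_IP = "198.51.100.10"    # pfSense WAN address the ssh client dials (NAT to the VM)
VM_LAN_IP = "192.0.2.50"    # address actually configured on the Ubuntu VM
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"", "*", "0.0.0.0", "::"}

def split_fields(spec):
    """Split on ':' but keep bracketed IPv6 literals such as [::1] whole."""
    fields, cur, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)
    return [f.strip("[]") for f in fields]

def parse_local_forward(spec):
    """Parse an ssh -L value: [bind_address:]port:host:hostport."""
    f = split_fields(spec)
    if len(f) == 3:
        f = [None] + f          # no bind address: ssh binds loopback unless GatewayPorts is set
    if len(f) != 4:
        raise ValueError(f"not a TCP -L spec: {spec!r}")
    bind, port, host, hostport = f
    return {"bind": bind, "port": int(port), "host": host, "hostport": int(hostport)}

def review_forward(spec, ssh_target, server_addrs):
    """Return findings for one -L spec.
    ssh_target: address the client connects to; server_addrs: addresses on the SSH server."""
    fwd, findings = parse_local_forward(spec), []
    # 'host' is dialed BY THE SSH SERVER, so it must make sense from the VM's side.
    if fwd["host"] == ssh_target and fwd["host"] not in server_addrs:
        findings.append("dest-is-nat-address")   # VM would dial the firewall, not itself
    elif fwd["host"] not in LOOPBACK | set(server_addrs):
        findings.append("dest-is-third-host")    # last hop leaves the VM outside the tunnel
    if fwd["bind"] in WILDCARD:
        findings.append("listener-exposed")      # other hosts can reach the client-side port
    return findings

if __name__ == "__main__":
    for spec in ("5900:198.51.100.10:5900", "5900:localhost:5900", "*:5900:192.0.2.50:5900"):
        print(spec, "->", review_forward(spec, WAN_IP, {VM_LAN_IP}) or "ok")
```

With the destination set to `localhost`, the VNC server can stay bound to loopback on the VM, so port 22 remains the only port that has to be forwarded on the WAN.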