stunnel4/doc/en/VNC_StunnelHOWTO.html

191 lines
8.2 KiB
HTML
Raw Permalink Normal View History

2017-03-28 09:58:13 +02:00
<!-- saved from url=(0022)http://internet.e-mail -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
<TITLE></TITLE>
<META NAME="GENERATOR" CONTENT="StarOffice/5.2 (Win32)">
<META NAME="CREATED" CONTENT="20010220;7501784">
<META NAME="CHANGED" CONTENT="16010101;0">
<STYLE>
<!--
@page { margin: 2cm }
-->
</STYLE>
</HEAD>
<BODY>
<P ALIGN=CENTER STYLE="margin-bottom: 0cm"><FONT SIZE=4 STYLE="font-size: 16pt"><U><B>VNC
over STUNNEL with a Linux server and Windows 2000 client HOWTO</B></U></FONT></P>
<P ALIGN=CENTER STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">19 February 2001</P>
<P STYLE="margin-bottom: 0cm">ver 1.0</P>
<P STYLE="margin-bottom: 0cm">by Craig Furter and Arno van der Walt</P>
<P STYLE="margin-bottom: 0cm">contact us at <A HREF="mailto:cfurter@vexen.co.za">cfurter@vexen.co.za</A>
and <A HREF="mailto:arnovdw@mycomax.com">arnovdw@mycomax.com</A></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">We assume that you have already
downloaded VNCServer and VNCViewer.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">First of all there is a step by step
HOWTO and then we'll look at the theory behind all this.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<OL>
2017-11-15 15:03:25 +01:00
<LI><P STYLE="margin-bottom: 0cm">Download and install OpenSSL,
SSLeay, and Stunnel on the Linux/Unix box. Download the modules.</P>
2017-03-28 09:58:13 +02:00
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)
[root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the
modules)</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">b)
[root@anthrax$]tar &#150; xvf openssl-x.xx.tar (repeat for all 3 the
modules)</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Copy the following to Notepad and
save the file as VNCRegEdit.REG on the Windows 2000 box</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">--cut here and copy
2017-11-15 15:03:25 +01:00
to VNCRegEdit.REG then double click the file to
2017-03-28 09:58:13 +02:00
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Install Stunnel on the Windows
2000 machine by copying the following files to your \WINNT\SYSTEM32\
directory</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)libeay32.dll</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">b)libssl.dll</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">c)stunnel.pem</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">On the Linux box execute the
following command as root and let it run in its own terminal.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">./stunnel -d 5900
-r 5901</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Execute vncserver (it should run
as display:1 when you execute the ps aux |grep vnc command)</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Now on the Windows 2000 machine
execute the following command and let it run in its own terminal.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5900 -r
2017-11-15 15:03:25 +01:00
unix.ip.address:5900 -c</P>
2017-03-28 09:58:13 +02:00
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">.</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">And on the Windows 2000 machine
open VNCviewer and connect to localhost specifying no display</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">ie. 10.10.1.53 in
the window</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">For each additional display repeat
steps 4 &#150; 6 and increment the specified ports with 2 ie. The
Linux command will look as follows:</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> ./stunnel -d 5902
-r 5903
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and the Windows
2000 command as follows:
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5902 -r
2017-11-15 15:03:25 +01:00
unix.ip.address:5902</P>
2017-03-28 09:58:13 +02:00
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and remember to
start another vncserver on the Linux box for each VNC display</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">The display number on the
vncviewer must also be incremented with two ie:</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">10.10.1.53:2 etc.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><FONT SIZE=4><U>The THEORY</U></FONT></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>Tunneling:</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">What this means is that software
(daemon) runs on the client and server machine. In this case, the
Windows 2000 machine is the client and the server is the *NIX
machine. Stunnel will then run as client on Windows 2000 and server
mode on the UNIX box.<BR><BR>eg:<BR>Windows:<BR>stunnel -d 5900 -r
unix.ip.address:5900 -c<BR><BR>UNIX<BR>stunnel -d 5900 -r 5901<BR><BR>This
means that connecting to VNC display 0 in the localhost will transfer
all the calls to the *NIX machine on display 1. So the VNC server on
the *NIX machine must be running on display 1. Not display 0. If you
run stunnel before VNC, VNC will automatically move to display 1
noticing that port 5900 (&quot;display&quot; 0) is already in
use).<BR><BR>What happens now is that when you connect to port 5900
on the Windows machine via an &quot;unsecured&quot; connection, a
secure &quot;tunnel&quot; is opened from Windows 2000 to the *NIX
machine on port 5900. The *NIX machine then opens a &quot;unsecured&quot;
connection to itself on port 5901. We now have a secure tunnel
available.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>A bit about VNC and displays</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">The -d is the listening IPaddress:port
and the -r is the remote IPaddress:port. VNC uses port 5900 for
display 0. That means that display 1 will be 5901. If you want VNC
server to listen for a connection on port 80 then the display number
will be 80 - 5900 = -5820. If you want VNC server to<BR>listen on
port 14000 then the display number is 14000 - 5900 = 8100.<BR><BR>So
all you have to do is run stunnel on the UNIX machine and VNC on the
desired &quot;display&quot; number.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>VNC on the Windows 2000 machine</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">To connect from the client machine you
2017-11-15 15:03:25 +01:00
need to enter the client machine's IP address and the &quot;display&quot;
2017-03-28 09:58:13 +02:00
(from the port conversion). But VNC will think that you are trying to
connect to the local machine and does not allow this. To override
2017-11-15 15:03:25 +01:00
this add the following to your registry.<BR><BR>--cut here and copy to
anything.reg. then double click the file to
2017-03-28 09:58:13 +02:00
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>Now VNC will not complain. So you need to always run
stunnel in client mode on the Windows machine and then connect with
VNCViewer to the localhost on the correct &quot;display&quot;. By the
way, *NIX doesn't complain about this. There is no setting needed if
*NIX to *NIX.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>VNC's Java client</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">Unfortunately this will not work well
2017-11-15 15:03:25 +01:00
with the built-in web version. If you did not known about it, try
2017-03-28 09:58:13 +02:00
http'ing into a machine running VNC server on it, to port 58XX (where
XX is the display number), and the Java client will be loaded.<BR><BR>
</P>
</BODY>
2017-11-15 15:03:25 +01:00
</HTML>