david winter

Working remotely with SSH and VNC

Visiting the house out in Spain is one of our favourite things to do in the off-peak seasons. When it’s grey, gloomy and wet back home in the UK, a week’s visit is all you need to top up on Vitamin D and 20-degree heat.

With a solid 4G connection hooked up to the house, remote work is a possibility for me as I just need that connection for web development. My better half needs to do data modelling and has just bought a 16 core PC back home that he uses as a mini-supercomputer. His MacBook out in Spain wouldn’t get him far, so I set about setting him up so that he could utilise the processing power back home while sitting by the pool out in Spain.

Accessing home IP address

With time of the essence before our departure to the airport, I needed a quick and easy way to gain access to our home IP address as it’s not a static one and could change at any point. The PC at home would be on all of the time, so I created a small shell script that would run hourly and output the IP address into a Dropbox folder so that it would be retrievable from Spain.

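sudo nano /etc/cron.hourly/home_ip

#!/bin/bash
# Scripts in /etc/cron.hourly run as root, so ~ would expand to /root.
# Use the absolute path to your own Dropbox folder instead.
dig +short -4 myip.opendns.com @resolver1.opendns.com > /home/<username>/Dropbox/home_ip.txt

sudo chmod +x /etc/cron.hourly/home_ip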

This will now run hourly and Dropbox will keep the file in sync for me.

SSH

Simple enough on Ubuntu:

sudo apt install openssh-server

Copy over your SSH key from the computer that you’ll be connecting to your home PC with:

ssh-copy-id <username>@<local-ip-address-of-home-pc>

It will prompt you for your password, but once the command has completed, you will be able to SSH in without a password.

If the command tells you that you don’t have an SSH key, run:

ssh-keygen -t rsa

You can hit enter to accept all of the defaults, but you may want to assign a passphrase to your key for extra security.

Port forwarding

This can be different depending on your home router, but it’s essential to forward a public port on your router onto the SSH service running on your home PC. For us, we decided on a non-standard SSH port. For example, port 2200 would forward onto port 22 of our home PC.

In your router settings, also try to fix the DHCP-assigned IP address of your home PC, or set it to static if there is an option. This eliminates the risk that the PC’s address changes on your local network, which would break the port forwarding.
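Once the router forwards a public port to sshd, the service is reachable from the whole internet, so it is worth confirming that only key logins are accepted before opening it. The following is an added example, not part of the original post: it audits the effective settings that sshd -T prints, and the two sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads effective sshd settings on stdin ("sshd -T" prints lowercase
# "keyword value" lines), prints one finding per risky setting and
# returns 1 if there is at least one finding, 0 otherwise.
audit_sshd() {
    awk '
        $1 == "passwordauthentication" && $2 != "no" {
            print "password logins enabled: set PasswordAuthentication no"; bad = 1 }
        $1 ~ /^(kbdinteractive|challengeresponse)authentication$/ && $2 != "no" {
            print "keyboard-interactive logins enabled: " $1; bad = 1 }
        $1 == "permitrootlogin" && $2 == "yes" {
            print "root login fully allowed: set PermitRootLogin no"; bad = 1 }
        $1 == "pubkeyauthentication" && $2 != "yes" {
            print "public-key logins disabled: the ssh-copy-id key will be refused"; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed samples, trimmed to the relevant keywords.
SAMPLE_PASSWORDS_ON='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

SAMPLE_KEYS_ONLY='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# Demo on the constructed sample that still accepts passwords.
printf '%s\n' "$SAMPLE_PASSWORDS_ON" | audit_sshd || true

# On the home PC itself: sudo sshd -T | audit_sshd
```

Settings are changed in /etc/ssh/sshd_config and take effect after sshd is restarted; keep an existing session open while testing so a mistake does not lock you out.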

Testing SSH connection

Now is a good time to test the SSH connection from outside your local home network. You can tether to your phone, or visit somewhere else with a different connection.

You can try the connection with:

ssh -p 2200 <username>@$(cat ~/Dropbox/home_ip.txt)

Remember to substitute your own username and the port you selected in your router settings. The $(cat ~/Dropbox/home_ip.txt) will be swapped out for the contents of the file that contains your home IP address.

You should then have a successful connection via ssh.
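Both the hourly cron script and the connection command above trust whatever ends up in home_ip.txt: a failed lookup truncates the file, and anything in it is pasted straight into the ssh command line. The following is an added example, not part of the original post, that validates the address on both sides; the function names and the sample address are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Succeeds only if $1 is a single dotted-quad IPv4 address (octets 0-255).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Writer side (home PC): replace the file only when the lookup produced a
# valid address, so a failed dig never wipes the last known-good value.
publish_home_ip() {    # $1 = lookup output, $2 = destination file
    is_ipv4 "$1" || { echo "refusing to publish: '$1'" >&2; return 1; }
    tmp="$2.tmp.$$"
    printf '%s\n' "$1" > "$tmp" && mv "$tmp" "$2"
}

# Reader side (laptop): print the address only if the synced file holds one.
read_home_ip() {       # $1 = synced file
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    ip=$(cat "$1")
    is_ipv4 "$ip" || { echo "unexpected content in $1" >&2; return 1; }
    printf '%s\n' "$ip"
}

# Demo with a constructed address in a scratch directory.
demo_dir=$(mktemp -d)
publish_home_ip "203.0.113.7" "$demo_dir/home_ip.txt"
publish_home_ip "" "$demo_dir/home_ip.txt" 2>/dev/null || true  # failed lookup
read_home_ip "$demo_dir/home_ip.txt"
rm -rf "$demo_dir"

# Real use, with the commands from this post:
#   publish_home_ip "$(dig +short -4 myip.opendns.com @resolver1.opendns.com)" \
#       /home/<username>/Dropbox/home_ip.txt
#   ip=$(read_home_ip ~/Dropbox/home_ip.txt) && ssh -p 2200 "<username>@$ip"
```

The file only tells you where to connect. What proves you reached the right machine is the SSH host key, so treat a changed-host-key warning on this connection as a reason to stop.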

VNC for remote desktop

This is an optional step, but if you want to have a remote desktop experience too, you can enable VNC. In Ubuntu, under sharing preferences, you’ll be able to enable this. It’s important to set a password to allow for a connection that doesn’t require a person at the computer to manually approve the connection. This would not be helpful while out in Spain!

By default, the Ubuntu VNC server, Vino, has encryption enabled. That’s great! However, the built-in macOS VNC client does not support this, so we need to disable it on Ubuntu with:

gsettings set org.gnome.Vino require-encryption false

Now on your local network, you can test the connection. From the Finder menu, select Go > Connect to Server or push cmd + k to open the dialog, then you can enter:

vnc://<your-local-ip-address>

You’ll be prompted to enter your passphrase and then you can connect and should be able to see the screen share.

If you trust your local network users, not having encryption enabled is probably fine. However, I would not recommend opening the VNC port and using port forwarding to reach it remotely, as the connection would not be encrypted over the wider internet.

Instead, let’s use SSH tunnelling so that we gain encryption again while also being compatible with the macOS VNC client.

SSH tunnel for VNC

We already have our SSH port forwarding on our router, so remotely, we just want to set up an SSH tunnel for the local VNC port.

ssh -N -L 5200:localhost:5200 -p 2200 <username>@$(cat ~/Dropbox/home_ip.txt)

The important part of this command is 5200:localhost:5200, which tells SSH to forward port 5200 on your computer to port 5200 on localhost as seen from the machine you connect to (in this case the home PC). The -N flag means no remote command is run, so the session only carries the tunnel. Everything after this is just the standard SSH connection to the home PC.

So now, you can connect to your home PC from your Mac with:

vnc://localhost

And this will be tunnelling to your home PC via the SSH connection, with encryption out of the box.

2019-03-15
