I sense confusion and a possible misunderstanding.
When you establish an SSH tunnel with:
ssh user@server -L 5900:localhost:5900
...the following things happen:
- an SSH connection is established and authenticated, of course.
- the SSH client will set up a TCP port forwarding tunnel that listens for incoming connections on your local client system (`-L`)
- the listening side of the tunnel will be on port 5900 on your system (= the first `5900`)
- the encrypted tunnel will go from your local client system to the `server` system
- the output end of the tunnel on the `server` system will again pass the traffic onwards in its original unencrypted form, to `localhost:5900` as the `server` system sees it. This is not the `localhost` of your local system, but the `localhost` of the `server` system.
This is why your sentence "But I only have a Server and a client so cannot use forwarding" makes no sense. You can always forward things from your local system's localhost to the remote system's localhost (or vice versa, using `-R` instead of `-L`).
Port forwarding is the reason why SSH can be used to protect other programs that have no built-in support for SSH nor any kind of a special interface to it.
To successfully use the tunnel, you must understand that you can now reach the `server`'s port 5900 by connecting to your client system's local port 5900. Or in other words, you must tell the VNC client to connect to `localhost:5900` to connect to the `server` using the encrypted tunnel. If you tell the VNC client to connect to `server:5900` instead, you are telling it to bypass the tunnel you set up for it, and just connect directly without the benefit of SSH encryption.
You also said that you don't want to use port forwarding. Well, then whatever your VNC (or any other) client is must have some more elaborate way to use the tunnel provided by SSH. As far as I know, there are two possibilities:
Now, the SSH client will set up a SOCKS proxy on port 1234 of your local system. All the traffic entering that proxy will first pass through the encrypted SSH tunnel to the `server` system, and from there (again in unencrypted form) to whatever destination the VNC (or other) client requested. Of course, the VNC (or other) client must be configurable to support SOCKS4 or SOCKS5, and you must configure it to use a SOCKS proxy at `localhost:1234` to use the SSH tunnel.
- The other alternative is full integration into the SSH client. In order to use SSH tunnels without any kind of proxy or port forwarding, the VNC (or other) client must include the SSH functionality, so that it can utilize the SSH tunnels directly from within its own program code, and effectively use the remote `sshd` server as an extender of itself, to establish network connections from there to anywhere.
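The "which localhost" point in the answer above is the one people trip over, so here is an added worked example (written for this page, not code from the answer's author or from OpenSSH). It parses the `-L`, `-R` and `-D` arguments the way `ssh` does in the common case, reports which machine listens and which machine resolves the destination name, and checks whether a client target such as `localhost:5900` or `server:5900` actually goes through the tunnel. Assumptions: the parser is simplified (no `[::1]` bracket syntax, no `/`-separated form, no Unix socket paths), an omitted `bind_address` is taken as loopback (OpenSSH's default when `GatewayPorts` is off), and the `exposed` flag is a heuristic that only looks for the wildcard bind addresses `*`, `0.0.0.0` and `::`.

```python
"""Where each end of an SSH port forward lives, and whether a client uses it.

Added example for this page; not the answer author's code and not OpenSSH code.
Simplified parser: no IPv6 brackets, no '/' separators, no Unix socket paths.
"""
from dataclasses import dataclass
from typing import Optional

# Names a client may use that resolve to the machine it is running on.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}
# Bind addresses that make the plaintext listening end reachable from other hosts.
WILDCARD_BINDS = {"*", "0.0.0.0", "::"}


@dataclass(frozen=True)
class Forward:
    """One OpenSSH forwarding rule: -L (local), -R (remote) or -D (dynamic/SOCKS)."""
    kind: str
    bind_address: str           # address the listening end binds to
    port: int                   # listening port
    host: Optional[str]         # final destination host; None for -D (chosen per connection)
    hostport: Optional[int]     # final destination port; None for -D


def parse_forward(kind: str, spec: str) -> Forward:
    """Parse '[bind_address:]port:host:hostport' (-L/-R) or '[bind_address:]port' (-D)."""
    if kind not in ("L", "R", "D"):
        raise ValueError(f"unknown forward type -{kind}")
    parts = spec.split(":")
    if kind == "D":
        if len(parts) == 1:
            bind, port = "localhost", parts[0]
        elif len(parts) == 2:
            bind, port = parts
        else:
            raise ValueError(f"bad -D spec {spec!r}")
        return Forward(kind, bind or "localhost", int(port), None, None)
    if len(parts) == 3:
        bind, (port, host, hostport) = "localhost", parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad -{kind} spec {spec!r}")
    # An empty bind_address ("" as in ':5900:host:port') means the default, i.e. loopback.
    return Forward(kind, bind or "localhost", int(port), host, int(hostport))


def explain(fwd: Forward, client: str = "client", server: str = "server") -> dict:
    """Say which machine listens, which machine makes the final unencrypted hop,
    and on which machine the destination name (e.g. 'localhost') is resolved."""
    if fwd.kind == "R":
        listens_on, connects_from = server, client
    else:                       # -L and -D both listen on the client side
        listens_on, connects_from = client, server
    if fwd.kind == "D":
        destination = "whatever host:port the SOCKS client asks for"
    else:
        destination = f"{fwd.host}:{fwd.hostport}"
    return {
        "listens_on": listens_on,
        "listen_at": f"{fwd.bind_address}:{fwd.port}",
        "connects_from": connects_from,
        "destination": destination,
        "resolved_on": connects_from,   # 'localhost' in the spec is connects_from's loopback
        "exposed": fwd.bind_address in WILDCARD_BINDS,  # other hosts can reach the plaintext end
    }


def _split_hostport(s: str):
    host, _, port = s.rpartition(":")
    return host, int(port)


def _is_loopback(host: str) -> bool:
    return host.lower() in LOOPBACK_NAMES


def goes_through_tunnel(fwd: Forward, target: str, socks: Optional[str] = None) -> bool:
    """True if a client at the listening end, pointed at `target` (host:port) and
    optionally at a SOCKS proxy `socks` (host:port), actually uses this forward."""
    if fwd.kind == "D":
        # With -D the target is irrelevant; only the SOCKS proxy setting matters.
        if socks is None:
            return False
        host, port = _split_hostport(socks)
        return _is_loopback(host) and port == fwd.port
    if socks is not None:
        return False            # -L/-R opens no SOCKS proxy, so a SOCKS setting misses it
    host, port = _split_hostport(target)
    return _is_loopback(host) and port == fwd.port


if __name__ == "__main__":
    fwd = parse_forward("L", "5900:localhost:5900")   # the answer's example
    for k, v in explain(fwd).items():
        print(f"{k:>13}: {v}")
    print("localhost:5900 uses tunnel:", goes_through_tunnel(fwd, "localhost:5900"))
    print("server:5900 uses tunnel:   ", goes_through_tunnel(fwd, "server:5900"))
```

Running it for the answer's `-L 5900:localhost:5900` reports that the client listens on `localhost:5900`, that the `localhost` in the spec is resolved on the server, that `localhost:5900` uses the tunnel and `server:5900` bypasses it. Swapping in `-D 1234` flips the check: the VNC target stays `server:5900` and what matters is the SOCKS proxy setting `localhost:1234`.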