Establishing a VNC Connection Through a Firewall



What's the best way to establish a VNC connection to a computer located behind a firewall/router, to which you don't have access? I have a home Linux computer on a Comcast connection, which explicitly blocks incoming requests, so I can't hit the IP directly, but I'd like to remote into it from an arbitrary Internet connection. How would I work around this?

I've witnessed some commercial products, such as one employed by Dell tech support, which appears to use a public web server, which you visit from the target computer in order to "expose" it to an incoming VNC connection. Is there anything similar that's free/cheap for personal use?


Posted 2010-06-28T14:52:35.123

Reputation: 6 081

What all does Comcast block? Most ISPs only block 80, 443, and 25 to prevent people from running web/mail servers. 5900/5901 (or higher if you're using more sessions) are typically unblocked. – Brian Knoblauch – 2010-06-28T15:01:07.587

As far as I know, Comcast blocks everything that's not initiated from the server. I can't even ping my server, much less connect via VNC. I put the server in my router's DMZ and even disabled the server's firewall to ensure nothing was interfering on my end, but I still can't get to it. – Cerin – 2010-06-29T00:19:58.363



You can try tunneling VNC over SSH, but you may find the performance to be a bit slow. You may also want to look into freenx, which is already secure by running over SSH and is much faster than VNC.

If you don't mind using a 3rd party, I really like LogMeIn for its security and simplicity all in one. All I need is a browser to connect to my PC at home. Your weak link is going to be the password you use for your account, so make sure it's a good one.


Posted 2010-06-28T14:52:35.123

Reputation: 4 228

Thanks, LogMeIn is along the lines of what I was looking for. Although I'd be a little nervous giving a third party remote access to my machine. – Cerin – 2010-06-29T00:22:32.350

Just realized LogMeIn only supports Windows and Mac. No Linux support at all. Blarrgh. – Cerin – 2010-07-09T15:10:56.103


You can usually just forward port 5900 from your firewall to the computer that you want to VNC into and then connect to your external IP, or get a DDNS provider if your router/firewall supports it.


Posted 2010-06-28T14:52:35.123

Reputation: 19 580

I have no control over Comcast's firewall. Sorry if my question was unclear. – Cerin – 2010-06-29T00:14:03.213

@Chris S - I can confirm that Comcast doesn't actually block this, or even 80 for that matter - at least not in Philadelphia. I'd imagine this is the same everywhere. It is possible that your Comcast modem is a combo firewall/router/NAT device. If this is the case, you will need to call Comcast and have them walk you through putting it into bridged mode. This will allow you to have the expected behavior. – MDMarra – 2010-06-29T00:42:46.370


... visit from the target computer in order to "expose" it to an incoming VNC connection. Is there anything similar that's free/cheap for personal use?

TeamViewer. You'd run the quick-support (or full) module on your target and take with you the session code and password it provides. Enter these into the TV full module on your away machine to connect to the target.


Posted 2010-06-28T14:52:35.123

Reputation: 6 128


Assuming for simplicity that you have only one client (but which can have arbitrary IPs), that the VNC server runs behind a firewall where you can't open ports, but the client has no such problems, a workaround would be to put this command into an on-boot script on the server:

while sleep 100; do ssh -N vnc_user@$client -R 5900:localhost:5900; done

This opens a reverse tunnel from the server to the client. This is possible from behind a firewall.

Ensure you've created a passphraseless ssh-key on the server (ssh-keygen, and press return a couple times) so you can put this in a boot script.

Now, in order to do this from an "arbitrary internet connection", simply get a free account at, and exchange $client in the above command for that dyndns address (e.g. On the client, run sshd, and create a user with very little access:

sudo useradd -m -s /bin/false vnc_user

Copy the file server:~/.ssh/ into client:~vnc_user/.ssh/authorized_keys so that the vnc server has ssh access to the vnc client(s). (The /bin/false ensures the vnc server can't actually run commands on the client, only open a port; if you don't trust the server you can do more hardening in sshd_config.)

Now as long as you run a dyndns daemon on the client (or update your IP address manually at, you can connect to the server. If your client changes IP address, the ssh connection should drop and the server will try reestablishing the connection.

(If the client too is behind a firewall, I guess both client and server could open tunnels to a third machine which has no firewall trouble, but in any case you need at least one server which can run sshd against the open Internet.)


Posted 2010-06-28T14:52:35.123

Reputation: 183
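
Because the boot script above uses a passphraseless key, the entry placed in vnc_user's authorized_keys on the client is the main control over what that key can do. The script below is an added example, not part of the original answer: it builds an entry that only permits the reverse listener on port 5900 and audits a file for entries lacking that restriction. TUNNEL_PORT, the function names and the sample key are assumptions constructed for the example, and permitlisten needs OpenSSH 7.8 or later on the client.

```shell
#!/bin/sh
# Added example: build and audit tunnel-only authorized_keys entries.
TUNNEL_PORT=5900   # assumption: the VNC port used on this page

# "restrict" disables pty, agent/X11 forwarding, user rc and port forwarding;
# "port-forwarding" re-enables forwarding; "permitlisten" limits ssh -R to one
# listener. It does not limit ssh -L; "AllowTcpForwarding remote" in a
# sshd_config Match block for this user covers that.
KEY_OPTS="restrict,port-forwarding,permitlisten=\"localhost:${TUNNEL_PORT}\""

# Constructed sample public key line (not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal vnc-server-boot-key'

# Print a restricted entry for one public key line ($1).
# Returns 1 unless the line is a bare "type base64 [comment]" public key.
restrict_tunnel_key() {
    read -r type blob comment <<EOF
$1
EOF
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;   # options already present, private key, or junk
    esac
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # not base64
    esac
    printf '%s %s %s%s\n' "$KEY_OPTS" "$type" "$blob" "${comment:+ $comment}"
}

# Print each entry of an authorized_keys file ($1) that lacks the tunnel-only
# option prefix; return 1 if any such entry exists.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            "$KEY_OPTS "*) ;;
            *) printf 'unrestricted: %s\n' "$line"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Demonstration on the constructed key.
restrict_tunnel_key "$SAMPLE_KEY"
```
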


You can use Hamachi (which was bought by LogMeIn). You install the client on all the machines you want to share, then you create a new password-protected network and join all the machines to it. It's perfectly safe. Even Steve Gibson recommended it a couple years back. I've used it many times and it works like a charm.

They have a free non-commercial version.


Posted 2010-06-28T14:52:35.123

Reputation: 184