Solved! I've fixed up the various ports and now I am able to connect. For the edification of other list readers I'll summarize.
I have a local Linux host acting as firewall/router. It routes requests on port 1234 to port 3389 on a local Linux workstation which is running x11vnc server listening on its local port 5900. I want to connect to this VNC server from a remote vnc viewer.
(Why does the router forward to port 3389? Because the workstaion can dual-boot Windows, so the forward works regardless of booted OS.)
Remote vnc viewer, stunnel client stunnel.conf:
verify = 2 pid = /home/mfoley/.stunnel/stunnel.pid CAfile = /home/mfoley/.stunnel/certificate.pem client = yes [x11vnc] accept = 5900 connect = router.obfuscate.org:1234
Local workstation vnc server, stunnel server stunnel.conf:
pid = /var/run/stunnel.pid debug = 7 [x11vnc] accept = 3389 key = /root/privatekey.pem cert = /root/certificate.pem connect = 127.0.0.1:5900
The certificate is self-signed and created on the stunnel/vnc server host using the following commands:
openssl genrsa -out privatekey.pem 2048 openssl req -new -x509 -days 365 -key privatekey.pem -out certificate.pem
The certificate.pem is copied to the stunnel client host.
With x11vnc listening on 5900 on the local workstation and with 'stunnel stunnel.conf' running on both stunnel client (as the normal user) and server hosts, I use the remote vnc viewer, logged in as a normal user, with the connection 127.0.0.1:5900
I'm guessing I could configure my vnc viewers to connect to multiple clients with difference [service] sections, for example:
verify = 2 pid = /home/mfoley/.stunnel/stunnel.pid CAfile = /home/mfoley/.stunnel/certificate.pem client = yes
[remoteHost1] accept = 5900 connect = router.obfuscate.org:1234
[remoteHost2] accept = 5901 connect = router.obfuscate.org:4321
I haven't tried that, but I will.
I futher guess that I could have different CAfiles per server if I moved that directive to the respective service defintions (can someone confirm?), but I haven't tried that either.
Thanks especially to Flo Rance for helping me work through this.
Now, I have to figure out how to do this from a Windows client!
--Mark
Hi Mark,
Great, I'm glad you've solved it.
Regards, Flo Rance
On Sat, Mar 17, 2018 at 12:14 AM, Mark Foley mfoley@novatec-inc.com wrote:
Solved! I've fixed up the various ports and now I am able to connect. For the edification of other list readers I'll summarize.
I have a local Linux host acting as firewall/router. It routes requests on port 1234 to port 3389 on a local Linux workstation which is running x11vnc server listening on its local port 5900. I want to connect to this VNC server from a remote vnc viewer.
(Why does the router forward to port 3389? Because the workstaion can dual-boot Windows, so the forward works regardless of booted OS.)
Remote vnc viewer, stunnel client stunnel.conf:
verify = 2 pid = /home/mfoley/.stunnel/stunnel.pid CAfile = /home/mfoley/.stunnel/certificate.pem client = yes [x11vnc] accept = 5900 connect = router.obfuscate.org:1234
Local workstation vnc server, stunnel server stunnel.conf:
pid = /var/run/stunnel.pid debug = 7 [x11vnc] accept = 3389 key = /root/privatekey.pem cert = /root/certificate.pem connect = 127.0.0.1:5900
The certificate is self-signed and created on the stunnel/vnc server host using the following commands:
openssl genrsa -out privatekey.pem 2048 openssl req -new -x509 -days 365 -key privatekey.pem -out certificate.pem
The certificate.pem is copied to the stunnel client host.
With x11vnc listening on 5900 on the local workstation and with 'stunnel stunnel.conf' running on both stunnel client (as the normal user) and server hosts, I use the remote vnc viewer, logged in as a normal user, with the connection 127.0.0.1:5900
I'm guessing I could configure my vnc viewers to connect to multiple clients with difference [service] sections, for example:
verify = 2 pid = /home/mfoley/.stunnel/stunnel.pid CAfile = /home/mfoley/.stunnel/certificate.pem client = yes
[remoteHost1] accept = 5900 connect = router.obfuscate.org:1234
[remoteHost2] accept = 5901 connect = router.obfuscate.org:4321
I haven't tried that, but I will.
I futher guess that I could have different CAfiles per server if I moved that directive to the respective service defintions (can someone confirm?), but I haven't tried that either.
Thanks especially to Flo Rance for helping me work through this.
Now, I have to figure out how to do this from a Windows client!
--Mark _______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-
Flo Rance -
Mark Foley