TightVNC and firewall problem

Hi!
I have a problem which I'm not able to resolve. At home I have a PC with TightVNC server installed. I'm behind a hardware firewall. On my computer at work I have TightVNC Viewer installed.
And here is the problem: I can't connect to my home machine. There is a message, something like "Failed to connect to the server".
In my firewall there is a section called Port triggering. I configured it to open port TCP 5800. I have a DSL connection with a dynamic IP assigned, so I use DynDNS.org.

So I have a question: what else do I have to do to make it work? In the firewall there is a section "Virtual Server". Maybe I should use it and not "Port triggering"?

Please help me because I give up!

Thanks!!!

Reply #1
Yes, the "virtual server" feature is probably what you want.  While my experience isn't the same as yours, I use it in an SMC Barricade to control computers via pcAnywhere.

Essentially what you'll want to do is to choose to forward TCP 5800 to the internal (non-routable) IP address of the computer you wish to control.

Reply #2
First of all, VNC uses ports 5900 - 5904: 5900 for display 0, to 5904 for display 4.
I don't know what OS you run on the VNC server, but if it's Windows it defaults to 5900.

Here is what you have to do:
1. Open port 5900 in your hardware firewall.
2. Forward port 5900 to port 5900 on the IP address of the computer running VNC server (ex: 5900 10.0.0.xx:5900). NAT or Virtual Servers is probably what you are looking for here...
3. Open port 5900 in the software firewall on the server OS (if you have one).
4. Access your remote desktop with the external IP address or your DynDNS address, plus screen number (ex: username.dyndns.org:0)

Beware: The data transferred between the computers is not encrypted, so it is a potential security risk! Don't let this stop you, but just keep it in mind...

Reply #3
Thanks for the answers!
Isn't port 5900 used to control VNC server via web browser? I thought port 5800 is used if I want to use VNC viewer...
So do I have to open port 5900 for TCP and UDP, or only TCP?
And one more question:
If I understand it well, "virtual server" just opens some ports I choose. So what is the difference between "virtual server" and "port triggering"? Here is a short description from my U.S. Robotics 9106:

Quote
NAT -- Port Triggering

Some applications require that specific ports in the gateway's firewall are opened so the remote parties have access. Port Triggering dynamically opens the Incoming Ports in the firewall when an application on the LAN initiates a TCP/UDP connection to a remote party using the 'Outgoing Ports'. The DSL Gateway allows the remote parties from the WAN side to establish new connections back to the application on the LAN side using the 'Open Incoming Ports'.


I understand it that way:
"virtual server" - ports are always open
"Port triggering" - ports are open when it is needed

Correct me if I'm wrong.

Thanks for help!

Reply #4
Quote
Beware: The data transferred between the computers is not encrypted, so it is a potential security risk!


Is there something to do to make it more safe? I'm on Windows BTW...

Reply #5
Quote
Quote
Beware: The data transferred between the computers is not encrypted, so it is a potential security risk!


Is there something to do to make it more safe? I'm on Windows BTW...


There's an encryption plugin for UltraVNC (http://ultravnc.sourceforge.net/), which is a better and faster VNC-compatible program for Windows. Perhaps you can try that?

Of course you can also tunnel the VNC connection via SSH, but that's trickier to set up (requires an SSH server installed on your Windows box and some SSH client that supports tunneling on the box you're connecting from) but works like a charm. If you're willing to experiment a bit, just search Google for "vnc ssh tunneling" and you'll find a few howtos.

Reply #6
* I am pretty sure tcp port 5900 is enough, but it does not hurt to open the udp port as well.
* Go here: http://www.usr.com/support/9106/9106-ug/ca...dy.html#virtual
Repeat the stages with the following settings:
1. Select Virtual Server from the Security Menu.
2. Click Add.
3. Select Customized service and complete the fields with the appropriate values.
    * Customized service: VNC
    * Protocol: TCP
    * External port: 5900
    * Internal port: 5900
    * Internal server IP Address: 192.168.1.xx
4. Click Apply.
5. Repeat once more, but use Protocol: UDP (Unsure if this is needed)

*  As Messer said, UltraVNC has an encryption plugin.
If you need/want to run TightVNC, you can run it through SSH. Instructions.

Reply #7
Quote
* I am pretty sure tcp port 5900 is enough, but it does not hurt to open the udp port as well.
* Go here: http://www.usr.com/support/9106/9106-ug/ca...dy.html#virtual
Repeat the stages with the following settings:
1. Select Virtual Server from the Security Menu.
2. Click Add.
3. Select Customized service and complete the fields with the appropriate values.
    * Customized service: VNC
    * Protocol: TCP
    * External port: 5900
    * Internal port: 5900
    * Internal server IP Address: 192.168.1.xx
4. Click Apply.
5. Repeat once more, but use Protocol: UDP (Unsure if this is needed)

*  As Messer said, UltraVNC has an encryption plugin.
If you need/want to run TightVNC, you can run it through SSH. Instructions.


I read it earlier and did as you wrote but still can't connect to my server.
My server has internal IP 192.168.1.2. I opened port 5900 UDP and TCP. I don't use a software firewall and the one included in Windows is disabled. At work I even disabled the firewall to be 100% sure it does not block something. And still I'm getting the same message: "Failed to connect to server".

To renew my dynamic IP I use the DynDNS.org service. My router (usr9106) has built-in support for this service. I entered my host name, user name and password. There is something like "Last update status" with info "Good" so everything should work OK. I have to try one more thing I have in mind: do not use the built-in support for this service and use some software solution to update my IP.

If some of you have any idea about my problem please share it with me!!

Thanks for help!!!

Reply #8
Short question:
Have you tried to use your external ip address instead of your DynDNS address in VNC Client?

Reply #9
Quote
Short question:
Have you tried to use your external ip address instead of your DynDNS address in VNC Client?


Hmm. I don't know if I understand you well, but I have a DSL connection with dynamic IP assignment, so this IP changes a few times per day... Correct me if I'm wrong...

Reply #10
I understand that, but at any given time you have a valid IP address.
Try that one, to eliminate the DynDNS service...

Reply #11
Quote
I understand that, but at any given time you have a valid IP address.
Try that one, to eliminate the DynDNS service...


To do it I have to know what the IP address is at this moment. I can go from work to home, check it, come back to work, and on my way back to work this IP may change. I need another person at my computer and to phone him/her about my actual IP...

Reply #12
Quote
To do it I have to know what the IP address is at this moment. I can go from work to home, check it, come back to work, and on my way back to work this IP may change. I need another person at my computer and to phone him/her about my actual IP...

I thought you could find your IP address in your DynDNS control panel!

Reply #13
Quote
Quote
To do it I have to know what the IP address is at this moment. I can go from work to home, check it, come back to work, and on my way back to work this IP may change. I need another person at my computer and to phone him/her about my actual IP...

I thought you could find your IP address in your DynDNS control panel!


You are right solaris! I tried it but still can't get a connection. On my router's dynamic DNS config page the status displayed is: last update: good 127.0.0.1.
Maybe the problem is here? I'm not sure, but maybe my actual IP should be displayed there and not 127.0.0.1?? Can someone confirm this?

Reply #14
Yes, something is wrong.
127.0.0.1 = localhost. You have to wait until you come home, to find your external ip address.

NB! You can test the whole setup from home, then make sure it works before you try it from your computer at work.
Use VNC Client on the same computer your VNC server is running.
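
The two failure points this thread keeps circling (a dynamic DNS record holding the wrong address, such as the 127.0.0.1 reported above, and a port forward that never reaches the VNC server) can be told apart with a small check run from outside the home network. This is an added example, not part of the original posts; the host name is the placeholder from Reply #2, and it assumes standard RFB behaviour, where the server sends a 12-byte version banner on connect and display N listens on TCP 5900 + N.

```python
import ipaddress
import socket

def classify_address(ip):
    """Can a viewer on the Internet reach the address the DDNS name points to?"""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"   # e.g. 127.0.0.1: the DDNS update sent the wrong address
    if addr.is_private:
        return "private"    # e.g. 192.168.1.2: a LAN address, not the WAN one
    return "public"

def probe_rfb(ip, display=0, timeout=3.0):
    """Connect to TCP 5900+display; return the RFB version banner or None."""
    banner = b""
    try:
        with socket.create_connection((ip, 5900 + display), timeout=timeout) as s:
            while len(banner) < 12:          # banner looks like b"RFB 003.008\n"
                chunk = s.recv(12 - len(banner))
                if not chunk:
                    break
                banner += chunk
    except OSError:                          # refused, timed out, unreachable
        return None
    if not banner.startswith(b"RFB "):
        return None                          # something answered, but not VNC
    return banner.decode("ascii", "replace").strip()

def diagnose(hostname, display=0):
    """Report which layer is broken: DNS record, port forward, or neither."""
    try:
        ip = socket.gethostbyname(hostname)
    except socket.gaierror:
        return "dns: name does not resolve"
    kind = classify_address(ip)
    if kind != "public":
        return f"dns: {hostname} -> {ip} is a {kind} address, fix the DDNS update"
    banner = probe_rfb(ip, display)
    if banner is None:
        port = 5900 + display
        return f"forward: no RFB banner from {ip}:{port}, check Virtual Server rule"
    return f"ok: {banner} at {ip}:{5900 + display}"

if __name__ == "__main__":
    # Placeholder host name taken from Reply #2; replace with your own.
    print(diagnose("username.dyndns.org"))
```

A "dns:" result means the router or update client is publishing the wrong address, so no amount of port forwarding will help until that is fixed.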

Reply #15
Quote
Yes, something is wrong.
127.0.0.1 = localhost. You have to wait until you come home, to find your external ip address.

NB! You can test the whole setup from home, then make sure it works before you try it from your computer at work.
Use VNC Client on the same computer your VNC server is running.


Do you have a step-by-step solution to resolve my problem? I know my actual external IP. What then?

Thanks for your time and help!!!

Reply #16
Sorry, I am pretty much lost!

But I have one last question:
You have your internet connection straight into your U.S. Robotics 9106 router, right?
Not going through some kind of ADSL modem or similar.

Reply #17
Quote
Sorry, I pretty much lost!

But I have one last question:
You have your internet connection straight into your U.S. Robotics 9106 router, right?
Not going through some kind of ADSL modem or similar.


Well, this USR9106 is all-in-one hardware: wireless access point, ADSL modem, switch, router and firewall.

Reply #18
Then I am out of ideas.
It "should" work, following the guidelines I have given.

Reply #19
Hey WILU,

I'm running TightVNC on a computer behind 2 firewalls, too. One is the router itself, which acts like a firewall if the ports are not being correctly forwarded, and the other one is Windows Firewall.
TightVNC uses 2 ports: 5800, for the Java Web Interface, and 5900, for the Viewer, which has more options and from my personal experience is a little bit faster.
Anyway, since I also have a dynamic IP address I also had to subscribe to a service like DynDNS. I'm using No-IP, though. It's a great service, with software solutions for virtually all platforms. I'd disable the built-in IP update in your router if I were you, just to be sure, and give No-IP a try. It updates your IP and if you open the tool, it reports your external IP address. Note that somewhere, just in case.
In the "Virtual Server" section in your router forward the port 5900. To do this, follow the instructions in the link you provided:

# Select Virtual Server from the Security Menu.

# Click Add.
# Select Customized service and complete the fields with the appropriate values.

   * Protocol: TCP
   * External port: 5900
   * Internal port: 5900
   * Internal server IP Address: .

# Click Apply.


The "Internal server IP Address" is the LAN address the router assigned to the machine running TightVNC server. If you're not sure what the address is, go to Start Menu | Run and type the following command in the little window that popped up: "cmd" (without the quotes). You should now see an MS-DOS prompt. Type "ipconfig /all" (again without the quotes) and you should see the LAN address of the machine. Windows reports it like this:
IP Address. . . . . . . . . . . . : 192.168.0.183


(This is my IP address, yours is probably different, but also starts with 192.168.)
That's the IP you need to tell the router. Then, be *sure* you've disabled the Windows firewall for all the connections you have. If it works, you'll configure it later - your router acts as a firewall in the meantime.
Then go to work and try to access your machine. Use the TightVNC Viewer and its default port (5900, which is already open on the server computer). If it still doesn't work, look for possible software at your work that might be blocking the connection. Maybe your work LAN is configured in some way that only external connections to the most common ports are allowed. Try from a friend's or relative's computer.

Hope this helps

Reply #20
Thank you all for your help and time!!!
After a very loooooooooong "war" between my router and me I won!!

I can connect with my home computer!!!!

The problem was the DynDNS.org service (?). Don't know why but my router does not work properly with it, so I registered at no-ip.com and everything works. I also opened ports 5900 to 5904 TCP.
I also tried a program solution to renew my IP but without success.

Reply #21
You're welcome!

Finally you managed to get it up and running...

Reply #22
Congratulations
I'd only open ports 5800 and 5900, though.

Reply #23
One more question:
Is it possible to control other computers in my LAN? I think it is, but what do I have to do? Control each computer via a different port (I mean Computer1 via port 5900, computer2 via port 5901)? What exactly does "screen number" mean? Or maybe it's like this: computer1 via screen 0, computer2 via screen 1?

@emtee: you are right. Too many open ports is not a good idea. I will close them when I go home.

I'm also thinking about managing my router from my work computer. There is an option in my router to allow HTTP connections from the WAN side. Is there something else I have to do to control it from the internet?

Thanks for help!

Reply #24
You can control other computers in your LAN just as easily as controlling remote computers. However, you must configure TightVNC to use a port other than 5900, since that's already being routed to the initial computer. You cannot route the same port to 2 different machines.
I'm not sure what you mean by screens, though. I don't think TightVNC has such features. Maybe for Linux, or the original VNC, but I've never noticed that in my server.
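
The port questions in the last few replies (one external port per machine, which display number goes with which port, and closing the unused part of the 5900 to 5904 range) can be checked against the router's Virtual Server table with a short script. This is an added example, not part of the original posts; it assumes the usual VNC convention that display N is served on TCP 5900 + N, and every address except 192.168.1.2 is constructed for illustration.

```python
VNC_BASE = 5900  # display N is served on TCP 5900 + N

def audit_forwards(rules, vnc_hosts):
    """rules: (external_port, internal_ip, internal_port) rows from the router's
    Virtual Server page. vnc_hosts: {internal_ip: port its VNC server listens on}.
    Returns ({internal_ip: viewer display suffix}, [problems])."""
    targets, problems, taken = {}, [], {}
    for ext, ip, inner in rules:
        if ext in taken:
            # One external port can only be routed to one machine.
            problems.append(f"external {ext} already goes to {taken[ext]}, not {ip}")
            continue
        taken[ext] = ip
        if vnc_hosts.get(ip) != inner:
            # Open on the WAN side with no VNC server behind it: close it.
            problems.append(f"external {ext} is open but no server on {ip}:{inner}")
            continue
        if ext < VNC_BASE:
            problems.append(f"external {ext} has no display number")
            continue
        targets[ip] = f":{ext - VNC_BASE}"   # typed after the host name in the viewer
    for ip in vnc_hosts:
        if ip not in targets:
            problems.append(f"{ip} has a server but no working forward")
    return targets, problems

# Constructed sample: two LAN machines, plus leftovers from opening 5900-5904.
SAMPLE_HOSTS = {"192.168.1.2": 5900, "192.168.1.3": 5901}
SAMPLE_RULES = [
    (5900, "192.168.1.2", 5900),
    (5901, "192.168.1.3", 5901),
    (5902, "192.168.1.2", 5902),   # nothing listens here
    (5900, "192.168.1.3", 5900),   # duplicate external port
]

if __name__ == "__main__":
    targets, problems = audit_forwards(SAMPLE_RULES, SAMPLE_HOSTS)
    for ip, suffix in targets.items():
        print(f"{ip}: connect to <your-ddns-name>{suffix}")
    print(*problems, sep="\n")
```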