How To Setup Secure VNC with Shorewall and SSHD Posted: April 10, 2014
How to set up a Secure VNC session using sshd and Shorewall
Many methods for securing VNC on Windows machines use PuTTY (https://www.chiark.greenend.org.uk/~sgtatham/putty/) on each workstation to carry the VNC connection inside an SSH session with port forwarding. The method shown here simplifies the Windows 7 setup and does not use PuTTY on the workstation. Instead, an SSH port on the firewall is forwarded to an internal Linux SSHD server, and that server terminates the encrypted tunnel. The Linux server redirects the forwarded VNC ports to the workstations with Shorewall DNAT rules. VNC viewers need an SSH login on the Linux SSHD box. When they make the SSH connection to that server, a local port is opened on their own machine that reaches the VNC session hosted on the Windows 7 machine.
*NB: This method does not add security inside the local LAN. Traffic between the SSHD box and the workstations is plain VNC, so other hosts on the LAN could run a packet sniffer and view the session data; within the LAN the sessions are protected only by the VNC password. The protection here is against viewers outside the LAN: they reach the local hosts only through the encrypted SSH tunnel. To also secure the sessions within the LAN, use the more common method of running PuTTY on the individual Windows workstations. The method described here suits small LANs with users who don't manage PuTTY well; it is simpler for them to set up and run than having to also sort out PuTTY.
* In this example, two Windows 7 (tm) workstations are assigned the IP addresses 192.168.1.12 and 192.168.1.13. A Linux SSHD server on the same network has its inbound SSH port forwarded from the internet gateway and manages the SSH tunnel.
*** W O R K S T A T I O N S E T U P ***
* Install the VNC server on the workstations.
* Go to https://www.tightvnc.com/download.php and download TightVNC for your operating system.
* Navigate to your browser's download directory so you can see the files listed there.
* Double-click the TightVNC installer you just downloaded, e.g. tightvnc-2.7.10-setup-64bit.msi
* OK the next two dialog windows that ask about trusting and running the TightVNC installer.
* Accept the terms of the agreement: click "I accept", then click "Next".
* Click "Next" again, then click "Install" to start the install.
* In a moment the User Account Control dialog will ask whether to allow the installer to run; click "Yes".
* Once the installer is done, click "Finish".
* Next is the VNC server configuration
* If you have a "VNC" icon in the lower right corner of the desktop, click on it. If you do not, click the Start button and click "Start VNC Server", which should be at the bottom of the list of programs; that puts the "VNC" icon in the lower right. Windows may hide that icon, in which case click the small black arrow near the bottom right of the desktop to unhide it. Now click the VNC icon to open the configuration dialog.
* You should have a dialog window titled "TightVNC Server Configuration". In that window, for workstation 192.168.1.12, change the "Incoming viewer connections" port from 5900 to 5902. For workstation 192.168.1.13, change it from 5900 to 5903. Next click the "Set" button for the Server password (just below the 5902/5903 entry) and set the password to "22222", then click the "Set" button just below it to set the Viewer password to "22222" as well. In this example the 192.168.1.13 station uses the password "33333". In real life use your own unique, high-quality passwords and do not lose them; note that classic VNC authentication only uses the first 8 characters of the password, so make those 8 count.
* Click OK to close the configuration window. You are done setting up the Windows machine.
*** L I N U X S S H D S E T U P ***
* Install Shorewall (https://shorewall.net/)
* Configure the /etc/shorewall files as follows (one entry per line):
* Interfaces file:
    lan eth0 - tcpflags,routeback
* Rules file:
    DNAT $FW lan:192.168.1.12:5902 tcp 5902
    DNAT $FW lan:192.168.1.13:5903 tcp 5903
* Zones file:
    fw firewall
    lan ipv4
* Policy file:
    lan $FW ACCEPT -
    $FW lan ACCEPT -
    all all REJECT info
* Invoke "shorewall compile" and see whether Shorewall compiles without error.
* Invoke "shorewall start; sleep 60; shorewall clear" to test your settings for a minute without being locked out of the system if you have made a mistake.
* Once Shorewall is working, invoke it one more time with "shorewall start".
* To have Shorewall start at boot, set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf. If you are running Debian Linux, you may also need to edit /etc/default/shorewall and set startup=1.
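As an added example (not part of the original article), a short POSIX shell script that writes the four Shorewall files above for any number of workstations, deriving each port from the VNC display number (5900 + display) so the TightVNC "Incoming viewer connections" setting, the DNAT rule and the later ssh -L port stay consistent. It assumes the interface name and addresses used in this article; "shorewall check" is only run when Shorewall is actually installed, so the script also works on a machine without it.

```bash
#!/bin/sh
# Added example, not from the original article: generate the Shorewall
# zones/interfaces/policy/rules files described above for N workstations.
# Usage: gen_shorewall_vnc_conf OUTDIR IFACE HOST:DISPLAY [HOST:DISPLAY ...]
# In real use OUTDIR is /etc/shorewall; the demo below uses a scratch dir.

vnc_port() {
    # VNC display number -> TCP port (RFB convention), e.g. display 2 -> 5902.
    echo $((5900 + $1))
}

gen_shorewall_vnc_conf() {
    outdir=$1; iface=$2; shift 2
    mkdir -p "$outdir"

    # zones: the firewall itself and one LAN zone.
    printf '%s\n' 'fw firewall' 'lan ipv4' > "$outdir/zones"

    # interfaces: assumption - the LAN-facing NIC is the one the gateway
    # forwards the SSH port to (eth0 in the article).
    printf 'lan %s - tcpflags,routeback\n' "$iface" > "$outdir/interfaces"

    # policy: LAN <-> firewall open, everything else rejected and logged.
    printf '%s\n' 'lan $FW ACCEPT -' '$FW lan ACCEPT -' 'all all REJECT info' \
        > "$outdir/policy"

    # rules: one DNAT per workstation, ACTION SOURCE DEST PROTO DEST-PORT.
    : > "$outdir/rules"
    for ws in "$@"; do
        host=${ws%:*}; display=${ws##*:}
        port=$(vnc_port "$display")
        printf 'DNAT $FW lan:%s:%d tcp %d\n' "$host" "$port" "$port" \
            >> "$outdir/rules"
    done
}

check_shorewall_conf() {
    # Let Shorewall validate the directory if it is installed; otherwise
    # just confirm all four files were written and are non-empty.
    dir=$1
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$dir"
    else
        for f in zones interfaces policy rules; do
            [ -s "$dir/$f" ] || return 1
        done
    fi
}

# Demo run in a scratch directory so nothing under /etc is touched.
demo_dir=$(mktemp -d)
gen_shorewall_vnc_conf "$demo_dir" eth0 192.168.1.12:2 192.168.1.13:3
cat "$demo_dir/rules"
rm -r "$demo_dir"
```

Run it with the real target directory and your own HOST:DISPLAY pairs, then follow the "shorewall compile" and timed "shorewall start; sleep 60; shorewall clear" steps above before enabling it permanently.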
* You need to edit the firewall/gateway to set up a port forward. If you use the default SSH port, 22, forward that to the SSHD machine. If you choose a different port for SSH, forward that port to the SSHD box and edit the SSHD box's /etc/ssh/sshd_config to set the listening port (the "Port" directive) to your chosen inbound SSH port, for example 20200. The -p parameter in the ssh calls shown below needs that revised port; leave -p off for the default port 22. Since this sshd is reachable from the internet, limit logins to the accounts that need VNC access and prefer key-based authentication (PasswordAuthentication no in sshd_config).
*** R E M O T E C L I E N T ***
* A word about viewers: you can use Windows or Linux to view the desktops. The example below uses Linux. Windows users need PuTTY to set up the SSH tunneling; PuTTY uses the same ports and values as the ssh tool described here. There are many VNC viewers. TightVNC provides one in the same package already installed on the host machines; on a Windows viewing machine install that package with only the viewer component, not the server. Linux offers several VNC viewers as well, a common one being KRDC, the KDE Remote Desktop Connection tool.
* With the machines up running Win7 and the VNC icon in the lower right, a remote inbound ssh session can securely view their desktops from Linux by:
    ssh -p 20200 -L 5902:192.168.1.12:5902 userid@123.123.123.123
* Here -p 20200 is the non-standard SSH port assigned in /etc/ssh/sshd_config; leave -p off if you are using port 22, the default. 192.168.1.12 is the IP of the Windows 7 workstation, and 5902 is the port assigned in the Shorewall configuration; it corresponds to VNC display 2 (port = 5900 + display number; see the VNC documentation for more about display numbers and ports). userid is your login ID on the SSHD box, and 123.123.123.123 is the public IP address of the site (the address your ISP assigned to your gateway firewall). You can add "-N" to the ssh line above to not open a shell on the SSHD machine; use Ctrl-C to quit the SSH session in that case, otherwise just exit the shell as usual.
* Launch a vncviewer against localhost display :2 with password 22222 to see the 192.168.1.12 machine.
* To view the Windows 7 machine at 192.168.1.13, use 5903, 192.168.1.13 and password 33333 in the same way, and launch a vncviewer against localhost :3 with password 33333.
*** F I N I S H E D ***
* To close it all down, quit the viewer, exit the ssh session and have the Windows users disable the VNC service on their desktop. If you don't close the ssh session, the local port 5902 (etc.) is not freed and a second instance of ssh with the same -L port will not be able to bind it.
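As an added example that is not part of the original article: a small client-side wrapper around the "ssh -L ... ; vncviewer localhost:N" steps above. It builds the ssh command (adding -p only for a non-default port), refuses to start if the local port is still held by an earlier tunnel (the problem described under FINISHED), makes ssh exit instead of running without the forward if the bind fails (ExitOnForwardFailure), waits for the forward to come up, and tears the tunnel down when the viewer exits. It assumes iproute2's "ss" and a "vncviewer" binary on the client, plus the addresses, port 20200 and display numbers used in this article.

```bash
#!/bin/sh
# Added example, not from the original article: open the SSH tunnel and the
# VNC viewer as one step, and free the local port again afterwards.
# Assumed values (from the article): gateway 123.123.123.123, sshd on 20200,
# workstations 192.168.1.12 (display 2) and 192.168.1.13 (display 3).

vnc_port() { echo $((5900 + $1)); }

tunnel_cmd() {
    # Build the ssh command line for USER GATEWAY SSHPORT HOST DISPLAY.
    # -N: no remote shell. ExitOnForwardFailure=yes: if the local port is
    # still taken by an earlier tunnel, ssh exits instead of silently running
    # without the forward (which is how the FINISHED caveat bites).
    user=$1; gw=$2; sshport=$3; host=$4; display=$5
    port=$(vnc_port "$display")
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    [ "$sshport" != 22 ] && cmd="$cmd -p $sshport"
    echo "$cmd -L $port:$host:$port $user@$gw"
}

port_listening() {
    # True if something on this machine already listens on TCP port $1.
    # Assumes iproute2 "ss"; column 4 of "ss -ltn" is Local Address:Port.
    ss -ltn 2>/dev/null | awk -v p="$1" '$4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

open_vnc_session() {
    user=$1; gw=$2; sshport=$3; host=$4; display=$5
    port=$(vnc_port "$display")
    if port_listening "$port"; then
        echo "local port $port is already in use (earlier tunnel still open?)" >&2
        return 1
    fi
    $(tunnel_cmd "$user" "$gw" "$sshport" "$host" "$display") &
    sshpid=$!
    # Wait up to 15 s for the forward to appear. If ssh dies first (bad key,
    # bind failure) report that instead of pointing a viewer at nothing.
    i=0
    until port_listening "$port"; do
        if ! kill -0 "$sshpid" 2>/dev/null; then
            echo "ssh exited before the tunnel came up" >&2
            return 1
        fi
        i=$((i + 1))
        if [ "$i" -ge 15 ]; then
            echo "timed out waiting for the tunnel" >&2
            kill "$sshpid" 2>/dev/null
            return 1
        fi
        sleep 1
    done
    # Kill the tunnel when the viewer exits or the script is interrupted,
    # so the local port is free for the next session.
    trap 'kill "$sshpid" 2>/dev/null' EXIT INT TERM
    vncviewer "localhost:$display"
    kill "$sshpid" 2>/dev/null
}

# Usage from the remote client, with the article's values:
#   open_vnc_session userid 123.123.123.123 20200 192.168.1.12 2
```

With key-based authentication the ssh process in the background needs no input; with a password it will still prompt on the terminal before the forward comes up. Running two sessions to different workstations at once works because each uses its own local port (5902, 5903).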