I frequently come across the situation, where I find OCI Instances that have numerous well-known ports exposed to the public internet - VNC with Port 5901 being one of the common offenders. I have even come across OCI Instances where VNC was active with a logged in root session waiting to be used on the VNC without a password...
This article will show in easy steps how to avoid this situation and walks through the secure use of VNC via an SSH tunnel. The second part focuses on using chained SSH tunnels when private subnet and a Jump Box come into play. This is an extension to the tutorial for Oracle Cloud Infrastructure-Classic that I published a few years ago here.
For basic VNC directly to the VM see this support document: OCI : Configure VNC on OCI Instance (Doc ID 2456478.1)
The following diagram shows the setup that this article describes.
This article uses a single VCN (vncdemovcn) with two distinct subnets as shown here:
The jump-subnet will be housing the jumpbox and will have access to the Internet directly via an Internet Gateway. The db-subnet is a private subnet with no access to the Internet. The only access from the db-subnet is routed via a NAT Gateway. The scenario is described here: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Tasks/scenarioc.htm
The step by step instructions can be followed to create a similar setup. Make sure to create the Internet Gateway and NAT Gateway with the corresponding route table as shown here:
Finally create the JumpBox as Instance in the jump-subnet with a public IP and the database as DB System with a private IP only in the db-subnet.
The diagram shows the flow of the connection for the first basic example - the second subnet will be involved later in the article.
For this example the SSH Tunnel is established using the Putty Tool. Use the public IP address of the created JumpBox and give it the session a name.
Next expand the session tree on the left hand side and select the category “Data” in the “Connection” branch. Enter “opc” in the Auto-login username field.
Expand the “SSH” branch and select “Tunnels”. Here enter 5901 as source port and localhost:5901 as destination. Click add.
Next navigate to “Auth” in the “SSH” branch and point to the private key that has the authentication information as provided during the provisioning of the JumpBox.
Finally navigate back to the “Session” category. Press the “Save” Button and then press “Open” to establish the connection.
If everything is configured correctly you will be greated by the usual prompt.
Install the VNC Server to allow access.
sudo yum -y install tigervnc-server
sudo yum -y install xterm
After all packages are installed simply run:
You will be prompted for a password. Make sure you follow the complexity rules set by your organisation as VNC will not test for complexity of this password. The VNC server with the default settings, e.g. port 5901 for display :1 etc. These settings can be changed in the configuration file: /home/opc/.vnc/xstartup
Next start your local VNC viewer. The SSH tunnel redirects the VNC output of your VM to your localhost on port 5901. Hence enter localhost:5901 in the VNC Server field and press “Connect”.
The first time you connect you will be issued a warning, that the connection is not encrypted. In our case the SSH tunnel is providing the encryption so this should suffice for most use cases.
Enter the password you have selected for the VNC Server.
If everything is working correctly you will see the xtem window as shown below. You are now ready to use the VNC on the Jumpbox.
To stop the VNC Server simply connect via putty or open a terminal and enter:
vncserver –kill :1
If you prefer to have a different resolution simply start the vncserver using the geometry flag and the prefered resolution.
vncserver –kill :1
vncserver -geometry 1600x1200
The advanced example use a chain of SSH tunnel to access the VNC Server running on the database server. This allows access to the DB Server’s VNC without having to expose ports etc.
There are certainly other options to achieve this, however the approach described here requires no reconfiguration of the network setup, i.e. opening ports, which will suit most environments.
As a first step we stop the VNC Server on the JumpBox - this is not strictly required it will just make the understanding of the concept easier.
vncserver –kill :1
Next we start the VNC Server on the database instance as shown below.
We copy the private key required to access the database to the host and establish a tunnel to the VNC Server as shown here.
ssh -i privatekey.ppk -L 5902:database-private-ip:5901 database-private-ip
ssh -i privatekey.ppk -L 5902:10.0.10.3:5901 10.0.10.3
Now we can connect directly to the VNC Server of the database host without exposing anything additionally to the Internet. The connection is encrypted end to end via SSH.
The SSH Tunneling feature enables secure end-to-end connections to VNC and basically all other tools that might be required on a day to day basis like SQL Developer etc.
Running Graphical Applications Securely on Oracle Cloud Infrastructure
Connecting to the VNC Console