Using VNC securely in Oracle Cloud Infrastructure

Introduction

I frequently come across the situation, where I find OCI Instances that have numerous well-known ports exposed to the public internet - VNC with Port 5901 being one of the common offenders. I have even come across OCI Instances where VNC was active with a logged in root session waiting to be used on the VNC without a password...

This article will show in easy steps how to avoid this situation and walks through the secure use of VNC via an SSH tunnel. The second part focuses on using chained SSH tunnels when private subnet and a Jump Box - also known as a Bastion Host come into play. This is an extension to the tutorial for Oracle Cloud Infrastructure-Classic that I published a few years ago here.

For basic VNC directly to the VM see this support document: OCI : Configure VNC on OCI Instance (Doc ID 2456478.1)

The following diagram shows the setup that this article describes.

Environment Setup

This article uses a single VCN (vncdemovcn) with two distinct subnets as shown here:

The jump-subnet will be housing the jumpbox and will have access to the Internet directly via an Internet Gateway. The db-subnet is a private subnet with no access to the Internet. The only access from the db-subnet is routed via a NAT Gateway.  The scenario is described here: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Tasks/scenarioc.htm

The step by step instructions can be followed to create a similar setup. Make sure to create the Internet Gateway and NAT Gateway with the corresponding route table as shown here:

Finally create the JumpBox as Instance in the jump-subnet with a public IP and the database as DB System with a private IP only in the db-subnet.

Basic SSH Tunnel

The diagram shows the flow of the connection for the first basic example - the second subnet will be involved later in the article.

For this example the SSH Tunnel is established using the Putty Tool. Use the public IP address of the created JumpBox and give it the session a name.

Next expand the session tree on the left hand side and select the category “Data” in the “Connection” branch. Enter “opc” in the Auto-login username field.

Expand the “SSH” branch and select “Tunnels”. Here enter 5901 as source port and localhost:5901 as destination. Click add.

Next navigate to “Auth” in the “SSH” branch and point to the private key that has the authentication information as provided during the provisioning of the JumpBox. 

Finally navigate back to the “Session” category. Press the “Save” Button and then press “Open” to establish the connection.

Configure VNC Server

If everything is configured correctly you will be greeted by the usual prompt.

Install the VNC Server to allow access.

sudo yum -y install tigervnc-server

sudo yum -y install xterm

After all packages are installed simply run:

vncserver 

You will be prompted for a password. Make sure you follow the complexity rules set by your organisation as VNC will not test for complexity of this password. The VNC server with the default settings, e.g. port 5901 for display :1 etc. These settings can be changed in the configuration file: /home/opc/.vnc/xstartup

If you need a full desktop see: How to Install GUI with Oracle Linux 7 (Doc ID 2153562.1)

Connect to VNC Server

Next start your local VNC viewer. The SSH tunnel redirects the VNC output of your VM to your localhost on port 5901. Hence enter localhost:5901 in the VNC Server field and press “Connect”.

The first time you connect you will be issued a warning, that the connection is not encrypted. In our case the SSH tunnel is providing the encryption so this should suffice for most use cases.

Enter the password you have selected for the VNC Server.

If everything is working correctly you will see the xtem window as shown below. You are now ready to use the VNC on the Jumpbox.

To stop the VNC Server simply connect via putty or open a terminal and enter:

vncserver –kill :1

If you prefer to have a different resolution simply start the vncserver using the geometry flag and the prefered resolution.

vncserver –kill :1

vncserver -geometry 1600x1200

Chaining SSH tunnel to connect to VNC Server in a private Subnet

The advanced example use a chain of SSH tunnel to access the VNC Server running on the database server. This allows access to the DB Server’s VNC without having to expose ports etc.

There are certainly other options to achieve this, however the approach described here requires no reconfiguration of the network setup, i.e. opening ports, which will suit most environments.

As a first step we stop the VNC Server on the JumpBox - this is not strictly required it will just make the understanding of the concept easier.

vncserver –kill :1

Next we start the VNC Server on the database instance as shown below.

vncserver

We copy the private key required to access the database to the host and establish a tunnel to the VNC Server as shown here.

ssh  -i privatekey.ppk  -L 5902:database-private-ip:5901 database-private-ip

ssh  -i privatekey.ppk  -L 5902:10.0.10.3:5901 10.0.10.3

Now we can connect directly to the VNC Server of the database host without exposing anything additionally to the Internet.  Again use localhost:5901 as the address.

The connection is encrypted end to end via SSH.

The SSH Tunneling feature enables secure end-to-end connections to VNC and basically all other tools that might be required on a day to day basis like SQL Developer etc. 

Further Reading

Running Graphical Applications Securely on Oracle Cloud Infrastructure

https://docs.cloud.oracle.com/en-us/iaas/Content/Resources/Assets/whitepapers/run-graphical-apps-securely-on-oci.pdf

Connecting to the VNC Console

https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/References/serialconsole.htm#six