Remote VNC over SSH on Windows
#Introduction
VNC is a remote desktop protocol used as a remote desktop solution across many different platforms. It’s sort of like SSH, which provides remote secure shell access. In this tutorial, we walk through how to set up an SSH and VNC server on Microsoft Windows, along with the Diode CLI, so that the machine can be remotely accessed via the Diode network.
Using the Diode Network brings the following advantages:
- Dodge NAT. This method works even behind NAT, making this solution particularly helpful in situations where you are behind a router that you are not able to configure, as is the case in a hotel or dorm room.
- Mobility. Using the Diode network allows for a single connection address regardless of which physical network you are connected to. This is ideal for use on devices such as laptops and smartphones that are constantly jumping from network to network.
- Friendly. Your Diode address won’t change on you like your IP address does. This means that with Diode, you don’t have to pay your ISP extra for a static IP address or deal with a dynamic DNS service. Your Diode address stays consistent out-of-the-box. Additionally, an easy-to-remember BNS address such as “mysurfacepro.diode” can be optionally registered to your Diode address; this name can then be used in place of your Diode address.
- Anonymity. Without the Diode Network, you would have to use your public IP address to connect, tying your internet traffic to your real-world identity. With the Diode Network, there is no personal information attached to your traffic by default.
- Secure. Using Diode to connect to your device provides security that your router can’t match. The Diode Network is fully decentralized and uses 256-bit public key cryptography for authentication. It’s easy to restrict access to only the devices you explicitly allow to connect.
#Stage 1: Diode CLI
- Download the Diode CLI for Windows diode_windows_arm64.zip file
- Extract diode_windows_arm64.zip and copy the resulting folder containing the extracted Diode file into the %PROGRAMFILES% directory.
- Update the system path variable to include the Diode CLI
- Type “Edit the system environment variables” into the Windows search bar and click the result.
- Click the “Environment Variables” button at the bottom right of the popup
- Click on the “Path” variable
- With the “Path” variable row highlighted, click “Edit”
- In the popup, click “New” & type the path to the parent directory of your recently-installed Diode CLI (it will be something like %PROGRAMFILES%\diode_windows_amd64)
- Click “Ok” to save & close each of the 3 popup windows
- Open up the command prompt and type “diode version” (run it from a directory other than the one containing the installed Diode CLI, so that you are testing the Path entry rather than the local file). If you get a readout containing version info for the Diode CLI, then you’ve done the above configuration successfully. If you don’t, revisit the steps above.
- Take note of your server’s Diode client address by running diode config in the command prompt
- Build your connection string to publish port 22 (see the “diode publish” section of this linked article for more information).
- Option A: to publish your port publicly on the Diode Network, the following string is used:
diode publish -public 22:22
- Option B: to publish a port privately to a specific Diode client, the following string is used:
diode publish -private 22:22,<authorized_diode_client_address>
The leading “0x” must be included in the Diode client address. If you don’t have a Diode client address on another device yet, use option A for now to publish the port publicly. You will get a Diode client address in Stage 4 of this tutorial that you can use to lock down the Diode connection.
- Follow the steps in this short tutorial to set up the Diode CLI to publish your port automatically every time your Windows computer boots up. Use the connection string from the previous step when following this tutorial.
#Stage 2: OpenSSH Server
- Install OpenSSH
- Type “Manage optional features” into the Windows search bar and click the result.
- Click “Add a feature” at the top
- Search for “OpenSSH” and install the “OpenSSH Server”
- Start OpenSSH Service
- Type “services” in the Windows search bar and click the result
- In the services window, scroll down to “Open SSH Server”
- Right click “Open SSH Server”
- Click “properties”
- Change “Startup Type” dropdown from “Manual” to “Automatic”
- Click “OK”
- Right click “Open SSH Server” again
- Click “start”
- Close the Services window
- *OPTIONAL* Configure OpenSSH
- Navigate to %PROGRAMDATA%\ssh and open the file named “sshd_config” in Notepad
- Use this file to configure your SSH settings. I recommend disabling password-based authentication in favor of key-based authentication, but that is another topic.
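Since the tutorial leaves that hardening step to the reader, here is an added example (it is not part of the Diode documentation or the Diode CLI) of applying it from an elevated PowerShell prompt. It edits the sshd_config file at the path given above, assuming the default Windows OpenSSH install where the service is named sshd, and restarts the service. Before running it, put your public key on the server so you are not locked out: for a normal user in %USERPROFILE%\.ssh\authorized_keys; for an account in the Administrators group in %PROGRAMDATA%\ssh\administrators_authorized_keys (with its permissions restricted to Administrators and SYSTEM), which is where the “Match Group administrators” block at the end of the default Windows sshd_config looks.

```powershell
# Added example, not from the Diode docs: lock the Windows OpenSSH server down to
# key-based logins. Assumes the default install (config in %PROGRAMDATA%\ssh,
# service name "sshd"); run from an elevated PowerShell.
$configPath = Join-Path $env:ProgramData 'ssh\sshd_config'

# Directives to force on in the global section of sshd_config.
$desired = [ordered]@{
    'PasswordAuthentication' = 'no'    # no password guessing against the published port
    'PubkeyAuthentication'   = 'yes'   # keys only
    'PermitEmptyPasswords'   = 'no'
}

function Set-SshdDirective {
    param([string[]]$Lines, [string]$Name, [string]$Value)
    # Edit only the global section. Everything from the first "Match" line on is
    # conditional (the default Windows file ends with "Match Group administrators"),
    # and a directive appended after it would apply only to that group.
    $matchIdx = $Lines.Count
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^\s*Match\b') { $matchIdx = $i; break }
    }
    # Replace the directive whether it is active or commented out ("#PasswordAuthentication yes").
    $pattern  = "^\s*#?\s*$Name\b"
    $head     = [System.Collections.Generic.List[string]]::new()
    $replaced = $false
    for ($i = 0; $i -lt $matchIdx; $i++) {
        if (-not $replaced -and $Lines[$i] -match $pattern) {
            $head.Add("$Name $Value")
            $replaced = $true
        } else {
            $head.Add($Lines[$i])
        }
    }
    if (-not $replaced) { $head.Add("$Name $Value") }
    $rest = if ($matchIdx -lt $Lines.Count) { $Lines[$matchIdx..($Lines.Count - 1)] } else { @() }
    return [string[]]($head.ToArray() + $rest)
}

# Keep a timestamped backup, rewrite the file, and restart sshd so it re-reads the config.
Copy-Item -Path $configPath -Destination "$configPath.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
[string[]]$lines = Get-Content -Path $configPath
foreach ($name in $desired.Keys) {
    $lines = Set-SshdDirective -Lines $lines -Name $name -Value $desired[$name]
}
Set-Content -Path $configPath -Value $lines -Encoding ascii
Restart-Service -Name sshd

# Confirm the three directives are now active (uncommented) in the file.
Select-String -Path $configPath -Pattern '^(PasswordAuthentication|PubkeyAuthentication|PermitEmptyPasswords)\b'
```

Keep an existing SSH session open while you run this and test a fresh key-based login from a second window before closing it; if the new login fails, restore the backup file and restart sshd again.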
#Stage 3: VNC Server
- Download & install the TightVNC Server for Windows, sticking to defaults and using the “Typical” settings option if prompted (you can use any VNC server, but we’ll use this one for this tutorial).
- Set the administrative and remote access passwords as prompted.
#Stage 4: Connecting to the Server Via Diode Network
- On a different machine, download & install the Diode CLI
- In a terminal window, run:
diode socksd
- In a separate terminal window, use the following string to connect via SSH over the Diode Network. Replace <user> and <diode_address> with the proper values: <user> is the username of the user on the server you’re connecting to, and <diode_address> is the Diode client address that you took note of in Stage 1 (the “diode config” step). The leading “0x” should be included in the <diode_address>.
ssh -o "ProxyCommand=nc -X 5 -x localhost:1080 %h %p" -L 5900:localhost:5900 <user>@<diode_address>.diode
- Use a VNC client to connect to localhost:5900 (as for VNC clients, Remmina is good on Linux, and TigerVNC Viewer is good on Windows)
- *OPTIONAL* Secure the Diode Connection
You can secure the Diode connection so that only whitelisted clients can connect to the port published on the server. To do this, follow the steps below.
- Get this client’s Diode address by running diode config in the Windows command prompt. Take note of the “client address” in the output of that command.
- Edit the connection string that we set up in Stage 1 (the “diode publish” steps) to this format:
diode publish -private 22:22,0x361a8a27C3d1b939011198c69F4120CA4ea12E99
This string publishes port 22 to the Diode network, but only for the client whose address is listed in the string. Make sure to swap out the made-up address in the example above for your actual client’s address that you took note of in the previous step.
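A mistyped address in that string is easy to miss, so here is an added PowerShell example (not part of the Diode documentation or CLI) that assembles the “diode publish” arguments used in Stage 1 and in this step, and refuses to produce anything unless the allowed client address is well-formed, so a typo cannot quietly leave the port open. It assumes that a Diode client address has the shape shown in this tutorial, “0x” followed by 40 hex digits.

```powershell
# Added example, not from the Diode docs: assemble the "diode publish" arguments
# so that a private publish can never silently degrade to a public one.
# Assumption: a Diode client address has the shape shown in this tutorial,
# "0x" followed by 40 hex digits.

function Test-DiodeAddress {
    param([string]$Address)
    return ($Address -match '^0x[0-9a-fA-F]{40}$')
}

function New-DiodePublishArgs {
    param(
        [int]$Port = 22,
        [string]$AllowedClient = '',   # the client address from "diode config" on the other machine
        [switch]$Public                # explicit opt-in to the -public form (anyone may connect)
    )
    if ($Public -and $AllowedClient) {
        throw 'Pass either -Public or -AllowedClient, not both.'
    }
    if ($Public) {
        return "publish -public ${Port}:${Port}"
    }
    if (-not $AllowedClient) {
        throw 'No client address given. Use -Public only if you deliberately want the port open to every Diode client.'
    }
    if (-not (Test-DiodeAddress $AllowedClient)) {
        # A missing "0x" or a dropped character must stop the publish, not fall back to -public.
        throw "Not a Diode client address (expected 0x plus 40 hex digits): $AllowedClient"
    }
    return "publish -private ${Port}:${Port},$AllowedClient"
}

# Usage (the address is the tutorial's made-up one; replace it with your client's):
$publishArgs = New-DiodePublishArgs -AllowedClient '0x361a8a27C3d1b939011198c69F4120CA4ea12E99'
$publishArgs
# To run it, each element of the split string becomes a separate argument to the CLI:
# & diode ($publishArgs -split ' ')
```

The same string is what you hand to the boot-time publish task from Stage 1, so regenerate it with this function whenever the client address changes rather than editing the task by hand.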
#Alternative Stage 4: Connecting to the Server Via Diode Gateway
The most secure and dependable way to connect to your server is by following the steps in Stage 4 directly above; however, there is also the option of using a Diode Gateway such as diode.link, which will allow you to connect to your server without installing the Diode CLI on your client. This also means that you must publish your port publicly on the Diode network, and not privately. Using this method, we only have to run the following command to connect to our server via SSH:
ssh -o "ProxyCommand=nc -X 5 -x diode.link:1080 %h %p" -L 5900:localhost:5900 <user>@<diode_address>.diode
Check out the “SSH Client Usage” section of this linked article for more information on this topic.