⟵ Home page
May 10, 2016
Last updated: June 12, 2016
VNC Remote Support via Tor Onion Services
I am in the sort of unlucky position to be the only computer guy in the whole family. That means that I'm resposible for supporting unexperienced parents, grand parents and even their neighbours. For proper support, I often need to see what's going on on their screens and control their PC remotely. So, of course the obvious choice is VNC! (No, some crappy proprietary TeamViewer connecting to some servers somewhere is not accaptable for me.) But how to connect to these boxes that are behind some cheap DSL changing it's IP address every day or not even allowing any hosting at all?
The answer for me of course is my favourite tool of the entire internet: Tor. Simply run an Onion Service on that machine! Since I actually managed to migrate some of the users I support to Linux (I encourage you to do the same. Believe it or not, some newbies are going to love it!), I have worked out one way for Windows and Linux each to set this up. For this guide I'll assume that you're going to connect from a Linux machine on which you've already set up Tor.
On Windows, we're just going to run a simple VNC Server listening on localhost only. The second service is going to be Tor, obviously.
We need to get the so called "Tor Expert Bundle", which is really just the usual Tor software for Windows. You can get it here. Extract the Tor directory of the zip file somewhere (I always just go with C:\). Next create a text file named torrc in the Tor directory. Make sure that it has no filename extension (like .txt). Edit the file in Notepad to contain the following:
HiddenServiceDir C:\Tor\os-vnc HiddenServicePort 5900 127.0.0.1:5900 HiddenServiceAuthorizeClient basic vncsupport
Note that I leave an extra empty line between each line. That's because Notepad still uses the DOS format, where newlines work a little different.
We use the HiddenServiceAuthorizeClient function to add some extra security. Only a simple VNC password isn't very secure. Next open up cmd as Administrator (Start Menu → search for cmd → right click the cmd entry → Run as Administrator) and execute:
C:\Tor\tor.exe --service install --options -f C:\Tor\torrc
Of course, you need to change the path, if yours differs.
This installs Tor as an actual Windows service so it starts everytime the machine is being booted.
VNC server setup
For the VNC server I use TightVNC. Download the TightVNC for Windows MSI and run it. For Setup Type select Costum and uncheck TightVNC Viewer. We only need the server component.
On the next page uncheck Add exception for TightVNC to Windows Firewall. We don’t want the VNC server to be reachable from the outside except via the Onion Service which is listenening on localhost.
After that you can begin the installation process. It will ask you for passwords. I do use a password for remote access, but I don’t use an administrative password. After you provided that, the installation is finished.
Now there’s still some configuration to be done. In Start Menu select All Programs → TightVNC → TightVNC Server (Service Mode) → TightVNC Service - Offline Configuration. Select the Access Control tab and make sure that both boxes in the Loopback Connections area are checked. After that, hit OK and restart the TightVNC service.
We need to add a line to the torrc file of the Linux machine that we want to connect from. It starts with HidServAuth, followed by the content of C:\Tor\os-vnc\hostname of the Windows machine. For example:
HidServAuth qwertyuiopasdfgh.onion X+0i+z27MR2j1VCmgZlDYQ
After saving the changes, restart Tor on Linux (probably
service tor restart, depends on your setup).
The last thing needed is a VNC client. I recommend xvnc4viewer. On Debian or Ubuntu, you can install it using the command
apt install xvnc4viewer. Now we should be able to connect. Open up a Terminal and execute something like:
$ torsocks xvnc4viewer qwertyuiopasdfgh.onion
Obviously, you need to enter a different .onion address.
After entering the VNC password, the connection should be established.
On Linux, I prefer to host a SSH Server which is accesible via Tor. I tunnel the VNC connection using SSH. I’ve already done a guide on how to set up a SSH server behind an Onion Service, so follow it to install this on the machine that you want to control. You also need to install x11vnc (
apt install x11vnc on Debian/Ubuntu) on that machine.
Assuming that you followed the SSH server guide, you should now have an entry for the machine that you want to connect to in the file ~/.ssh/config on the machine that you want to connect from. Make sure that you SSH directly into the user’s account (you may want to define a user entry in ~/.ssh/config for that). For the purpose of this guide, I’ll also assume that you named that entry grandpaslinuxbox.
With the following command, you can connect to grandpaslinuxbox, run a temporary VNC server and tunnel it to your local port 6000:
$ ssh -L 6000:localhost:5900 grandpaslinuxbox env DISPLAY=:0 x11vnc -localhost
After that you should be able to connect to the VNC server:
$ xvnc4viewer 127.0.0.1:6000
As soon as you close the VNC window, the VNC server will shut down and the SSH connection will terminate.