VNC and ssh port forwarding

This is a note about how to setup a ssh proxy jump connection to allow terminal access and VNC based desktop access:

            ssh          ssh
localhost ------> proxy ------> target
             ^             ^
           using         using
           mykey         mykey

In my case, the localhost is a Mac laptop, the proxy and target are ubuntu servers.

  1. Creating id_rsa in localhost (my laptop), add the same to the both proxy’s and target’s ssh-agent. (ref:
  2. Now the following command will make connection to the target via proxy (credit:
    ssh -i ~/.ssh/id_rsa -Ao ProxyCommand="ssh -i ~/.ssh/id_rsa -W %h:%p -p proxySSHport User@proxyIP" -p targetSSHport User@targetIP

    If you use iTerm2, you can create a new profiles to make it as a shortcut: Profiles -> Open Profiles -> Edit Profiles… -> + (on lower left corner) -> General -> Send text at start (paste the command in this box)

  3. To setup VNC connection, we need to setup a port forwarding in addition to the above command:
    ssh -i ~/.ssh/id_rsa -Ao ProxyCommand="ssh -i ~/.ssh/id_rsa -W %h:%p User@targetIP" -L 5901: -N -f -l User targetIP

    Noted that the target server part used -l to specify username. This username will also be used as VNC login user, so you need to set that in the next part on the target server. From the ssh manual (

      • -N‘ Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
      • -f‘ Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. This implies -n. The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm.
        If the ExitOnForwardFailure configuration option is set to ”yes”, then a client started with -f will wait for all remote port forwards to be successfully established before placing itself in the background.
      • -W host:port
        Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N-TExitOnForwardFailure and ClearAllForwardings and works with Protocol version 2 only.
  4. If you don’t have VNC service running already on your target server. Here’s very good reference on how to set that up:

    Remember to use the same username in last setup for setup in the Step 4 part


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.