Introduction
The purpose of this document is to provide directions on how to set up an encrypted VNC (Virtual Network Computing) session between two Microsoft Windows-based computers over the Internet.
What is Stunnel?
"Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Socket Layer) available on both UNIX and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code."
Source: www.stunnel.org
How does Stunnel work?
Stunnel works by listening for connections on a predetermined TCP (Transmission Control Protocol) port and forwarding any connections it receives to the TCP service that the administrator wishes to have encrypted over a network connection (such as telnet, VNC, HTTP, etc.).
Example:
A network administrator sets up a server with VNC and Stunnel. The VNC daemon listens on TCP port 5900 by default and Stunnel can be configured to listen on any TCP port available. The network administrator sets up Stunnel to listen on TCP port 7777.
The network administrator then sets up a client computer with a VNC viewer and Stunnel. Stunnel on the client is set up to listen on TCP port 5900 (the VNC default port) and to make a connection to the VNC server via TCP port 7777 whenever a connection to TCP port 5900 is made on the client.
Note: The client computer cannot run a VNC daemon while running Stunnel on TCP port 5900 unless the VNC daemon or Stunnel is configured to listen on a different TCP port.
The end user opens the VNC viewer on the client computer and connects to 'localhost:5900'. This connection is then passed to the VNC server through Stunnel on TCP port 7777. The Stunnel daemon on the VNC server then decrypts the data and forwards it to the VNC server daemon. As a result, all VNC traffic between the client computer and the server passes through Stunnel on TCP port 7777.
Setting up the VNC Server:
To set up the VNC server, five packages are needed: VNC, Stunnel, two SSL libraries (available from the Stunnel website), and stunnel.pem, which will be generated on the Stunnel website. For the purpose of this document TightVNC (http://www.tightvnc.com) will be used as the VNC server and viewer.
1.) Download the latest VNC package from http://www.tightvnc.com/download.html.
2.) After the VNC package has downloaded, double-click on the file to install the software.
3.) Once the VNC package is installed, click on Start -> Programs -> TightVNC -> Launch TightVNC Server.
4.) In the "WinVNC: Current User Properties" box, type and retype a password in the password boxes. (Keep password best practices in mind when choosing a password.)
5.) Press Apply
6.) Press Advanced
7.) In the "WinVNC: Current User Advanced Properties" box, add a check next to "Allow loopback connections." Note: If it is intended to use the VNC daemon without Stunnel as well, then leave "Allow only loopback connections" unchecked. Otherwise check that box as well.
8.) Press Apply and OK on the "WinVNC: Current User Advanced Properties" box.
9.) Press Apply and OK on the "WinVNC: Current User Properties" box.
10.) Click Start -> Programs -> TightVNC -> Administration -> Install VNC Service. (This allows the VNC server to start on boot.)
After TightVNC is installed and set up, it is time to install and set up Stunnel on the server.
1.) Download the latest Stunnel package from http://www.stunnel.org/download/binaries.html.
2.) Download the latest libssl32.dll and libeay32.dll from http://www.stunnel.org/download/binaries.html. Note: These two files are close to the bottom of the page.
3.) Generate a stunnel.pem file by going to http://www.stunnel.org/pem/, filling out the form, and pressing "Generate stunnel.pem File".
4.) Open notepad. Copy and paste the contents of the text box into notepad.
5.) Save the file as "stunnel.pem" in C:\WINDOWS\system32. Note: Make sure that the file doesn't save as stunnel.pem.txt.
6.) Rename the Stunnel executable to stunnel.exe.
7.) Move stunnel.exe, libssl32.dll, and libeay32.dll to C:\WINDOWS\system32.
8.) Open notepad. In notepad type the following:
client=no
cert=stunnel.pem
[vnc]
accept=7777
connect=5900
9.) Save the document as "stunnel.conf" in C:\WINDOWS\system32. Note: Make sure that the file doesn't save as stunnel.conf.txt.
10.) Click the Start button -> run -> type: "stunnel -install". (This installs Stunnel as a service on the computer, which makes Stunnel start on boot.)
11.) Click the Start button -> run -> type: "stunnel". (This starts stunnel.)
Setting up the VNC Client:
Now that the server is set up, it is time to set up the client computer. The client computer needs the same packages as the server computer.
1.) Download the latest VNC package from http://www.tightvnc.com/download.html.
2.) After the VNC package has downloaded, double-click on the file to install the software.
3.) Download the latest Stunnel package from http://www.stunnel.org/download/binaries.html.
4.) Download the latest libssl32.dll and libeay32.dll from http://www.stunnel.org/download/binaries.html. Note: These two files are close to the bottom of the page.
5.) Generate a stunnel.pem file by going to http://www.stunnel.org/pem/, filling out the form, and pressing "Generate stunnel.pem File".
6.) Open notepad. Copy and paste the contents of the text box into notepad.
7.) Save the file as "stunnel.pem" in C:\WINDOWS\system32. Note: Make sure that the file doesn't save as stunnel.pem.txt.
8.) Rename the Stunnel executable to stunnel.exe.
9.) Move stunnel.exe, libssl32.dll, and libeay32.dll to C:\WINDOWS\system32.
10.) Open notepad. In notepad type the following:
client=yes
cert=stunnel.pem
[vnc]
accept=5900
connect=(INSERT_SERVER_IP_ADDRESS_HERE):7777
Note: Replace "(INSERT_SERVER_IP_ADDRESS_HERE)" with the IP address of the VNC/Stunnel server.
11.) Save the document as "stunnel.conf" in C:\WINDOWS\system32. Note: Make sure that the file doesn't save as stunnel.conf.txt.
12.) Click the Start button -> run -> type: "stunnel -install". (This installs Stunnel as a service on the computer, which makes Stunnel start on boot.)
13.) Click the Start button -> run -> type: "stunnel". (This starts stunnel.)
Making a Test Connection:
Now that VNC and Stunnel are configured on the client, it is time to test the connection.
1.) Click on Start -> Programs -> TightVNC -> TightVNC Viewer. (It doesn't matter whether you choose best or fastest; this is a user preference.)
2.) When the viewer opens type: "localhost" in the VNC server box and press OK.
3.) A VNC Authentication window will appear. Type the password for the VNC server and press OK.
That's it! A VNC session of the remote computer should now appear and the end user should be able to work through VNC without fear of clear-text data being sniffed across the network.
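To verify the setup rather than trust it, here is an added Python 3 check that is not part of the original guide or of Stunnel itself: it parses the two stunnel.conf files above, reports settings that matter (a missing cert= line, and the client's lack of verify=, a real stunnel option that the guide's config does not set, so the client encrypts but does not check which server it talks to), and probes a host:port to tell an unencrypted VNC listener from the stunnel TLS listener. The function names are my own; run it on the client with the server's IP address in place of the guide's placeholder.

```python
import socket
import ssl

def parse_stunnel_conf(text):
    """Parse the stunnel.conf layout used above: global key=value lines, then [service] sections."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf

def audit_conf(conf):
    """Return findings about the settings this guide depends on."""
    g, vnc, findings = conf["global"], conf.get("vnc", {}), []
    if "cert" not in g:
        findings.append("no cert= line: stunnel has no stunnel.pem to present")
    if "accept" not in vnc or "connect" not in vnc:
        findings.append("[vnc] needs both accept= and connect=, or nothing is forwarded")
    if g.get("client") == "yes" and "verify" not in g and "verify" not in vnc:
        # without verify= stunnel accepts any server certificate: encrypted, not authenticated
        findings.append("client has no verify= line: the server certificate is not checked")
    return findings

def probe_port(host, port, timeout=3.0):
    """Classify host:port as 'plaintext-vnc', 'tls' (stunnel), 'closed' or 'unknown'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            banner = sock.recv(12)  # a VNC server speaks first: b"RFB 003.008\n"
        except socket.timeout:
            banner = b""  # TLS servers (stunnel) stay silent until they see a ClientHello
        if banner:
            return "plaintext-vnc" if banner.startswith(b"RFB ") else "unknown"
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # the stunnel.pem from the web form is
        ctx.verify_mode = ssl.CERT_NONE  # self-signed; we only test for TLS here
        try:
            with ctx.wrap_socket(sock) as tls:
                return "tls" if tls.version() else "unknown"
        except (ssl.SSLError, OSError):
            return "unknown"
```

On a correct setup, probe_port(server_ip, 7777) returns 'tls' (only after the recv timeout elapses, since stunnel sends nothing first) and probe_port(server_ip, 5900) returns 'closed' when "Allow only loopback connections" was checked on the server. A 'plaintext-vnc' result on port 5900 means VNC is reachable from the network without the tunnel.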