For security reasons most compute nodes on our HPC systems are not directly accessible from outside SURF and you need to go through a login node to access them. As a VNC remote desktop server will run on a compute node, an encrypted SSH tunnel is needed to access it.
Such an SSH tunnel is set up on a login node. This section describes various options for setting up the tunnel, from a completely manual way to a more automated one.
We start by describing the manual option, even though it is not the most convenient to use, because it shows the tunneling step performed by the automatic options and makes it clearer what is going on.
Lisa: SSH tunneling disabled by default
On Lisa SSH tunneling is disabled by default. You can request it to be enabled for your login through our Service Desk.
Manual SSH tunnel setup
To set up an SSH tunnel for accessing a VNC server under macOS or Linux, you simply have to open a terminal window and run the command that was reported when you started the server with vnc_desktop (step 3 above). It should look similar to this line:
This uses the ssh command to set up a tunnel that forwards TCP port 5901 on your local machine to port 5901 on the GPU node r34n4 on Lisa, using the interactive visualization node lisa.surfsara.nl as public access point. In most cases TCP port 5901 needs to be tunneled, which corresponds to VNC display :1 (port 5902 would correspond to display :2, etc).
After executing the command above the SSH tunnel will have been set up and you will be logged into one of the login nodes. Leave the terminal window with the tunnel command open, as closing it will also close the SSH tunnel.
With the tunnel created we can now use a VNC viewer to connect to localhost:1, which is the local endpoint of the SSH tunnel. The VNC viewer will then ask for your user/password to connect to the VNC server, after which the connection to the remote desktop will be complete.
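The manual tunnel described above, as an added example (not SURF's own script, and not the exact line that vnc_desktop prints): it derives the TCP port from the VNC display number and builds the ssh local-forward command for the r34n4 / lisa.surfsara.nl example. LOGIN_USER is a placeholder; the explicit localhost bind, the ExitOnForwardFailure option and the name checks are additions of this example.

```sh
#!/bin/sh
# Added example. LOGIN_USER is a placeholder; r34n4 and lisa.surfsara.nl are
# the example compute node and login node used in the text.

# Reject empty values and anything ssh could parse as a command-line option.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# VNC display :N listens on TCP port 5900+N (:1 -> 5901, :2 -> 5902).
# Accepting displays 0-99 is an assumption of this example.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*|0?*) echo "invalid VNC display: '$1'" >&2; return 1 ;;
    esac
    [ "${#1}" -le 2 ] || { echo "display out of range: $1" >&2; return 1; }
    echo $((5900 + $1))
}

# usage: tunnel_cmd USER LOGIN_HOST COMPUTE_NODE DISPLAY
tunnel_cmd() {
    valid_name "$1" && valid_name "$2" && valid_name "$3" ||
        { echo "invalid user or host name" >&2; return 1; }
    port=$(vnc_port "$4") || return 1
    # "localhost:" keeps the local end of the tunnel on the loopback interface,
    # so other machines on your network cannot reach the forwarded VNC port.
    # ExitOnForwardFailure makes ssh exit if the port cannot be forwarded,
    # instead of logging you in without a working tunnel.
    echo "ssh -o ExitOnForwardFailure=yes" \
         "-L localhost:${port}:${3}:${port} ${1}@${2}"
}

# Print the command for display :1 on node r34n4 via the Lisa login node.
tunnel_cmd LOGIN_USER lisa.surfsara.nl r34n4 1
```

Run the printed command in a terminal and keep that window open, then point the VNC viewer at localhost:1 as described above.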
Microsoft Windows does not have built-in SSH capabilities; the best option is to first download the Plink tool (which is part of the PuTTY software). At http://www.chiark.greenend.org.uk/sgtatham/putty/download.html you can find the download link to plink.exe. An alternative is to install TurboVNC and use its Java-based viewer, which comes with builtin SSH tunnelling, see below.
Next, start a command prompt (Windows-button + cmd, press enter). In the command prompt, navigate to the location where you saved plink.exe and use the command line you got when you started the server, but with plink.exe instead of ssh as the command. It should then look something like this:
Automatic SSH tunneling on Linux and macOS: the -via option
Some VNC clients, most notably TigerVNC and TurboVNC, offer a handy -via command-line option that performs the SSH tunneling step shown above for you automatically. The -via option is usually only available on the Linux and macOS versions of those VNC clients.
In case of the Linux/macOS example shown above the command to start the VNC client using the -via option would reduce to:
The VNC client in this case will set up the appropriate SSH tunnel itself, followed by making a connection to the VNC server through the tunnel. You will be prompted to enter a password twice:
- First, for setting up the tunnel your regular CUA login password is needed (the same one as you use for accessing a login node)
- Second, the password for connecting to your VNC session. This differs based on the SURF system you are connecting to:
  - Lisa: enter your regular CUA credentials, i.e. username and password
  - Cartesius: enter the VNC password you configured separately
Automatic tunneling in Java TurboVNC Viewer
This section only applies to the Java version of the TurboVNC viewer. The native (Windows) version does not offer the builtin tunneling option. The native version is also scheduled to be deprecated starting with TurboVNC version 3.
The Java TurboVNC Viewer, which is available on Windows, macOS and Linux, has builtin support for SSH tunneling. From within TurboVNC it is straightforward to make a tunneled connection:
- Start the Java TurboVNC Viewer
- Click the Options... button and switch to the Security tab
- Under Gateway (SSH server or UltraVNC repeater):
  - Enter your CUA username under
  - Enter the name of the login node under Host. This should be
  - Leave Use VNC server as gateway unchecked
- Close the Options window with
- In the main connection window enter the node and VNC display on which the VNC server is running.
For example, to continue the example above to connect to a VNC server running on r34n4 on Lisa, the filled-in values would look like this:
After clicking Connect, the regular welcome message you would see when connecting to the login node through SSH is shown in a separate window; click OK to close it:
The next window asks for your password to log into the login node (as shown in the window title); enter your CUA password here:
Finally, another user-password window is shown, which is used to make the connection to the VNC server (through the SSH tunnel which has been set up at that point):
After entering your credentials and pressing Enter the VNC remote desktop will now be accessible:
The above setup is quite convenient, as you can keep the tunneling settings on the Security tab filled in, while only the compute node on which the VNC server is running needs to be entered in the main window.