For security reasons most compute nodes on our HPC systems are not directly accessible from outside SURF and you need to go through a login node to access them. As a VNC remote desktop server will run on a compute node, an encrypted SSH tunnel is needed to access it.

Such an SSH tunnel is set up on login node. This section describes various options for setting up the tunnel, from a completely manual way to a more automated one.

We start with describing the manual option, even though that is not the most convenient to use. But it shows the tunneling step done by the automatic options and make it more clear what is going on.

Lisa: SSH tunneling disabled by default

On Lisa SSH tunneling is disabled by default. You can request it to be enabled for your login through our Service Desk.

Manual SSH tunnel setup

Linux, macOS

To set up an SSH tunnel for accessing a VNC server under macOS or Linux, you simply have to open a terminal window and run an ssh -L  command. In general, it looks like this:

workstation$ ssh -L 5901:<node>:5901 <user>@<system>

Here, node  is the compute node on which your VNC server runs, <user> is your username and <system> would be one of or

A concrete example:

workstation$ ssh -L 5901:r34n4:5901

This uses the ssh command to set up an encrypted tunnel that forwards TCP port 5901 on your local machine to port 5901 on the GPU node r34n4 on Lisa, using the interactive visualization node as access point. In most cases TCP port 5901 needs to be tunneled, which corresponds to VNC display :1 (port 5902 would correspond to display :2 , etc).

After executing the command above the SSH tunnel will have been set up and you will be logged into one of the login nodes. Leave the terminal window with the tunnel command open, as closing it will also close the SSH tunnel.

With the tunnel created we can now use a VNC viewer to connect to localhost:1 , which is the local endpoint of the SSH tunnel (VNC display :1  will get translated into port 5901). The VNC viewer will then ask for your user/password to connect to the VNC server, after which the connection to the remote desktop will be complete.


Microsoft Windows does not have built-in SSH capabilities, the best option is to first download the Plink tool (which is part of the PuTTY software). At you can find the download link to plink.exe. An alternative is to install TurboVNC and use its Java-based viewer, which comes with builtin SSH tunnelling, see below.

Next, start a command prompt (Windows-button + r, type cmd, press enter). In the command prompt, navigate to the location where you saved plink.exe, use the command line you got when you started the server but use plink.exe  instead of ssh  as the command. It then should look something like this:

plink.exe -L 5901:r34n4:5901

Automatic SSH tunneling on Linux and macOS: the -via option

Some VNC clients, most notably TigerVNC and TurboVNC , offer a handy -via command-line option that performs the SSH tunneling step shown above for you automatically. The -via option is usually only available on the Linux and macOS versions of those VNC clients.

In case of the Linux/macOS example shown above the command to start the VNC client using the -via option would reduce to:

workstation$ vncviewer -via r34n4:1

The VNC client in this case will set up the appropriate SSH tunnel itself, followed by making a connection to the VNC server through the tunnel. You will be prompted to enter a password twice:

  • First, for setting up the tunnel your regular CUA login password is needed (the same one as you use for accessing a login node)
  • Second, the password for connecting to your VNC session: enter your regular CUA credentials, i.e. username and password

Automatic tunneling in Java TurboVNC Viewer

This section only applies to the Java version of the TurboVNC viewer. The native (Windows) version does not offer the builtin tunneling option. The native version is also scheduled to be deprecated starting with TurboVNC version 3.

The Java TurboVNC Viewer, which is available on Windows, macOS and Linux, has builtin support for SSH tunneling. From within TurboVNC it is straightforward to make a tunneled connection:

  1. Start the Java TurboVNC Viewer

  2. Click the Options... button and switch to the Security  tab
  3. Under Gateway (SSH server or UltraVNC repeater):
    1. Enter your CUA username under SSH user 
    2. Enter the name of the login node under Host . This should be  for Lisa, for Cartesius
    3. Leave Use VNC server as gateway  unchecked
  4. Close the Options window with OK
  5. In the main connection window enter the node and VNC display on which the VNC server is running.

For example, to continue the example above to connect to a VNC server running on r34n4  on Lisa, the filled-in values would look like this:

After clicking Connect the regular welcome message you would see when connecting to the login node through SSH is shown as a separate window, click OK to close it:

The next window shown is to enter your password to log into the login node (as shown in the window title), enter your CUA password here:

Finally, another user-password window is shown, which is used to make the connection to the VNC server (through the SSH tunnel which has been set up at that point):

After entering your credentials and pressing Enter the VNC remote desktop will now be accessible:

The above setup is quite convenient, as you can keep the tunneling settings on the Security tab filled in, while only the compute node on which the VNC server is running needs to be entered in the main window.