OK… not very original, but the key point is that I want to be able to use the wireless networking, stick it anywhere, and not have to worry about peripherals. A very mobile server.

I already work with remote servers over public networks, and rarely use anything but the command line. For this project I wanted to be able to use the Mac desktop. This seemed the perfect excuse to play with VNC. Additionally, I frequently use SSH and PKI for encryption and authentication respectively, but not VNC.

The Plan.

It seemed to me that there were several parts to the problem, with only one of which I’m familiar.

1. Configure a VNC Client on the local machine.
2. Configure a VNC Server on the remote machine behind a firewall.
3. Enable SSH communication through the firewall.
4. Lock it all up using an SSH tunnel through the firewall so the Server and Client could talk.

Now to work!

The Client.

I settled on Chicken of the VNC (COTVNC), a open source project providing a VNC Client for Mac OS-X. Great, that’s just what I want and it gets good reviews, but I guess most other clients out there would work too.

Once installed COTVNC takes almost no configuration, that all comes later in the SSH and Server.

You might be able to see that I set up two connections; one for an unsecured connection, so that I could see if the security measures locked me out later; and this one for the secured connection, that’s why the host is the local machine.

The Server.

First I tried Apple Remote Desktop (ARD), but found it a little slow, but more importantly I couldn’t find a way to close the two ports in the firewall that the service automatically opened. While I’m diligently using SSH tunnelling to avoid compromising the security of my machine, these two ports are sitting there waiting for attack!

Time to try a different approach. I chose to disable the ARD service, closing the firewall again and installed a third party VNC server. The one I selected was Vine Server from Redstone Software. The reason? Nothing better that I’d read good things about it in blogs and on message boards, it’s available for Mac OS-X, and it’s free.

For Mac OS-X it downloads as a disk image containing the Server and a Viewer. I just wanted the Server as I’m using COTVNC, so a drag toward the Applications folder and a double click later I’m ready to configure things.

Vine server can be run in two different modes; as a System Server that starts automatically whenever the Mac starts up; or as a Desktop Server that can be run like any other application. Since I want to run my Mac mini as a remote headless — no keyboard, mouse or monitor — server, I only configured the System Server.

Not especially difficult, but the eagle‒eyed out there might have spotted that I didn’t enable the “Require Remote Login” option; in fact I did the first time and bang went any connection. I reasoned that I’m using SSH tunnelling, so the Server won’t realise that the connection IS via SSH and block it.

Set the System Server running, checking that it starts up again after a restart, and that’s the Server done.

The Secure Protocol.

Actually, this was pretty easy. Go to System Preferences > Sharing and enable the Remote Login service.

Make sure that the other services are disabled, unless you have a particular use for them; I’ll be enabling the Web Sharing service later. This should ensure that the firewall is closed on all ports except the one used for SSH — port 22.

The Tunnel.

The idea of the SSH tunnel was to forward any communications sent between port 5900 — the default VNC port — on the local machine and the remote machine, through an encrypted SSH connection.

Now there are lots of utilities to help you manage your SSH world, but I tend to use SSH-Agent and the command line. I primarily use SSH-Agent to manage authentication, but it does have the ability to construct tunnels.

If you’ve got PKI set up, you won’t even need to enter any passwords in order to establish the connection.

The Result.

Once your tunnel is connected, you can start up COTVNC, or equivalent, and log‒in!

Everything appears to work and I find Vine Server much more responsive than the Apple free offering.

By the way, I tried logging in with the unsecured connection and was kicked out.