Can not get X11 windows through VPN connection

Question

Level 1

15 points

Can not get X11 windows through VPN connection

I have X11 installed and I'm able to display local X11 programs. I'm connected through a Cisco VPN client to work and I can ssh to my Mac from work by using the IP address that the VPN client says it is using. However, this IP address does not seem to show up in ifconfig. I have run "xhost +" on my local Mac.

When I try to export my DISPLAY to the VPN IP address I can't get my windows to show up on my Mac. On some Linux boxes I've used there are sometimes some configurations to enable X windows to display from remote hosts. Is there something I need to configure on the Mac?

Thanks!

20" iMac Core Duo, Mac OS X (10.4.11), iPhone 8GB, iPod 60GB w/ video, iPod 8GB 2G nano

Posted on Dec 13, 2007 2:56 PM

Reply

Answer 1

Dec 16, 2007 2:50 PM in response to lseven

it should not be necessary to use the xhost program.
if you do a:
ssh -Y -l username ip.to.connect.to
and then xterm

what happens ?

Reply

Answer 2

Dec 16, 2007 3:34 PM in response to lseven

It's not clear to me which way you're going. You said,

"I'm connected through a Cisco VPN client to work and I can ssh to my Mac from work by using the IP address that the VPN client says it is using."

The "connected through a Cisco VPN client to work" indicates you are offsite (away from the work computer, perhaps at home?) and making a connection from home to the work computer.

But, "ssh to my Mac from work" suggests making a connection from work to home, particularly since the sentence continues with "by using the IP address that the VPN client says it is using". It's when connecting from work to home that you would have to specify the IP assigned to the VPN client, which is running on the computer at home.

So, which is it?

To re-enforce the other response, if you use ssh -Y you should not use "xhost +". In fact, one should never use "xhost +" as it opens a security hole. If you have to use xhost, specify the IP address you're opening to, as in "xhost + ip.to.open.to".

You may need to specify "ForwardX11 Yes" in an ssh config file; see man ssh for details.

I also connect to work using a Cisco VPN client, and if I recall correctly there is a setting in the Cisco client that enables X11 traffic. I'll try to check later today and come back with another response.

Message was edited by: Don MacQueen1

Reply

Answer 3

lseven Author

Level 1

15 points

Dec 16, 2007 9:19 PM in response to Don MacQueen1

I'm sorry I wasn't clear. I am at home trying to display X11 programs from my computer at work. I mentioned that I was able to ssh from my work computer to my home Mac computer over the VPN connection just to show that I had connectivity back to my Mac.

I was able to use ssh with X11 forwarding as suggested in the first reply and got my X11 programs to work! I was aware of this method but have never used it... I've always just run my X server on my PC in the past and displayed the X programs back to it without having to run ssh. I assume the ssh method is more secure, but is there a performance penalty?

I also didn't see any X11 traffic options in my Cisco client. But at least I'm able to work from home now! Thanks very much!

Reply

Answer 4

Dec 16, 2007 9:26 PM in response to lseven

Try enabling "IPSec over UDP". It's been a long time, so my recollection is vague, but I think maybe that's what it took to get X windows tunneled through Cisco's VPN client.

Reply

Answer 5

Dec 16, 2007 9:45 PM in response to lseven

Glad you're up and running!

And, oops, I didn't see your message of success before I sent my suggestion about IPSec. Obviously, if ssh -Y did the job then you don't need to check the IPSec thing.

Yes, ssh is more secure (it stands for secure shell, I believe). It encrypts all its traffic, so in principle there has to be performance penalty. But I've never been able to notice one, so it must be a small penalty. Admittedly, I rarely display, for example, large bitmaps, so I suppose your mileage may vary...

Reply