Chicken of the VNC and connecting to multiple computers on a single LAN

I've successfully got Chicken of the VNC operating so that I can reach my iMac (running Leopard) from outside my LAN using my iBooks (running Tiger). And I can also connect to all computers inside my LAN by using Bonjour in Chicken of the VNC.

What I cannot figure out is how to set up Chicken of the VNC and port forwarding to access my other three computers from outside of my LAN.

I suppose it is simply configuring the port forwarding correctly and apparently I'm not doing that.

I've got each Mac configured with a fixed IP as follows...

iMac is at 192.168.0.100
iBook is at 192.168.0.102
iBook2 is at 192.168.0.103
Acer is at 192.168.0.120

Right now the port forwarding on my Linksys WRT54G looks like this...

VNC1 5500 to 5500 Both 192.168.0.100 enable
VNC2 5800 to 5800 Both 192.168.0.100 enable
VNC3 5900 to 5900 Both 192.168.0.100 enable
VNC-iBook 5502 to 5502 Both 192.168.0.102 enable
VNC-iBook2 5503 to 5503 Both 192.168.0.103 enable
VNC-Acer 5504 to 5504 Both 192.168.0.120 enable

Enabling Bonjour in Chicken of the VNC lets me connect to all computers on my LAN. And I can connect to my iMac outside of my LAN using the WAN-IP:5900.

But I cannot connect to any of the others except the iMac (at internal IP address 192.168.0.100 or outside IP of xx.xx.xxx.xx:5900) outside of my LAN.

Any quick tips?

2.16 GHz Intel Core 2 Duo iMac 24"/2GB SDRAM/500GB HDD/7600GT, Mac OS X (10.5)

Posted on Aug 7, 2008 6:48 PM

4 replies

Aug 8, 2008 3:23 PM in response to Michael Erb1

If you have all of your Macs inside the LAN operating okay with remote access by CotVNC, then 3/4 of the battle is done. But first thing I would do is tunnel your VNC through an encrypted ssh tunnel, unless you don't mind the possibility of a sniffer outside your home network being able to intercept every one of your vnc packets in plain text and monitor your every vnc move.

The easy way to do it would be to connect via ssh to one of the computers inside the LAN with a bunch of ports tunneled through the encrypted ssh connection. I've got several posts that talk about tunneling vnc through ssh. Do a search on posts by me (j.v.) since last year with search terms "vnc ssh 5901". Port forward port 22 through your home router to, for example, your imac, and turn on remote login (ssh login) on your imac. You do not need 5900 port forwarded through the router, only port 22.

To access multiple computers, modify your ssh login command, that you type in Terminal on the computer outside your LAN, to add additional "-L" port forward switches, for example, "ssh -L 15900:127.0.0.1:5900 -L 15901:192.168.0.102:5900 -L 15902:192.168.0.103:5900 -L 15903:192.168.0.120:5900 michael@xx.xx.xxx.xx". Then in CotVNC, you connect to 127.0.0.1:15900, 127.0.0.1:15901, 127.0.0.1:15902, or 127.0.0.1:15903, in order to connect to imac, ibook, ibook2, or acer. All the VNC traffic is encrypted and tunneled inside the ssh connection. All traffic to all computers is delivered to the imac's localhost interface, and depending on which port you specified in CotVNC, it goes to the computer specified in the "-L" switches for that port.

Aug 8, 2008 3:36 PM in response to Michael Erb1

Michael Erb1 wrote:
Right now the port forwarding on my Linksys WRT54G looks like this...

VNC1 5500 to 5500 Both 192.168.0.100 enable
VNC2 5800 to 5800 Both 192.168.0.100 enable
VNC3 5900 to 5900 Both 192.168.0.100 enable
VNC-iBook 5502 to 5502 Both 192.168.0.102 enable
VNC-iBook2 5503 to 5503 Both 192.168.0.103 enable
VNC-Acer 5504 to 5504 Both 192.168.0.120 enable


I'm not familiar with Chicken of the VNC, but its description suggests that it is only a VNC client. Is there an actual VNC server running on these machines that listens on ports 5502, 5503 or 5504?

Aug 8, 2008 4:23 PM in response to Michael Erb1

The VNC server generally uses port 5900, unless you have done something to change the port it listens on.

I would have the linksys do the following port forwarding

WAN port 5900 to 192.168.0.100 port 5900
WAN port 5901 to 192.168.0.102 port 5900
WAN port 5902 to 192.168.0.103 port 5900
WAN port 5903 to 192.168.0.120 port 5900

When you want to connect to iBook2, you would tell Chicken of the VNC to connect to the WAN visible IP address of your Linksys and use port 5902. The Linksys should redirect that connection to 192.168.0.103 port 5900 which should be the VNC server running on iBook2.

The use of ssh tunnels suggested in previous posts is actually a very good idea, as VNC is NOT secure. Everything VNC sends is unencrypted.

For extra credit, you could specify a random high numbered WAN port being routed to each system's port 5900

WAN port 57100 to 192.168.0.100 port 5900
WAN port 57102 to 192.168.0.102 port 5900
WAN port 57103 to 192.168.0.103 port 5900
WAN port 57120 to 192.168.0.120 port 5900

The advantage here is that these port numbers are less likely to be scanned as they are not standard "Known Ports".

If you decide to use ssh tunnelling, you could use a similar trick to obscure your ssh port.

While this is security by obscurity (and not a great approach to security), it does cut down on remote systems consuming some of your bandwidth probing your system, as you are not responding on the well known ports.

Aug 9, 2008 10:47 AM in response to BobHarris

Following on with Bob's and my previous posts, the "obscure ssh port" idea is a good one, in my opinion, simply because, as Bob points out, it is much less likely to be probed by internet evildoers. In that ssh login directive, add a "-p xxxxx" where xxxxx is some 4- or 5-digit port number (personally, I keep it smaller than 49152 because ports 49152-65535 are usually used by local applications making outgoing internet connections) (additionally, I make it a habit to only pick port numbers that are identified as "Unassigned" on this list). Hopefully, your modem/router is sophisticated enough to let you cross-map external WAN port "XXXXX" to internal LAN port 22. If not, in the case of ssh, there's a couple of extra configuration hoops you have to jump through in order to make ssh listen on internal LAN port "XXXXX" -- not difficult but it's just annoying that you have to jump through additional hoops that you wouldn't have to do if your router were sophisticated enough.
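
The multi-host tunnel from the replies above, with the "-p" port option from the last one, as an added example that is not part of the original posts: a small script that builds the ssh command from the thread's host list and reports the local address to give the VNC client. The user name, `xx.xx.xxx.xx` and port 22 are the thread's own placeholders; the function names, `-N`, `ExitOnForwardFailure` and the explicit 127.0.0.1 bind are choices made for this example.

```sh
#!/bin/sh
# Added example (not from the thread's authors): build the multi-host tunnel command.
# LAN addresses and local ports 15900+ come from the thread; one "name ip" per line.
HOSTS='imac 192.168.0.100
ibook 192.168.0.102
ibook2 192.168.0.103
acer 192.168.0.120'

# valid_port PORT: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd USER WAN_HOST SSH_PORT [GATEWAY_IP] [BASE_PORT]
# GATEWAY_IP is the LAN host the router forwards ssh to; its VNC is reached via 127.0.0.1.
build_tunnel_cmd() {
    user=$1; wan=$2; sshport=$3; gw=${4:-192.168.0.100}; base=${5:-15900}
    valid_port "$sshport" || { echo "bad ssh port: $sshport" >&2; return 1; }
    # -N: forward only, no remote shell; abort if any forward cannot be set up
    cmd="ssh -N -o ExitOnForwardFailure=yes -p $sshport"
    n=0
    while read -r name ip; do
        [ -n "$name" ] || continue
        lport=$((base + n))
        valid_port "$lport" || { echo "local port out of range: $lport" >&2; return 1; }
        if [ "$ip" = "$gw" ]; then ip=127.0.0.1; fi
        # Bind to the client's loopback so other machines near the client cannot use the tunnel.
        cmd="$cmd -L 127.0.0.1:$lport:$ip:5900"
        n=$((n + 1))
    done <<EOF
$HOSTS
EOF
    echo "$cmd $user@$wan"
}

# vnc_endpoint NAME [BASE_PORT]: the address to type into the VNC client
vnc_endpoint() {
    n=0
    while read -r name ip; do
        if [ "$name" = "$1" ]; then echo "127.0.0.1:$((${2:-15900} + n))"; return 0; fi
        n=$((n + 1))
    done <<EOF
$HOSTS
EOF
    return 1
}
build_tunnel_cmd michael xx.xx.xxx.xx 22
```

With this in place only the ssh port needs to be forwarded on the router; the 5500, 5800 and 5900 rules can be removed so no VNC listener is reachable from the WAN.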

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
