User profile for user: terryb
terryb Author
User level: Level 4
3,542 points

Force screen sharing to bind to second network?

We have a Mac Studio Ultra running Ventura and an iMac running Monterey each with a 10Gb wired connection (for fast access to video assets on a private network with no internet access) and a WiFi connection for occasional web access. We want to bind screen sharing to the 10Gb network.


If the network service order is set so WiFi is at the top, web access and connections on the 10Gb network work correctly, but Screen Sharing listens on the WiFi network address.


If the service order is changed so the 10Gb network is at the top, Screen Sharing listens on the 10Gb network address but the Mac has no internet access. Removing the router entry from the 10Gb network settings then allows internet access because the route out falls to the WiFi network settings. But now Screen Sharing is listening on the WiFi network address again.


Is there a way to force Screen Sharing to permanently bind to one network via editing a plist or config file somewhere?

Mac Studio

Posted on Jan 4, 2023 1:19 PM

Reply
Question marked as Top-ranking reply
User profile for user: MrHoffman
MrHoffman
User level: Level 10
154,119 points

Posted on Jan 4, 2023 1:36 PM

Barney-15E wrote:

Are the two networks on different subnets? When you connect via screen sharing, try using the IP address of the other device that it has on that 10G network.


Above is correct. For this configuration to work reliably, separate IP subnets are required. Each NIC will have its own IP address within the subnet, and the local router can be configured to pass or to block access as required.


As I’m not sure if you want both subnets access to screen sharing, or just the 10 GbE subnet…


To complete this block, the local switch/router/firewall will need to block access to screen sharing on the Wi-Fi subnet, absent rummaging in the innards of macOS routing and firewall support to shut off screen sharing there.


If you want screen sharing on both, then specify the local IP subnet address. Your local DNS server can also be set to vend the subnet-local IP address, or you can use mDNS locally, to identify the local IP address.

View in context

Similar questions

10 replies
Question marked as Top-ranking reply
User profile for user: MrHoffman
MrHoffman
User level: Level 10
154,119 points

Jan 4, 2023 1:36 PM in response to Barney-15E

Barney-15E wrote:

Are the two networks on different subnets? When you connect via screen sharing, try using the IP address of the other device that it has on that 10G network.


Above is correct. For this configuration to work reliably, separate IP subnets are required. Each NIC will have its own IP address within the subnet, and the local router can be configured to pass or to block access as required.


As I’m not sure if you want both subnets access to screen sharing, or just the 10 GbE subnet…


To complete this block, the local switch/router/firewall will need to block access to screen sharing on the Wi-Fi subnet, absent rummaging in the innards of macOS routing and firewall support to shut off screen sharing there.


If you want screen sharing on both, then specify the local IP subnet address. Your local DNS server can also be set to vend the subnet-local IP address, or you can use mDNS locally, to identify the local IP address.

Reply
User profile for user: terryb
terryb Author
User level: Level 4
3,542 points

Jan 24, 2023 6:07 PM in response to MrHoffman

To close the loop on this, I wanted to report back and document what I ended up doing for anyone else looking to make screen sharing a bit more secure. This worked for me but if your Mac bursts into flames, sorry.


Modified from https://gist.github.com/mhofman/171539fa11052aae785fd19d8b382664


Force screen sharing to listen on localhost only and connect via ssh tunnel


The solution is to disable the /System/Library/LaunchDaemon and use a "launcher" daemon that will forcibly load the modified /Library/LaunchDaemon. You must still activate Screen Sharing through the preferences or else it will end up in observe only mode.


On the remote host:

Activate Screen Sharing in the System Preferences


$ sudo cp /System/Library/LaunchDaemons/com.apple.screensharing.plist /Library/LaunchDaemons/com.apple.screensharing.plist


In /Library/LaunchDaemons/com.apple.screensharing.plist, edit the Sockets section. This will force screen sharing to listen on localhost only.


<key>Sockets</key>

  <dict>

    <key>Listener</key>

    <dict>

      <key>SockNodeName</key>

      <string>localhost</string>

      <key>SockServiceName</key>

      <string>vnc-server</string>

    </dict>

  </dict>


Create /Library/LaunchDaemons/com.apple.screensharing.launcher.plist with the following content:


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

  <key>Label</key>

  <string>com.apple.screensharing.launcher</string>

  <key>LaunchOnlyOnce</key>

  <true/>

  <key>RunAtLoad</key>

  <true/>

  <key>KeepAlive</key>

  <false/>

  <key>ProgramArguments</key>

  <array>

    <string>/bin/launchctl</string>

    <string>load</string>

    <string>-F</string>

    <string>/Library/LaunchDaemons/com.apple.screensharing.plist</string>

  </array>

</dict>

</plist>


$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist


$ sudo launchctl load -w /Library/LaunchDaemons/com.apple.screensharing.launcher.plist


Create an ssh tunnel and use vnc over the tunnel

On the local client:


$ ssh user@remotehost -L 5901:localhost:5900

Then using Connect to Server (Command-K) connect to vnc://localhost:5901


I chose 5901 as the local port but it can be any unused port above 1024.


Enable password-less ssh key login

On the local client:

If ~/.ssh/id_ed25519.pub doesn’t already exist, run:


$ ssh-keygen -t ed25519

Accept the defaults


Copy the contents of id_ed25519.pub to the remote host:

$ cat ~/.ssh/id_ed25519.pub | ssh user@remotehost 'cat >> ~/.ssh/authorized_keys'


Now, ssh should login using the key.


Force ssh-key-ONLY login

On the remote host, first make sure password-less key login from all required clients works.


Edit /etc/ssh/sshd_config and change these lines to the following:


PasswordAuthentication no

ChallengeResponseAuthentication no


Now, you can only ssh in with a key, a password is not accepted.


Reply
User profile for user: BobHarris
BobHarris
User level: Level 9
57,445 points

Jan 4, 2023 1:51 PM in response to terryb

Look at the 'route' command

man route

And then Google

macOS route command examples

and you should be able to setup 'route' so that the IP addresses for 172.16.


You could also try

ssh -L 12345:172.16.x.x:5900 system.on.your.LAN

and then connect using 

Finder -> Go (menu) -> Connect to server -> vnc://localhost:12345

which should connect your Screen Sharing session to local port 12345, which ssh will route to system 172.16.n.n port 5900 (the Screen Sharing port).

Reply
User profile for user: MrHoffman
MrHoffman
User level: Level 10
154,119 points

Jan 4, 2023 4:28 PM in response to terryb

terryb wrote:

MrHoffman, Interesting about the response getting lost. I'll have to figure out how to view ScreenSharing logs in Ventura to see if the connection attempt is made on the 172 network but the response goes out on the wrong interface.


All IP traffic has a destination IP address, and the routing will pick the NIC with the lowest-cost route, or will pick the designated router when no local route is available and will hand this all off to the designated router.


There is no correlation between the network route that the arriving packets use, and the network route that will be used by departing packets. This whether the application connection uses TCP, QUIC, UDP, or whatever.


traceroute can be useful here, and “ping” will tell you when a particular route is hosed.


And switches and firewalls can absolutely provide connectivity surprises within this realm; whether allowing or denying.

Reply
User profile for user: terryb
terryb Author
User level: Level 4
3,542 points

Jan 4, 2023 1:41 PM in response to Barney-15E

Yes, the 10Gb and WiFi networks are on different subnets -- 172.16 and 10.0.


When you connect via screen sharing, try using the IP address of the other device that it has on that 10G network.


Connecting via the 10Gb 172.16 address even though the Screen Sharing prefs say it's listening on the 10.0 address can work for some period of time but it eventually fails and then only responds on the 10.0 address. I'm not sure what the trigger is.


Is there a way to modify this so instead of binding screen sharing to localhost, bind it to the 10Gb interface? https://gist.github.com/mhofman/171539fa11052aae785fd19d8b382664


Reply
User profile for user: terryb
terryb Author
User level: Level 4
3,542 points

Jan 4, 2023 2:24 PM in response to BobHarris

Thanks for the response BobHarris. I will try your local port forwarding method but my understanding of what's happening is that the Mac stops listening for Screen Sharing requests on the 172 network and only responds on the 10 network. If I toggle its service order or add a router in its 172 network settings it will start listening on the 172 network again. But as I mentioned earlier, this breaks internet access over WiFi. The 172 network has no route to the outside.


We only want the 10Gb networked Macs to listen for screen sharing on the 10Gb 172 network, regardless of the service order or entries in the router field.

Reply
User profile for user: BobHarris
BobHarris
User level: Level 9
57,445 points

Jan 4, 2023 2:55 PM in response to terryb

Thinking about what you just said, that may be the case. But there might be a way to use ssh to get into the other Mac, then have the connection contact 5900 internally via localhost. Not with the command I gave, but something else.


It may take some google digging on your part, if you are at all comfortable with ssh connections.


Otherwise the 'route' command perhaps will do what you need.


Or look at 

man pfctl
man pf.conf


pf is for Packet Filter, and I think you can arrange for it to do packet forwarding on the destination Mac. This is a stretch, and I do not really know what I'm talking about, but it might be something worth googling.

Reply
User profile for user: MrHoffman
MrHoffman
User level: Level 10
154,119 points

Jan 4, 2023 2:50 PM in response to terryb

I’ve yet to see an app that wasn’t listening on all NICs, absent some local setup. (That gist points to one way to do that.) What usually happens with these cases absent local customizations is a routing error. The connection gets to the target NIC, but the response—which is not tied to the arriving NIC—comes back via the wrong network route.


Another case I’ve met here is an intervening firewall that gets tired of remembering things and drops an idle connection from its tables, and the ends get confused.

Reply
User profile for user: terryb
terryb Author
User level: Level 4
3,542 points

Jan 4, 2023 3:13 PM in response to MrHoffman

BobHarris, I recall seeing a defaults write setting to only accept screensharing connections from localhost and then one would ssh into a port that's mapped to localhost. Or something like that.


MrHoffman, Interesting about the response getting lost. I'll have to figure out how to view ScreenSharing logs in Ventura to see if the connection attempt is made on the 172 network but the response goes out on the wrong interface.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Force screen sharing to bind to second network?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up