The officially official Devuan Forum!

You are not logged in.

#1 2023-01-01 14:26:16

Registered: 2020-05-15
Posts: 37  

SSH tunnel from PC's VNC client to a VM's desktop on separate VM Host

G'day and Good Year.

I have encountered the idea that there might be security benefits from keeping my adventurous Internet browsing and my Internet commercial transactions (e.g. shopping, banking) on separate machines. I wondered if these separate machines could be VMs.

I also read that while it is convenient to access these VMs using VNC, VNC's access is less secure than it might be, and can be improved by a mysterious magic called "SSH tunneling". This would offer some protection against others on my network (guests, neighbours, wardrivers in the street outside, miscreants infiltrating my media player(s) or IoT lightbulbs, etc) possibly reading the unencrypted VNC traffic.

This hypothesis was stated on the Internet, so it must be true. I mean, all Internet statements are true, not so?

So...trying the VM route, I have at my disposal

1) A Linux computer I refer to as my "PC" (it's a bit feeble to be a VM Host)

2) A Linux computer I refer to as my "VM Host"  (Powerful, noisy, clumsy to work with)

3) A number (1 is a number, OK?) of "VM"s which can be run on the "VM Host"

Currently, to set the scene: I sit at my PC, and connect to my VM Host with an SSH tunnel via the incantation:

ssh -L 5901:localhost:5901 -l <VM Host userid> <VM Host IP>

This gives me a terminal on the VM Host, where I spin up a live VM thusly:

qemu-system-x86_64 <> -vnc :1

To access the desktop (and therefore the browser) on this VM, I fire up remmina on the PC, select VNC connection method, and point this at


This opens up the VM's desktop in the PC's VNC client window and I can browse OR transact. With multiple VMs, I could keep these activities separate.

My question is:

1) Am I benefitting from the magical protection of "SSH tunneling" in my interactions all the way between my PC VNC client and the VM desktop?


2) Does this protection only extend to the connection between the PC VNC client and the VM Host, leaving communication between the VM Host and the VM itself protected only by VNC security? Perhaps I need to create another SSH tunnel on the VM host?

My interpretation is that it is the first option. That is: SSH tunneling covers the comms between remmina i.e. the VNC client on my PC, to qemu-system on the VM Host, and that is everything I need, because the VM exists only in qemu-system. There is no unsecured comms between qemu-system and the VM, because the VM does not exist outside qemu-system.

I understand that a lot of other threats are being ignored, but my interest, for now, is in the extent of the SSH tunnel's protection.

I hope I've explained it clearly enough to receive some feedback that I can actually understand, though my powers of understanding are quite feeble.


Board footer