VNC behind Firewall or Router

Using VNC behind a firewall or a NAT router without public IP available can be a huge challenge for remote control and maintenance tasks. As local networks operate on their own network address space, these IP network addresses are not known to the public Internet and therefore not directly accessible from outside the private network of your company. Typically, companies access and route the Internet connection for their private networks over a single Router/Gateway and Firewall which receives a permanent or a dynamically changing public IP address. This means that a PC with a private network address within your company is able to access any public IP address within the Internet by routing over your companies public IP Gateway/Router, but the other way its not possible to directly access the private IP address within your companies network.

VNC How to access behind Router Firewall

Generally its impossible to directly access a VNC server running behind a Firewall or a NAT Router, but there are several technical possibilities to overcome this challenge.

Port Forwarding

A common method that is used for many different remote access purposes, such as accessing a private address of your webcam from all over the world, is to configure port forwarding on your router/gateway. Port forwarding allows remote computers (for example, computers on the Internet) to connect to a specific computer or service within a private local-area network (LAN). In a typical private network, computers obtain Internet access through a DSL or cable modem connected to a router or network address translator (NAT/NAPT). Hosts on the private network are connected to an Ethernet switch or communicate via a wireless LAN. The NAT device’s external interface is configured with a public IP address. The computers behind the router, on the other hand, are invisible to hosts on the Internet as they each communicate only with a private IP address.

vnc port forwarding

When configuring port forwarding, the network administrator sets aside one port number on the gateway for the exclusive use of communicating with a service in the private network, located on a specific host. External hosts must know this port number and the address of the gateway to communicate with the network-internal service. Often, the port numbers of well-known Internet services, such as port number 80 for web services (HTTP), are used in port forwarding, so that common Internet services may be implemented on hosts within private networks.

Listening VNC Client with public IP

By triggering the connection from inside a private network it is possible to establish a connection to a waiting (listening mode) vnc viewer. With UltraVNC for example you can start the viewer in listening mode by typing ultravnc.exe -listen. The constraint for accessing a listening vnc viewer is of course that the network address of the viewer can be accessed by the server. So the vnc viewer  has to run on a public IP address.

Public VNC Repeater:

The same way as Skype or TeamViewer are operating is also possible in combination with VNC. Skype and TeamViewer are routing both connections over a central, globally available server with public IP address. So both sides, the server as well as the client can operate on private IP addresses and connect to each other by using the central server. Within the VNC world this concept/software is called a VNC repeater server. VNC repeater servers are responsible for accepting both connections from VNC clients as well as from VNC servers. Typically the VNC repeater accepts VNC clients/viewers on port 5900 and connections coming from your VNC server on port 5500. Both sides have to agree on a common connection ID in order to enable the VNC repeater to distinguise which viewer connection should be connected with which server connection.

vnc repeater

You can find free implementations for VNC repeater software from UltraVNC and another implementation on Google Code.

If you are operating a remote maintenance service its strongly advised to setup your own VNC repeater on your own publicly accessable server!

There are also some free VNC repeaters running online, where you can start to test out such a scenario without setting up your own VNC repeater:

MobileVNC Repeater Autoconnect Support
MobileVNC, Windows CE and Windows Embedded Compact VNC Server also supports the automatic reconnect to listening VNC viewers or to VNC Repeaters.

Leave a Reply

Your email address will not be published. Required fields are marked *