hafur.com vague pictures of amazing moments

Connect to VNC server via SSH tunnel and a bastion server

Sometimes I like to connect to my Mac mini (aka the Server) and do some maintenance using a UI. In my home network, I usually use Apple’s Screen-sharing app. The Screen-sharing app offers the best performance and is already installed, so it is a no-brainer.

  1. Open Screen-sharing
  2. Enter the IP address of the server
  3. Connect

Simple as that!

It becomes a challenge when I do not have access to my home network. There are 3rd-party applications available, such as TeamViewer, AnyDesk, or Edovia’s Screens Connect app (which I use to connect from my iPad to my server).

Another option is to connect to the server via VNC. To use it, you must enable VNC in the server’s ‘Sharing’ settings (see here). You can then also connect to the server using a VNC viewer application.

If I create a port forward in my router, I can connect to my Mac mini directly from the public internet. While this would work, I want to avoid exposing my server to the public internet. After all, it is a hostile world out there.

I recently added a Raspberry Pi to my home network, which acts as a Pi-Hole server and a bastion server. This setup allows me to connect via SSH to my server, with the Pi as my bastion server. Taking this approach further, I can create an SSH tunnel to connect to my server using a VNC viewer from anywhere. And that is precisely what I am now doing.

  1. Create a tunnel from Pi to the server
  2. Create a tunnel from the laptop to the Pi
  3. Connect to the server via VNC: vnc://localhost:


ssh user@pi -L <forward to port>:server:<VNC port> -N ssh user@server 

I am not using standard ports (ssh) in my configuration, so this should be a pretty secure solution. Since I am using an SSH tunnel, the connection to an otherwise non-secure protocol is also encrypted.
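The three steps above as a start/stop script, added here as an example and not part of the original post. It swaps in OpenSSH's `-J` (ProxyJump) so the SSH session ends on the server itself rather than on the Pi; the ports 5901 and 5900, the control-socket path, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: OpenSSH 7.3+ on the
# laptop (needed for -J), VNC on the server's port 5900, free local port 5901.

CTL="${TMPDIR:-/tmp}/vnc-tunnel.ctl"   # control socket used to stop the tunnel

# valid_port PORT: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_args BASTION TARGET LOCAL_PORT VNC_PORT: print the ssh arguments
tunnel_args() {
    valid_port "$3" && valid_port "$4" || return 1
    # -J  hop through the bastion; the SSH session terminates on the server,
    #     so VNC traffic is encrypted on the Pi-to-server leg as well
    # -L  bind the laptop side to loopback only; the far end is the VNC port
    #     on the server's own loopback
    # ExitOnForwardFailure: abort instead of running without the forward
    printf '%s\n' "-N -J $1 -o ExitOnForwardFailure=yes -L 127.0.0.1:$3:127.0.0.1:$4 $2"
}

# open_tunnel BASTION TARGET LOCAL_PORT VNC_PORT: start ssh in the background
open_tunnel() {
    args=$(tunnel_args "$@") || { echo "invalid port" >&2; return 1; }
    # Word splitting of $args is intended here.
    ssh -f -M -S "$CTL" $args
}

# close_tunnel TARGET: stop the background ssh through its control socket
close_tunnel() { ssh -S "$CTL" -O exit "$1"; }

# Example session (host names from the post, ports assumed):
#   open_tunnel user@pi user@server 5901 5900
#   open vnc://localhost:5901        # macOS Screen Sharing
#   close_tunnel user@server
```

If SSH listens on a non-standard port, `-J` accepts `user@pi:<port>` and the target port goes in with `-p` or a `Port` line in `~/.ssh/config`.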

Figure: Bastion VNC Architecture

It is interesting to read the history of VNC on Wikipedia.