Learning Center
SSH

How to Create an SSH Tunnel for Secure Connections over VNC

16 Jun 2025
Hostman Team
Hostman Team

One of the major drawbacks of the VNC (Virtual Network Computing) protocol for remote access to computers is the complete lack of session encryption. 

Bf070f03 1241 422f 9f54 4348c6ce45c0

Image source: FAQ on the TightVNC website

One way to address this issue is by creating an SSH tunnel over which the VNC session will run, ensuring full encryption of the VNC session. An SSH tunnel creates an encrypted data channel between the client device and the server. In addition to establishing a secure connection to the remote device, an SSH tunnel can also be used to transfer data.

And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS.

In this article, we will explore several methods for creating an SSH tunnel, including using the standard ssh utility, as well as third-party client applications such as PuTTY and MobaXterm.

Prerequisites
Copy link

  • A server or virtual machine with VNC installed. You can use TightVNC for this. We explain how to install it in another article.

  • A second server or virtual machine with a pre-installed Linux OS with a graphical interface. You can use any modern Linux distribution or a home computer or laptop running Windows. Both Home and Professional editions, as well as Windows Server versions, are suitable.

Creating an SSH Tunnel 
Copy link

Method 1. The ssh Utility
Copy link

Let’s start by setting up an SSH tunnel using the standard OpenSSH client, which comes pre-installed by default on almost all modern Linux distributions, as well as on Windows operating systems starting from Windows 10 version 1709 and above. Windows Server 2019 and Windows Server 2022 would also work. 

On Windows systems, you can also use any WSL distribution (Windows Subsystem for Linux).

The following command for setting up an SSH tunnel works the same on both Linux and Windows:

ssh -L 5901:localhost:5901 root@<server-IP-address>

Where:

  • -L — the flag for local port forwarding. In local forwarding, a port from the client device is forwarded to the server. All subsequent connections to this local port will pass through the SSH tunnel.
  • 5901:localhost:5901 — syntax for forwarding the remote port. In this example, we inform SSH that we want to forward port 5901 (the port of the VNC server) located on the remote server to gain access to the VNC server. At the same time, we also open port 5901 on our local device (localhost).
  • root@<server-IP-address> — the standard syntax for SSH connection.

After entering the command, the system will prompt for the user’s password, and upon successful entry, you will log into the server. After this, the SSH tunnel will be established. It's important to remain connected to the server; otherwise, the SSH session (and the tunnel) will be interrupted.

If you need to launch the SSH tunnel in "daemon" mode (in the background), use the -fNT options, for example:

ssh -fNT -L 5901:localhost:5901 root@<server-IP-address>

Where:

  • -f — after the password is entered, instead of launching a shell, the ssh process will switch to the background;
  • -N — do not execute any command on the remote server after starting the tunnel;
  • -T — disables the use of a terminal.

Once the SSH tunnel is successfully established, you can connect using any VNC client utility, for example, TightVNC Connection. Launch the utility and enter the address localhost::5901 in the “Remote Host” field:

72e6f220 988b 41f0 A3ba 40c3cebec2bc

After entering the address, click the “Connect” button. The program will request the password for the VNC session, which is set during the VNC server configuration:

68c211bd Fa33 4c8f A0ef Cedc6af7322c

After entering the password, a window with the graphical interface of the server will open:

E8aac3d3 7ea3 46cb 888f Bc428eeb715f

All traffic between your device and the VNC server is now fully protected and encrypted.

Method 2. PuTTY
Copy link

In addition to using the standard ssh utility, a tunnel can also be set up using the popular client utility for connecting to remote servers — PuTTY. To do this, follow these steps:

  1. Launch PuTTY and in the main menu fill in the following fields:

    • Host Name (or IP address): enter the IP address of the VNC server;

    • Port: specify the port used by SSH;

    • Saved Sessions: enter any name for the session so that it can be saved and launched quickly in the future.

  2. Click the “Save” button to save the current session.

6c30817a C871 4947 Af47 D027219eac9a

  1. In the left menu, find the “Connection” section, expand it, and go to “Tunnels”:

5d88be05 C250 4e01 8797 931c510d77d3

  1. In the opened section, fill in the following details:

    • Source port: specify the port to be opened on the client device, e.g., 5901;

    • Destination: enter the IP address of the VNC server and the VNC server’s port.

  2. After entering the data, click the “Add” button:

2caff664 465f 4f2e Ae33 69ab3007a2b4

  1. Return to the PuTTY main menu (the “Session” section) and connect to the server by clicking the “Open” button. During the first login, you will need to accept the host key by clicking the “Accept” button.

3d59508b C610 4780 A95c E6429af39efd

  1. After entering the user account password, the server terminal will open:

3a8778be Fbab 4339 8ee0 D1507f642a96

  1. Without closing the PuTTY session window, open your VNC client application (e.g., TightVNC Connection) and enter the address localhost:5901:

Pic1

After entering the VNC session password, the server’s graphical interface will be displayed.

Method 3. MobaXterm
Copy link

Another popular program for Windows OS used to connect to remote servers is MobaXterm. It can also be used to create an SSH tunnel. To do so, follow these steps:

  1. Launch the program and click on the “Tunneling” tab at the top:

11711700 3076 419e Bae8 9fd245feac08

  1. In the tunnel settings window, make sure the option “Local port forwarding” is selected and fill in the following information:

    • In the “My computer with MobaXterm” section, enter the local port (5901) to be opened on the device;

    • In the “SSH server” section, enter the address of the remote VNC server, along with the login and password to connect to the server;

    • In the “Remote server” section, enter localhost as the address and 5901 as the port.

E0d2e70b F582 4df4 A376 Ae8334f46aa6

  1. Click the “Save” button to save the settings.

  2. In the opened window, click the start button in the “Start/stop” section:

29e1ddc7 9281 496f B959 B965e6db227f

Once the SSH tunnel is launched, go to the “Session” section:

954999a6 655c 46c9 Acf0 54a86b9bbabb

  1. In the “Remote hostname or IP address” field, enter localhost, and in the “Port” field, enter 5901:

1e058a96 29a3 4f01 B2d5 9a73767cd65c

  1. Click the “OK” button to connect.

After entering the VNC session password, the server’s graphical interface will appear:

Conclusion
Copy link

Although the VNC protocol does not encrypt its traffic by default, this issue can be resolved by using an SSH tunnel. In this article, we reviewed several methods for setting up an SSH tunnel on your device.

You can also use our VPS Storage options to save all the SSH keys that necessary fro your work.