HttpTunnel4vnc

The Problem

Usually VNC-clients and -servers use a proprietary protocoll (rfb-protocoll) on user-defined ports (e.g. 5900) to communicate through a bidirectional channel. This works well as long as client and server have a direct link (no proxies or firewalls in between) or the VNC-user has full control over all components involved. But in typical real-world scenarios we have no control over firewalls (usually opening only a few well-defined ports and blocking proprietary protocolls) and we have to deal with proxies (sometimes giving the client indirect internet-access only). Therefore VNC will often not work in such real-world scenarios.

The Solution

HttpTunnel4vnc solves this problem by tunneling VNC's proprietary rfb-protocoll over HTTP. Almost all (protocol-filtering) firewalls are configured to be open for HTTP. Furthermore firewalls typically open the ports 80 and 443. In scenarios with clients placed inside a local network (often with a non-public IP) and internet-access only through HTTP-proxies, HttpTunnel4vnc will provide a working solution too.

Features

Our main goal was to provide a solution that works with a wide range of firewalls and proxies and requires minimal fuss on the client side.
HttpTunnel4vnc requires no signed applets, no reconfiguration of firewalls; proxy settings of browsers are used transparently.
HttpTunnel4vnc uses only vanilla HTTP GET and PUT requests (no fancy CONNECTs), this should work even with the dumbest browsers. [We know that HttpTunnel4vnc does not work with certain proxies, but we don't know the exact reasons; at the time being, we blame these proxies for not implementing HTTP correctly. Squid and Apache work.]
HTTP tunneling introduces quite a bit of overhead, and things get worse the more proxies are between client and server. A rough estimate suggests, that HTTP tunneling requires 10 times more bandwidth than a direct connection. However, our subjective perception is that interactive performance is still good. YMMV, of course.
HttpTunnel4vnc supports persistent (keep-alive) connections and HTTP pipelining. Unfortunately, few browsers, and even fewer proxies, take advantage of these features.
HttpTunnel4vnc can be configured to work transparently behind Apache. This way, you can use the all import port 80 for VNC and other applications. Thus HttpTunnel4vnc can also be configured to provide virtual multi-session support (bonus: multiple VNC servers on port 80 + full Apache on port 80 can coexist).

Requirements

The HttpTunnel4vnc server runs at least on GNU Linux/x86 (other java-capable plattforms are possible, but not tested).

The modified viewer works with Internet Explorer 5 (or newer) and with Mozilla using the SUN JavaPlugin (other browsers may work as well, but are not tested. Opera 6.1 is known not to work)

If you want to use multi-session support, you need Apache and it's rewrite-engine (rewrite_mod; see INSTALL in downloaded file for details).

Installation

Server:

There are 2 versions available (choose one of them):

(A) Lisp Version: forwarder 1.5

This is our production version, which is well tested.

This version requires a CMU Common Lisp environment. If you don't have CMUCL and don't want to install it: try our java version: see (B)

Download CMU Common Lisp and install it on your machine.

Download the forwarder (lisp source + binary), unpack it, and follow the instructions in the INSTALL file. The "forwarder" is the server-part of HttpTunnel4vnc.

(B) Java Version: jforwarder 0.2

This is a re-implementation in Java - not well tested but no errors known.

Download the jforwarder (java source + binary), unpack it, and follow the instructions in the INSTALL file. The "forwarder" is the server-part of HttpTunnel4vnc.

Client:

Download and compile the modified viewer (java source).

The viewer is heavily based on tightVNC 1.2.6 (see README) and has an additional required applet-parameter:

This parameter is required in all cases. The RFB protocol is tunneled on a connection to this port. The firewall (on the client side) must not block this port. Setting TUNNELPORT to -1, disables HTTP tunneling. Setting PORT to -1 forces HTTP tunneling.

--> TUNNELPORT
  Value: TCP port number of the forwarder (server)
  Default: none.

Optional:Just is case you want to start the client from command-line (instead as an applet): Extract the sources, then change to the resulting directory "vnc_javasrc". Do the following:

1. make clean; make all
2. java VncViewer HOST "myhost" PORT -1 TUNNELPORT "4567"

(note: no "-jar .." option used)

Prices

We do not charge fees for private use, but ask you to follow the following points:

give feedback (comments & hints, bug-reports & bug-fixes)

set link to this page

HttpTunnel4vnc: ("forwarder", etc.)

free for private use
contact us for commercial use
VncViewer: free for any use (see GPL General Public License)

License(s)

HttpTunnel4vnc is published under a BSD-style License.

VncViewer (java client) is published under the GPL.

Contributors

Helmut Eller	Lead programmer: he has done most of the coding (especially all the hairy stuff) - network expert and lisp guru
Christoph Rettig	Testing and programming hints - java expert and dog owner (dog's-name: "Pepe", dog-size: x-small ;-)
Martin Eller	Project coordination and marketing - responsible for all the rest

The development of HttpTunnel4vnc has been sponsored by "Eller & Partner Unternehmensberatung KEG", Austria, Vienna.

Referrences

Primary TightVNC Site
What is a VNC?
Our Corporate Site (german)
use HttpTunnel4vnc@online-marketwatch.com for contact
VNCProxy on ErgoTech.com (uses Java Servlets)
brandgang another tunneling solution (out-of-date ??)