13 Securing the IQdesktop connection

The VNC connection between your computer and the computer on which IQdesktop is running is normally not encrypted. This is not a problem as long as the VNC traffic never crosses a network you do not trust, i.e. when:

  • You run IQdesktop locally on your computer.
  • You run IQdesktop on a server inside your organization.
  • You run IQdesktop on a server to which you are connected via VPN.

The usual ways of securing your connection to IQdesktop in all other cases are described below.

13.1 VPN

Use a Virtual Private Network (VPN) to reach the IQdesktop server, so that the VNC traffic only travels inside the encrypted VPN tunnel. This also works for cloud-based systems such as AWS. Typically your sysadmin / IT department takes care of this.

13.2 SSH tunneling

If no VPN is available, SSH tunneling can be used. You establish an SSH connection to your IQdesktop container and forward your VNC traffic through this encrypted channel. SSH tunneling is easy to set up, but it is recommended for experienced users.

An example of how to connect to IQdesktop via SSH tunneling is shown below:

ssh user@192.168.1.28 -p 6900 -L 3333:192.168.1.28:5900

In the above command the elements have the following meaning:

  • ssh: the SSH client command
  • user: your username on IQdesktop
  • 192.168.1.28: address of the server on which IQdesktop is running
  • -p 6900: port of the SSH server in IQdesktop, as defined in the IQdesktop config file
  • -L 3333:192.168.1.28:5900: forward local port 3333 to port 5900 on 192.168.1.28, i.e. to the VNC server in IQdesktop, whose port is defined in the IQdesktop config file. The destination is reached from the SSH server, not from your computer, so it must be the machine on which the SSH server itself runs (that address, or localhost); otherwise the last hop would travel outside the encrypted tunnel.
  • 3333: the port on your local computer at which the tunneled VNC server becomes reachable

Once the SSH tunnel is established, keep the terminal window open and connect to IQdesktop via VNC as shown in Chapter 11. The difference is that you no longer connect to the address of the computer on which IQdesktop is running, but to your local computer at the port given in the command above, i.e. localhost:3333 in this example. On the first connection ssh asks you to confirm the server's host key; check its fingerprint with whoever set up the server before accepting it, since an unverified key could belong to an attacker sitting between you and the server.

Done! You have established an encrypted connection to IQdesktop without a VPN. Keep in mind that the tunnel protects only your own session: if the VNC port itself is reachable from untrusted networks, it should be blocked by a firewall so that only the SSH port is exposed.
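The whole procedure of this section, as an added shell script that is not part of the IQdesktop documentation: it builds the ssh command, opens the tunnel, starts the VNC viewer through the local port and closes the tunnel again when the viewer exits. User, host and ports are those of the example above; the viewer program name vncviewer and the IQD_CONNECT environment variable are assumptions. Compared to the plain command above it adds -N, ExitOnForwardFailure, an explicit loopback bind for the local port and localhost as the forward destination; the comments explain why each matters.

```shell
#!/bin/sh
# Added example, not part of the IQdesktop documentation: open the SSH tunnel
# to the IQdesktop VNC port, start the VNC viewer through it and close the
# tunnel again when the viewer exits. User, host and ports are those of the
# manual's example; "vncviewer" as the client program is an assumption.
set -eu

# valid_port N : succeeds if N is an integer between 1 and 65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd USER HOST SSHPORT VNCPORT LOCALPORT : prints the ssh command
# line (for display; connect_vnc below runs the same options). Compared to
# the plain command in the manual:
#  -N                           opens no remote shell, the session only
#                               carries the port forward
#  -o ExitOnForwardFailure=yes  makes ssh fail instead of logging in without
#                               a tunnel when LOCALPORT is already in use
#  127.0.0.1:LOCALPORT          binds the local end to loopback only, so other
#                               machines on your LAN cannot use your tunnel
#  localhost:VNCPORT            is resolved by the SSH server in the container,
#                               so the VNC traffic never leaves it unencrypted
tunnel_cmd() {
    for p in "$3" "$4" "$5"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    printf 'ssh -N -o ExitOnForwardFailure=yes -p %s -L 127.0.0.1:%s:localhost:%s %s@%s\n' \
        "$3" "$5" "$4" "$1" "$2"
}

# connect_vnc USER HOST SSHPORT VNCPORT LOCALPORT : tunnel, view, tear down.
connect_vnc() {
    user=$1 host=$2 sshport=$3 vncport=$4 lport=$5
    # Validate the ports before touching the network.
    tunnel_cmd "$user" "$host" "$sshport" "$vncport" "$lport" >/dev/null
    # Control socket so the backgrounded ssh can be closed cleanly later.
    sock="${TMPDIR:-/tmp}/iqdesktop-tunnel.$$"
    # -f sends ssh to the background only after the forward is established
    # (because ExitOnForwardFailure is set), so no sleep/poll loop is needed.
    # On the first connection ssh shows the server's host key fingerprint:
    # confirm it with whoever runs the server before accepting, otherwise
    # the tunnel may end at an impostor.
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes -p "$sshport" \
        -L "127.0.0.1:$lport:localhost:$vncport" "$user@$host"
    trap 'ssh -S "$sock" -O exit "$user@$host" 2>/dev/null' EXIT
    trap 'exit 130' INT TERM
    # The viewer talks to the local end of the tunnel, not to the server.
    vncviewer "127.0.0.1:$lport"
}

# Usage (stand-alone): IQD_CONNECT=1 sh vnc_over_ssh.sh
if [ -n "${IQD_CONNECT:-}" ]; then
    connect_vnc user 192.168.1.28 6900 5900 3333
fi
```

The control socket (-M / -S) is what allows the script to shut the backgrounded ssh down with `ssh -O exit` instead of hunting for its process id; if you prefer the manual's foreground form, drop -f and keep the terminal window open as described above.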

13.3 Certificates

IQdesktop can also secure the VNC connection itself with a TLS certificate. You can use a certificate issued by a CA or generate your own self-signed certificate. Both encrypt the connection equally well; the difference is how the VNC client verifies that it is talking to the real IQdesktop server. A CA-issued certificate is checked against the client's CA store, while a self-signed certificate must be made known to the client beforehand, by giving it the certificate or its fingerprint over a trusted channel. A self-signed certificate that the client merely accepts without checking protects against eavesdropping, but not against a man-in-the-middle.

The certificate information (private key and certificate) is passed to IQdesktop via the IQdesktop configuration file. The certificate, but never the private key, can also be provided to the VNC client so that it can verify the server.

A self-signed certificate can be generated on Linux systems with the following two commands:

Key:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out iqdesktop_VNC_key.pem

Certificate:

openssl req -key iqdesktop_VNC_key.pem -x509 -new -days 3333 -out iqdesktop_VNC_cert.pem

While generating the certificate, openssl asks for the certificate subject. As Common Name, enter the FQDN (fully qualified domain name) under which IQdesktop is reached; a client that checks the name will then connect without a name-mismatch warning. Note that many current TLS clients look for the name only in the subjectAltName extension, which the interactive command above does not set. Keep the key file readable by its owner only (chmod 600); anyone who obtains it can impersonate the IQdesktop server.
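The same key and certificate generation, as an added script that is not part of the IQdesktop documentation: it runs the two openssl commands non-interactively, puts the FQDN into a subjectAltName as well as the Common Name, keeps the private key readable by its owner only, checks that certificate and key belong together and prints the SHA-256 fingerprint to hand to users for pinning in their VNC client. The host name iqdesktop.example.org, the output directory ./iqdesktop_tls and the IQD_FQDN environment variable are assumptions; -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the IQdesktop documentation: create the
# self-signed key pair non-interactively, with the host name in a
# subjectAltName, keep the private key readable by its owner only and print
# the fingerprint that the VNC client can pin. The FQDN "iqdesktop.example.org"
# and the output directory "./iqdesktop_tls" are assumptions.
set -eu

# gen_vnc_cert FQDN OUTDIR : writes OUTDIR/iqdesktop_VNC_key.pem (mode 600)
# and OUTDIR/iqdesktop_VNC_cert.pem, the two files referenced from the
# IQdesktop config file.
gen_vnc_cert() {
    fqdn=$1 outdir=$2
    key="$outdir/iqdesktop_VNC_key.pem"
    cert="$outdir/iqdesktop_VNC_cert.pem"
    mkdir -p "$outdir"
    # umask 077 so the key file is never readable by others, not even for
    # the moment between its creation and a later chmod. Anyone who reads
    # this file can impersonate the IQdesktop server.
    ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$key" 2>/dev/null )
    # -subj replaces the interactive questions; -addext (OpenSSL 1.1.1+)
    # puts the FQDN into subjectAltName, which is where current TLS clients
    # look for the name (the Common Name alone is often ignored).
    openssl req -new -x509 -key "$key" -days 3333 \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -out "$cert" 2>/dev/null
}

# cert_fingerprint CERT : SHA-256 fingerprint of the certificate. Hand this
# to users over a trusted channel (not via the VNC connection itself) so
# their client can pin the self-signed certificate instead of trusting
# whatever it is shown.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_has_san CERT FQDN : succeeds if FQDN appears as a DNS name in the
# certificate's subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_matches_key CERT KEY : succeeds if the certificate carries the public
# key belonging to KEY (catches mixed-up files before IQdesktop is started).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage (stand-alone): IQD_FQDN=iqdesktop.example.org sh gen_vnc_cert.sh
if [ -n "${IQD_FQDN:-}" ]; then
    gen_vnc_cert "$IQD_FQDN" ./iqdesktop_tls
    cert_matches_key ./iqdesktop_tls/iqdesktop_VNC_cert.pem ./iqdesktop_tls/iqdesktop_VNC_key.pem
    echo "Pin this fingerprint in the VNC client: $(cert_fingerprint ./iqdesktop_tls/iqdesktop_VNC_cert.pem)"
fi
```

Only iqdesktop_VNC_cert.pem (or its fingerprint) goes to the client side; iqdesktop_VNC_key.pem stays on the IQdesktop host and is referenced from the IQdesktop configuration file as described above.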