13 Securing IQdesktop connection
The VNC connection between your computer and the computer on which IQdesktop is running normally is not encrypted. This is not an issue in the cases where:
- You run IQdesktop locally on your computer.
- You run IQdesktop on a server inside your organization.
- You run IQdesktop on a server to which you are connected via VPN.
Typical and powerful methods of securing your connection to IQdesktop are discussed below.
Use a Virtual Private Network (VPN) to access the IQdesktop server. This also works for cloud based systems, such as AWS. Typically it will be your sysadmin / IT department taking care of that.
13.2 SSH tunneling
If no VPN is available, SSH tunneling can be used. In this case you establish a secure SSH connection to your IQdesktop container and tunnel all VNC traffic through this encrypted channel. SSH tunneling is easily set up but recommended more for experienced users.
An example for how to connect to IQdesktop via SSH tunnelling is shown below:
ssh firstname.lastname@example.org -p 6900 -L 3333:192.168.1.28:5900
In the above command the different elements have the following meaning:
ssh: the command line for ssh connection
user: username of user on iqdesktop
192.168.1.28: address of the server on which IQdesktop is running
6900: SSH port of the SSH server on IQdesktop, defined in the IQdesktop config file
5900: VNC port of the VNC server on IQdesktop, defined in the IQdesktop config file
3333: Port to which the VNC traffic from IQDesktop is tunneled on your local system
Once you have established the SSH tunnel, keep the terminal Window open and connect to IQdesktop via VNC, as shown in Chapter 11. The difference now is that you do not connect to the address of the computer on which IQdesktop is running, but to your local computer at the port specified in the command above:
Done! You have established a safe connection to IQdesktop in the absence of a VPN
IQdesktop also allows to secure the VNC connection via a certificate. You can use certificates issued by a CA or you can generate your own certificate. Both is equally safe.
The certificate information (private key and certificate) is passed to IQdesktop via the IQdesktop configuration file. The certificate can also be provided to the VNC client.
A self-issued certificate can be generated on Linux systems by simply typing:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out iqdesktop_VNC_key.pem
openssl req -key iqdesktop_VNC_key.pem -x509 -new -days 3333 -out iqdesktop_VNC_cert.pem
During the generation of the certificate, the FQDN (fully qualified domain name) should be chosen as the url with which IQdesktop can be accessed. If done, this avoids a warning when connecting to it.