Teamviewer alternative: How to get a Remote Desktop VNC connection via SSH over an intermediate server, avoiding firewalls

What to do when Teamviewer suddenly doesn’t connect or you can’t or don’t want to use it for other reasons? What if a friend needs urgent assistance and you need to see his screen to help out? Standard Open Source tools to the rescue! If you know how to use SSH from the command line and have access to an user account on a remote server running SSHD, then this article will save you!

Teamviewer-like products are so popular because they solve a real problem: To connect from one household computer to another is not straightforward because we all use regular modems/routers to connect to the internet. They are usually not set up for Port Forwarding. In laymans terms this means: You can initiate a connection to  the internet, but the internet never can initiate a connection to you. This quandary has only one solution: an intermediary is needed. Teamviewer-like products all offer such intermediary servers. Data is never directly sent from one computer to the other. Data is passed through a server (which allows for all kinds of spying by the way, if the encryption is not good enough!)

There are tons of (unfortunately for me) half-working instructions in the web about how the commands must look like. I took me several hours to wrap my mind around the problem. For this article, I’ve decided to make an image gallery so that you can see easier what is going on behind the scenes. Running just 4 commands will do the trick!

The following list and image shows the starting point of our situation:

  • We are sitting in front of the computer called “sittinghere”.
  • We want to see the screen of the computer called “overthere”.
  • There is a server called “hopper” which runs an ssh daemon (sshd) listening on the standard port 22. Our data will ‘hop’ though there, hence the name “hopper”.


The initial battlefield: Regular firewalls are installed for "sittinghere" and "overthere". "hopper" has a firewall with only port 22 open.
The initial situation: Regular firewalls are constrict “sittinghere” and “overthere”. “hopper” has a firewall with only port 22 open.

We instruct our friend, sitting in front of the computer “overthere”, to start any kind of VNC server. There are many products for Windows, Mac OS, and Linux available. I’m using Linux and decided for x11vnc because it allows access to the screen of the currently logged in user instead of starting a new user session. The command is:

After this command, our situation has changed. See the following image. The VNC server has started listening on port 5900 (see lower right corner):


A VNC server is started "overthere". It listens on port 5900.
A VNC server is started “overthere”. It listens on port 5900.

Now we have to instruct our friend, sitting on “overthere”, to run a ssh command to connect to “hopper”. You can make a little batch script for this to make it more convenient, but this is not the focus of this article. The command is:

With this command, sshd on “hopper” is instructed to create a socket on port 7001. And when someone connects to this port, it will be as if the same connection had been made on “overthere” port 5900. In the code above, “localhost” refers to the computer “overthere” because the command is executed on this computer.

Let’s see how our situation now looks like:


An ssh client is started "overthere" with Remote Port Forwarding options. A connection is made to sshd, running on "hopper". sshd opens a port localhost:7001 and listens for incoming connections from localhost.
An ssh client is started “overthere” with Remote Port Forwarding options. A connection is made to sshd, running on “hopper”. sshd opens a port on localhost:7001 and listens for incoming connections.

Now that “overthere” has done its connection to “hopper”,  it is time for “sittinghere” to connect to “hopper” too. Here is the command:

This means: A socket on port 7002 will be created on localhost (“sittinghere”). If someone connects to this port, it will be as if the same connection had been made on port 7001 on “hopper”. Here’s the new situation:


"sittinghere" starts ssh with Local Port Forwarding options. It connects to sshd running on port 22 of "hopper". It also creates port 7002 on localhost and listens for incoming connections.
“sittinghere” starts ssh with Local Port Forwarding options. It connects to sshd running on port 22 of “hopper”. It also creates port 7002 on localhost and listens for incoming connections.

Now, remember that a connection to port 7001 on “hopper” will have the same effect as if the same connection had been made on “overthere”. This means we will have a kind of ripple-through effect: As soon as we connect to port 7002 on “sittinghere”, the connection will ripple through until it connects to port 5900 of “overthere”. And this endpoint is our VNC server.

Now let’s connect with a VNC client from “sittinghere” to “overthere”. You will find lots of good VNC clients in the internet. Just connect to

which is equivalent to

This will start our connection cascade, and the final situation looks like this:


On "sittinghere", a VNC viewer is started and told to connect to localhost port 7002. This connection is detected by ssh which makes sshd running on "hopper" connect to port 7001, which causes ssh running on "overthere" connect to port 5900. Now the route is complete and we can see the remote screen!
On “sittinghere”, a VNC viewer is started and told to connect to localhost port 7002. This connection is detected by ssh which makes sshd running on “hopper” connect to port 7001, which causes ssh running on “overthere” to connect to port 5900. Now the route is complete and we can see the remote screen!


Congratulations, we’re now all connected through! If you have set a password (we’ve set it to “PASSWORD” in the above example), you now will see the remote screen. Note that we didn’t even have to execute a command on “hopper”, nor even reconfigure any firewall! My experience is that the quality and speed of the transmitted remote image is much better with this method than with commercial products. Of course, this is because commercial products have to divide and share bandwidth across all users.

The SSH connections will stay alive until you terminate them. So, just type “exit” in the ssh terminals opened at “sittinghere” and “overthere” that we have been opened previously (to “hopper”).

I’m glad I don’t have to rely on commercial products only any more!

Debian Linux HowTo: Bridging WLAN to Ethernet for Access Point (Infrastructure Mode) for Android Phones

wlan card

I am using the Wireless (WLAN) mainly to connect my mobile phone to the internet, for faster downloads and to test mobile apps. First, I only used Apple devices (such as iPad, iPod, iPhone, etc.), and those could connect without problems to a so-called Ad-Hoc network. However, many mobile devices, such as Android, unfortunately will NOT connect to an Ad-Hoc network, for reasons which are very well explained on this How-To Geek posting (it taught me about many things I didn’t know!).Since I’ve recently given up on Apple products and only use Android phones, I needed a definite answer to this problem. And I found it today.

As you may know, there are basically 2 modes to operate a wireless network: “Ad-Hoc” and “Infrastructure” (the latter one also called “Access Point” or shorter “AP”) mode. Cheaper Wireless cards only support the Ad-Hoc mode, but do NOT support the AP mode.

So, I thought: Let’s just buy a WLAN card which supports the AP mode. I bought the Intel Centrino Advanced-N 6235 (Link to official Intel product page). I found it here on Amazon: Intel Network 6235AN.HMWWB Centrino WiFi Card Half Mini PCI Express Advanced-N 6235 Dual Band Bluetooth

It is supported beginning with Kernel version 3.2. I mounted it, and was planning to use the Network Manager of Debian Wheezy / Gnome 3 to quickly set up an AP Hotspot. Easier said than done! Because even though there is an option to set “Infrastructure” mode, my Android phone still would not connect. It would simply write “Ad-Hoc Connecting” and stop there, even though I had set the Infrastructure mode.


Network Manager in Debian Wheezy / Gnome3
Network Manager in Debian Wheezy / Gnome3


Network Manager in Debian Wheezy / Gnome3 offering "Infrastructure" mode which is not recognized by an Android smartphone, even though the network card supports AP and is fully supported by the Kernel.
Network Manager in Debian Wheezy / Gnome3 offering “Infrastructure” mode which is not recognized by an Android smartphone, even though the network card supports AP and is fully supported by the Kernel.


I had to wade through a LOT of web postings, all suggesting not-really-working ‘solutions’ until I found a synthesis of all the collected information that worked for me.

It turns out that you need a dedicated user-space program for ‘driving’ the AP hardware contained in your network chip, and this is hostapd . It seems, you can’t do without.

I found this blog which offered a bash script to automate the job, but it only worked for Ubuntu, and not for Debian due to different configuration files. I also found this little Qt program that made the wireless connection work for my phone, but disconnected my laptop from all networks.(It could have been my fault due to misunderstandings though…)

This blog did a good job in explaining what  hostapd  is and gives basic installation and configuration instructions. You should read the post in any event. However, the suggested final solution did not work for me. Yes, the phone would see the generated wireless network, would connect, but immediately disconnect. I have not found the reason for the failure, but it probably lies hidden in the complexity of the set-up which painstakingly involves

  • a locally run DHCP and DNS server,
  • configuration of same,
  • and manual calls to  iptables  (masquerading, forwarding, etc.) to route between eth0 and wlan0 devices

The author of this blog wrote a second post to avoid the locally run DHCP server in favor of re-using the DHCP server of the network (e.g. the modem) by using  dnsmasq , which is yet another locally run server, only a bit simpler, but has to be configured also. I tried it to no avail. Same problem: phone would disconnect immediately. Frustrated, I moved on.

Then I found ths blog which brought a new idea: the concept of bridging between network interfaces instead of using iptables, which, and this is the good news, is supported ‘natively’ by  hostapd and the Linux networking system configured by  /etc/network/interfaces . However, this solution still did not work for me. After modifying  /etc/network/interfaces accordingly, I managed to mess my internet connection up. It turned out that setting up a bridge between Ethernet and Wireless is not that trivial! Even the highly official Debian Wiki BridgeNetworkConnections would not give working results for my case. So, I started crossreferencing between other solutions and finally came up with the following sequence of commands that work for me on my pretty standard Debian Wheezy laptop with one ethernet adapter (eth0) and the above mentioned Intel network adapter (wlan1). You only need to install 2 packages (bridge-utils and hostapd). With my method, there is no need for a locally installed DHCP or DNS server, and no need to modify the /etc/network/interfaces  file. There is no requirement to permanently make changes to your network configuration. In an emergency (if you are stuck somehow), a reboot will reset your network configuration to the defaults. Devices connected to your newly created wireless network will be served by the DHCP and DNS server specified in your router/modem. Your mobile phone will be a regular and equal member of your LAN.

You can turn the following listed commands easily into a Bash script with ‘start’ and ‘stop’ arguments. But I’ll leave that up to you. It’s easy enough once you copy/past the following commands into a terminal window. So, without further ado, as superuser…

… install bridge-utils. These are helper programs.

Next, remove the attached IP address from the Ethernet card eth0. Bridging will not work when an IP address is set.

Next, turn on IPv4 networking for your wireless card. This is necessary, otherwhise one of the next steps will give the error “can’t add wlan1 to bridge br0: Operation not supported”.

Next, create the actual bridge br0 with the helper program brctl:

Next, bridge between ethernet and wireless. The order of the last two arguments is not important:

Next, bring the newly created bridge up, as a virtual device:

At this point, you will have lost your connection to your LAN/WAN. You have to set an IP address, netmask, router, etc. for the bridge. We do this via DHCP:

Now you should be able to access the internet again. Test it! If it doesn’t work, just reboot your computer. We have not made permanent changes to your system (another advantage of this method!)

So far so good. Now we have to create our actual wireless network in AP mode and use our Android phone to test it. Install hostapd:

Create a configuration file somewhere on your drive. I chose the location  /etc/hostapd/my-wlan.conf . Make sure you have the right driver set for your card (see above mentioned blog for more info. n180211 should work in most cases):

(comments are thanks to above mentioned blog)

Now, simply start hostapd with this configuration file as the only argument:

You will see debug messages helping you to see what is going on behind the scenes. Now use your Android phone, enable WIFI, wait for the network “networkname” to appear, connect to it, enter the password “12345678”, open up a browser and see if it works. Make sure that Wireless is turned on in your Network Manager:

gnome network manager wlan

Otherwise you will get the following messages:

To turn off wireless (you really don’t want to be grilled by microwaves 24 hours a day!), you cannot just turn Wireless off in your Network Manager since it seems to ‘damage’ the bridge (I have yet to confirm this a second time), and you won’t be able to access your network/internet. You have to ‘deconstruct’ the bridge in the following way:

Only after that, you can turn of Wireless in your Network Manager. Again, if you are stuck, just reboot.

I hope this helps somebody, it worked for me, if not, write me a comment.


Symlinks within shared folders in VirtualBox: Operation not permitted and Read Only Filesystem

This is not a bug, it is a security feature of Virtual Box. Nevertheless it is annoying when you want to use your virutal system as a build system which needs symlinks in shared folders. To enable symlink creation, do the following:

Shut down your virtual machine, close all VirtualBox windows, including the main GUI window

For example, if your virtual machine is called “Debian Wheezy” (with a space), you have to escape that space with a backslash. In my case, I had to do:

To check if your setting has been taken, run

Restart your virtual machine and creating of symlinks should work. I found that creating hard links still doesn’t work with this method. If anyone knows a fix for hard links, please let me know!

Do not Panic! Remote Server (Hetzner) not rebooting any more – A Solution

GDFL 1.2
GDFL 1.2

I went through this experience recently. First of all, don’t panic! I panicked, and because of this, I made a mistake: I didn’t wait long enough for it to come online. Had I waited up to 60 minutes, it would probably have come online (see reason below). The story:

I had broken packages on my Ubuntu 10.04 server and decided to fix them by

While updating, I noticed that the package grub-pc  also was upgraded, apparently a new bootloader (or bootloader configuration) was installed. This made me feel uncomfortable, since I didn’t know if the server would reboot after this upgrade. So, because of the saying “The devil you know is better than the devil you don’t know” (and a desire to sleep peacefully at night!) I decided to reboot the server and see what would happen. To my big dismay, it did not come online. SSH connections failed with "Port 22: Connection refused" .

I panicked and asked the Hetzner Support (which is very responsive and supportive btw!) to install a LARA Remote Console so that I could see the text output of the booting screen. After some regular startup text, the screen became blank. I panicked even more and took immediate steps to move all data to a new server. It took me 6 hours to complete the most important parts, and another full week of restless work to finish it. We will see that it was not neccessary.

Most regular servers at the Hetzner datacenter are running Software RAID. It seems that after a reboot (especially if you send a Hardware Reset) the OS needs some time to re-sync or check the file system. I am not sure what caused the delay in my case. Re-syncing the entire RAID array can take up to 1-2 hours, depending on your hardware and disc space.

So, wait at least 1 hour for it to come online, especially after a hardware reset! When you activate Hetzner’s Rescue system (which is very good btw!) it will stay active for a minimum of 1 hour, so your server will be down for 1 hour at least, in any event. So you are not losing much by waiting a bit longer.

Now, in my case, I assumed that Grub2 was broken. So I activated the Hetzner Rescue System, booted into it, and reinstalled Grub2. I have found the following method here and it worked for me. First you have to mount the regular RAID filesystem under /mnt :

At this point, you are in your regular root directory. To reinstall Grub2 the Debian Way, I did:

To make really sure, I reconfigured the package:

It will ask you where to install the bootloader. I selected:

No errors were reported. I rebooted again and it did not come online immediately, for the reasons previously mentioned. I waited long enough (in my case, 15 minutes) and it did come online. So, rule number one is: Don’t panic!

A solution for MySQL Assertion failure FIL_NULL

Mysql screenshot

A defective RAM module recently caused data corruption in MySQL tables. MySQL would log the following to /var/log/syslog  in regular intervals, about every few minutes:

Reading MySQL documentation and various blogs didn’t help much. I ran CHECK TABLES  on all the tables and they all reported OK. Then I ran

and still all tables reported OK. Nevertheless the Assertion Failures continued. Then I stumbled across this excellent blog post, which suggested to dump evertying into a .sql file, wipe /var/lib/mysql (not without making a backup, mind you!), and re-import everything from scratch. This is what I did and it worked.

I recorded the passwords for each database and collected it into a SQL script like this:

When you dump all databases into a .sql file, it will not dump the permissions, so you will need to restore them later with this script. Next, the dumping part, then removal and reinstallation of mysql (Danger here: When you remove mysql-server, all packges which depend on it also will be removed!):

Here, I had to reset the MySQL admin password because it didn’t work any more, so I ran:

Then, I re-imported all databases from the dump file:

Then I run the SQL permission script that I mention above.

For me, this resulted in no more Assertion Failures. Yay!



Adventures with various Segfaults due to defective RAM


If you get various segfaults on your Linux server, like these:




etc. etc., then, no, your system is not suddenly crazy. Nor are you. It is highly likely that you RAM is defective. You should reboot your server and run the  RAM test from your boot manager (Grub always has such a test) to see if it can detect faulty RAM.

If you are operating a server that you can’t reboot because you can’t tolerate downtime, there is an excellent tool called memtester , which is a memory test for a running system. It is part of the Debian distribution, installit with apt-get install memtester  Check top to see how much free RAM there is available. Say you have 10GB RAM free, then ask memterst to test 8GB of it (so that 2GB are remaining free for the running system to operate). In my case, memtester indeed detected faults.

I ran

It outputted stuff like this:

So, when I replaced the RAM, the Segfaults stopped. You can run memtester  regularly to make sure the RAM is okay. Healty RAM is a very crucial part of your successful hosting operation!

In my case however, the segfaults corrupted MySQL tables, which I had to clean up. All’s well that ends well!


How to install Guest Additions with Folder Sharing on VirtualBox – The Debian Way

Debian Wheezy as guest Operating System with Folder Sharing

I always forget where to download the proper version of the Virtualbox GuestAdditions, so here is a short tutorial about how to do it quickly and easily in the Debian way. I always need folder sharing between the guest and host OS, so you will see how this is done also. I will be using the current stable distribution Debian Wheezy as host system (without a running display manager, just the console), and  as the guest system also Debian Wheezy. It turns out that Debian has even packaged the Guest Additions for virtualbox.

First, install Virtualbox and the Guest Additions:

Then install Debian Wheezy as a guest system. Next, mount the Guest Additions ISO file by navigating through the menu system of Virtualbox:

  • Devices -> CD/DVD Drives -> Coose a virtual CD/DVD disk file …

Choose the ISO from this path:

Next, in your guest OS, mount the virtual CD, and run the installer:

Next shut down your guest OS (don’t to this in your host OS 😉 ):

Now set up the shared folder in the menu system of Virtualbox:

  • Settings -> Shared Folders -> +
  • Select Folder
  • Check “Auto-mount”

Re-start your guest OS, and you will have the shared folder auto-mounted in /media/sf_Public . Voila!

File permissions for successful SSH login via authorized_keys

Setting correct file permissions for ssh is a bit tricky

If you want to ssh into your server without being repeatedly prompted for the password you can copy your public ssh key into a file called authorized_keys  in the .ssh subdirectory of the home directory of the remove server account. However, this works only if the permissions for this file are set correctly.

First, if you have not done so already, generate the public key for your local user:


This will create a file ~/.ssh/

Append the only line in this file into the file ~/.ssh/authorized_keys  of the remote user account. Create the directory and file if it does not exist.

Now try to ssh into your remote account. If ssh is still asking for the remote user’s password, check the permissions of the following files and directories:

  • The permissions of the home directory of the remote user must be 755
  • The permissions of the remote .ssh directory must be 700
  • The permissions of the remote authorized_keys file must be 600

… of course all of those must be owned by the remote user, and not by root.

Now, you should be able to ssh into the remote account without being asked for the password!

How to set up audio streaming (internet radio) in Linux

RadioThis tutorial will show you how you can go live with your own internet radio station in a few minutes.

Demystifying “streams”

There is a lot of information, disinformation and irrelevant information about this in the internet. When you listen to internet radio, and you inspect the network requests in your Google Chrome Developer Tools (yes, you should use Chrome anyway), you will discover that a ‘magickal’ stream is nothing else than a blatantly simple HTTP download of a regular file which never finishes. Yup, jawdroppingly simple.

What do you need?

In order to broadcast audio (e.g. internet radio) into the internet, you need

  1. a remote streaming server with high bandwidth to which many clients can collect
  2. a local stream generator, which is sending a single stream to the streaming server

The following tutorial shows how you can easily achieve this with free and open source tools which are part of the Debian (Ubuntu) distributions. It will take you 15 minutes to start your first rudimentary broadcast.

We will use Icecast2 as a streaming server, simply for the reason that it is part of the Debian distribution and that I got it to work immediately. As the local stream generator we will use darkice, for the same reasons.

Why not Windows? Well, since the majority of remote servers are running Linux distributions, you can use Icecast2 anyway. If you want to use a different stream generator for Windows, you can do so. This screencast shows you how it’s done.


Is Icecast a professional-grade solution? According to a blog,

Very much so. ICEcast is an industry standard platform used by thousands and thousands of radio stations all over the world. Its wide compatibility means people can listen with most players and operating systems.

Listeners will be able to connect to your MP3 stream from all over the world, with all the popular media players including Windows Media Player, iTunes, Winamp, Realplayer, XMMS, and many more media players besides.

Although incredibly simple, it can cope with even the heaviest demands and will not break under pressure. Its simplicity works to the broadcaster and listeners favor.

According to Wikipedia,

Version 2 [of Icecast] was started in 2001, a ground-up rewrite aimed at multi-format support (initially targeting Ogg Vorbis) and scalability.

A ground-up rewrite for scalability certainly sounds like good news! So, let’s dive in!

You would do the following steps on a server which is located at a large internet node with enough bandwidth to serve all your audience. To install, simply type

During the installation you will be asked if you want to configure Icecast2. Answer yes. You will be asked the hostname. Here simply leave the default “localhost”. Next, you will be asked for source, relay and administration passwords. For testing, leave “hackme”. If you want to change the configuration at a later point, edit the configuration file  /etc/icecast2/icecast.xml

Next, you have to enable the Icecast2 server by setting ENABLE  in the configuration file  /etc/default/icecast2  to true .

Now, start the server by typing

service icecast2 start

You now can access the web admin interface on port 8000 of your machine:

Icecast2 web-based admin interface
Icecast2 web-based admin interface

The log file is in /var/log/icecast2/error.log  and access.log  . Best to tail -f both files to observe what is going on.


Darkice is a stream generator. It encodes audio into various formats (e.g. ogg, mp3, etc.) from various inputs (e.g. microphone jack, line-in jack, or the stereo mix of your operating system) and sends a single stream to our Icecast2 server, which in turns re-broadcasts it to all connected clients.

To install, simply type:

By default it does not install a configuration file. But there is an example one in the documentation. Copy this to the /etc directory:

cp /usr/share/doc/darkice/examples/darkice.cfg /etc

You will need to edit this file according to your needs. Here is an example that worked for me:

Make sure that the password and the IP address of the Icecast2 server (which we installed earlier on the other machine) match. Also, remember the mountPoint of this stream. This is simply a label, in my case it is “example1”. Then you simply run as normal user

It is a console-only application and you will see some messages. This is what I get:

The note about the realtime stuff is just a warning, it works for me nevertheless. It would be easy to run it as superuser.

Making a simple stream player

We will simply make a small website with one <audio> element. That is enough to play streams. Create an empty file called streamtest.html  with the following contents:

Make sure that the IP address corresponds to the server where the Icecast2 server is running on. Open this html file in a browser and click the play button. Now you should hear the same audio that the darkice client has as its input.

Changing the audio input for darkice

In case you don’t have the Pulse Audio Volume control installed, install it with

Then run it. As soon as you have darkice running, the “Recording” tab will show the text “ALSA plug-in [darkice]: ALSA Capture from …” From the drop down you can select the input source. The text is a bit misleading. In my case “Monitor” means the stereo-mix of the entire computer (e.g. all system sounds, all played back audios). “Built-in Analog Stereo” means the microphone / line-in jack.

Pulse Audio volume control pavucontrol
Pulse Audio volume control pavucontrol

For professional radio applications you of course would not use such a simple software mixer, but have an external hardware-based mixer to which all the microphones and the line-out of your computer are attached. Then you would connect the final output of the hardware mixer to your computer line-in and select “Built-in Analog Stereo” for darkice’s input.

Linux has a more professional audio system called Jack as a replacement for the standard system Pulse Audio (we were using Pulse Audio in the above tutorial, which is similar to what Windows uses). Both are running on the Linux Kernel’s sound system called ALSA.


In the face of tons of documentation and blogs in the internet it is surpirisingly easy to set up your own, simple internet radio station with zero investment, all thanks to the Open Source movement.




Citations within footnotes in LaTeX

Writing a tutorial on programming, I needed citations within footnotes. Luckily, the biblatex package added support (see first comment on the sourceforge page of biblatex) for citations within footnotes in 2011. Apparently, this is not straightforward, since a low-level citation command has to be used to satisfy LaTeX. Anyway, this is now done automatically by the biblatex  package, so I didn’t have to make any changes.

In my document, I only use the LaTeX command  \autocite  which behavior I can define in the document preamble. In my preamble I have:

Now, with the following TeX code…

… you get the following output:

LaTeX citation within footnote on HTML and Kindle output
LaTeX citation within footnote on HTML and Kindle output


You will notice that footnote 2 is a citation from within the normal text. Since I’ve specified autocite=footnote  in the preamble, this is rendered as a footnote. However, the citation from within the footnote 1 is rendered in-line.