DaemonForums  

#1
6th February 2024
hd77
Shell Scout
Join Date: Jan 2022
Posts: 103
can't connect to openbsd through standard VNC : connection refused

Hello

I tried to:
install tigervnc
launch vncserver from the user's ssh remotely
I added a password

then as root:
/etc/pf.conf
Code:
block return out log proto {tcp udp} user _pbuild
pass in on egress proto udp from any to port 5900
pass in proto tcp from any to athn0 port 5900
pass in proto udp from any to athn0 port 5900
pass in on egress proto tcp from any to any port 5900
pass in on egress proto udp from any to any port 5900
restart by:
Code:
pfctl -f /etc/pf.conf


then, on the VNC client, to connect:
lanip:5900

with several PCs on the same LAN (everything is on the LAN, nothing uses the internet), every time the VNC client fails:
Code:
ConnectToTcpAddr[ipv4]: connect: Connection refused
Trying ipv6 connection to '192.168.1.53'
ConnectToTcpAddr[ipv6]: trying ip-addr: '192.168.1.53'
ConnectToTcpAddr[ipv6]: connect: Connection refused
Unable to connect to VNC server (192.168.1.53:5900)
vncviewer command failed: 0

I tried to look at:
https://daemonforums.org/showthread.php?t=2449
https://daemonforums.org/showthread.php?t=11837
https://daemonforums.org/showthread.php?t=12505

without a solution

even with fe80:: .. I just don't understand
#2
6th February 2024
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,989

I see what I believe are PF configuration errors.
  • You have provisioned `from any to port 5900`. I believe you want either `from any to any port 5900` or `any to (self) port 5900`. The grammar expects a host to follow "to", with, as in this case, an optional port number.
  • You have provisioned `to athn0` but I believe you meant `on athn0`, since PF expects the operand following "to" to refer to a host or multiple hosts, not to an interface.
I recommend caution whenever you use `from`, `to`, `in`, and `on` as these limit what traffic matches the rule, and it is easy to make mistakes.

If the intent is to "permit both UDP and TCP traffic from anywhere that uses destination port 5900 to pass in both directions, if the traffic transits through athn0" then this rule should suffice:
Code:
pass on athn0 proto { tcp udp } from any to any port 5900
#3
3 Weeks Ago
hd77
Shell Scout
Join Date: Jan 2022
Posts: 103

Quote:
Originally Posted by jggimi View Post
I see what I believe are PF configuration errors.
  • You have provisioned `from any to port 5900`. I believe you want either `from any to any port 5900` or `any to (self) port 5900`. The grammar expects a host to follow "to", with, as in this case, an optional port number.
  • You have provisioned `to athn0` but I believe you meant `on athn0`, since PF expects the operand following "to" to refer to a host or multiple hosts, not to an interface.
I recommend caution whenever you use `from`, `to`, `in`, and `on` as these limit what traffic matches the rule, and it is easy to make mistakes.

If the intent is to "permit both UDP and TCP traffic from anywhere that uses destination port 5900 to pass in both directions, if the traffic transits through athn0" then this rule should suffice:
Code:
pass on athn0 proto { tcp udp } from any to any port 5900
Quote:
Impossible to connect to VNC server
I suspect it is a firewall issue.

I tried following this how-to:
https://www.tumfatig.net/2011/vnc-server-on-openbsd/
does it work for you?
for me: no.

I didn't find any other...

if somebody would like to help me, by XMPP chat, to create a kind of "automatic script" which permits enabling ready-to-use VNC for workstations and personal laptops, in a way that avoids searching for hours for a proper way of remote control..

alone I won't be able to..
#4
3 Weeks Ago
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,989

1. I already provided a PF rule which should pass port 5900 in any direction. Have you applied this rule? If so, what does your COMPLETE pf.conf look like now?

2. You are trying to follow a 13-year-old "howto" which does not have any firewall recommendations. Have you contacted the author for any updates or guidance? There is an email link at the bottom of the page.
#5
2 Weeks Ago
hd77
Shell Scout
Join Date: Jan 2022
Posts: 103

Quote:
Originally Posted by jggimi View Post
1. I already provided a PF rule which should pass port 5900 in any direction. Have you applied this rule? If so, what does your COMPLETE pf.conf look like now?

2. You are trying to follow a 13-year-old "howto" which does not have any firewall recommendations. Have you contacted the author for any updates or guidance? There is an email link at the bottom of the page.
Hello:

pf.conf:
Code:
set skip on lo

block return # block stateless traffic
pass # establish keep-state

# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network

pass on athn0 proto { tcp udp } from any to any port 5900
rc.conf.local:
Code:
x11vnc_flags="-listen 0.0.0.0 -rfbauth /etc/x11vnc.passwd -logfile /var/log/x11vnc -ncache 0 -display :0 -forever -loop100 -auth /etc/X11/xdm/authdir/authfiles/A:0-*"
pls consider me as a 13yo boy as openbsd is not that simple
#6
2 Weeks Ago
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,989

You do not appear to have a firewall issue. From what you've posted, you have a "default pass" configuration. All traffic will either match the very last rule (pass on athn0...) if it is destined for port 5900 in either direction, otherwise, any other traffic will match your second rule (pass). PF has a "last matching rule wins" policy, unless expressly overridden, so your only block rule will not be applied to any traffic.
  1. Is x11vnc running? `# rcctl check x11vnc` should help.
  2. If it is, are you able to connect to it via loopback ("localhost" or "127.0.0.1" or "::1")?
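The two PF points made in this thread (post #2: the token after `to` must be a host, so `to port 5900` does not parse; post #6: with no `quick` rules the last matching rule wins, so the `block return` line in the posted pf.conf can never decide anything and the ruleset is effectively default-pass) can be checked mechanically. The following is an added example and not code from the thread or from OpenBSD: a toy Python model of PF rule evaluation run against the pf.conf posted in #5. It is not pfctl; it understands only the small subset of pf.conf grammar that appears above, the packets it evaluates are constructed tuples of (interface, direction, protocol, destination port), and `set skip on lo` is approximated by treating `lo` as covering `lo0`.

```python
"""Added example (not from the thread): a toy model of PF rule evaluation run against the
pf.conf posted in #5.  Not pfctl: it knows only the pf.conf subset used in this thread."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
KEYWORDS = {"pass", "block", "return", "in", "out", "on", "proto", "from", "to", "port", "quick", "all"}

@dataclass(frozen=True)
class Rule:                    # a None / empty field matches anything
    action: str                # "pass" or "block"
    direction: Optional[str]   # "in" or "out"
    iface: Optional[str]
    protos: frozenset          # e.g. {"tcp", "udp"}
    dst_port: Optional[int]
    text: str

def _parse_rule(line: str) -> Rule:
    toks = line.replace("{", " { ").replace("}", " } ").split()
    i, direction, iface, dst_port, protos = 1, None, None, None, set()
    while i < len(toks):
        t = toks[i]
        if t == "return":                        # 'block return' matches like 'block'
            i += 1
        elif t in ("in", "out"):
            direction, i = t, i + 1
        elif t == "on":
            iface, i = toks[i + 1], i + 2
        elif t == "proto":                       # 'proto tcp' or 'proto { tcp udp }'
            j = toks.index("}", i) + 1 if toks[i + 1] == "{" else i + 2
            protos.update(x for x in toks[i + 1:j] if x not in ("{", "}"))
            i = j
        elif t in ("from", "to"):
            # PF wants a host (or 'any') here; a keyword such as 'port' is a syntax error (post #2).
            if i + 1 >= len(toks) or toks[i + 1] in KEYWORDS:
                raise ValueError(f"{line!r}: expected a host after {t!r}")
            if toks[i + 1] != "any":
                raise ValueError(f"{line!r}: this model only understands 'any' as a host")
            i += 2
        elif t == "port":                        # only 'to any port N' occurs in this thread
            dst_port, i = int(toks[i + 1]), i + 2
        else:
            raise ValueError(f"{line!r}: {t!r} not supported by this model")
    return Rule(toks[0], direction, iface, frozenset(protos), dst_port, line)

def syntax_error(line: str) -> Optional[str]:
    """Parse error for one rule line, or None if the model accepts it."""
    try:
        _parse_rule(line)
    except ValueError as e:
        return str(e)

def parse_ruleset(text: str) -> Tuple[Set[str], List[Rule]]:
    skip, rules = set(), []
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].split()      # comments and blank lines are ignored
        if toks[:3] == ["set", "skip", "on"]:
            skip.update(toks[3:])
        elif toks and toks[0] in ("pass", "block"):
            rules.append(_parse_rule(" ".join(toks)))
        elif toks:
            raise ValueError(f"{raw!r}: not supported by this model")
    return skip, rules

def _covers(r: Rule, direction, iface, protos, dst_port) -> bool:
    # Does r match every packet described by the four arguments?
    return ((r.direction is None or r.direction == direction)
            and (r.iface is None or r.iface == iface)
            and (not r.protos or bool(protos) and protos <= r.protos)
            and (r.dst_port is None or r.dst_port == dst_port))

def evaluate(skip: Set[str], rules: List[Rule], iface: str, direction: str,
             proto: str, dst_port: int) -> Tuple[str, Optional[Rule]]:
    """(action, deciding rule): the LAST matching rule wins; no match at all means pass."""
    if iface in skip or iface.rstrip("0123456789") in skip:   # 'set skip on lo' covers lo0
        return "pass", None
    winner = None
    for r in rules:
        if _covers(r, direction, iface, frozenset({proto}), dst_port):
            winner = r
    return (winner.action if winner else "pass"), winner

def is_shadowed(rules: List[Rule], idx: int) -> bool:
    """True if a later rule matches everything rules[idx] matches, so rules[idx] can
    never be the last match -- post #6's point about the 'block return' line."""
    r = rules[idx]
    return any(_covers(later, r.direction, r.iface, r.protos, r.dst_port) for later in rules[idx + 1:])

# The pf.conf as posted in #5.
POSTED_PF_CONF = """\
set skip on lo
block return # block stateless traffic
pass # establish keep-state
#block return in on ! lo0 proto tcp to port 6000:6010
pass on athn0 proto { tcp udp } from any to any port 5900
"""

if __name__ == "__main__":
    skip, rules = parse_ruleset(POSTED_PF_CONF)
    for pkt in [("athn0", "in", "tcp", 5900), ("athn0", "in", "tcp", 22), ("lo0", "in", "tcp", 5900)]:
        action, r = evaluate(skip, rules, *pkt)                 # constructed packets
        print(pkt, "->", action, "via", r.text if r else "<skipped interface>")
    print("never wins:", [r.text for i, r in enumerate(rules) if is_shadowed(rules, i)])
    print(syntax_error("pass in on egress proto udp from any to port 5900"))
```

Running it shows port 5900 traffic on athn0 deciding on the last rule, every other packet deciding on the bare `pass`, and `block return` reported as a rule that can never win, which is why jggimi concludes the problem is not the firewall. The real tool for the same question is `pfctl -nf /etc/pf.conf` for syntax and `pfctl -sr` to read back the loaded rules in order.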