TurboVNC's native SSH tunneling slower than Putty for SSH tunneling on Windows 10; how to use external SSH client?

[sunrisepi]

Hi. Great work with TurboVNC! I compared it to TightVNC & TigerVNC and I think TurboVNC is the best one so far! The display quality is excellent, and I appreciate the scaling options for the resolution of the display. Very well implemented.

I have a question about the native SSH tunneling support in TurboVNC. TurboVNC performance is slower than Putty when using SSH tunneling. My findings:

• TurboVNC is about 8 times slower for initial connection & about 3 times slower when moving windows/graphics on a remote session, during the session.
• This is unfortunate as I really wish I could use everything in one program.
• It is tedious to manually establish an SSH tunnel using Putty and then starting up TurboVNC to connect. I would like to make this work a bit more efficiently.

More details: Using on Windows 10, version 21H2 (OS Build 19044.1766) Using TurboVNC 64-bit, version 3.0 (20220503). Using Putty 64-bit, version 0.74

When using TurboVNC tunneling:

• Viewer options in TurboVNC: In Security, set Gateway & populate SSH user/host options.
• Connection: Set the VNC server:port for connection, click Connect
• Enter SSH password for Gateway server.
• "Standard VNC Authentication [VncAuth]" dialog appears, with message displayed in green bar, "This connection is encrypted"
• Enter VNC password
• VNC connection to server is established. Server I am connecting to via VNC is running Ubuntu 22.04 LTS.
• Black screen for about 6-8 seconds (time varies a bit) before the session appears and I am able to interact with the server.
• About 3-4 seconds of latency between moving a window on my remote server and having the window display update completed, so I may interact with the session. This latency makes it a bit slow to use.

When using Putty for SSH tunneling:

• I noticed performance is much faster using Putty as external SSH Client; I have it configured exactly as summarized here: https://helpdeskgeek.com/how-to/tunnel-vnc-over-ssh/
• When using Putty for SSH Tunnel config, in TurboVNC I do not have any Gatway configured in Gateway.
• Establish SSH tunnel manually using Putty. Then run TurboVNC, connect to localhost:PORT.
• TurboVNC advises at "Standard VNC Authentication [VncAuth]" screen, "This connection is not encrypted," even though it is (I am connecting via an SSH tunnel established via Putty on local server). I suppose TurboVNC does not know this as the tunnel was not established by its native SSH code.
• Enter VNC password. After login I see the remote VNC server session appear in less than 1 second.
• When I move windows in the GUI on my remote VNC server session, they update in nearly real time, perhaps 1/8th of a second latency (only a bit of latency before window rendering finishes and I can interact). The session is nearly as responsive as when I am not using encryption.

Could an External SSH Client be used with TurboVNC on Windows 10? If the performance of the native SSH tunneling within TurboVNC can't be changed, I am wondering if I could use Windows SSH or Putty command line SSH with TurboVNC as an external SSH client, but I saw this closed issue which seems to indicate a problem with that: https://github.com/TurboVNC/turbovnc/issues/322 Is that still broken?

While considering if I could use Windows SSH as an external SSH client, I reviewed the below but the documentation is a bit difficult for me to understand. It would be great if the documentation could be updated to include examples, like Unix manpages often do.

6.6 Using SSH to Manually Secure a TurboVNC Connection https://rawcdn.githack.com/TurboVNC/turbovnc/33e7014483b01b0635bc20b37b403708ebeb4294/doc/index.html#hd006006

11.2 Viewer Settings https://rawcdn.githack.com/TurboVNC/turbovnc/33e7014483b01b0635bc20b37b403708ebeb4294/doc/index.html#hd0011002

Could you please provide examples of how to do the following?

• How to invoke vncviewer.bat from Windows command line (I tried with -ExtSSH and -Via and couldn't get it to connect to my gateway)
• How to configure the VNC_VIA_CMD environment variable? It is not clear to me how to configure this. I know I can use SET VNC_VIA_CMD="{value}" in Windows command prompt, but no idea what to put in that definition.
• How to set the various parameters like %H, %L etc.? I tried a number of ways but most of the time vncviewer.bat just spits out the usage help, because I am clearly not doing things right.

I verified by manually running the "default command" that this works for me:
ssh.exe -f -L 5901:MyVNCServerIP:5901 myUser@GatewaySSHServer sleep 20

This is the same as what is defined as the default run by TurboVNC, as written in section 11.2 of the documentation:

When the -via option is used along with the -extssh option, the TurboVNC Viewer reads the VNC_VIA_CMD environment variable or the turbovnc.via system property, expands patterns beginning with the “%” character, and uses the resulting command line to establish the secure tunnel to the VNC gateway. If VNC_VIA_CMD is not set, then this command line defaults to /usr/bin/ssh -f -L %L:%H:%R %G sleep 20 on Linux/Un*x and Mac systems and ssh.exe -f -L %L:%H:%R %G sleep 20 on Windows systems.

So to recap I am running this manually from Windows command prompt and it seems to work to establish an SSH tunnel in Windows: ssh.exe -f -L 5901:MyVNCServerIP:5901 myUser@GatewaySSHServer sleep 20. After running that, I launch TurboVNC (using the icon in Windows start menu) and tell it to connect to localhost:5901 and then it connects OK. And it is fast like when I manually set up the Putty SSH tunnel. When I exit TurboVNC, I noticed the ssh command in the command prompt exits too, so it looks like ssh is running the entire time that TurboVNC is running.

On Windows the default command TurboVNC runs is nearly the same: ssh.exe -f -L %L:%H:%R %G sleep 20

I just need help figuring out how to define VNC_VIA_CMD and the %L, %H, %R and %G variables. There is no example in the documentation for how to do this. I would appreciate your help in understanding how to do that, so I can try it and see if this would allow me to use Putty (or some other ssh client) instead of TurboVNC's SSH client, as a workaround.

I really like TurboVNC and wish to use it; just need the SSH tunneling to be a bit faster. Thank you very much!

[dcommander]

I have never observed such a slow-down in the built-in SSH client, nor has anyone else reported it, so I’m curious as to why that is happening. I will reply to your other questions in more detail when I am back in the office on Wednesday. The short answer is that, yes, you can use -extssh and -via or -tunnel on Windows, but it requires an implementation of OpenSSH that supports the -f (fork) option. Cygwin and MSYS2 are the only OpenSSH implementations that support that, to my knowledge.

[sunrisepi]

Thanks for the update, I'll look into Cygwin/MSY2. That's odd (unfortunate) the SSH built into Windows (which is also OpenSSH) doesn't support forking. FYI this is the version I have on my system:

C:>ssh -V OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

Looking forward to the additional information you could share when you are back in the office. Happy 4th of July if you celebrate it!!! 🎆 🎉 ☺️

[sunrisepi]

Thanks for the tip about Cygwin, @dcommander. That fixed the slowdown issue I was seeing! Steps completed:

• Install Cygwin64 for Windows 10, being sure to select the OpenSSH package during the installation.
• Launch the Cygwin64 Terminal and verify the OpenSSH version (very recent!).

  $ ssh -V OpenSSH_9.0p1, OpenSSL 1.1.1p 21 Jun 2022

• Familiarize myself with how Cygwin works (accessing Windows paths from Cygwin terminal, calling a Cygwin script via Windows shortcut). I found this helpful for script execution.
• Before creating script, manually run the below commands within Cygwin terminal and ensure they work: (a) ssh forwarding functions as expected (ssh forks and returns the command shell so I could enter another command); (b) TurboVNC may be successfully executed from a Cygwin terminal.

  ssh -f -L 5901:{MyVNCServerIP}:5901 {myUser}@{GatewaySSHServer} sleep 20; /cygdrive/c/Program\ Files/TurboVNC/vncviewer.bat localhost:5901

• The above was verified! ssh forks with this version of OpenSSH (as you noted) & TurboVNC used the SSH too! And it was very fast.
• Next I wanted to try TurboVNC with its native SSH to encrypt once again. Curious to see if it would show different behavior when run from Cygwin.

  /cygdrive/c/Program\ Files/TurboVNC/vncviewer.bat -via {myUser}@{GatewaySSHServer} {MyVNCServerIP}:5901

• Unfortunately, when I ran TurboVNC using its native SSH, it exhibited the same slowdown as before (6-8 seconds to load initial screen, then about 3-4 seconds to move windows around in GUI).
• Next I thought I would try both the -extssh and -via parameters. Maybe if I executed TurboVNC from Cygwin, TurboVNC would load the Cygwin version of SSH as the default?

  /cygdrive/c/Program\ Files/TurboVNC/vncviewer.bat -extssh -via {myUser}@{GatewaySSHServer} {MyVNCServerIP}:5901

• Success! The above command requested my Gateway SSH Server password, then showed the VNC login with the gorgeous green bar w/text saying the connection was encrypted. I then entered my VNC password and the session loaded in about 1 second & windows move nearly immediately, in 1/8th second or so. Very fast.
• Hence I'm confident the above method utilizes the default SSH within CygWin (OpenSSH 9.0p1).
• I placed that command in my Cygwin script and now use that for VNC to my server!

Incidentally, looks like the Win-32 OpenSSH bug (no forking; #999) has been open since 12/22/17. Hopefully that is fixed soon. I saw that mentioned in another article.

Thanks again for sharing the tip about Cygwin. Happy to have an easy to run batch script that can connect me quickly via SSH-encrypted VNC to my server now!!! 😄

I would very much appreciate learning how I could define VNC_VIA_CMD and the %L, %H, %R and %G variables, so looking forward to your info on that. I am sure this will be useful knowledge for future projects.

If there is any other data I could provide to try to help determine why the native SSH implementation within TurboVNC seems to exhibit more latency, let me know. Thank you.

[sunrisepi]

I don't have a good explanation for this, but I am no longer seeing the slow VNC performance with TurboVNC. I installed the programs on a different laptop today and could not reproduce the issue. The laptop I was using yesterday also no longer exhibits the issue! It is all fast now! Great, but baffling! 😂

• On a different laptop (made by Gateway, Intel Core i5-1035G1, 16GB RAM, Win 11 64-bit), I installed TurboVNC and Cygwin OpenSSH.
• I ran a VNC test using TurboVNC with its integrated SSH authentication, and performance was just fine - not slow.
• I ran the same VNC connection test using Cygwin OpenSSH in forward/fork mode (-extssh and -via switches), then had it run TurboVNC. Just as fast.

I then tried the same tests on the laptop I used yesterday (Dell Latitude E7470, Intel Core i5-6300U, 8GB RAM, Win 10 64-bit). I saw the same results; both TurboVNC's integrated SSH and Cygwin OpenSSH (via -extssh and -via switches) work nice and fast! Very strange, because yesterday, only Cygwin OpenSSH and Putty were fast. When I had used TurboVNC's integrated SSH yesterday, VNC performance was much slower.

I am wondering something. Does TurboVNC cache/save settings anywhere? Maybe even though I am telling TurboVNC to use integrated SSH, it is somehow still using the -extssh & -via settings and utilizing OpenSSH? 😕 I have no idea.

I am glad it is working well with both SSH clients, but I am bewildered why it was working so slowly with the integrated SSH in TurboVNC yesterday. It must have been something on my side. But I do not know what it could be. I have learned so much about VNC and SSH in a day! I suppose I can be thankful for that. 😄

[dcommander]

• How to invoke vncviewer.bat from Windows command line (I tried with -ExtSSH and -Via and couldn't get it to connect to my gateway)

That is the correct way to use -extssh and -via on Windows. Just be sure to specify the TurboVNC host from the point of view of the SSH gateway. For instance, if the SSH gateway and the TurboVNC host are the same machine, then the following command lines are equivalent:

"c:\Program Files\TurboVNC\vncviewer.bat" -extssh -via {ssh-gateway} localhost:{vnc-display}

"c:\Program Files\TurboVNC\vncviewer.bat" -extssh -tunnel {turbovnc-host}:{vnc-display}

• How to configure the VNC_VIA_CMD environment variable? It is not clear to me how to configure this. I know I can use SET VNC_VIA_CMD="{value}" in Windows command prompt, but no idea what to put in that definition.
• How to set the various parameters like %H, %L etc.? I tried a number of ways but most of the time vncviewer.bat just spits out the usage help, because I am clearly not doing things right.

The syntax of VNC_VIA_CMD is described in Section 11.2 of the TurboVNC User's Guide. If the viewer shows the usage screen, then that has nothing to do with VNC_VIA_CMD. It means that the command-line arguments are somehow incorrect.

• Next I thought I would try both the -extssh and -via parameters. Maybe if I executed TurboVNC from Cygwin, TurboVNC would load the Cygwin version of SSH as the default?

It is indeed necessary to either execute the viewer from a Cygwin shell or have the Cygwin binary directory in your PATH. The reason is that the default value of VNC_VIA_CMD on Windows is ssh.exe -f -L %L:%H:%R %G sleep 20. You can change VNC_VIA_CMD to c:\\cygwin\\bin\\ssh.exe -f -L %L:%H:%R %G sleep 20 (note double backslashes) if you want to use the TurboVNC Viewer with -extssh outside of a Cygwin shell or without Cygwin in your PATH. (Note that -tunnel will use a different environment variable, VNC_TUNNEL_CMD.)

If there is any other data I could provide to try to help determine why the native SSH implementation within TurboVNC seems to exhibit more latency, let me know. Thank you.

Please specify how you generated your OpenSSH private key. Perhaps your key uses an algorithm that is not well optimized in the TurboVNC Viewer's built-in SSH client. Other than that, I have no explanation.

I am wondering something. Does TurboVNC cache/save settings anywhere? Maybe even though I am telling TurboVNC to use integrated SSH, it is somehow still using the -extssh & -via settings and utilizing OpenSSH? 😕 I have no idea.

The TurboVNC Viewer only stores settings when you click "OK" in the TurboVNC Viewer Options dialog, and it only stores the settings that are configurable in the Options dialog. Thus, the -via setting would be stored if you launched the viewer using -via, opened the Options dialog, then clicked "OK" to dismiss the dialog. The -extssh setting is never stored. However, there is a bit of subtlety to the -extssh behavior. As documented in the usage screen, the viewer will automatically enable -extssh if either the VNC_VIA_CMD or VNC_TUNNEL_CMD environment variable is set.

You can clear all of the stored settings by doing the following:

• Open the TurboVNC Viewer Options dialog.
• Under the "Global" tab, click "Clear the list of saved connections".
• Click "Cancel" to dismiss the TurboVNC Viewer Options dialog.
• Quit and restart the TurboVNC Viewer.

[sunrisepi]

Thanks for the additional details; that clarifies VNC_VIA_CMD. I misinterpreted the documentation to mean that I had to set values for the parameters %G, %H, %L and %R. After reading your response I now understand that values for those parameters are populated based on what is entered on the command line. 🤦 😊

Good tip on how to invoke Cygwin's ssh outside of Cygwin. I tried that and verified it works, by setting my VNC_VIA_CMD to the following (I'm using the 64-bit version of Cygwin): c:\\cygwin64\\bin\\ssh.exe -f -L %L:%H:%R %G sleep 20

Please specify how you generated your OpenSSH private key. Perhaps your key uses an algorithm that is not well optimized in the TurboVNC Viewer's built-in SSH client. Other than that, I have no explanation.

I'm not using keys; just SSH password authentication. Not sure why it was slow but it is fine now.

Thanks for the info on how to clear settings & for answering my other questions. I don't have any other questions, so feel free to close this if you agree. 👍 Thank you.

[dcommander]

Hopefully the performance issue was just intermittent, but if you encounter it again, let me know.