Securing access to VNC/console of a VM in TrueNAS Core?

Joined
Oct 20, 2016
Messages
34
When I create a bhyve virtual machine in TrueNAS Core, I can access it directly via VNC by clicking on the VNC icon under that VM in the TrueNAS web interface. However, this web-based noVNC session only works over http, not https. I'd like to avoid this insecure access, because — if I understand correctly — another client on my network could in theory eavesdrop on the unencrypted VNC traffic, for example while I configure the root password of the guest OS when installing it.

What are the best ways to secure all this? To be clear, I'm not talking about access to the guest OS once it is running, but to the "console" of the VM itself, even while installing the guest OS (and afterwards).
  1. Is it possible to make the noVNC session use https? I'm using the self-signed freenas_default certificate for https access to the TrueNAS web interface, but this doesn't seem to carry over to the VNC session (I think the noVNC doesn't accept https connections). This thread looks similar, but it looks like the poster didn't manage to get it working either. I realise that even if I get https working for the noVNC sessions, it won't stop someone else on the network accessing the VM via VNC if they know the port on the TrueNAS host. If I'm concerned about this, should I disable vnc_web access?
  2. Can I make the bhyve noVNC server listen only on localhost and then connect using an SSH tunnel? Is this what the "Bind" setting for the VM's VNC device is for, i.e. can I:
    1. Change vnc_bind from 0.0.0.0 to 127.0.0.1 (will this make it only accept connections from localhost?)
    2. Disable vnc_web (although I guess this doesn't matter if it's only listening on localhost)
    3. Enable SSH access (with Port Forwarding) in the TrueNAS web interface
    4. Set up a tunnel to the TrueNAS host (with a non-root user) and connect with a regular VNC client
  3. Or, should I delete the VM's VNC device completely and do the OS install using the VM's serial console, accessed by SSH to the TrueNAS host?
  4. Or, is there another approach I should take?
I looked at the vnc_password configuration option, but I didn't understand how it's supposed to work (or indeed whether it will secure things in the way I want). It says "Enter a VNC password to automatically pass to the VNC session. Passwords cannot be longer than 8 characters." How do I actually configure the password that the noVNC server is waiting for? Or, does this configuration option both configure the password on the server side, and automatically pass it from the noVNC web client session?

Thank you in advance for any advice!
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I use VNC for installation only (trusted network) and remove the device afterwards for all Unix guests, activating a serial console instead. For Windows I similarly install via VNC, then use RDP once the VM is up and running.

HTH,
Patrick
 
Joined
Oct 20, 2016
Messages
34
Thank you, @Patrick M. Hausen ! Do you connect to the serial console from an ssh session on the TrueNAS host?

Do you (or anyone else) know if my proposed option 2 (restrict VNC to local connections and tunnel in) would work too? Is there a security-related reason why you don't do it that way, or is it just that you don't need VNC?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
1. Yes, ssh to host.
2. I don't need VNC for Unix hosts and for Windows an RDP session beats VNC in terms of usability by such a large margin ...
3. Binding to 127.0.0.1 and using ssh port forwarding should work.
 
Joined
Oct 20, 2016
Messages
34
Thank you again! I think I managed to get both the serial console and the VNC options to work.

When connecting via serial, do you just use sudo to get access to the serial device, e.g. "sudo cu -l /dev/whatever" or is there a better way to handle this?

For anyone interested in the VNC approach, here's what I ended up doing for that:
  • Configure the VNC device of the virtual machine:
    • Set Bind (vnc_bind) to 127.0.0.1 so that the noVNC server should only listen for local connections and other machines on the network can't connect directly (if I understand it correctly)
    • Set VNC port (vnc_port), e.g. to 5900
    • Set a vnc_password
    • Uncheck "Web Interface" (vnc_web = false)
  • On TrueNAS:
    • Enable Services / SSH
    • "Log in as Root with password" is disabled
    • Allow TCP Port Forwarding
    • Under Advanced / Other Options / Weak Ciphers, uncheck None and AES128-CBC
    • Create a non-root user ("username")
  • On the desktop machine from which I want to connect:
    • ssh -L 127.0.0.1:5959:localhost:5900 username@truenas
      • (using a bind_address of 127.0.0.1 so that only programs on this machine can use this tunnel, and not anyone else on the network, if I understood correctly)
    • Connect with a VNC client to localhost:5959
    • Enter the VNC password from vnc_password above
If anyone has suggestions for improving this and/or making it more secure, especially if I've misunderstood something, please let me know!
 
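A defender-side check for the "Bind" step above, added here as an example and not taken from the thread: it parses `sockstat -4l` output on the TrueNAS Core (FreeBSD) host to confirm that a bhyve VNC listener is really bound to 127.0.0.1 rather than every interface, and builds the matching ssh tunnel command with loopback binds on both ends. The sockstat lines are a constructed sample, and the column layout assumed is FreeBSD's `sockstat`.

```shell
#!/bin/sh
# Added example (not from the thread). On the TrueNAS host, feed it live data
# with:  vnc_listener_exposure 5900 "$(sockstat -4l)"
# Constructed sample of `sockstat -4l`: one VM bound to loopback (5900), one
# still bound to all interfaces (5901, shown by sockstat as "*:5901").
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     bhyve      1234  5  tcp4   127.0.0.1:5900        *:*
root     bhyve      1235  5  tcp4   *:5901                *:*
root     sshd       800   4  tcp4   *:22                  *:*'

# vnc_listener_exposure PORT SOCKSTAT_TEXT
# Prints "local" when the bhyve listener on PORT is bound to 127.0.0.1,
# "exposed" when it is bound to any other address (e.g. "*" = 0.0.0.0),
# and "absent" when no bhyve process listens on that port at all.
vnc_listener_exposure() {
    port=$1
    text=$2
    # Column 2 is the command, column 6 the local address:port.
    addr=$(printf '%s\n' "$text" | awk -v p="$port" '$2 == "bhyve" && $6 ~ (":" p "$") { print $6 }')
    case "$addr" in
        "")           echo absent ;;
        127.0.0.1:*)  echo local ;;
        *)            echo exposed ;;
    esac
}

# tunnel_command USER HOST LOCALPORT VNCPORT
# Emits the client-side ssh invocation from the thread, pinning the local end
# to 127.0.0.1 (so other machines cannot use the tunnel) and the remote end to
# the host's loopback where the VNC server listens. -N opens no remote shell.
tunnel_command() {
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' "$3" "$4" "$1" "$2"
}

# Walk the sample: only port 5900 should report "local".
for p in 5900 5901 5902; do
    printf 'VNC port %s: %s\n' "$p" "$(vnc_listener_exposure "$p" "$SAMPLE_SOCKSTAT")"
done
tunnel_command username truenas 5959 5900
```

A result of "exposed" means the Bind setting did not take effect (or the VM was not restarted), and the VNC port is reachable from the network regardless of the tunnel.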