John Childermass (Dabbler), joined Oct 20, 2016, 34 messages
When I create a bhyve virtual machine in TrueNAS Core, I can access it directly via VNC by clicking on the VNC icon under that VM in the TrueNAS web interface. However, this web-based noVNC session only works over http, not https. I'd like to avoid this insecure access, because — if I understand correctly — another client on my network could in theory eavesdrop on the unencrypted VNC traffic, for example while I configure the root password of the guest OS when installing it.
What are the best ways to secure all this? To be clear, I'm not talking about access to the guest OS once it is running, but to the "console" of the VM itself, even while installing the guest OS (and afterwards).
- Is it possible to make the noVNC session use https? I'm using the self-signed freenas_default certificate for https access to the TrueNAS web interface, but this doesn't seem to carry over to the VNC session (I think the noVNC doesn't accept https connections). This thread looks similar, but it looks like the poster didn't manage to get it working either. I realise that even if I get https working for the noVNC sessions, it won't stop someone else on the network accessing the VM via VNC if they know the port on the TrueNAS host. If I'm concerned about this, should I disable vnc_web access?
- Can I make the bhyve noVNC server listen only on localhost and then connect using an SSH tunnel? Is this what the "Bind" setting for the VM's VNC device is for, i.e. can I:
  - Change vnc_bind from 0.0.0.0 to 127.0.0.1 (will this make it only accept connections from localhost?)
  - Disable vnc_web (although I guess this doesn't matter if it's only listening on localhost)
  - Enable SSH access (with Port Forwarding) in the TrueNAS web interface
  - Set up a tunnel to the TrueNAS host (with a non-root user) and connect with a regular VNC client
- Or, should I delete the VM's VNC device completely and do the OS install using the VM's serial console, accessed by SSH to the TrueNAS host?
- Or, is there another approach I should take?
Thank you in advance for any advice!
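One way to check the bind setting the post asks about and to build the matching tunnel, as an added shell example that is not from the post or from TrueNAS itself (the sockstat output is a constructed sample; the hostname, user name and ports are placeholders):

```shell
#!/bin/sh
# Added example: confirm which address a bhyve VNC listener is bound to on the
# TrueNAS host and build the SSH port-forward a VNC client would use.
# Assumptions: ports 5900/5901 and the host/user names are placeholders; the
# sockstat output below is a constructed sample, not captured from a real host.

# Constructed sample of `sockstat -4l` on the TrueNAS host: one VM still bound
# to 0.0.0.0 (reachable from any LAN client), one bound to 127.0.0.1 only.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     bhyve      1234  3  tcp4   0.0.0.0:5900          *:*
root     bhyve      1235  3  tcp4   127.0.0.1:5901        *:*
root     sshd       900   4  tcp4   *:22                  *:*'

# vnc_bind_addr PORT [SOCKSTAT_OUTPUT]
# Prints the local address a bhyve process listens on for PORT (empty if none).
# Without a second argument it runs the real `sockstat -4l` on this host.
vnc_bind_addr() {
    port="$1"
    out="${2:-$(sockstat -4l 2>/dev/null)}"
    printf '%s\n' "$out" | awk -v p="$port" '
        $2 == "bhyve" { split($6, a, ":"); if (a[2] == p) print a[1] }'
}

# vnc_is_local_only PORT [SOCKSTAT_OUTPUT]
# Succeeds only when the listener is bound to loopback, i.e. other clients on
# the network cannot reach the VNC console without going through SSH first.
vnc_is_local_only() {
    addr=$(vnc_bind_addr "$1" "$2")
    [ "$addr" = "127.0.0.1" ]
}

# ssh_tunnel_cmd TRUENAS_HOST USER VNC_PORT LOCAL_PORT
# Builds the client-side command that forwards LOCAL_PORT on the workstation to
# the VM's VNC port on the TrueNAS host; the VNC client then connects to
# localhost:LOCAL_PORT and the session rides inside the encrypted SSH channel.
ssh_tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$4" "$3" "$2" "$1"
}
```

Run `vnc_is_local_only 5901` on the host after changing the VM's Bind setting to confirm the listener moved to loopback, then start the printed ssh command on the client and point the VNC viewer at localhost.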