Securely connect to a VNC server tunneled over SSH from Windows with this procedure. We use SSH tunneling for the insecure VNC protocol as for other insecure protocols like RDP. This procedure works from a local Windows PC to a remote VNC server on Linux, macOS, etc. We assume the remote server computer has an SSH server and VNC server already setup.

On the local client computer, add to the ~/.ssh/config for this Host a line like:

  LocalForward 5990 localhost:5900

where 5900 is the VNC port on the remote PC, and 5990 is an arbitrary distinct port on the local PC to avoid clashes on 5900. Note: the VNC server might use port other than 5900. On Linux a common default VNC port is 5901.

To connect, ssh to the server as usual, then use VNC Viewer to connect to localhost::5990. When the SSH connection (tunnel) is closed, so is the VNC connection.

Reference: macOS network ports