How to make a ThinLinc server behind NAT externally accessible

It is often the case that your internal network is behind a router performing Network Address Translation (NAT). As long as your ThinLinc server is only meant to be accessed from within the network, this is not a problem. You often, however, want to access your ThinLinc server from other locations as well.

Unless properly configured, externally connecting to your server will result in a “Connection to server timed out.” error.

This guide describes one way to enable external access to a single ThinLinc server behind NAT using the native ThinLinc client. If you instead want to set up a multi-node ThinLinc cluster, see Preparing the Network for ThinLinc Installation in the ThinLinc Administrator’s Guide. If you would like to enable external access using the browser-based client Web Access, see ThinLinc Web Access Server Configuration.

1. ThinLinc Server: A single ThinLinc server with both the Master (vsmserver) and Agent (vsmagent) service running.
2. Externally Reachable IP Address: Your network should have an externally reachable IP.
3. IP Address Stability: Ideally, your server should have a static external IP address. If this is not possible, using a dynamic DNS service is a viable alternative.
4. Port Forwarding: You need the ability to forward an SSH port to your ThinLinc machine.
5. NAT Hairpinning Support: A router supporting NAT Hairpinning, also known as NAT Loopback. This makes it possible to continue using ThinLinc from inside the network. Most current routers support this out of the box.

The native ThinLinc client uses SSH as its secure transport layer. On the server side, ThinLinc uses the SSH server provided by the system. Hence – for ThinLinc to be reachable from outside the local network, the system SSH server must also be externally reachable.

For a ThinLinc installation running on a single machine, forwarding port 22 from your router’s external interface to the IP address of your ThinLinc server is sufficient. When the port forward is in place, you should be able to connect to the server using SSH with the external IP address or DNS name.

When the ThinLinc client connects, it first connects to the Master (vsmserver) which then responds with the address of the Agent (vsmagent). The client then connects directly to the Agent. By default, the address in the Master response is the Agent’s internal IP. In our case, there will be two subsequent connections to the same machine, as the machine hosts both the Master and Agent.

As you are now connecting from outside the network, we want the Master to respond with the external IP address or DNS name of the machine. This is done by setting /vsmagent/agent_hostname in /opt/thinlinc/etc/conf.d/vsmagent.hconf to the external IP or DNS name:

# Public hostname; the hostname that clients are redirected to. If not
# defined, the agent will use the computer's IP address.
agent_hostname=thinlinc.example.com

Then, restart the Agent service:

sudo systemctl restart vsmagent

You should now be able to connect to the server using the native ThinLinc client, specifying your externally reachable IP address or DNS name in the “Server” field in the client.

If you did not externally map the server’s SSH port to 22, the externally reachable SSH port of the server must be specified in the ThinLinc client. This is done under Options… → Security → SSH Port.