Connect to a Mac from Windows with TightVNC over SSH

TightVNC can be part of a secure Mac remote-access workflow when the VNC session travels through an SSH tunnel instead of reaching port 5900 directly.

June 5, 2026

At a glance

  • Use SSH to reach the Mac first; use TightVNC against the local tunnel port second.
  • With VNC lockdown enabled, TightVNC should connect to localhost, not the Mac LAN IP.
  • The VNC password belongs to the screen layer; the SSH key passphrase belongs to the tunnel layer.

The two-layer connection

A secure TightVNC-to-Mac workflow has two layers. First, Windows opens an SSH tunnel to the Mac. Second, TightVNC connects to a local VNC address exposed by that tunnel, often localhost:5901.

That local address can feel strange at first. TightVNC is running on Windows, but localhost:5901 is the Windows side of the tunnel. The tunnel then lands on the Mac and reaches the Mac screen service from there.

What to prepare on the Mac

The Mac needs Screen Sharing enabled, an SSH endpoint available, and a key that is allowed to open the VNC tunnel. The safest version of the key is not a normal shell login. It should be limited to the connection path it needs.
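One way to check that restriction on the Mac, as an added example that is not HearthGate's or this page's own code: it audits an OpenSSH authorized_keys line for a key meant to carry only the VNC tunnel. It assumes Screen Sharing listens on localhost:5900; the function names and sample lines are constructed for illustration.

```python
import re

# Assumption: macOS Screen Sharing listens on TCP 5900 on the Mac itself.
ALLOWED_TARGETS = {"localhost:5900", "127.0.0.1:5900"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options

# The options field ends at the first whitespace outside double quotes.
FIELD = re.compile(r'((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')

def parse_options(line):
    """Return [(name, value)] for the options field of one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return []
    m = FIELD.match(line)
    return [(n.lower(), v) for n, v in OPTION.findall(m.group(1))] if m else []

def audit(line):
    """Return findings for a key meant to carry only the VNC tunnel; [] means OK."""
    opts = parse_options(line)
    names = {n for n, _ in opts}
    targets = [v for n, v in opts if n == "permitopen"]
    findings = []
    if "restrict" not in names:
        findings.append("restrict not set")
    elif "port-forwarding" not in names:
        findings.append("port-forwarding not re-enabled, so the tunnel cannot open")
    if "pty" in names:
        findings.append("pty re-enabled")
    if not targets:
        findings.append("no permitopen: forwarding targets are not limited")
    findings += [f"permitopen allows {t}" for t in targets if t not in ALLOWED_TARGETS]
    if "command" not in names:
        findings.append("no forced command: the key can still run commands")
    return findings

# Constructed sample lines; the key material is a placeholder, not a real key.
KEY = "ssh-ed25519 AAAA_CONSTRUCTED_KEY windows-laptop"
SAMPLES = {
    "unrestricted": KEY,
    "tunnel-only": 'restrict,port-forwarding,permitopen="localhost:5900",'
                   'command="/usr/bin/false" ' + KEY,
    "wide-open forward": 'restrict,port-forwarding,permitopen="*:*",'
                         'command="/usr/bin/false" ' + KEY,
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, "->", audit(line) or "OK")
```
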

If legacy VNC authentication is required by the viewer, create or copy the VNC password from the Mac-side tool that manages the screen-sharing compatibility layer. Store it separately from the SSH key passphrase.

What to do on Windows

Run the prepared Windows tunnel script or SSH command. If the private key is encrypted, enter the SSH key passphrase when prompted. Once the tunnel is open, start TightVNC Viewer.

In TightVNC, set the remote host to localhost:5901 unless your tunnel script prints a different local port. Do not enter the Mac IP as the VNC host when VNC lockdown is enabled. The Mac IP belongs to the SSH side, not the VNC side.

  • SSH side: Mac host, HearthGate SSH port, private key.
  • VNC side: localhost:5901, then the VNC password if prompted.
  • Router side: forward SSH only if internet access is needed.

Where HearthGate helps

HearthGate can generate the Windows script, package the private key, show the connection state, report the active tunnel, and keep the VNC port protected behind SSH. TightVNC stays the viewer. HearthGate owns the Mac-side gateway posture.

That separation is useful: keep using the Windows viewer you know, but do not make the Mac screen port the thing Windows reaches directly.

Want the Mac-side gateway for this model?

HearthGate packages secure VNC over SSH, restricted keys, firewall VNC lockdown, connection bundles, and session visibility into one native Mac app.
