TightVNC (Windows)
Connect from TightVNC on Windows through a HearthGate SSH tunnel.
Before you connect from Windows
This guide assumes HearthGate is already installed on the Mac, TightVNC Viewer is installed on Windows, and you are ready to transfer a HearthGate connection bundle or private key to that Windows machine.
Create a connection key
If you did not create a key during setup, open the Connection tab in HearthGate and generate a new one. Use an SSH key passphrase when possible, choose either a random passphrase or your own, and store it somewhere safe. Before generating the key, select the key scope that matches how this Windows machine will connect: Local network only is the safest option for same-network access, while Local + Internet or Internet only can be used when the connection must work from outside the LAN. If you already have a package, you can import it instead.
Save the Windows connection bundle
Choose the Windows command or script for the machine that will make the connection. You can copy the command, download the script, or save the private key separately. For the easiest Windows setup, use Save bundle so the private key, launcher, and supporting files are saved together.
Record the SSH passphrase and VNC password
If HearthGate generated a random SSH key passphrase, copy it now and keep it secure; HearthGate does not store it for later recovery. Then open Compatibility, make sure Legacy VNC mode is on, and copy or regenerate the VNC password. TightVNC uses this VNC password after the SSH tunnel is already established.
Extract the bundle on Windows
Unzip the saved bundle anywhere convenient on the Windows machine. You can launch connect-windows.cmd directly, or open connect-windows.ps1 in PowerShell. Downloaded PowerShell scripts carry Mark-of-the-Web and are often blocked by the RemoteSigned execution policy; if that happens, use the .cmd launcher or unblock the PowerShell script once from inside the extracted folder.
Unblock-File "connect-windows.ps1"
Start the SSH tunnel
Run the Windows launcher and enter the SSH key passphrase when prompted. Once the SSH tunnel is open, HearthGate shows a new SSH session notification on the Mac.
Open TightVNC Viewer
In TightVNC Viewer, set Remote Host to localhost:5901, or use the local port shown by the HearthGate command if your package uses a different one. This is true whether the SSH tunnel reaches the Mac over the same LAN or from the internet. When VNC Lockdown is enabled, do not enter the Mac host IP in TightVNC; the VNC side should stay on localhost.
localhost:5901
Enter the VNC password
When TightVNC asks for authentication, enter the VNC password from HearthGate Compatibility. This is not the SSH key passphrase; it is the short Legacy VNC password used by the VNC viewer after the tunnel is already running.
Confirm the protected VNC session
After TightVNC connects, HearthGate reports that a VNC viewer is connected through the SSH tunnel. The Mac screen is being viewed, but port 5900 remains protected behind the tunnel.
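A check you can run on the Windows machine once the tunnel is started and before pointing TightVNC at it. This is an added example, not part of the HearthGate bundle; it assumes the local port is 5901 as in this guide and that it is run from the extracted folder.

```powershell
# Added example (not shipped with HearthGate): verify the local tunnel endpoint.
# Assumptions: local port 5901 as in this guide; script name as in the bundle.
param(
    [int]$Port = 5901,
    [string]$Script = ".\connect-windows.ps1"
)

# 1. Report whether the extracted script still carries Mark-of-the-Web.
if (Test-Path -LiteralPath $Script) {
    $motw = Get-Item -LiteralPath $Script -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) {
        Write-Host "$Script has Mark-of-the-Web; execution policy is $(Get-ExecutionPolicy)."
    } else {
        Write-Host "$Script has no Mark-of-the-Web (already unblocked)."
    }
} else {
    Write-Host "$Script not found here; skipping the Mark-of-the-Web check."
}

# 2. Confirm the tunnel's local port is listening on loopback only.
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    Write-Warning "Nothing is listening on port $Port; start the SSH tunnel first."
    return
}

$loopback = '127.0.0.1', '::1'
foreach ($l in $listeners) {
    # Name the process that owns the listener so you can see it is the tunnel.
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { "pid $($l.OwningProcess)" }

    if ($loopback -contains $l.LocalAddress) {
        Write-Host "OK: $($l.LocalAddress):$Port is loopback-only (owner: $name)."
    } else {
        # A listener on 0.0.0.0 or a LAN address exposes the forwarded VNC port
        # to other hosts, which defeats keeping the VNC side on localhost.
        Write-Warning "$($l.LocalAddress):$Port is reachable from other hosts (owner: $name)."
    }
}
```

If your package uses a different local port, pass it with -Port.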