bookmark_borderHowTo setup a Counter Strike: Global Offensive Server on Linux

A lot of people who are running a rented Linux (v)Server are interested in creating a Counter-Strike: Global Offensive server. Creating a CSGO server under Linux is rather easy, Valve really did their homework here. The following short tutorial will give you the needed instructions to create a Counter-Strike: Global Offensive Server under Debian, Ubuntu or openSUSE:

1. Create a new user

First of all, you should really create a new user in your Linux system. The reason for that is simple: security! If your main user, or even your root user, is running the CS:GO server and is hacked later on, the hacker maybe is in the position to get access to the system behind the Server. With that being said, he may be able to get full access to the shell and he may be able to manipulate the system. To create new account on your Debian, Ubuntu or openSUSE system, you have to enter the following commands:

root@server:~# useradd csgosrv
root@server:~# passwd csgosrv
root@server:~# mkdir /home/csgosrv
root@server:~# chown csgosrv:users /home/csgosrv

So, the first commands creates a new user, called csgosrv. The seconds commands sets a new password for this user. The password you enter here will not be prompted.
The third command creates a new directory called csgosrv under the directory /home. This will be the standard home directory for the user csgosrv we’ve created before.
The fourth and last command sets the owner to the created user csgosrv and the group owner of the created csgosrv home directory to users.

2. Install needed dependencies

In this step we need to download the needed libraries in order to get the Steam command line tool working. If these libraries / tools are not installed, the Steam command line client (provided by Valve), will fail to start.
If you’re on a 64-Bit Debian or Ubuntu system you have to enable the i386 architecture in the first place. This is needed because the server software is written for the 32-Bit architecture. If you’re on a 32-Bit Ubuntu or Debian, you can skip this command:

root@server:~# dpkg --add-architecture i386

The following two commands are needed for 32-Bit and 64-Bit systems. They will update the repository information and install the needed libraries:

root@server:~# apt-get update
root@server:~# apt-get install gcc-multilib libstdc++6:i386 libgcc1:i386 zlib1g:i386 libncurses5:i386 libc6:i386 wget screen

If you’re on a openSUSE system, the commands are doing the same, but the syntax is different. The following two commands are updating the package repository and installs the needed libraries on a openSUSE system:

root@server:~# zypper ref
root@server:~# zypper in wget libgcc_s1-32bit libgcc_s1-gcc6-32bit ca-certificates screen

Now, that you have installed all the needed libraries, we can go on and start downloading and installing the server software.

3. Download Steam

Downloading the Steam command line tool is very easy. You can always get it directly from Valve. But before we start downloading the client, we should change to the beforehand created user csgosrv. We can do this with the following command:

root@server:~# su - csgosrv

As an alternative you could close your SSH session and reconnect with the user csgosrv.
Now that we’re working with the right user, it’s time to download and extract Steam:

csgosrv@server:~$ mkdir steam
csgosrv@server:~/steam> cd steam
csgosrv@server:~/steam> wget http://media.steampowered.com/client/steamcmd_linux.tar.gz
csgosrv@server:~/steam> tar xfvz steamcmd_linux.tar.gz

So, the first two commands are creating a new directory, called steam, and directly changed into it with the help of the cd command. The third command is downloading the Steam CMD tool with the help of the tool wget. The fourth and last command extracts the so downloaded .tar.gz archive.
After you’ve done this steps successfully you can go on and download the CS:GO server software.

4. Setup Steam and install CS:GO server files

This command will update the steam command line tool and installs the application „740“ which is the Counter-Strike: Global Offensive server. For now you don’t need to have your steam credentials ready. You can update steam and install the server software as an anonymous user:

csgosrv@server:~/steam> ./steamcmd.sh +login anonymous +force_install_dir ./csgo_server/ +app_update 740 validate +quit

This command will take some time and the so downloaded server software needs round about 15 GB hard disk space. The Server software will be installed in the directory /home/csgosrv/steam/csgo_server.

5. First start of the CS:GO server

Now that you have successfully downloaded and updated the Counter-Strike: Global Offensive server, we can do a test run. With the following command we can start the server with the mode Classic Casual and the Mapgroup mg_bomb which includes the old bomb spot maps like de_atztec or de_dust / de_dust2:

csgosrv@server:~/steam> cd csgo_server
csgosrv@server:~/steam/csgo_server> ./srcds_run -game csgo -console -usercon +game_type 0 +game_mode 0 +mapgroup mg_bomb +map de_dust

You will now get a lot of output. This is normal and shows you, that the software is working. However, at the end of all the lines you will find a message like this one:

****************************************************
*                                                  *
*  No Steam account token was specified.           *
*  Logging into anonymous game server account.     *
*  Connections will be restricted to LAN only.     *
*                                                  *
*  To create a game server account go to           *
*  http://steamcommunity.com/dev/managegameservers *
*                                                  *
****************************************************

Basically this message means that your server is not registered at Vale. As long as you don’t register your server at Vale, you will only be able to connect to the server via LAN, not via the internet. It will never be an official server played on. To make your server ready for the internet, you have to go on with the next step (you can terminate the actual running session with an CTRL+C combination).

6. Make your server an official registered one

To register your CS:GO server at Valve and make it ready for internet play, you have to register the server directly at Valve. To do so, visit the following link: Steam Server management. Login with your steam credentials (if you haven’t already) and enter the number 730 as the App ID in the first text box. The second text box can be filled with whatever you want. It’s just a comment field. For e.g. if you have more than one server you could write down the hostname here so that you can always directly see which token belongs to which server. Click on Create to get your Token:
After you clicked on Create you will see your token for your server. The token can only be used on one server for one active session. You can’t use the token for multiple servers at the same time. You have to create a new token for each of your servers.
Now that you have created your token, you can use it to start the server as an official CS:GO server with the following command:

csgosrv@server:~/steam/csgo_server> ./srcds_run -game csgo -console -usercon +game_type 0 +game_mode 0 +mapgroup mg_bomb +map de_dust +sv_setsteamaccount YOURTOKEN -net_port_try 1

Of course you have to replace the YOURTOKEN with the token you’ve created before. If there is no firewall blocking the traffic, you should now be able to find your server via the CS:GO server browser or connect directly via the hostname / IP to it.

7. Start the CS:GO server in the background

You may already noticed, that the CS:GO server stops running when you close the SSH connection. This is, because the CS:GO server software needs an active terminal / SSH session to go on running. However, there is a tool which is called screen. If you’ve followed this tutorial, you already have installed screen at the first steps. The following commands starts the CS:GO server in the background with the help of screen.

csgosrv@server:~/steam/csgo_server> screen -A -m -d -S csgo_server ./srcds -game csgo -console -usercon +game_type 0 +game_mode 0 +mapgroup mg_bomb +map de_dust +sv_setsteamaccount YOURTOKEN -net_port_try 1

If you want to jump into the screen session you can easily do this with this command:

csgosrv@server:~/steam/csgo_server> screen -r csgo_server

As long as you are connected (attached) to the screen session, you can do anything here like in a normal terminal session. If you want to leave the screen session again, just press CTRL+a, followed by the key d (CTRL+a sends a signal to the screen program that the next key stroke is something screen has to handle. The d key says to screen than: detach!).

Optional information

If you have problems connecting to your server, you should check if there is no firewall blocking the traffic. If there is any firewall doing so, you have to unlock the port 27015 (UDP) for your server.
For a more further configuration of the server (settings like warm up, max player count, map rotation and so on) you should visit the following page. It contains a almost complete server.cfg with a lot of comments: server.cfg on csgodev
For further fine tuning at the game modes you should read the official tutorial wikipedia page from Valve about this: CS:GO Server gamemodes
I also want to provide my own server.cfg file here. It’s rather simple and just sets some basic features, like friendly fire and warm up time. You can see my server.cfg file here: server.cfg
T
he server.cfg has to be stored in the directory cfg which is a subdirectory of the csgo_server directory, the directory which we had chosen while downloading the CS:GO server software.
 
Enough of the words. I wish you a good time in CS:GO and best wishes for you and your server 🙂
 
 

bookmark_borderHow To get your Realtek RTL8111/RTL8168 working (updated guide)

Realtek Logo
Image Source: wikipedia.org
A lot of people will remember my guide how to get a RTL8111/RTL8168 running under your Linux box. This guide is almost 5 years old now and I wanted to make a complete overhaul, because a lot of things has changed since then.

Why do I need this driver anyway?

Some people asked me, „Why do I need this driver anyway? Doesn’t the Linux Kernel ship it?“. This is of course a valid question. As far as I can see this, the RTL8111/RTL8168 is not Open Source and this would be of course the reason why the driver isn’t included into the Linux Kernel. As long as the driver isn’t Open Sourced, we have to build it on our own.

The installation methods

A lot of things have changed since I written the initial article about how to compile the driver under Ubuntu / Debian. Today we can use 2 methods for installing the driver. The following lines describes both of them.

The automatic way

NOTE: Thanks to the user „Liyu“ who gave me this hint!
NOTE2: For this way you need a working internet connection. You could use WLAN or a USB ethernet card like this one to get a temporary internet connection. You could also download every needed single package onto USB from another PC and install them in the right order.
As I said ealier, 5 years is a long time. And today Ubuntu and Debian have the driver included in it’s repository. For Debian you have to enable the non-free package sources. For Ubuntu you have to enable the universe package sources. You can easily do this by open your /etc/apt/sources.list as root with your editor of choice and add for each line starting with „deb“ non-free or universe at the end. So for example, if you use Debian a line like:

deb http://ftp.de.debian.org/debian/ jessie main contrib

would become to

deb http://ftp.de.debian.org/debian/ jessie main contrib non-free

The same for Ubuntu:

deb http://de.archive.ubuntu.com/ubuntu/ xenial main restricted

would become to

deb http://de.archive.ubuntu.com/ubuntu/ xenial main restricted universe

After this you have to do a:

sudo apt-get update

You can of course use graphical ways to enable non-free or universe. After you enabled the missing package repository, you will be ready to install the driver. This can be easily done with the following command:

sudo apt-get install r8168-dkms

The procedure will take some time, depending on your CPU because the driver will be build for your working Kernel. The good side is, that if any Kernel update happens on your machine, the kernel will be rebuild against the new Kernel automatically after the update because of the use of dkms.
After the procedure is finished, you should be able to use your network card instantly. If not, you should consider a reboot of your PC then.

The manual way

Well, the manual way is almost the same as it was before in the initial article. Anyway, I want to rewrite the steps here again. This is also tested against newer Kernels ( >= 4.0) which caused a lot of trouble for some people in the past.

  • 1. Install dependencies: Once more you need a working internet connection for this. You could also use the Debian or Ubuntu DVD which includes the needed packages. To install the dependencies just enter the following command:
    sudo apt-get install build-essential linux-headers-$(uname -r)
  • 2. Download the driver: You can download the driver from the official Realtek homepage mirror provided by mtorromeo at GitHub. This is the direct download link: click me.
  • 3. Blacklisting the r8169 driver: The r8169 is loaded when the r8168 is not found on your system. This will give you a network and internet connection, but with the r8169 driver your RTL8168 card will be very unstable. This means slow download rates, homepages taking hours to load and so on. To avoid that the r8169 is loaded, we blacklist it. This is be done by entering the following command:
    user@linux:~$ sudo sh -c 'echo blacklist r8169 >> /etc/modprobe.d/blacklist.conf'
  • 4. Untar the archive: After you successfully downloaded the driver, cd into the directory where the driver is downloaded and untar the driver with the following command:
    user@linux:~$ tar xfvz r8168-8.046.00.tar.gz

    NOTE: Your tar filename can of course differs if you download a newer version in the future for e.g.

  • 5. Compiling and installing the driver: Now we have to start compiling the driver. For this you cd into the extracted directory:
    user@linux:~$ cd r8168-8.046.00

    NOTE: Don’t forget to change your version number in the future here.
    Now that you are in the right directory, we can start with the real compiling process. For this Realtek brings an easy to use script which is called autorun.sh. So, to start compiling and installing the driver enter:

    user@linux:~/r8168-8.046.000$ sudo ./autorun.sh

    You should see a output which looks like this:

    Check old driver and unload it.
    rmmod r8168
    Build the module and install
    At main.c:222:
    - SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175
    - SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178
    sign-file: certs/signing_key.pem: No such file or directory
    Backup r8169.ko
    rename r8169.ko to r8169.bak
    DEPMOD 4.4.0-31-generic
    load module r8168
    Updating initramfs. Please wait.
    update-initramfs: Generating /boot/initrd.img-4.4.0-31-generic
    Completed.

    You can ignore the SSL error for now. The driver should be successfully compiled and installed into your system. The driver is already loaded and should work.

  • 6. Check the driver: As a final step, you could start checking if the driver is really loaded into your Kernel. For this you can use the command lsmod. lsmod lists all drivers, which are usable by your Kernel. So, if everything was successful, you should see an output like this:
    user@linux:~/r8168-8.046.000$ lsmod | grep r8168
    r8168                 491520  0

    You can also check as well your ethernet device directly to see if the correct driver is loaded (special thanks goes to Tim which posted this in the comment section):

    user@linux:~$ sudo ethtool -i enp1s0
    driver: r8168
    version: 8.042.00-NAPI
    firmware-version:
    expansion-rom-version:
    bus-info: 0000:07:00.0
    supports-statistics: yes
    supports-test: no
    supports-eeprom-access: yes
    supports-register-dump: yes
    supports-priv-flags: no

    NOTE: You have to the change enp1s0 to the device name of your network card of course. This can be eth0, eth1, enp2s0, and so on.
    If your driver isn’t loaded until now, you should go with a reboot before further investigation.

That’s it

And that’s it. Now you’re ready to use your RTL8168/RTL8111 with the official Realtek drivers. If you have any questions and / or suggestions, please let me know in the comments.

bookmark_borderMy new helper Ansible

For some weeks ago, I decided to use Ansible as my central configuration tool of choice. The following text should give you a short intro in how to deploy files with Ansible.

What exactly is Ansible?

Now, what exactly is Ansible? Ansible is an auto configuration tool, which helps you to keep your configuration files central managed. You will benefit from easier configuration and you will save a lot of time. For example, if you have 3 DNS servers and you want to ensure that all this systems have the same db and configuration files used, you could use either a network storage (which is obviously something over the top here) or keep them central and push them to all DNS servers.
And Ansible is exactly doing that. It pushes your configuration files on given hosts. Another really pro for Ansible is, that it uses SSH to do so. This means that you don’t have to install a service to get your machines configured. Ansible is agent-less.

How to install

For almost every distribution out there in the wild, Ansible is available in the system repositories. For Ubuntu / Debian you can easily do:

sudo apt-get install ansible

as well as for openSUSE you can just do:

sudo zypper install ansible

After this, you can find the standard configuration under /etc/ansible.

Make SSH ready for Ansible

Every host which will be managed via Ansible needs to have a Public Key and a user which is allowed to use this Public Key to connect to the Host.
For my personal purposes I created a user which is allowed to change the files which are coming from Ansible. This is of course optional. You could also do this with the user root even if that means a little bit more of a security risk. Anyway, you have to generate a Public Key which is done with the following command for the user ant:

ant@ansible:~$ ssh-keygen -t rsa -b 4096

For our scenario, you shouldn’t set a password for the key. The other questions can be confirmed with pressing ENTER without any changes. After this your SSH Key is ready and you can push them to your Host which will be configured with Ansible later. After the following command is issued, the user ant on your Ansible system will be able to login as user ant on the system target without entering a password. As described above, you could also do this with the user root here:

ant@ansible:~$ ssh-copy-id -i ~/.ssh/id_rsa.pub ant@target

Now you should be able to login via ssh as the user ant on the system target without entering a password.

Groups and Hosts

Now that you have the target System fed with an Public Key, you are able to make the target System known in Ansible. The Ansible configuration files are located at /etc/ansible. First of all you should add the target system in the /etc/ansible/hosts file:

[testsystems]
target.local.dom

Let me explain this file a little bit. You can enter a hostname per line in this file. Ansible then knows them and will deploy the given files. To make the configuration easier, you can use groups. A definition of a group start with [ and ends with ]. So in this case the host target.local.dom would be in the group testsystems. You can put one host into multiple groups.

Playbooks

The host is now known for Ansible. As next we need to define the files which will be pushed and where their going to be deployed at the root filesystem of the target host.
For this, Ansible is using so called Playbooks. As its name implies, the Playbook is a collection of things which has to be done on the target system. You can do almost everything here which you also would be able to do by hand in the console. There a plenty of modules which can be used for e.g. Update your system, set file permission, and so on. And even if there is no module available which fits your needs, you can always use the bash module and write down what the system should do by yourself. A complete list of the modules and how to use them can be found at the official documentation. In this example we will push files to the target system. So we have to define this in the Playbook. You can either use the copy or the synchronize function within the file module to push the wanted files to the target. The following example will use the synchronize function:

---
- hosts: testsystems
vars:
files: /etc/ansible/files/testsystems/
gather_facts: false
become: false
tasks:
- name: copy files
synchronize: src={{ files }} dest=/opt
notify: restart ssh
handlers:
- include: handlers.yml

So what does this Playbook do now? Let me explain this file step by step:

  • hosts: Here we insert the group(s) which has been declared in the /etc/ansible/hosts file. You can name here single hosts as well as groups. It’s always recommended to use groups here.
  • vars: In vars we can declare variables which are used within this Playbook configuration. There is actually one variable defined which is called files. This variable is used later in the tasks section.
  • gather_facts: This is true or false. The standard is true. gather_facts is collecting informations about your system which can be used within the modules. Here it is disabled because we know that this Playbook will running well with the settings we give Ansible.
  • become: In earlier versions of Ansible this was called sudo. Become decides wether this Playbook needs root /sudo privileges to run, or not. The way how the system will become the root is defined in the central ansible.cfg. If set to true, you have to ensure that the „become user“, is available on the target system and has sudo permissions.
  • tasks: In tasks we define what to do on the target system. In this case we have one task, which is named „copy files“. It uses synchronize which is provided by the file module. The source path is the path which is defined in the variable files at the beginning of the Playbook-file. The Destination is the absolute path on the target system. In this case „/opt“. At the end, we use a notifier. This notifier is calling „restart ssh“ if a file has really changed on the target system. „restart ssh“ is written down in the „handlers.yml“ file. This file has to be in the same directory as this Playbook.

This is a really short and easy example of the capabilitys of Ansible. As I said earlier, you can do a lot of more stuff. For this you should consider to read the official documentation.
You can now save the file where ever you want. I recommend a place like /etc/ansible/conf.d. The filename ending should be .yml. So for e.g. we could save the file „testservers.yml“ under /etc/ansible/conf.d.

The handlers.yml file

As mentioned before, the handlers.yml file is just an addition to your existing Playbook. In the handlers file you can write down commands which can be reused a lot of more times. For example the „restart ssh“ command, which has been called in our Playbook, can be also needed by other upcoming hosts. To prevent for writing down the same commands again and again, we use an external extra file, which holds all the reusable commands. This file is here called handlers.yml and has to be stored in the same directory as your Playbooks. An example handlers file looks like this:

---
- name: restart bind
service: name=named state=restarted
- name: restart ssh
service: name=ssh state=restarted

So as you can see, we use the module service to restart the services ssh and bind. The services are restarted on the target system, when they get called in a Playbook. In our Playbook-example above, the „restart ssh“ command is triggered after copying files.

Testing our new configuration

We have a valid hosts and Playbook file and our target system has the needed Public Key. So we should be ready to go. To start or „call“ a Playbook you have to issue the following command on your command line:

ant@ansible:~$ ansible-playbook /etc/ansible/conf.d/testservers.yml

NOTE: Don’t forget, that you have to issue the command on your Ansible system, with the user which has the Public Key stored on the target system.
Now your Ansible server system should start pushing the data to the target system. A output like this should be shown to you:

PLAY [testservers] ************************************************************
TASK: [copy files] **************************************************
changed: [target.dom.local -> 127.0.0.1]
NOTIFIED: [restart ssh] ******************************************************
changed: [target.dom.local]
PLAY RECAP ********************************************************************
target.dom.local : ok=2 changed=0 unreachable=0 failed=0

This means the files are successfully copied and the ssh service was restarted. This means your first Ansible Playbook is running fine without issues. Now you can go on in adding more tasks.
Don’t for get the official documentation to do so 🙂

Further links

bookmark_borderOpenVPN Error: Linux route add command failed

OpenVPN Logo

Image source: openvpn.net

Everbody knows OpenVPN. A powerful and easy to configure VPN client, which is cross-platform available for BSD, Linux, MAC and Windows.
A lot of my Linux boxes are OpenVPN clients, starting with Virtual Machines as well as physical boxes. If I use my OpenVPN server as a default gateway, some machines having trouble to create the necessarily route. The output in the most cases is something like this:

Sun Jun 19 14:03:20 2016 /bin/ip route add 1.2.3.4/32 via 0.0.0.0
RTNETLINK answers: No such device
Sun Jun 19 14:03:20 2016 ERROR: Linux route add command failed: external program exited with error status: 2

So this means that the OpenVPN tried to create a new route with the help of the ip command which failed (error code 2). But how to fix this?

Add the route by your own

I’ve searched around the internet and nobody really had an answer to this. Well, the solution is rather simple. Directly after the successful connection to your OpenVPN server, add the route by your own. The following example would do this for the shown error above:

sudo route add -host 1.2.3.4 dev enp4s0

As you can see, there is no gateway address to reach the host. It’s simply the Ethernet device which is stated here (enp4s0 is the name of the first wired Ethernet device under openSUSE when using Network Manager (formerly known as eth0)).
This error also occurs, if you want to use a OpenVZ container as a OpenVPN client. By default, the first virtual network device of a OpenVZ container is called venet0. So you would have to enter the following command to get this error fixed:

sudo route add -host 1.2.3.4 dev venet0

After you added the host to your routing table with the correct outgoing network device, you’re ready to go to use the VPN as your default gateway.

Permanent Fix

To be honest, until now I wasn’t able to find a permanent fix for this. So this also means that you have to redo the route add command every time, when you have connected to your VPN.
If you know a permanent fix for this problem, just let me know in the comments below. Your help is appreciated 🙂

bookmark_borderHow to create an SSH tunnel under Linux

Creating an SSH Tunnel allows you to encrypt every network communication you want. You are also be able to access other network services which are only available at the destination which you trying to ssh to. Almost every Linux distribution is already able to create such a tunnel. However in term of „tunneling“, using SSH to create a tunnel is more like doing port forwarding.

SSH command to create a tunnel

Tunneling with SSH is really simple. You define the port on your local machine, where your forwarded port should be listening to. Then you define the destination it should point to. The following picture tries to show you how easy it really is:
ssh_blog
As you can see in the picture, the first number after the -L parameter (marked red) states the local port on your local machine where you execute the ssh command. This means that the remote service will be available locally on your machine with this port. You should only use ports above the „System Ports“ which are regulated in RFC 6335. This means ports greater than 1023 (in the picture we use port 5000 which is fine).
The second value (yellow marked) states the remote address. The remote address can be localhost but in this case localhost does not mean your local machine. It means the remote machine you are ssh-ing to. It is possible that you insert a machine name or IP behind the destination machine. The destination tries to establish the connection to the remote address then.
The third value after the -L parameter (marked blue) is the port of the destination address which is given in the step before (yellow marked). This means, if you want to connect to a running Webserver, then you have to enter 80 here (80 is the standard port for a HTTP connection).
The last value (marked green) is your username and the server you’re going to ssh to.

A more pratical example

Another good example would be something like this:

ssh -L5000:www.google.de:443 myserver.my.domain

This example will open a SSH connection to the server myserver.my.domain and will tunnel (or forward) the Port 443 on the destination address (in this example „www.google.de“) to the local port 5000 on your local machine. After this you will be able to enter https://localhost:5000 in your webbrowser on your local machine and you should see the google start page. This means all traffic which is going to www.google.de via HTTPS is routed over your myserver.my.domain.

Encrypting VNC traffic

VNC doesn’t encrypt network traffic by default. If you do remote administration with VNC you could either use a VPN or SSH as a much more simpler solution. There are other remote administration solution available which do support encryption out of the box (like X2Go or NXNomachine). However, using VNC in combination with SSH for encryption is as easy as possible. Encrypting a VNC connection over an SSH tunnel gives you some great benefits:

  1. The VNC traffic between your local machine and the destination (VNC Server) is encrypted.
  2. As a home server user, you can just open the SSH port in your routers firewall for external access. All other ports can remain closed because you can port forward them with the help of SSH.
  3. Due to the SSH user authentication you have something like a „low-level“ user authentication.

The following example opens a SSH connection to the server myserver.my.domain and forwards the VNC Server port on this server so that the VNC Server is reachable locally under the port 5000:

ssh -L5000:localhost:5900 myserver.my.domain

After the connection is established the VNC Server on the server myserver.my.domain can now be reached under the address localhost port 5000. If your server does listen on another port than the standard port of SSH (22) you can add the -p parameter to ssh to your server with the port you want:

ssh -p1234 -L5000:localhost:5900 myserver.my.domain

Further links