Vncserver
Related articles
Vncserver is a remote display daemon that allows users several remote functionalities including:
- Virtual (headless) and fully parallel X sessions that run in the background (i.e. not on the physical monitor but virtually) on a machine. All applications running under the server may continue to run, even when the user disconnects.
- Direct control of the local X session(s) (i.e. X running on the physical monitor).
Contents
Installation
Vncserver and vncviewer are provided by tigervnc.
Running vncserver for virtual (headless) sessions
First time setup
Create environment and password files
Vncserver will create its initial environment file and user password file the first time it is run:
$ vncserver
You will require a password to access your desktops. Password: Verify: New 'mars:1 (facade)' desktop is mars:1 Creating default startup script /home/facade/.vnc/xstartup Starting applications specified in /home/facade/.vnc/xstartup Log file is /home/facade/.vnc/mars:1.log
The default port on which vncserver runs is :1 which corresponds to the the TCP port on which the server is running (where 5900+n = port number). In this case, it is running on 5900+1=5901. Running vncserver a second time will create a second instance running on the next highest, free port, i.e :2 or 5902.
Shutdown the vncserver by using the -kill switch:
$ vncserver -kill :1
Edit the xstartup file
Vncserver sources ~/.vnc/xstartup
which functions like an .xinitrc file. At a minimum, users should define a DE to start if a graphical environment is desired. For example, starting xfce4:
#!/bin/sh export XKL_XMODMAP_DISABLE=1 exec startxfce4
Permissions
It is good practice to secure ~/.vnc
just like ~/.ssh
although this is not a requirement. Execute the following to do so:
$ chmod 700 ~/.vnc
Starting the server
Vncserver offers flexibility via switches. The below example starts vncserver in a specific resolution, allowing multiple users to view/control simultaneously, and sets the dpi on the virtual server to 96:
$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 :1
For a complete list of options, pass the -help switch to vncserver.
$ vncserver -help
Running vncserver to directly control the local display
Using tigervnc's x0vncserver
TigerVNC provides the x0vncserver binary which has similar functionality to x11vnc e.g.
$ x0vncserver -display :0 -passwordfile ~/.vnc/passwd
For more see
man x0vncserver
Using x11vnc
Another option is to use x11vnc. This has the advantage or disadvantage, depending on your perspective, of requiring root to initiate the access. For more, see X11vnc.
Connecting to vncserver
Any number of clients can connect to a vncserver. A simple example is given below where vncserver is running on 10.1.10.2 on port 5901 (:1) in shorthand notation:
$ vncviewer 10.1.10.2:1
Passwordless authentication
The -passwd
switch allows one to define the location of the server's ~/.vnc/passwd
file. It is expected that the user has access to this file on the server through SSH or through physical access. In either case, place that file on the client's file system in a safe location, i.e. one that has read access ONLY to the expected user.
$ vncviewer -passwd /path/to/server-passwd-file
Example GUI-based clients
Securing vncserver by SSH tunnels
On the server
One wishing access to vncserver from outside the protection of a LAN should be concerned about plain text passwords and unencrypted traffic to/from the viewer and server. Vncserver is easily secured by ssh tunneling. Additionally, one need not open up another port to the outside using this method since the traffic is literally tunneled through the SSH port which the user already has open to the WAN. It is highly recommended to use the -localhost
switch when running vncserver in this scenario. This switch only allows connections from the localhost -- and by analogy only by users physically ssh'ed and authenticated on the box!
$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1
On the client
With the server now only accepting connection from the localhost, connect to the box via ssh using the -L switch to enable tunnels. For example:
$ ssh IP_OF_TARGET_MACHINE -L 8900:localhost:5901
This forwards the server port 5901 to the client box on port 8900. Once connected via SSH, leave that xterm or shell window open; it is acting as a secured tunnel to/from server. To connect via vnc, open a second xterm and connect not to the remote IP address, but to the localhost of the client thus using the secured tunnel:
$ vncviewer localhost::8900
From the ssh man page: -L [bind_address:] port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax:
[bind_address/] port/host/ hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost'' indicates that the listening port be bound for local use only, while an empty address or `*' indicates that the port should be available from all interfaces.
Connecting to a vncserver from Android devices over SSH
To connect to a VNC Server over SSH using an Android device:
1. SSH server running on the machine to connect to. 2. VNC server running on the machine to connect to. (Run server with -localhost flag as mentioned above) 3. SSH client on the Android device (ConnectBot is a popular choice and will be used in this guide as an example). 4. VNC client on the Android device (androidVNC).
Consider some dynamic DNS service for targets that do not have static IP addresses.
In ConnectBot, type in the IP and connect to the desired machine. Tap the options key, select Port Forwards and add a new port:
Nickname: vnc Type: Local Source port: 5901 Destination: 127.0.0.1:5901
Save that.
In androidVNC:
Nickname: nickname Password: the password used to set up the VNC server Address: 127.0.0.1 (we are in local after connecting through SSH) Port: 5901
Connect.
Tips and tricks
Starting and stopping vncserver at bootup and shutdown via systemd
One can have systemd run the service globally hardcoding the user into the service or one can run it in systemd's user mode. Both options are presented below but only select one of the two.
Globally
Create /etc/systemd/system/vncserver@.service
and modify it defining the user to run the server. Use this with systemd to manage it.
/etc/systemd/system/vncserver@:1.service
# The vncserver service unit file # # 1. Copy this file to /etc/systemd/system/vncserver@:<display>.service # 2. Edit User= # ("User=foo") # 3. Edit and vncserver parameters appropriately # ("/usr/bin/vncserver %i -arg1 -arg2 -argn") # 4. Run `systemctl daemon-reload` # 5. Run `systemctl enable vncserver@:<display>.service` # # DO NOT RUN THIS SERVICE if your local area network is untrusted! # # See the wiki page for more on security # https://wiki.archlinux.org/index.php/Vncserver [Unit] Description=Remote desktop service (VNC) After=syslog.target network.target [Service] Type=forking User= ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :' ExecStart=/usr/bin/vncserver -desktop VNCSERVER_NAME -geometry 1440x900 -AlwaysShared -dpi 100 %i ExecStop=/usr/bin/vncserver -kill %i [Install] WantedBy=multi-user.target
Start vncserver@:1.service
and optionally enable it to run at boot time/shutdown.
In user mode
Create ~/.config/systemd/user/vncserver@.service
and modify it defining the user to run the server. Use this with systemd to manage it.
~/.config/systemd/user/vncserver@.service
[Unit] Description=Remote desktop service (VNC) After=syslog.target network.target [Service] Type=forking ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :' ExecStart=/usr/bin/vncserver -desktop VNCSERVER_NAME -geometry 1440x900 -AlwaysShared -dpi 100 %i ExecStop=/usr/bin/vncserver -kill %i [Install] WantedBy=multi-user.target
Reload the daemons when creating new service files:
systemctl --user daemon-reload
Start the service in usermode:
systemctl --user start vncserver@:1
Copying clipboard contents from the remote machine to the local
If copying from the remote machine to the local machine does not work, run autocutsel on the server, as mentioned below [reference]:
$ autocutsel -fork
Now press F8 to display the VNC menu popup, and select Clipboard: local -> remote
option.
One can put the above command in ~/.vnc/xstartup
to have it run automatically when vncserver is started.
Fix for no mouse cursor
If no mouse cursor is visible when using x0vncserver
, start vncviewer as follows:
$ vncviewer DotWhenNoCursor=1 <server>
Or put DotWhenNoCursor=1
in the tigervnc configuration file, which is at ~/.vnc/default.tigervnc
by default.
Connecting to an OSX system
See https://help.ubuntu.com/community/AppleRemoteDesktop. Tested with Remmina.