How to set up VNCServer with secure connections

Scenario / Question:

How do I set up vncserver so I can remote into my server or workstation? How do I configure vncserver to be secure and use an encrypted connection?

Solution / Answer:

Install vnc-server on the remote machine and a VNC viewer (vncviewer) on the computer you want to connect from. Use an SSH tunnel so that the VNC connection is encrypted and the VNC server is never exposed directly on the network.

Install and Setup vnc-server

Install vnc server:

# yum -y install vnc-server

Configure vnc server:

Remote user is: admin

Remote display is: 2

Desktop Resolution: 1024x768

As root add to the file /etc/sysconfig/vncserver:

# vi /etc/sysconfig/vncserver
VNCSERVERS="2:admin"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -nohttpd -localhost"

VNCSERVERS="2:admin" – defines the vnc server instances. In this case vncserver will start an instance for user "admin" on display "2".

VNCSERVERARGS[2] – defines the Xvnc options for display "2"; the index in [2] must match the display number used in VNCSERVERS.

-geometry 1024x768 – sets the desktop resolution to 1024x768

-nolisten tcp – stops the Xvnc X server from accepting X11 client connections over TCP

-nohttpd – disables the built-in web server, so web-based VNC clients cannot connect

-localhost – makes Xvnc accept VNC connections only from the local machine, so remote clients can connect only through a tunnel that terminates on the server (our SSH tunnel).

VNC Server ports

VNC Server uses ports based on the instance display number: the port is 5900 plus the display number (590x for a single-digit display x). In our case we used display "2", so VNC Server will be expecting connections on port 5902.

So when connecting to display 2 for user admin we will need to connect to port 5902.

VNC-Server User setup:

We need to set up the "admin" user that will connect to the vnc-server. "admin" needs to be a local Linux user account. We also need to define a VNC password for user admin; vncpasswd must be run as that user so the password is stored in /home/admin/.vnc/passwd, where the vncserver instance for "2:admin" reads it.

# adduser admin
# passwd admin
# su - admin -c vncpasswd

Start VNC-Server and set to start at boot

# service vncserver restart
# chkconfig vncserver on

VNC Server User Configuration

User settings are stored in the file /home/[user]/.vnc/xstartup (replace "[user]" with the name of the user you set up).

By default vnc-server gives the user an xterm and the minimal twm window manager. This isn't the greatest for remotely managing a GUI-based system; Gnome would be better.

VNC Server to use Gnome desktop

Edit the xstartup file so that it looks like this:

#!/bin/sh

unset SESSION_MANAGER
# Hand the session to the system xinitrc, which starts the default desktop
# (GNOME on a standard install). exec never returns, so the lines below only
# run if that file is missing.
[ -x /etc/X11/xinit/xinitrc ] && exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
xsetroot -solid grey
vncconfig -iconic &
# xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
# twm &
# Fallback: start the GNOME session directly instead of xterm/twm
gnome-session &

Restart the VNC server for changes to take effect:

# service vncserver restart

Secure VNC Server via SSH Tunnel

VNC Server is insecure by default (the VNC protocol itself is unencrypted), but we can make it secure by using SSH tunnels. In order for SSH tunnels to work you must have sshd set up and port 22 open on the remote system's firewall; port 5902 does not need to be open, because with -localhost the VNC server only accepts connections that arrive via the tunnel.

The command to create the SSH tunnel and start the VNC viewer is:

# ssh -f -L 5902:127.0.0.1:5902 admin@HOSTIP sleep 30; vncviewer 127.0.0.1:2

-f – Requests ssh to go to the background just before command execution. This is the recommended way to start X11 programs at a remote site.

-L – Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This forwards our local port 5902 to 127.0.0.1:5902 as seen from the remote host, which is exactly where the -localhost option makes Xvnc listen. Anything you send to local port 5902 is carried inside the SSH session to the remote host's port 5902.

admin@HOSTIP – user and remote host's IP for the SSH connection

sleep 30 – Runs as the remote command and keeps the SSH session open for 30 seconds. If nothing connects through the tunnel within those 30 seconds, ssh exits; if vncviewer has connected, ssh stays alive until that forwarded connection is closed. This prevents an SSH process from being left open after we exit our VNC session.

vncviewer 127.0.0.1:2 – Start the vncviewer program and connect to "localhost" display "2", i.e. local port 5902, which the tunnel carries to the remote VNC server.
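The following is an added example, not code from the original article: it ties the configuration section and the tunnel section together by reading a configuration file in /etc/sysconfig/vncserver format, flagging any VNCSERVERS instance whose VNCSERVERARGS lack -localhost or -nolisten tcp (such an instance would accept unencrypted connections on 5900 + display from the network), and building the matching SSH tunnel command for a given instance. The configuration text, the second user "bob" and the host 192.0.2.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit a config in
# /etc/sysconfig/vncserver format for instances that are not restricted to
# localhost, and build the matching ssh tunnel command.
# The sample config below is constructed; user "bob" is hypothetical.
SAMPLE_CONFIG='VNCSERVERS="2:admin 3:bob"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -nohttpd -localhost"
VNCSERVERARGS[3]="-geometry 800x600"'

# vnc_port DISPLAY -> TCP port the Xvnc instance listens on (5900 + display number)
vnc_port() { echo $((5900 + $1)); }

# vnc_args CONFIG DISPLAY -> the VNCSERVERARGS value for DISPLAY (empty if unset)
vnc_args() {
    printf '%s\n' "$1" | sed -n "s/^VNCSERVERARGS\[$2\]=\"\(.*\)\"$/\1/p"
}

# vnc_is_localhost_only CONFIG DISPLAY -> succeeds only if the instance has both
# -localhost (no remote VNC clients) and -nolisten tcp (no remote X11 clients)
vnc_is_localhost_only() {
    args=" $(vnc_args "$1" "$2") "
    case "$args" in *" -localhost "*) ;; *) return 1 ;; esac
    case "$args" in *" -nolisten tcp "*) return 0 ;; *) return 1 ;; esac
}

# vnc_audit CONFIG -> one line per VNCSERVERS entry: DISPLAY USER PORT ok|EXPOSED
vnc_audit() {
    servers=$(printf '%s\n' "$1" | sed -n 's/^VNCSERVERS="\(.*\)"$/\1/p')
    for entry in $servers; do
        disp=${entry%%:*}; user=${entry#*:}
        if vnc_is_localhost_only "$1" "$disp"; then state=ok; else state=EXPOSED; fi
        echo "$disp $user $(vnc_port "$disp") $state"
    done
}

# tunnel_cmd USER HOST DISPLAY -> the article's ssh-tunnel + vncviewer command line;
# the local port is forwarded to the remote loopback, where -localhost makes Xvnc bind
tunnel_cmd() {
    port=$(vnc_port "$3")
    echo "ssh -f -L $port:127.0.0.1:$port $1@$2 sleep 30; vncviewer 127.0.0.1:$3"
}

vnc_audit "$SAMPLE_CONFIG"
tunnel_cmd admin 192.0.2.10 2
```

Run against the real file with vnc_audit "$(cat /etc/sysconfig/vncserver)" to list every instance that is reachable without the tunnel.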

Fabio Milano has written 79 articles for us. Fabio Milano is a certified RHCE, MCP, and CFOI. He runs an IT consulting and services company called RDS Support inc. Website: http://www.rdssupport.com
The information provided is for educational purposes only. All content including links and comments is provided "as is" with no warranty, expressed or implied. Use is at your own risk and you are solely responsible for what you do with it.

3 Comments so far

  1. sovan on October 21st, 2009

    Hi, how are you?
    I want to ask you about configuring vncserver on Fedora 10 and an error connecting two networks.
    Sorry, I can't speak English.

  2. Fabio Milano on October 21st, 2009

    What is your problem?

  3. mtz on September 8th, 2011

    Very insightful stuff.
