Linux remote access using VNC


VNC is a very common way to connect to a remote system, and also a very primitive (and simple) one. VNC is only able to handle a complete (virtual) display; it does not distinguish between application windows. A VNC server constructs a bitmap image of the (virtual) display, and VNC clients periodically request a new screen image from the server. Keyboard and mouse input is sent back to the server as well.

Using VNC

The VNC configuration is yet another variation of the X11 setup. In Linux, a VNC server does nothing really special: it emulates an X11 display and applications can connect to it. The resulting image won't be displayed on the screen, but sent to the connected VNC client.

There are two ways to start a VNC server. A VNC server can run persistently in the background, or be started on demand using xinetd and XDMCP. There are multiple VNC packages available, and TightVNC is the recommended option to use.

Inetd/xinetd setup

Although a VNC server can be started manually, the dynamic solution is much easier to use. It involves the xinetd server, and a local XDMCP connection.

How to enable XDMCP is explained in the X11 section. The XDMCP setup must be working, but the port can be closed in the firewall. The XDMCP service will only be accessed from the server itself.

The xinetd server listens for incoming connections, and starts the actual service for each new connection. The server can be started with /etc/init.d/xinetd start. Some Linux distributions use inetd instead of xinetd. The configuration for inetd is explained below.

The configuration of xinetd is simple, and only requires a new file in the /etc/xinetd.d/ folder. The Xvnc service is started on request.

Xinetd setup for VNC: /etc/xinetd.d/vnc
service vnc1
{
  socket_type = stream
  protocol    = tcp
  wait        = no
  type        = UNLISTED
  port        = 5901

  user        = nobody
  server      = /usr/X11R6/bin/Xvnc
  server_args = :42 -inetd -once -query localhost -geometry 1024x768 -depth 16
}

Changing the configuration of xinetd requires a restart of the service.

VNC uses the port range 5800-5899 for the servers. The port the server uses depends on the display number. Display 0 uses port 5801, display 1 uses port 5801, and so on.

The configuration file above uses port 5801, so it can be accessed using vncviewer hostname:1. KDE users can start krdc with the location vnc://hostname:1.

VNC Applications

There are various VNC applications available:

The TightVNC package is available for Windows and Linux. It supports a "tight" encoding which is optimized for slow network connections.
KRDC is the remote desktop client installed with KDE. It also supports Windows Terminal Servers if rdesktop is installed.
TSClient is a remote desktop client for the GNOME desktop.

Alternative inetd setup

Some Linux distributions still use inetd, others use xinetd. The xinetd server performs the same functions as inetd.

The configuration of inetd is more complex. A new service must be defined in /etc/services, and the configuration consists of one long line in /etc/inetd.conf.

Addition to /etc/services:
vnc1024  5801/tcp  # add this line to the file
Addition to /etc/inetd.conf:
vnc1024 stream tcp nowait nobody /usr/bin/Xvnc Xvnc -inetd -query localhost -once -depth 16 -geometry 1024x768

Tunneling VNC through SSH

The VNC protocol is insecure by design: it does not encrypt the connection between the server and client. SSH solves the problem. A secure tunnel can be established between the systems. Because all traffic will be sent over SSH, the VNC ports can be closed in the firewall too!

Creating an SSH tunnel:
ssh -L 5899:localhost:5801 -C username@hostname

SSH will forward all data received at the local port (5899) to the server. The server forwards the data to localhost:5801. Leave the SSH tunnel open, and start the VNC client from a new shell.

Accessing the VNC tunnel:
vncviewer -compresslevel 9 -quality 4 -encodings "tight copyrect" localhost:99

In the command above, the compression levels are defined explicitly. The VNC client tries to use the best encoding automatically. For local connections, the "raw" encoding will be used. This behaviour is overridden using the extra parameters.
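
With the tunnel in place, the Xvnc service only has to be reachable from the server itself. The check below is an added example, not part of the original page: it parses an xinetd service file and flags stanzas that are not restricted to loopback through xinetd's bind/interface or only_from attributes. The function names and both sample files are constructed for illustration; the first sample is the stanza shown earlier on this page.

```shell
#!/bin/sh
# Added example (not from the original page): report xinetd services that are
# reachable from outside the host. A stanza counts as loopback-only when it sets
# bind/interface to a loopback address, or only_from lists only loopback sources.
xinetd_loopback_only() {
    awk '
        /^[ \t]*#/      { next }                      # skip comment lines
        $1 == "service" { name = $2; safe = 0; next } # new stanza starts
        ($1 == "bind" || $1 == "interface") && $2 == "=" {
            if ($3 == "127.0.0.1" || $3 == "::1") safe = 1
        }
        $1 == "only_from" && $2 == "=" && NF >= 3 {
            ok = 1
            for (i = 3; i <= NF; i++)
                if ($i != "127.0.0.1" && $i != "::1" && $i != "localhost") ok = 0
            if (ok) safe = 1
        }
        $1 == "}" { if (!safe) { print "exposed: " name; bad = 1 } }
        END { exit bad + 0 }                          # 0 = all loopback-only
    ' "$1"
}

# Constructed sample files: the stanza from this page, and a loopback-only variant.
write_samples() {
    cat > "$1/vnc-open" <<'EOF'
service vnc1
{
  socket_type = stream
  protocol    = tcp
  wait        = no
  type        = UNLISTED
  port        = 5901
  user        = nobody
  server      = /usr/X11R6/bin/Xvnc
  server_args = :42 -inetd -once -query localhost -geometry 1024x768 -depth 16
}
EOF
    # Same service, but xinetd listens on the loopback interface only.
    awk '{ print } $1 == "port" { print "  bind        = 127.0.0.1" }' \
        "$1/vnc-open" > "$1/vnc-hardened"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in vnc-open vnc-hardened; do
    if xinetd_loopback_only "$dir/$f"; then echo "$f: loopback only"; fi
done
rm -rf "$dir"
```

The bind line in the second sample is what keeps the service off the external interfaces even when the firewall rule is missing.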

Manual VNC setup

A VNC server can be started manually from SSH, using the vncserver command.

Starting the VNC server:
vncserver -name MyVNC -depth 8 -geometry 800x600
The server will respond with something like:
Response of the VNC server:
New 'MyVNC' desktop is hal9000:3

Starting applications specified in /home/diederik/.vnc/xstartup
Log file is /home/diederik/.vnc/hal9000:3.log

This indicates the server can be accessed using vncviewer :3, and stopped using vncserver -kill :3.

Most servers also open a second port in the 5900 range to serve a Java VNC applet for web browsers.

As the server starts, it runs the commands in ~/.vnc/xstartup to launch the desktop applications. This file can be changed to use a more advanced desktop instead of TWM. The default setup starts TWM, one of the simplest window managers available. TWM has a simple menu which can be accessed using the right mouse button.

Because the server runs permanently, running a large desktop environment might not be the best idea. VNC is a bit slow, and a colorful desktop will also be a drag on resources. XFCE4 is a nice alternative desktop, and also suitable for VNC connections.
