
TigerVNC server through SSH Tunnel

by zdenek last modified Feb 24, 2011 09:32 PM

Short guide to configuring a VNC server and reaching it through an SSH tunnel, so that the remote desktop session is encrypted end to end.

Applicable to Fedora Versions

  • All

Requirements

  1. Basic knowledge of vim (or any other preferred editor).
  2. We need to execute some commands as root. To configure sudo so that you can execute commands as root, follow this guide > Configuring SUDO
  3. In addition, we need SSH access to the remote system on which the VNC server will run. Ensure that the firewall of that remote system allows the SSH service.
  4. If you want to connect from the internet to a VNC server that sits behind the firewall of your local network, set up port forwarding of the SSH port to the VNC server on your router, so that incoming SSH connections from the internet are routed to the VNC server. Only the SSH port is needed; the VNC port itself stays unreachable from outside.

Doing the Work

In the following steps we will install the VNC server, configure a VNC user and start the VNC service. Because the current version of the TigerVNC server (1.0.9) provides only a plain connection (the VNC password is checked with a DES challenge-response and everything after that, keystrokes included, travels unencrypted), I will use an SSH tunnel to encrypt all communication between the VNC server and the client.
It has one more advantage: you do not need to configure your firewall and/or router with additional rules for ports and their forwarding, because the SSH port is the only port that needs to be opened and/or forwarded.

  1. Install the VNC server on the remote system that you want to reach via remote desktop:
    su -c 'yum -y install tigervnc-server'
  2. As soon as the installation is finished, make a backup of the VNC server configuration file /etc/sysconfig/vncservers:
    su -c 'cp /etc/sysconfig/vncservers /etc/sysconfig/vncservers.backup'
  3. Open the VNC server configuration file with your preferred editor (I used vim):
    su -c 'vi /etc/sysconfig/vncservers'
  4. Read the instructions in this file and have a look at the commented example at its end:
    # VNCSERVERS="2:myusername"
    # VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"
  5. The display number (2 in the example) determines the TCP port through which the remote desktop of user "myusername" will be accessible. VNC ports start at 5900; the port of a display is 5900 plus its display number, so in this example user "myusername" is reached on port 5902 (5900 + 2). We will need this number later on.
    Server parameters (the VNCSERVERARGS[ ] line) are explained in the configuration file. The "-geometry" argument defines the resolution of the remote desktop screen.
    Let's create our own profile in this configuration file (use your own user name). Add these lines at the end of the configuration and save it once you are done:
    VNCSERVERS="1:zdenek"
    VNCSERVERARGS[1]="-geometry 1440x900 -nolisten tcp -localhost"
    In this case I want user "zdenek" to have display number 1, which means his desktop is reached through port 5901, with a resolution of 1440x900. "-nolisten tcp" stops the X server inside Xvnc from accepting X11 connections over TCP, and "-localhost" makes Xvnc bind port 5901 to 127.0.0.1 only, so VNC clients can connect only through a tunnel that terminates on the server itself (that's our goal). Without "-localhost" the unencrypted VNC port would be reachable from the network and the tunnel would be optional rather than enforced.
    If you want more users, feel free to add them: just be sure each user gets a different display number, for example VNCSERVERS="1:zdenek 2:john" with a matching VNCSERVERARGS[2] line.
  6. Create the VNC password for your user. Log in as that user (zdenek in my example) and run
    vncpasswd
    You will be asked to type your new VNC password and then to confirm it. This step creates the hidden configuration directory .vnc in the user's home directory. It contains the password file and the start-up script of the remote desktop:
    ll ~/.vnc

    -rw-------. 1 zdenek zdenek 8 Dec 18 2009 passwd
    -rwxr-xr-x. 1 zdenek zdenek 576 Dec 22 2009 xstartup
    Note that the 8-byte passwd file is not really encrypted: the VNC password is truncated to 8 characters and obfuscated with DES under a fixed, publicly known key, so anyone who can read the file can recover the password. The 0600 mode that vncpasswd sets is what protects it; keep it that way. This is one more reason to expose the VNC port only through the SSH tunnel.
  7. Start the VNC server:
    su -c '/sbin/service vncserver start'
    You should see the following output:
    Starting VNC server: 1:zdenek                              [  OK  ]
    If you reboot the remote system now, the VNC server will not start during boot. To start it on every boot, execute:
    su -c '/sbin/chkconfig vncserver on'
    You can also confirm that "-localhost" took effect: on the server, "netstat -tln | grep 5901" (or "ss -tln") must show the port bound to 127.0.0.1, not to 0.0.0.0 or *.
    At this point we have finished our work on the remote system. The VNC server is running and user zdenek has his own desktop reserved there.
  8. We will now connect from our client to the remote VNC server through an SSH tunnel. First install the VNC viewer (client) on the client PC, if not already done. If the client PC runs Fedora as well, execute:
    su -c 'yum install tigervnc'
  9. I have assigned display number 1 to user zdenek on the remote VNC server, so his VNC port there is 5901.
    Open a terminal on your client and run the following command (use your own user name and the IP address of the remote VNC server, and change the VNC port to the one that applies to your user):
    ssh -l zdenek -L 5901:127.0.0.1:5901 192.168.2.101
    This opens an SSH connection as user zdenek to the remote VNC server with IP address 192.168.2.101. "-L 5901:127.0.0.1:5901" has the form "-L local-port:host:remote-port" and tells SSH to forward local port 5901 to port 5901 of 127.0.0.1 as seen from the remote side, i.e. the loopback interface of the VNC server, which is exactly where "-localhost" made Xvnc listen. Keep this SSH session open for as long as you use the desktop; add "-N" if you only want the tunnel and no remote shell.
  10. Open the VNC viewer on your client by executing
    vncviewer
    or start it from the menu "Applications" > "Internet" > "TigerVNC Viewer". The following window will pop up:
    [screenshot: TigerVNC Viewer connection dialog]
    Type the loopback address (127.0.0.1) followed by a colon and the display number of your desktop. Do not use the public or private IP address of the VNC server: the server only listens on its own loopback interface, and the local end of the tunnel is on your client's loopback, so nothing else will work. In general, use 127.0.0.1:N, where N is the assigned display number (the viewer translates display N to port 5900 + N); in my case it is 127.0.0.1:1. Click OK. You will be asked for a password: type the one you set up in step 6 above and press Return.
    [screenshot: VNC authentication prompt]
    A window with the remote desktop will appear.
    [screenshot: remote desktop shown in the VNC viewer]
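To check the two numbers the procedure above depends on (the port that belongs to a display number, and whether "-localhost" really bound that port to the loopback interface) without doing it by hand, here is a small shell script. It is an added example for this guide, not code from the original page or from TigerVNC. The VNCSERVERS value and the listener table in it are constructed samples; the comments show how to feed it the real values on the server.

```shell
#!/bin/sh
# Added example, not part of the original guide or of TigerVNC: derive the VNC
# port of a user from the VNCSERVERS setting, and check that "-localhost"
# really bound that port to the loopback interface only. Both inputs below are
# constructed samples; on the real server use
#   SAMPLE_VNCSERVERS=$(bash -c '. /etc/sysconfig/vncservers && echo "$VNCSERVERS"')
#   SAMPLE_LISTENERS=$(netstat -tln | tail -n +3)      # or: ss -tln | tail -n +2

# Constructed VNCSERVERS value: two users, displays 1 and 2.
SAMPLE_VNCSERVERS="1:zdenek 2:john"

# Constructed listener table in "ss -tln" column order (State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port). Display 1 is bound to loopback only,
# as "-localhost" should do; display 2 was started without "-localhost" and is
# reachable from the network without the tunnel.
SAMPLE_LISTENERS='LISTEN 0 5 127.0.0.1:5901 *:*
LISTEN 0 5 *:5902 *:*
LISTEN 0 128 *:22 *:*'

# vnc_port USER VNCSERVERS -> prints 5900 + display number of USER,
# returns 1 if USER has no display in VNCSERVERS.
vnc_port() {
    for entry in $2; do
        case $entry in
            *:"$1")
                display=${entry%%:*}
                echo $((5900 + display))
                return 0
                ;;
        esac
    done
    return 1
}

# bound_to LISTENERS PORT -> prints the local address PORT is bound to
# (e.g. 127.0.0.1, or * / 0.0.0.0 for all interfaces), returns 1 if nothing
# listens on PORT. Works on "ss -tln" and "netstat -tln" output: both put the
# local address in the fourth column.
bound_to() {
    addr=$(printf '%s\n' "$1" | awk -v p="$2" '
        { n = split($4, a, ":") }
        a[n] == p { sub(":" p "$", "", $4); print $4; exit }')
    [ -n "$addr" ] && echo "$addr"
}

# localhost_only LISTENERS PORT -> 0 if PORT is bound to a loopback address
# only, 1 if it is bound elsewhere or not listening at all.
localhost_only() {
    addr=$(bound_to "$1" "$2") || return 1
    case $addr in
        127.0.0.1|::1|'[::1]') return 0 ;;
        *) return 1 ;;
    esac
}

# ssh_tunnel_cmd USER HOST VNCSERVERS -> prints the ssh command from step 9
# for USER ("-N": tunnel only, no remote shell).
ssh_tunnel_cmd() {
    port=$(vnc_port "$1" "$3") || return 1
    echo "ssh -N -l $1 -L $port:127.0.0.1:$port $2"
}

# Usage with the constructed samples:
for u in zdenek john; do
    port=$(vnc_port "$u" "$SAMPLE_VNCSERVERS")
    if localhost_only "$SAMPLE_LISTENERS" "$port"; then
        echo "$u: port $port is loopback-only, connect with:"
        echo "    $(ssh_tunnel_cmd "$u" 192.168.2.101 "$SAMPLE_VNCSERVERS")"
    else
        echo "$u: port $port is reachable without the tunnel, add -localhost to VNCSERVERARGS" >&2
    fi
done
```

Run it on the VNC server after step 7: a display reported as reachable without the tunnel means its VNCSERVERARGS line lacks "-localhost" and the plain VNC port is open to the network, which defeats the point of the tunnel.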

Troubleshooting

  1. The remote desktop has too low / too high a resolution.
    - Check the user's desktop setting in the VNC configuration file /etc/sysconfig/vncservers and update the resolution behind the "-geometry" parameter. Restart the VNC server after that:
    su -c '/sbin/service vncserver restart'
  2. How to get rid of the "VNC config" menu window that pops up on the remote desktop at each login.
    I mean this one:
    [screenshot: the "VNC config" window]
    - Go to the user's .vnc directory on the VNC server
    cd ~/.vnc
    - Edit the xstartup file
    vi xstartup
    - Comment out the "vncconfig -iconic &" line with a "#" so that it reads
    #vncconfig -iconic &
    - Save the file and restart the VNC server
    su -c '/sbin/service vncserver restart'
  3. The remote desktop is grey / is not the one I use (Gnome or KDE).
    - If you have a problem with the graphical interface of the remote desktop, you need to modify the user's "xstartup" file in the .vnc directory so that it starts your Gnome or KDE session. Go to the user's .vnc directory on the VNC server
    cd ~/.vnc/
    Edit the xstartup file
    vi xstartup
    Note that the default xstartup contains "exec /etc/X11/xinit/xinitrc": when that file exists, xinitrc replaces the script and starts the system default session, and nothing after the exec line is ever executed. Comment out (or delete) the two "exec" blocks if you want the lines at the end of the file to decide which desktop starts. Then go to the end of the file, comment out the line "twm &" and add "gnome-session &" to start Gnome or "startkde &" for KDE. (Do not use "startx" here: it tries to start a second X server, while inside the Xvnc session an X server is already running and only the desktop session must be launched.) The final result will be the following:
    for Gnome
    #twm &
    gnome-session &
    or for KDE
    #twm &
    startkde &
    Save the file and restart the VNC server
    su -c '/sbin/service vncserver restart'
  4. I cannot log in on the VNC server but the SSH tunnel works.
    - Compare the port assigned to your desktop in the VNC configuration file /etc/sysconfig/vncservers with the remote port used in your tunnel. Are both the same? If not, fix the port number in your tunnel command and connect again. Compare your SSH tunnel command with the one listed in step 9 of the How To.
    - If still no success, you may have changed the VNC configuration and forgotten to restart the VNC service:
    su -c '/sbin/service vncserver restart'
    - If still no success, check the .vnc directory in the user's home directory on the remote server. Is the .vnc directory of user "John" really located in the home directory of that same user "John", and owned by him? If not, fix it and restart VNC after that:
    su -c '/sbin/service vncserver restart'
    - If still no success, rename the current .vnc directory and create a new one by generating the VNC password again:
    mv ~/.vnc ~/.vnc.backup
    vncpasswd
    Restart the VNC server after that:
    su -c '/sbin/service vncserver restart'
  5. I cannot log in on the VNC server because the SSH tunnel doesn't work. Both the VNC server and my client are in the same intranet (e.g. at home).
    - Check whether the SSH service is running on the VNC server, and restart it:
    su -c '/sbin/service sshd restart'
    Ensure the SSH service starts every time the system boots:
    su -c '/sbin/chkconfig sshd on'
    - If still no success, ensure the firewall of the VNC server lists SSH as a trusted service. Even if it is already checked as trusted in your firewall tool, uncheck the SSH box and check it again, then confirm the settings and apply the firewall configuration after authenticating as root. You can verify the result with "su -c 'iptables -L -n'": there must be an ACCEPT rule for tcp dpt:22.
    - If still no success, check the SSH configuration file /etc/ssh/sshd_config. Is your user listed in AllowUsers if you applied that access restriction? Is SSH key authentication required instead of a password login (PasswordAuthentication no)? Is AllowTcpForwarding set to "no"? If so, sshd refuses the -L forwarding and the ssh client reports "administratively prohibited" when the viewer connects, even though the login itself succeeds. Does the user account exist on the remote VNC server? Is the account locked? And so on. Restart sshd after any change.
  6. I cannot log in on the VNC server because the SSH tunnel doesn't work. The VNC server and my client are in different networks (e.g. one at home and the other in the office, or vice versa).
    - Check that a port forwarding rule for the SSH port is configured and activated on the router behind which the VNC server is located. In other words, the VNC server must be "visible" from the internet on this SSH port.
    Example of such a port forwarding setting on the router:
    [screenshot: router port forwarding rule, TCP 22 to 192.168.2.101]
    It means that all incoming traffic on TCP port 22 from the internet (from the office, for example) is sent to private IP address 192.168.2.101 on the local network (the home PC running the VNC server). No other ports are needed because all communication goes through the SSH tunnel. Keep in mind that this exposes sshd to the whole internet: before you add the rule, disable root login (PermitRootLogin no), prefer key authentication, and restrict logins to the users who need them with AllowUsers.
    - If still no success, check whether you have changed the default SSH port in /etc/ssh/sshd_config. If you did, correct the port number in the port forwarding rule on your router and use "-p <port>" in your ssh command.
    - If still no success, follow the questions and answers in step 5 of the Troubleshooting chapter.
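The sshd settings mentioned in the troubleshooting items above are the ones that most often break the tunnel. The following shell script is an added example for this guide (mine, not from the original page or from OpenSSH): it reads an sshd_config text and reports the settings that matter for this setup. The configuration excerpt in it is constructed, and the effective port it prints is the one the router rule must forward.

```shell
#!/bin/sh
# Added example, not part of the original guide or of OpenSSH: inspect the
# sshd_config settings that decide whether "ssh -L" can build the VNC tunnel.
# SAMPLE_SSHD_CONFIG is a constructed excerpt; on the server use
#   sshd_check "$(cat /etc/ssh/sshd_config)" zdenek
# Limitations: only top-level keywords are read (no "Match" blocks) and
# AllowUsers patterns such as user@host or wildcards are not expanded.

SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers john
PasswordAuthentication yes
AllowTcpForwarding no
'

# sshd_opt CONFIG KEYWORD -> prints the value of the first uncommented
# KEYWORD line (sshd honours the first occurrence; keywords are
# case-insensitive). Returns 1 if the keyword is not set.
sshd_opt() {
    val=$(printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }')
    [ -n "$val" ] && echo "$val"
}

# ssh_port CONFIG -> the port to forward on the router (22 if no Port line).
ssh_port() {
    sshd_opt "$1" Port || echo 22
}

# lower STRING -> lower-cased string
lower() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# sshd_check CONFIG USER -> prints one line per finding. Returns 1 when a
# finding would stop the tunnel for USER, 0 when the config looks usable.
sshd_check() {
    cfg=$1
    user=$2
    rc=0
    if allowed=$(sshd_opt "$cfg" AllowUsers); then
        case " $allowed " in
            *" $user "*) ;;
            *) echo "AllowUsers is set but does not include $user; sshd will reject the login"
               rc=1 ;;
        esac
    fi
    if [ "$(lower "$(sshd_opt "$cfg" AllowTcpForwarding)")" = no ]; then
        echo "AllowTcpForwarding no: the login succeeds but -L is refused and the"
        echo "ssh client prints 'administratively prohibited' when vncviewer connects"
        rc=1
    fi
    if [ "$(lower "$(sshd_opt "$cfg" PasswordAuthentication)")" = no ]; then
        echo "note: PasswordAuthentication no, an SSH key is required for $user"
    fi
    if [ "$(lower "$(sshd_opt "$cfg" PermitRootLogin)")" != no ]; then
        echo "note: PermitRootLogin is not 'no'; set it before forwarding SSH from the internet"
    fi
    return $rc
}

# Usage with the constructed excerpt:
echo "router rule: forward TCP port $(ssh_port "$SAMPLE_SSHD_CONFIG") to the VNC host"
sshd_check "$SAMPLE_SSHD_CONFIG" zdenek || echo "fix the findings above, then restart sshd"
```

With the constructed excerpt the script reports that zdenek is missing from AllowUsers and that TCP forwarding is disabled, and it tells you to forward port 2222 rather than 22; the two "note" lines are not errors but the settings you want in place before the SSH port is reachable from the internet.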

More Information

The xstartup configuration file

In case you have doubts about the content of the user's xstartup file in the .vnc directory of the user's home, my own configuration is posted below for comparison. It is the default file shipped with tigervnc-server with two changes: the vncconfig line is commented out (see Troubleshooting) and Gnome is started instead of twm. Note the two "exec" blocks: on a Fedora system /etc/X11/xinit/xinitrc exists, so the script is replaced by it and the lines after the exec blocks never run. They only take effect if you comment those blocks out.

#!/bin/sh

# The "VNC config" window; commented out so it does not pop up at login.
#vncconfig -iconic &

# Forget the session manager and D-Bus address inherited from the login
# that started vncserver, so the desktop does not attach to the wrong session.
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS

# SuSE-specific PATH fix-up carried over from the default xstartup.
OS=`uname -s`
if [ "$OS" = 'Linux' ]; then
    case "$WINDOWMANAGER" in
        *gnome*)
            if [ -e /etc/SuSE-release ]; then
                PATH=$PATH:/opt/gnome/bin
                export PATH
            fi
            ;;
    esac
fi

# Hand over to the system xinitrc if present. "exec" replaces this script,
# so nothing below runs when one of these files exists.
if [ -x /etc/X11/xinit/xinitrc ]; then
    exec /etc/X11/xinit/xinitrc
fi
if [ -f /etc/X11/xinit/xinitrc ]; then
    exec sh /etc/X11/xinit/xinitrc
fi

# Fallback session, used only when no system xinitrc exists.
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#twm &
gnome-session &

Disclaimer

We test this stuff on our own machines, really we do. But you may run into problems, if you do, come to #fedora on irc.freenode.net
