Connecting to a Linux machine with VNC

From CS Support Wiki
Revision as of 16:00, 3 June 2010 by Jpr9c (Talk | contribs)


VNC is remote control software that makes your Linux desktop environment on a remote machine available on a local host, much like Windows's Remote Desktop Connection (RDC).

There are key differences between the two:

  • VNC servers and clients have several popular variants, whereas Windows has primarily settled upon the native RDC client and server.
  • VNC is, by default, not secure. In contrast to RDC, data passed within a VNC session can be sniffed. In order to secure the connection, you should always use SSH Tunneling.

Communications Overview

"Tunneling" is a way of setting up an encrypted network pipe between the local machine sitting in front of you and the remote host to which you want to connect. In an ordinary network connection, you start a "client" program that connects to some well-known port number on the remote machine, where the server daemon for that particular service is listening for new connections.

In this case, the vncserver listens on port 590<N> where <N> is the X-display number that vncserver is started with.

vncserver -nevershared :<N>

The client program - e.g., KRDC - connects to the remote host when you give it that port number:


The communication path looks like this:<random open port#> <--><N>

When you set up an ssh tunnel, ssh connects to the remote machine at the specified tunnel port and then simply forwards that data to the same port number on the local host. Think of this like an extension cord. There is an open socket on the remote host; ssh connects to that for you and brings that socket to the localhost. This is useful for network protocols that are insecure (unencrypted) as it allows the unencrypted protocol to connect only on the localhost loopback interface: the unencrypted traffic never passes over the network wire where it can be sniffed, spoofed or otherwise attacked. Now the communication path looks like this:

client:<random open port#> <--> localhost:590<N> <--> ssh tunnel <--><N> <--> server:590<N>

It is critical, when you set up the tunnel, that you use consistent port numbers for "<N>"!
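The loopback-only property described above can be checked on the remote host once vncserver is running. The following is an added example, not part of the original wiki page: it reads `ss -Htln` output and reports VNC listeners (ports 5900-5999) bound to a non-loopback address. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag VNC listeners (TCP 5900-5999) that are reachable
# from the network instead of only through the SSH tunnel.
# Input on stdin: lines from `ss -Htln`
# (columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).

exposed_vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        # Split "addr:port" at the last colon so IPv6 addresses survive.
        n = match(local_addr, /:[0-9]+$/)
        if (n == 0) next
        port = substr(local_addr, n + 1) + 0
        addr = substr(local_addr, 1, n - 1)
        # Display N listens on 5900 + N; ignore every other service.
        if (port < 5900 || port > 5999) next
        # Loopback binds are only reachable locally, i.e. via the tunnel.
        if (addr ~ /^127\./ || addr == "[::1]") next
        printf "display :%d port %d bound to %s\n", port - 5900, port, addr
    }'
}

# Constructed sample of `ss -Htln` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 5 0.0.0.0:5909 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5903 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 [::]:5909 [::]:*
LISTEN 0 5 [::1]:5904 [::]:*'

# Run the check over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners; }
```

On the remote host, run `ss -Htln | exposed_vnc_listeners`. Any line printed means that display can be reached without the tunnel; whether the server can be restricted to loopback (commonly a `-localhost` option) depends on the VNC server variant, so check its man page.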

Quick start

In these examples, we will be using X-display number 9 - so the value for <N> is 9, throughout. If you are the only person using vnc on the remote machine, you can probably just cut-and-paste the commands below, and everything will work. However, if there are multiple vnc users, you may have to pick a different display number to get things to work. You will get an error message from vncserver when you start it if someone is already using that display number.

Start tunneling

On the client machine, tunnel port 5909 from the remote machine over SSH:

Linux clients

ssh -L 5909:localhost:5909 <username>@<remotehost>

Substitute your username and remote host, i.e.

Windows clients

Open SecureCRT. In the "Connect" box, right-click on the session you wish to use. Choose "Properties," then choose the Port Forwarding category. Click "Add..." and type 5909 in the Local Port box. Then, whenever that session is active, the specified port will be forwarded from the local machine to the remote machine.

Start the VNC server

On the remote machine:

vncserver -nevershared :9

The first time you start VNC server, you'll be prompted to create a password that you will need to supply to your VNC clients. Choose something secure!

Start the VNC client

Back on the client machine, start the VNC client for your desktop environment:

Linux clients

  1. Open Remote Desktop Viewer (Under Applications->Internet).
  2. Click Connect
  3. When prompted for the host and port you'd like to connect to, enter "localhost" and "5909".

You'll then be prompted for the password you created when you started your VNC server.

  1. Open Remote Desktop Viewer (Under the Internet menu).
  2. Under the Machine menu, click Connect (or, select the icon that looks like a grey plug)
  3. When prompted for the host and port you'd like to connect to, enter "localhost" and "5909".

You'll then be prompted for the password you created when you started your VNC server.

Windows clients

  1. Start the VNC Viewer
  2. Enter "localhost:9" in the Server box
  3. Click OK

You'll then be prompted for the password you created when you started your VNC server.

  1. Start the UltraVNC Viewer
  2. Enter "localhost:9" in the VNC Server box
  3. Click Connect

You'll then be prompted for the password you created when you started your VNC server.

Mac clients

Chicken of the VNC
  1. Start Chicken of the VNC
  2. Enter "localhost" in the Host box
  3. Enter "9" in the Display box
  4. In the Password box, enter the password you created when you started your VNC server.
  5. Click Connect

Closing down

  • Close out of your VNC client
  • Shut off the VNC server on the remote machine:
vncserver -kill :9
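
The Linux-client tunnel step of the quick start, wrapped as an added example (not from the original wiki page) that derives both port numbers from one display number so they cannot drift apart. The function names, the DRY_RUN variable and the host alice@vnc.example.org are hypothetical; -N, -o ExitOnForwardFailure=yes and the explicit 127.0.0.1 bind are standard OpenSSH options added here.

```shell
#!/bin/sh
# Added example: open the SSH tunnel for VNC display N with one source
# of truth for the port number on both ends of the forward.

# Print the TCP port for display N (5900 + N).
# Rejects empty input, non-digits, leading zeros and values above 99.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*|0?*|???*)
            echo "display must be 0-99 without leading zeros" >&2
            return 1 ;;
    esac
    echo $((5900 + $1))
}

# Open the tunnel for display N to user@host.
#   -N                           forwarding only, no remote shell
#   -o ExitOnForwardFailure=yes  exit if the local port cannot be bound,
#                                instead of running without a forward
#   -L 127.0.0.1:PORT:...        bind the local end to loopback explicitly
# With DRY_RUN set, print the command instead of running it.
vnc_tunnel() {
    port=$(vnc_port "$1") || return 1
    [ -n "$2" ] || { echo "usage: vnc_tunnel N user@host" >&2; return 1; }
    set -- ssh -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$port:localhost:$port" "$2"
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Usage (hypothetical account and host):
#   vnc_tunnel 9 alice@vnc.example.org
```

If ssh exits immediately with a forwarding error, the local port is already taken, usually by an earlier tunnel that is still open.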

Advanced options

Changing your default VNC desktop environment

Metacity is the default window manager for VNC sessions. If you don't explicitly choose a different window manager, your VNC desktop may be a plain X session - a terminal against a grey background, without a taskbar or menus.

To fix this, first shut down your VNC client and server, and edit your ~/.vnc/xstartup file on the remote host.

Find the line "x-window-manager &".

  • If you'd like to use KDE, change this to:
startkde &
  • If you'd like to use Gnome, change this to:
gnome-wm &
gnome-panel &
nautilus --no-default-window &
gnome-cups-icon &
gnome-volume-manager &

Note: We recommend KDE for VNC sessions; we've tested several methods to invoke Gnome, and each has exhibited display or keyboard input problems. The above method was the most reliable method of invoking Gnome in cursory tests.


My VNC desktop is just an "X Desktop" window against a grey background

See "Changing your default VNC desktop environment" under "Advanced options."

I get a "display already in use" error when I start vncserver

Another vncserver is already running with that x-display number. Close the ssh tunnel and start over, choosing a new display number for <N>.

I'm getting a "connection refused" message from the vnc client, even though the tunnel is up

Please double-check your port number values for <N>.