TightVNC is a VNC (Virtual Network Computing) Unix server and viewer. It is a remote display program that allows you to run totally parallel sessions on a machine which you can access from anywhere on a LAN or over the Internet. The server and all applications your start continue to run on it even when you disconnect. This is NOT the same as controlling the desktop that is being displayed on the local monitor/LCD. To do this, see the [connecting to the root desktop] section of this article.
Again, these vncserver run totally in parallel to your desktop session. You can also have multiple servers running simultaneously on the same machine (each on a different port). To improve security of sessions VNC can be piped through SSH (Secure SHell).
- 1 Running VNC Server
- 2 Securing VNC Server by SSH Tunnels
- 3 Working with Clipboards
- 4 Connecting to the Root (:0) Desktop
- 5 Complete List of Tightvncserver Options
Running VNC Server
First Time Setup
Start tightvncserver to create your initial files and to assign your password(s) like so:
$ vncserver :1
The default port the server runs on is :1 which corresponds to the the TCP port on which the server is running (where 5900+n = port number). In this case, it's running on 5900+1=5901.
With the password(s) assigned, kill the server to configure a desktop with the following command:
$ vncserver -kill :1
In the future, one may wish to have multiple vncservers running in parallel. To kill a specific server, specify its specific port number in the kill statement.
The xstartup File
Tightvncserver gets its info from the Template:Filename which is created the first time tightvncserver runs. The xstartup file works just like an .xinitrc file. Edit to your liking. An example is provided here:
#!/bin/sh export XKL_XMODMAP_DISABLE=1 exec ck-launch-session startlxde #for an lxde session #exec ck-launch-session gnome-session #for a gnome-session #exec ck-launch-session openbox-session #for an openbox desktop #exec ck-launch-session startxfce4 #for an xfce desktop #exec ck-launch-session icewm #for an icewm desktop #exec ck-launch-session startkde #for a kde desktop
The export XKL_XMODMAP_DISABLE=1 line is needed to avoid keyboard mis-mapping. Do not omit it!
Users can also add a line here to autostart any script/program. For example, the latest version of lxde doesn't autoload the desktop wallpaper/icons by default. One must do so manually as shown in the last line of this example:
#/bin/sh export XKL_XMODMAP_DISABLE=1 exec ck-launch-session startlxde exec pcmanfm --desktop
Below is a simple script one can use to start vncserver in a specific resolution, allowing multiple users to view/control simultaneously, and setting the dpi on the virtual server to 96:
#!/bin/bash vncserver -geometry 1440x900 -alwaysshared -dpi 96 :1
For a complete list of options, see the [Complete List of Tightvncserver Options] section of this article.
Starting and Stopping VNC Server at Bootup and Shutdown
To have the VNC Server run automatically at startup simply, call it from the Template:Filename like so replacing USERNAME with the name of the user on the system who owns the VNC Server:
su USERNAME -c "vncserver -geometry 1440x900 -alwaysshared -localhost -dpi 96 :1"
Likewise, have the vncserver shutdown by killing it from the Template:Filename like so:
su USERNAME -c "/usr/bin/vncserver -kill :1"
Securing VNC Server by SSH Tunnels
On the Server
One wishing access to the vncserver should be concerned about plain text passwords and unencrypted traffic to/from the viewer and server. VNC Server is easily secured by ssh tunneling. Additionally, one need not open up another port to the outside using this method since the traffic is literally tunneled through the SSH port which the user already has open to the WAN. It is highly recommended to use the -localhost switch when running vncserver in this scenario. This switch only allows connections from the localhost -- and by analogy only by users physically ssh'ed and authenticated on the box!
$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1
On the Client
With the server now only accepting connection from the localhost, connect to the box via ssh using the -L switch to enable tunnels. For example:
$ ssh IP_OF_TARGET_MACHINE -L 8900/localhost/5901
This forwards the server port 5901 to your client box on port 8900. Once connected via SSH, leave that xterm or shell window open; it is acting as a secured tunnel to/from server. To connect via vnc, open a second xterm and connect not to the remote IP address, but to the localhost of the client thus using the secured tunnel:
$ vncviewer localhost:8900
From the ssh man page: -L [bind_address:] port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax:
[bind_address/] port/host/ hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost indicates that the listening port be bound for local use only, while an empty address or `*' indicates that the port should be available from all interfaces.
Working with Clipboards
Cut and paste to/from the clipboard does not work out of the box, at least with tightvnc version 1.3.10. This feature is available through autocutsel which is in [community].
# pacman -S autocutsel
Make sure it is executed with the -fork option, either interactively or from your Template:Filename
#!/bin/sh export XKL_XMODMAP_DISABLE=1 autocutsel -fork exec ck-launch-session startlxde #for an lxde session #exec ck-launch-session gnome-session #for a gnome-session #exec ck-launch-session openbox-session #for an openbox desktop #exec ck-launch-session startxfce4 #for an xfce desktop #exec ck-launch-session icewm #for an icewm desktop #exec ck-launch-session startkde #for a kde desktop
Connecting to the Root (:0) Desktop
When you connect to vncserver with your client, by default you are given a new X session with your own desktop. This means that a person who is physically sitting in front of the server will not see your remote session, and vice-versa you cannot see or interact with the root (:0) or physical desktop.
If you would like to remote into a machine with vnc and actually see and interact with the root desktop you can use x11vnc, which provides access to the root (:0) desktop by default. A person sitting in front of the server will see your actions, such as the mouse moving etc.
x11vnc is very similar to setup, and you can use the same clients as vncserver.
Complete List of Tightvncserver Options
Additional options may be defined by the user, for a complete list enter a bad option which forces vncserver to display all available options.
vncserver -tit $ vncserver -tit Couldn't start Xvnc; trying default font path. Please set correct fontPath in the vncserver script. Couldn't start Xvnc process. Unrecognized option: -tit use: X [:<display>] [option] -a # mouse acceleration (pixels) -ac disable access control restrictions -audit int set audit trail level -auth file select authorization file bc enable bug compatibility -bs disable any backing store support -c turns off key-click c # key-click volume (0-100) -cc int default color visual class -co file color database file -core generate core dump on fatal error -dpi int screen resolution in dots per inch -deferglyphs [none|all|16] defer loading of [no|all|16-bit] glyphs -f # bell base (0-100) -fc string cursor font -fn string default font name -fp string default font path -help prints message with these options -I ignore all remaining arguments -ld int limit data space to N Kb -lf int limit number of open files to N -ls int limit stack space to N Kb -nolock disable the locking mechanism -logo enable logo in screen saver nologo disable logo in screen saver -nolisten string don't listen on protocol -p # screen-saver pattern duration (minutes) -pn accept failure to listen on all ports -nopn reject failure to listen on all ports -r turns off auto-repeat r turns on auto-repeat -s # screen-saver timeout (minutes) -su disable any save under support -t # mouse threshold (pixels) -terminate terminate at server reset -to # connection time out -tst disable testing extensions ttyxx server started from init on /dev/ttyxx v video blanking for screen-saver -v screen-saver without video blanking -wm WhenMapped default backing-store -x string loads named extension at init time -query host-name contact named host for XDMCP -broadcast broadcast for XDMCP -indirect host-name contact named host for indirect XDMCP -port port-num UDP port number to send messages to -once Terminate server after one session -class display-class specify display class to send in manage -cookie xdm-auth-bits specify the magic cookie for XDMCP -displayID display-id manufacturer display ID for request -geometry WxH set framebuffer width & height -depth D set framebuffer depth -pixelformat format set pixel format (BGRnnn or RGBnnn) -udpinputport port UDP port for keyboard/pointer data -rfbport port TCP port for RFB protocol -rfbwait time max time in ms to wait for RFB client -nocursor don't put up a cursor -rfbauth passwd-file use authentication on RFB protocol -httpd dir serve files via HTTP from here -httpport port port for HTTP -deferupdate time time in ms to defer updates (default 40) -economictranslate less memory-hungry translation -lazytight disable "gradient" filter in tight encoding -desktop name VNC desktop name (default x11) -alwaysshared always treat new clients as shared -nevershared never treat new clients as shared -dontdisconnect don't disconnect existing clients when a new non-shared connection comes in (refuse new connection instead) -viewonly let clients only to view the desktop -localhost only allow connections from localhost -interface ipaddr only bind to specified interface address -inetd Xvnc is launched by inetd -compatiblekbd set META key = ALT key as in the original VNC -version report Xvnc version on stderr