Difference between revisions of "TigerVNC"

From ArchWiki
Jump to: navigation, search
m (Reverted edits by Yassine (talk) to last revision by Graysky)
 
(172 intermediate revisions by 34 users not shown)
Line 1: Line 1:
 
[[Category:Security]]
 
[[Category:Security]]
[[Category:Virtual Network Computing]]
+
[[Category:Remote desktop]]
 
[[de:VNC]]
 
[[de:VNC]]
{{Article summary start}}
+
[[es:TigerVNC]]
{{Article summary text|Vncserver is a remote display daemon that allows users to run totally ''parallel'' sessions on a machine which can be accessed from anywhere.  All applications running under the server continue to run, even when the user disconnects. }}
+
[[ja:Vncserver]]
{{Article summary heading|Related Articles}}
+
[[ru:Vncserver]]
{{Article summary wiki|x11vnc}} - Another flavor of VNC which allows connections to the root (:0) desktop.
+
[[zh-cn:Virtual Network Computing]]
{{Article summary end}}
+
{{Related articles start}}
 +
{{Related|x11vnc}}
 +
{{Related articles end}}
 +
[http://tigervnc.org/ TigerVNC] is an implementation of the [[Wikipedia:VNC|VNC]] protocol. This article focuses on the server functionality.
  
 
== Installation ==
 
== Installation ==
Vncserver is provided by {{pkg|tigervnc}} and {{pkg|tightvnc}} both of which can be installed from the [[official repositories]].
 
  
== Running Vncserver ==
+
[[Install]] the {{Pkg|tigervnc}} package.
===First Time Setup===
+
{{Note|This packages provides the requisite vncserver, x0vncserver and also vncviewer.}}
==== Create Environment and Password Files ====
+
Vncserver will create its initial environment file and user password file the first time it is run:
+
$ vncserver
+
+
You will require a password to access your desktops.
+
+
Password:
+
Verify:
+
+
New 'mars:1 (facade)' desktop is mars:1
+
+
Creating default startup script /home/facade/.vnc/xstartup
+
Starting applications specified in /home/facade/.vnc/xstartup
+
Log file is /home/facade/.vnc/mars:1.log
+
  
The default port on which  vncserver runs is :1 which corresponds to the the TCP port on which the server is running (where 5900+n = port number).  In this case, it is running on 5900+1=5901.  Running vncserver a second time will create a second instance running on the next highest, free port, i.e :2 or 5902.
+
Vncserver provides two major remote control abilities:
 +
# Virtual (headless) server which is similar to the standard X server, but has a virtual screen rather than a physical one. The virtual server runs completely ''parallel'' to the physical X server should one be running.
 +
# Direct control of the local X session(s) which do run on the physical monitor.
  
{{Note|Linux systems can have as many VNC servers as physical memory allows -- all of which running in parallel to each other.}}
+
== Running vncserver for virtual (headless) sessions ==
  
Shutdown the vncserver by using the -kill switch:
+
=== Create environment, config, and password files ===
  $ vncserver -kill :1
+
Vncserver will create its initial environment, config, and user password file the first time it is run. These will be stored in {{ic|~/.vnc}} which will be created if not present.
  
====Edit the xstartup File====
+
{{hc|$ vncserver|
Vncserver sources {{ic|~/.vnc/xstartup}} which functions like an [[.xinitrc]] file.  At a minimum, users should define a DE to start if a graphical environment is desired. For example, starting xfce4:
+
You will require a password to access your desktops.
  
#!/bin/sh
+
Password:
export XKL_XMODMAP_DISABLE=1
+
Verify:
exec startxfce4
+
  
{{Note|The XKL_XMODMAP_DISABLE line is known to correct problems associated with "scrambled" keystrokes when typing in terminals under some virtualized DEs.}}
+
New 'mars:1 (facade)' desktop is mars:1
{{Note|As of 31-Oct-2012, usage of the command "exec ck-launch-session ..." in ~/.vnc/xstartup is depreciated since Arch has dropped consolekit.}}
+
  
==== Permissions ====
+
Creating default startup script /home/facade/.vnc/xstartup
It is good practice to secure {{ic|~/.vnc}} just like {{ic|~/.ssh}} although this is not a requirement.  Execute the following to do so:
+
Starting applications specified in /home/facade/.vnc/xstartup
$ chmod 700 ~/.vnc
+
Log file is /home/facade/.vnc/mars:1.log
 +
}}
  
== Running vncserver ==
+
Notice the :1 trailing the hostnameThis is indicating the TCP port number on which the virtual vncserver is running.  In this case, :1 is actually TCP port 5901 (5900+1).  Running {{ic|vncserver}} a second time will create a second instance running on the next highest, free port, i.e 5902 (5900+2) which shall end in :2 as above.
Vncserver offers flexibility via switchesThe below example starts vncserver in a specific resolution, allowing multiple users to view/control simultaneously, and sets the dpi on the virtual server to 96:
+
+
$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 :1
+
{{Note|One need not use a standard monitor resolution for vncserver; 1440x900 can be replaced with something odd like 1429x882 or 1900x200 etc.}}
+
  
For a complete list of options, pass the -badoption switch to vncserver.
+
{{Note|Linux systems can have as many VNC servers as physical memory allows, all of which running in parallel to each other.}}
  
  $ vncserver -badoption
+
Shutdown the vncserver by using the -kill switch:
 +
  $ vncserver -kill :1
  
== Connecting to vncserver ==
+
==== Edit the environment file ====
Any number of clients can connect to a vncserver.  A simple example is given below where vncserver is running on 10.1.10.2 on port 5901 (:1) in shorthand notation:
+
$ vncviewer 10.1.10.2:1
+
  
=== Passwordless Authentication ===
+
Vncserver sources {{ic|~/.vnc/xstartup}} which functions like an [[.xinitrc]] file. At a minimum, users should start a DE from this file.  For more, see: [[General recommendations#Desktop environments]].
The -passwd switch allows one define the location of the sever's ~/.vnc/passwd file. It is expected that the user has access to this file on the server through ssh or through physical accessIn either case, place that file on the client's filesystem in a safe location, i.e. one that has read access ONLY to the expected user.
+
  
$ vncviewer -passwd /path/to/server-passwd-file
+
For example, starting lxqt:
  
=== Example GUI-based Clients ===
+
{{hc|~/.vnc/xstartup|
*extra/gtk-vnc
+
<nowiki>#!/bin/sh
*extra/vinagre
+
exec startlxqt
*extra/rdesktop
+
</nowiki>}}
*community/remmina
+
*community/vncviewer-jar
+
  
== Securing VNC Server by SSH Tunnels ==
+
==== Edit the optional config file ====
=== On the Server ===
+
One wishing access to vncserver from outside the protection of a LAN should be concerned about plain text passwords and unencrypted traffic to/from the viewer and server. Vncserver is easily secured by ssh tunneling.  Additionally, one need not open up another port to the outside using this method since the traffic is literally tunneled through the SSH port which the user already has open to the WAN.  It is highly recommended to use the -localhost switch when running vncserver in this scenario.  This switch only allows connections ''from the localhost'' -- and by analogy only by users physically ssh'ed and authenticated on the box!
+
  
  $ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1
+
With the release of tigervnc 1.60-1, support for parsing options in {{ic|~/.vnc/config}} has been implemented which obviates the need to call {{ic|vncserver}} with command line switches. The format is one option per line.  An example is provided:
 +
{{hc|~/.vnc/config|
 +
<nowiki>
 +
## Supported server options to pass to vncserver upon invocation can be listed
 +
## in this file. See the following manpages for more: vncserver(1) Xvnc(1).
 +
## Several common ones are shown below. Uncomment and modify to your liking.
 +
##
 +
securitytypes=tlsvnc
 +
desktop=sandbox
 +
geometry=1200x700
 +
dpi=96
 +
localhost
 +
alwaysshared
 +
</nowiki>}}
  
=== On the Client ===
+
=== Starting and stopping vncserver via systemd ===
 +
Systemd can manage the vncserver via a service in one of two modes using either a user or system service.  Both are presented below.
  
With the server now only accepting connection from the localhost, connect to the box via ssh using the -L switch to enable tunnels. For example:
+
==== User mode ====
 +
{{Note|In order to keep the vncserver alive when the user logs out (physically or via ssh), one must enable the linger option for loginctl like this: {{ic|# loginctl enable-linger username}} Failure to do so will result in the vncserver getting killed when the user logs off the machine.}}
  
  $ ssh IP_OF_TARGET_MACHINE -L 8900/localhost/5901
+
Start the service in usermode:
 +
  $ systemctl --user start vncserver@:1
  
This forwards the server port 5901 to the client box on port 8900.  Once connected via SSH, leave that xterm or shell window open; it is acting as a secured tunnel to/from server.  To connect via vnc, open a second xterm and connect not to the remote IP address, but to the localhost of the client thus using the secured tunnel:
+
Enable the service in usermode:
  $ vncviewer localhost:8900
+
  $ systemctl --user enable vncserver@:1
  
From the ssh man page:
+
==== System mode ====
''-L [bind_address:] port:host:hostport''
+
Create {{ic|/etc/systemd/system/vncserver@:1.service}} and modify it defining the user to run the server, and the desired options.
  
''Specifies that the given port on the local (client) host is to be forwarded to the given host  and  port on the remote side.  This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address.  Whenever  a  connection  is  made  to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.  Port forwardings can also  be  specified  in the configuration file.  IPv6 addresses can be specified with an alternative syntax:''
+
{{hc|/etc/systemd/system/vncserver@:1.service|
 
+
<nowiki>
''[bind_address/] port/host/ hostport or by enclosing the  address  in  square  brackets.''
+
# The vncserver service unit file system mode
''Only the superuser can forward privileged ports.  By default, the local port is bound in accordance with the GatewayPorts setting.  However, an explicit bind_address may be used to  bind  the connection to a specific address.  The bind_address of ``localhost'' indicates that the listening port be bound for local use only, while an empty address or `*' indicates that the port should be available from all interfaces.''
+
 
+
== Starting and Stopping VNC Server at Bootup and Shutdown ==
+
{{hc|/etc/systemd/system/vncserver@1.service|
+
<nowiki># The vncserver service unit file
+
 
#
 
#
 
# 1. Copy this file to /etc/systemd/system/vncserver@:<display>.service
 
# 1. Copy this file to /etc/systemd/system/vncserver@:<display>.service
 
# 2. Edit User=
 
# 2. Edit User=
 
#  ("User=foo")
 
#  ("User=foo")
# 3. Edit and vncserver parameters appropriately
+
# 3. Edit the vncserver parameters appropriately
 
#  ("/usr/bin/vncserver %i -arg1 -arg2 -argn")
 
#  ("/usr/bin/vncserver %i -arg1 -arg2 -argn")
 
# 4. Run `systemctl --system daemon-reload`
 
# 4. Run `systemctl --system daemon-reload`
Line 120: Line 110:
  
 
[Service]
 
[Service]
Type=forking
+
Type=simple
User=
+
User=foo
 +
PAMName=login
  
# Clean any existing files in /tmp/.X11-unix environment
+
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStartPre=-/usr/bin/vncserver -kill %i
+
ExecStart=/usr/bin/vncserver -geometry 1440x900 -alwaysshared -fg %i
ExecStart=/usr/bin/vncserver %i
+
 
ExecStop=/usr/bin/vncserver -kill %i
 
ExecStop=/usr/bin/vncserver -kill %i
  
Line 131: Line 121:
 
WantedBy=multi-user.target
 
WantedBy=multi-user.target
 
</nowiki>}}
 
</nowiki>}}
 +
 +
[[Start]] {{ic|vncserver@:1.service}} and optionally [[enable]] it to run at boot time/shutdown.
 +
 +
==== Multi-user mode ====
 +
One can use systemd socket activation in combination with [[Xdmcp|XDMCP]] to automatically spawn VNC servers for each user who attempts to login, so there is no need to set up one server/port per user.  This setup uses the display manager to authenticate users and login, so there is no need for VNC passwords. The downside is that users cannot leave a session running on the server and reconnect to it later.
 +
To get this running, first set up [[Xdmcp|XDMCP]] and make sure the display manager is running.
 +
Then create:
 +
{{hc|/etc/systemd/system/xvnc.socket|
 +
<nowiki>
 +
[Unit]
 +
Description=XVNC Server
 +
 +
[Socket]
 +
ListenStream=5900
 +
Accept=yes
 +
 +
[Install]
 +
WantedBy=sockets.target
 +
</nowiki>}}
 +
{{hc|/etc/systemd/system/xvnc@.service|
 +
<nowiki>
 +
[Unit]
 +
Description=XVNC Per-Connection Daemon
 +
 +
[Service]
 +
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1920x1080 -once -SecurityTypes=None
 +
User=nobody
 +
StandardInput=socket
 +
StandardError=syslog
 +
</nowiki>}}
 +
Use systemctl to [[start]] and [[enable]] {{ic|xvnc.socket}}. Now any number of users can get unique desktops by connecting to port 5900.
 +
 +
If the VNC server is exposed to the internet, add the {{ic|-localhost}} option to {{ic|Xvnc}} in {{ic|xvnc@.service}} and follow the instructions below about connecting over SSH (Note that the 'localhost' in {{ic|-query localhost}} is not {{ic|-localhost}}). Since we only select a user after connecting, the VNC server runs as user 'nobody' and uses xvnc directly instead of the 'vncserver' script, so any options in ~/.vnc are ignored.  Optionally [[autostart]] {{ic|vncconfig}} so that the clipboard works ({{ic|vncconfig}} exits immediately in non-VNC sessions). One way is to create:
 +
{{hc|/etc/X11/xinit/xinitrc.d/99-vncconfig.sh|
 +
<nowiki>
 +
#!/bin/sh
 +
vncconfig -nowin &
 +
</nowiki>}}
 +
 +
== Running vncserver to directly control the local display ==
 +
 +
=== Using tigervnc's x0vncserver ===
 +
{{Pkg|tigervnc}} provides the x0vncserver binary which allows direct control over a physical X session.  Invoke it like so:
 +
$ x0vncserver -display :0 -passwordfile ~/.vnc/passwd
 +
 +
For more see
 +
man x0vncserver
 +
 +
=== Using x11vnc ===
 +
Another option is to use {{pkg|x11vnc}} which has the advantage or disadvantage, depending on one's perspective, of requiring root to initiate the access.  For more, see: [[X11vnc]].
 +
 +
== Connecting to vncserver ==
 +
{{Warning|It is ill-advised to connect insecurely to a vncserver outside of the LAN; readers are encouraged read the rest of this article in its entirety if use cases require connections outside of one's LAN. That being said, TigerVNC ''is encrypted by default'' unless it is specifically instructed otherwise by setting SecurityTypes to a non-secure option, although this lacks identity verification and will not prevent MITM attack during the connection setup. X509Vnc is the recommended option for a secure connection.}}
 +
 +
Any number of clients can connect to a vncserver.  A simple example is given below where vncserver is running on 10.1.10.2 on port 5901 (:1) in shorthand notation:
 +
$ vncviewer 10.1.10.2:1
 +
 +
=== Passwordless authentication ===
 +
 +
The {{ic|-passwd}} switch allows one to define the location of the server's {{ic|~/.vnc/passwd}} file. It is expected that the user has access to this file on the server through [[SSH]] or through physical access. In either case, place that file on the client's file system in a safe location, i.e. one that has read access ONLY to the expected user.
 +
 +
$ vncviewer -passwd /path/to/server-passwd-file
 +
 +
=== Example GUI-based clients ===
 +
 +
* {{Pkg|gtk-vnc}}
 +
* {{Pkg|kdenetwork-krdc}}{{Broken package link|replaced by {{Pkg|krdc}}}}
 +
* {{Pkg|rdesktop}}
 +
* {{Pkg|vinagre}}
 +
* {{Pkg|remmina}}
 +
* {{Pkg|vncviewer-jar}}
 +
 +
TigerVNC's vncviewer also has a simple GUI when run without any parameters:
 +
$ vncviewer
 +
 +
== Accessing vncserver via SSH tunnels ==
 +
An advantage of SSH tunneling is one does not need to open up another port to the outside, since the traffic is literally tunneled through the SSH port which the user already has open to the WAN.  It is highly recommended to use the {{ic|-localhost}} switch when running vncserver with this method since this switch only allows connections ''from the localhost'' and by analogy, only by users physically ssh'ed and authenticated on the box.
 +
 +
{{Note|TigerVNC uses TLSVnc encryption by default, unless specifically instructed via the SecurityTypes parameter. Authentication and traffic is encrypted, but there is no identity verification. TigerVNC supports alternative encryption schemes such as X509Vnc that allows the client to verify the identity of the server.
 +
 +
When the SecurityTypes on the server side is set to a non-secure option as high-priority (such as None, VncAuth, Plain, TLSNone, TLSPlain, X509None, X509Plain; which is ill-advised), it is not possible to use encryption.  In that case, one can tunnel the VNC over SSH.  When running vncviewer, it is a good idea to explicitly set SecurityTypes and not accept any unencrypted traffic.}}
 +
 +
=== On the server ===
 +
Below is an example invoking vncserver with the -localhost flag:
 +
$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1
 +
 +
Alternatively, simply add the "localhost" option as a single line in {{ic|~/.vnc/config}}.  Below is the example above in this format:
 +
{{hc|~/.vnc.config|
 +
<nowiki>
 +
## Supported server options to pass to vncserver upon invocation can be listed
 +
## in this file. See the following manpages for more: vncserver(1) Xvnc(1).
 +
## Several common ones are shown below. Uncomment and modify to your liking.
 +
##
 +
geometry=1200x700
 +
alwaysshared
 +
dpi=96
 +
localhost
 +
</nowiki>}}
 +
 +
=== On the client ===
 +
 +
With the server now only accepting connection from the localhost, connect to the box via ssh using the -L switch to enable tunnels.  For more on this feature, see the manpage for ssh itself.
 +
For example:
 +
 +
$ ssh 10.1.10.2 -L 5901:localhost:5901
 +
 +
This forwards the server port 5901 to the client box also on port 5901.  Note that one does not have to match the port numbers on the server and client.  For example:
 +
 +
$ ssh 10.1.10.2 -L 8900:localhost:5901
 +
 +
This forwards the server port 5901 to the client box on port 8900. 
 +
 +
Once connected via SSH, leave that xterm or shell window open since it is acting as the secured tunnel to/from server.  To connect via this encrypted tunnel, simply point the vncviewer to the client port on the localhost.
 +
 +
Using the matched ports on the server/client:
 +
$ vncviewer localhost:1
 +
 +
Using different ports on the server/client:
 +
$ vncviewer localhost:8900
 +
 +
=== Connecting to a vncserver from Android devices over SSH ===
 +
 +
To connect to a VNC Server over SSH using an Android device:
 +
 +
{{bc|1. SSH server running on the machine to connect to.
 +
2. VNC server running on the machine to connect to. (Run server with -localhost flag as mentioned above)
 +
3. SSH client on the Android device (ConnectBot is a popular choice and will be used in this guide as an example).
 +
4. VNC client on the Android device (androidVNC).}}
 +
 +
Consider some dynamic DNS service for targets that do not have static IP addresses.
 +
 +
In ConnectBot, type in the IP and connect to the desired machine. Tap the options key, select Port Forwards and add a new port:
 +
 +
{{bc|Nickname: vnc
 +
Type: Local
 +
Source port: 5901
 +
Destination: 127.0.0.1:5901}}
 +
 +
Save that.
 +
 +
In androidVNC:
 +
 +
{{bc|Nickname: nickname
 +
Password: the password used to set up the VNC server
 +
Address: 127.0.0.1 (we are in local after connecting through SSH)
 +
Port: 5901}}
 +
 +
Connect.
 +
 +
== Tips and tricks ==
 +
=== Connecting to an OSX system ===
 +
 +
See https://help.ubuntu.com/community/AppleRemoteDesktop. Tested with Remmina.
 +
 +
=== Copying clipboard contents from the remote machine to the local ===
 +
 +
If copying from the remote machine to the local machine does not work, run autocutsel on the server, as mentioned below [https://bbs.archlinux.org/viewtopic.php?id=101243 reference]:
 +
 +
$ autocutsel -fork
 +
 +
Now press F8 to display the VNC menu popup, and select {{ic|Clipboard: local -> remote}} option.
 +
 +
One can put the above command in {{ic|~/.vnc/xstartup}} to have it run automatically when vncserver is started.
 +
 +
=== Fix for no mouse cursor ===
 +
 +
If no mouse cursor is visible when using {{ic|x0vncserver}}, start vncviewer as follows:
 +
 +
$ vncviewer DotWhenNoCursor=1 <server>
 +
 +
Or put {{ic|DotWhenNoCursor<nowiki>=</nowiki>1}} in the tigervnc configuration file, which is at {{ic|~/.vnc/default.tigervnc}} by default.
 +
 +
=== Recommended security settings ===
 +
{{Note|If using ssh tunnels (i.e. [[#Accessing vncserver via SSH tunnels]]), X509Vnc is not required since the encryption is handled by the sshd.}}
 +
 +
SecurityTypes controls the preferred security algorithms. The default in the current version 1.5.0 is "X509Plain,TLSPlain,X509Vnc,TLSVnc,X509None,TLSNone,VncAuth,None". A more secure alternative is "X509Vnc,TLSVnc", which will disable all unencrypted data traffic.
 +
 +
It is recommended to use X509Vnc, as TLSVnc lacks identity verification.
 +
 +
$ vncserver -x509key /path/to/key.pem -x509cert /path/to/cerm.pem -SecurityTypes X509Vnc :1
 +
 +
Issuing x509 certificates is beyond the scope of this guide. However, this is expected to be straightforward after the public launch of [[wikipedia:Let's Encrypt|Let's Encrypt]]. Alternatively,  one can issue certificates using [[OpenSSL]] and manually share the keys between server and client using email for instance.
 +
 +
=== Toggling Fullscreen ===
 +
 +
This can be done through vncclient's Menu. By default, vncclient's Menu Key is F8.
 +
 +
=== Unable to type less than character (<) ===
 +
If pressing {{ic|<}} on a remote client emits the {{ic|>}} character, try remapping the incoming key [https://insaner.com/blog/2013/05.html#20130422063137]:
 +
 +
$ x0vncserver -RemapKeys="0x3c->0x2c"

Latest revision as of 20:41, 15 May 2016

Related articles

TigerVNC is an implementation of the VNC protocol. This article focuses on the server functionality.

Installation

Install the tigervnc package.

Note: This packages provides the requisite vncserver, x0vncserver and also vncviewer.

Vncserver provides two major remote control abilities:

  1. Virtual (headless) server which is similar to the standard X server, but has a virtual screen rather than a physical one. The virtual server runs completely parallel to the physical X server should one be running.
  2. Direct control of the local X session(s) which do run on the physical monitor.

Running vncserver for virtual (headless) sessions

Create environment, config, and password files

Vncserver will create its initial environment, config, and user password file the first time it is run. These will be stored in ~/.vnc which will be created if not present.

$ vncserver
You will require a password to access your desktops.

Password:
Verify:

New 'mars:1 (facade)' desktop is mars:1

Creating default startup script /home/facade/.vnc/xstartup
Starting applications specified in /home/facade/.vnc/xstartup
Log file is /home/facade/.vnc/mars:1.log

Notice the :1 trailing the hostname. This is indicating the TCP port number on which the virtual vncserver is running. In this case, :1 is actually TCP port 5901 (5900+1). Running vncserver a second time will create a second instance running on the next highest, free port, i.e 5902 (5900+2) which shall end in :2 as above.

Note: Linux systems can have as many VNC servers as physical memory allows, all of which running in parallel to each other.

Shutdown the vncserver by using the -kill switch:

$ vncserver -kill :1

Edit the environment file

Vncserver sources ~/.vnc/xstartup which functions like an .xinitrc file. At a minimum, users should start a DE from this file. For more, see: General recommendations#Desktop environments.

For example, starting lxqt:

~/.vnc/xstartup
#!/bin/sh
exec startlxqt

Edit the optional config file

With the release of tigervnc 1.60-1, support for parsing options in ~/.vnc/config has been implemented which obviates the need to call vncserver with command line switches. The format is one option per line. An example is provided:

~/.vnc/config

## Supported server options to pass to vncserver upon invocation can be listed
## in this file. See the following manpages for more: vncserver(1) Xvnc(1).
## Several common ones are shown below. Uncomment and modify to your liking.
##
securitytypes=tlsvnc
desktop=sandbox
geometry=1200x700
dpi=96
localhost
alwaysshared

Starting and stopping vncserver via systemd

Systemd can manage the vncserver via a service in one of two modes using either a user or system service. Both are presented below.

User mode

Note: In order to keep the vncserver alive when the user logs out (physically or via ssh), one must enable the linger option for loginctl like this: # loginctl enable-linger username Failure to do so will result in the vncserver getting killed when the user logs off the machine.

Start the service in usermode:

$ systemctl --user start vncserver@:1

Enable the service in usermode:

$ systemctl --user enable vncserver@:1

System mode

Create /etc/systemd/system/vncserver@:1.service and modify it defining the user to run the server, and the desired options.

/etc/systemd/system/vncserver@:1.service

# The vncserver service unit file system mode
#
# 1. Copy this file to /etc/systemd/system/vncserver@:<display>.service
# 2. Edit User=
#   ("User=foo")
# 3. Edit the vncserver parameters appropriately
#   ("/usr/bin/vncserver %i -arg1 -arg2 -argn")
# 4. Run `systemctl --system daemon-reload`
# 5. Run `systemctl enable vncserver@:<display>.service`
#
# DO NOT RUN THIS SERVICE if your local area network is untrusted! 
#
# See the wiki page for more on security
# https://wiki.archlinux.org/index.php/Vncserver

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=simple
User=foo
PAMName=login

ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/bin/vncserver -geometry 1440x900 -alwaysshared -fg %i
ExecStop=/usr/bin/vncserver -kill %i

[Install]
WantedBy=multi-user.target

Start vncserver@:1.service and optionally enable it to run at boot time/shutdown.

Multi-user mode

One can use systemd socket activation in combination with XDMCP to automatically spawn VNC servers for each user who attempts to login, so there is no need to set up one server/port per user. This setup uses the display manager to authenticate users and login, so there is no need for VNC passwords. The downside is that users cannot leave a session running on the server and reconnect to it later. To get this running, first set up XDMCP and make sure the display manager is running. Then create:

/etc/systemd/system/xvnc.socket

[Unit]
Description=XVNC Server

[Socket]
ListenStream=5900
Accept=yes

[Install]
WantedBy=sockets.target
/etc/systemd/system/xvnc@.service

[Unit]
Description=XVNC Per-Connection Daemon

[Service]
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1920x1080 -once -SecurityTypes=None
User=nobody
StandardInput=socket
StandardError=syslog

Use systemctl to start and enable xvnc.socket. Now any number of users can get unique desktops by connecting to port 5900.

If the VNC server is exposed to the internet, add the -localhost option to Xvnc in xvnc@.service and follow the instructions below about connecting over SSH (Note that the 'localhost' in -query localhost is not -localhost). Since we only select a user after connecting, the VNC server runs as user 'nobody' and uses xvnc directly instead of the 'vncserver' script, so any options in ~/.vnc are ignored. Optionally autostart vncconfig so that the clipboard works (vncconfig exits immediately in non-VNC sessions). One way is to create:

/etc/X11/xinit/xinitrc.d/99-vncconfig.sh

#!/bin/sh
vncconfig -nowin &

Running vncserver to directly control the local display

Using tigervnc's x0vncserver

tigervnc provides the x0vncserver binary which allows direct control over a physical X session. Invoke it like so:

$ x0vncserver -display :0 -passwordfile ~/.vnc/passwd

For more see

man x0vncserver

Using x11vnc

Another option is to use x11vnc which has the advantage or disadvantage, depending on one's perspective, of requiring root to initiate the access. For more, see: X11vnc.

Connecting to vncserver

Warning: It is ill-advised to connect insecurely to a vncserver outside of the LAN; readers are encouraged read the rest of this article in its entirety if use cases require connections outside of one's LAN. That being said, TigerVNC is encrypted by default unless it is specifically instructed otherwise by setting SecurityTypes to a non-secure option, although this lacks identity verification and will not prevent MITM attack during the connection setup. X509Vnc is the recommended option for a secure connection.

Any number of clients can connect to a vncserver. A simple example is given below where vncserver is running on 10.1.10.2 on port 5901 (:1) in shorthand notation:

$ vncviewer 10.1.10.2:1

Passwordless authentication

The -passwd switch allows one to define the location of the server's ~/.vnc/passwd file. It is expected that the user has access to this file on the server through SSH or through physical access. In either case, place that file on the client's file system in a safe location, i.e. one that has read access ONLY to the expected user.

$ vncviewer -passwd /path/to/server-passwd-file

Example GUI-based clients

TigerVNC's vncviewer also has a simple GUI when run without any parameters:

$ vncviewer

Accessing vncserver via SSH tunnels

An advantage of SSH tunneling is one does not need to open up another port to the outside, since the traffic is literally tunneled through the SSH port which the user already has open to the WAN. It is highly recommended to use the -localhost switch when running vncserver with this method since this switch only allows connections from the localhost and by analogy, only by users physically ssh'ed and authenticated on the box.

Note: TigerVNC uses TLSVnc encryption by default, unless specifically instructed via the SecurityTypes parameter. Authentication and traffic is encrypted, but there is no identity verification. TigerVNC supports alternative encryption schemes such as X509Vnc that allows the client to verify the identity of the server. When the SecurityTypes on the server side is set to a non-secure option as high-priority (such as None, VncAuth, Plain, TLSNone, TLSPlain, X509None, X509Plain; which is ill-advised), it is not possible to use encryption. In that case, one can tunnel the VNC over SSH. When running vncviewer, it is a good idea to explicitly set SecurityTypes and not accept any unencrypted traffic.

On the server

Below is an example invoking vncserver with the -localhost flag:

$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1

Alternatively, simply add the "localhost" option as a single line in ~/.vnc/config. Below is the example above in this format:

~/.vnc.config

## Supported server options to pass to vncserver upon invocation can be listed
## in this file. See the following manpages for more: vncserver(1) Xvnc(1).
## Several common ones are shown below. Uncomment and modify to your liking.
##
geometry=1200x700
alwaysshared
dpi=96
localhost

On the client

With the server now only accepting connection from the localhost, connect to the box via ssh using the -L switch to enable tunnels. For more on this feature, see the manpage for ssh itself. For example:

$ ssh 10.1.10.2 -L 5901:localhost:5901

This forwards the server port 5901 to the client box also on port 5901. Note that one does not have to match the port numbers on the server and client. For example:

$ ssh 10.1.10.2 -L 8900:localhost:5901

This forwards the server port 5901 to the client box on port 8900.

Once connected via SSH, leave that xterm or shell window open since it is acting as the secured tunnel to/from server. To connect via this encrypted tunnel, simply point the vncviewer to the client port on the localhost.

Using the matched ports on the server/client:

$ vncviewer localhost:1

Using different ports on the server/client:

$ vncviewer localhost:8900

Connecting to a vncserver from Android devices over SSH

To connect to a VNC Server over SSH using an Android device:

1. SSH server running on the machine to connect to.
2. VNC server running on the machine to connect to. (Run server with -localhost flag as mentioned above)
3. SSH client on the Android device (ConnectBot is a popular choice and will be used in this guide as an example).
4. VNC client on the Android device (androidVNC).

Consider some dynamic DNS service for targets that do not have static IP addresses.

In ConnectBot, type in the IP and connect to the desired machine. Tap the options key, select Port Forwards and add a new port:

Nickname: vnc
Type: Local
Source port: 5901
Destination: 127.0.0.1:5901

Save that.

In androidVNC:

Nickname: nickname
Password: the password used to set up the VNC server
Address: 127.0.0.1 (we are in local after connecting through SSH)
Port: 5901

Connect.

Tips and tricks

Connecting to an OSX system

See https://help.ubuntu.com/community/AppleRemoteDesktop. Tested with Remmina.

Copying clipboard contents from the remote machine to the local

If copying from the remote machine to the local machine does not work, run autocutsel on the server, as mentioned below reference:

$ autocutsel -fork

Now press F8 to display the VNC menu popup, and select Clipboard: local -> remote option.

One can put the above command in ~/.vnc/xstartup to have it run automatically when vncserver is started.

Fix for no mouse cursor

If no mouse cursor is visible when using x0vncserver, start vncviewer as follows:

$ vncviewer DotWhenNoCursor=1 <server>

Or put DotWhenNoCursor=1 in the tigervnc configuration file, which is at ~/.vnc/default.tigervnc by default.

Recommended security settings

Note: If using ssh tunnels (i.e. #Accessing vncserver via SSH tunnels), X509Vnc is not required since the encryption is handled by the sshd.

SecurityTypes controls the preferred security algorithms. The default in the current version 1.5.0 is "X509Plain,TLSPlain,X509Vnc,TLSVnc,X509None,TLSNone,VncAuth,None". A more secure alternative is "X509Vnc,TLSVnc", which will disable all unencrypted data traffic.

It is recommended to use X509Vnc, as TLSVnc lacks identity verification.

$ vncserver -x509key /path/to/key.pem -x509cert /path/to/cerm.pem -SecurityTypes X509Vnc :1

Issuing x509 certificates is beyond the scope of this guide. However, this is expected to be straightforward after the public launch of Let's Encrypt. Alternatively, one can issue certificates using OpenSSL and manually share the keys between server and client using email for instance.

Toggling Fullscreen

This can be done through vncclient's Menu. By default, vncclient's Menu Key is F8.

Unable to type less than character (<)

If pressing < on a remote client emits the > character, try remapping the incoming key [1]:

$ x0vncserver -RemapKeys="0x3c->0x2c"