Feature #365

Updated by Daniel Curtis about 10 years ago

VNC stands for Virtual Network Computing. It allows you to connect to your server remotely and use your keyboard, mouse, and monitor to interface with that server. The end of this guide also shows how to tunnel a VNC connection through SSH, for secure remote browsing. 

 h3. Step 1 - Install VNC server and XFCE 4 desktop. 

 To get started, we will install a VNC server on an Ubuntu 12.10 x64 Server droplet. Log in as root and install the packages: 
 <pre> 
 apt-get -y install ubuntu-desktop tightvncserver xfce4 xfce4-goodies 
 </pre> 

 h3. Step 2 - Add a VNC user and set its password. 

 <pre> 
 adduser vnc 
 passwd vnc 
 </pre> 

 If you would like to get root as user vnc, you have to add it to the sudoers file. Make sure you are logged in as root: 
 <pre> 
 echo "vnc ALL=(ALL)         ALL" >> /etc/sudoers 
 </pre> 

 Set user vnc's VNC Server password: 
 <pre> 
 su - vnc 
 vncpasswd 
 exit 
 </pre> 

 This step sets the VNC password for user 'vnc'. It will be used later when you connect to your VNC server with a VNC client. 

 Now you can log in as user 'vnc' and obtain root by running @sudo su -@ and entering your password. 

 h3. Step 4 - Install VNC As A Service 

 Log in as root, edit @/etc/init.d/vncserver@, and add the following lines: 
 <pre> 
 #!/bin/bash 
 # Init script that runs a TightVNC server as user 'vnc' 
 PATH="$PATH:/usr/bin/" 
 export USER="vnc" 
 # X display number; display :1 is served on TCP port 5901 
 DISPLAY="1" 
 DEPTH="16" 
 GEOMETRY="1024x768" 
 OPTIONS="-depth ${DEPTH} -geometry ${GEOMETRY} :${DISPLAY}" 
 . /lib/lsb/init-functions 

 case "$1" in 
 start) 
 log_action_begin_msg "Starting vncserver for user '${USER}' on localhost:${DISPLAY}" 
 su ${USER} -c "/usr/bin/vncserver ${OPTIONS}" 
 ;; 

 stop) 
 log_action_begin_msg "Stopping vncserver for user '${USER}' on localhost:${DISPLAY}" 
 su ${USER} -c "/usr/bin/vncserver -kill :${DISPLAY}" 
 ;; 

 restart) 
 $0 stop 
 $0 start 
 ;; 
 esac 
 exit 0 
 </pre> 

 Edit @/home/vnc/.vnc/xstartup@ and replace with: 
 <pre> 
 #!/bin/sh 
 xrdb $HOME/.Xresources 
 xsetroot -solid grey 
 startxfce4 & 
 </pre> 

 *NOTE*: I am setting up VNC with Kali Linux, and it uses gnome-fallback for its session, so the xstartup file needs to be different. Create the following instead: 
 <pre> 
 #!/bin/sh 
 xrdb $HOME/.Xresources 
 xsetroot -solid grey 
 gnome-session --session=gnome-classic & 
 </pre> 

 Update file permissions and allow any user to start X Server: 
 <pre> 
 chown -R vnc: /home/vnc/.vnc && chmod +x /home/vnc/.vnc/xstartup 
 sed -i 's/allowed_users.*/allowed_users=anybody/g' /etc/X11/Xwrapper.config 
 </pre> 

 Make @/etc/init.d/vncserver@ executable and start VNC server: 
 <pre> 
 chmod +x /etc/init.d/vncserver && service vncserver start 
 </pre> 

 Add your VNC server to automatically start on reboot: 
 <pre> 
 update-rc.d vncserver defaults 
 </pre> 

 h3. Step 5 - Connect to your droplet with TightVNC 

 TightVNC is a great VNC client that allows SSH tunneling. Download it from http://www.tightvnc.com/download.php and make sure to use IP::port as your remote host, where IP is your droplet's IP and port is 5901. 

 You will be asked for the VNC password that you specified in step 2 with vncpasswd. 

 And now you are connected. 

 h2. Recommended Step - Secure your VNC server session with encryption. 

 A basic VNC server setup has no encryption, which makes it vulnerable to snooping. 

 We will create an SSH tunnel with PuTTY and connect to VNC via this tunnel. 

 First, we need to make sure VNC server only listens on localhost. 

 Edit @/etc/init.d/vncserver@ and add @-localhost@ to @OPTIONS@: 
 <pre> 
 OPTIONS="-depth ${DEPTH} -geometry ${GEOMETRY} :${DISPLAY} -localhost" 
 </pre> 

 Restart VNC server: 
 <pre> 
 /etc/init.d/vncserver restart 
 </pre> 

 Make sure VNC server is only listening on localhost IP: 
 <pre> 
 netstat -alpn | grep :5901 
 </pre> 
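
 The check above, as an added example that is not part of the original guide: a shell function that reads @netstat -ln@-style output on stdin and reports whether port 5901 is bound to loopback only. The function name @vnc_loopback_only@ is hypothetical and the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide).
# Reads `netstat -ln`-style lines on stdin and checks one TCP port.
# Return codes: 0 = bound to loopback only
#               1 = listening on a non-loopback address (printed as "exposed: ...")
#               2 = nothing is listening on that port
# Live use on the server: netstat -ln | vnc_loopback_only 5901
vnc_loopback_only() {
    awk -v port="${1:-5901}" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next          # different port, ignore
            # Everything before the final ":port" is the bind address
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            seen = 1
            if (host != "127.0.0.1" && host != "::1") {
                exposed = 1
                print "exposed: " addr
            }
        }
        END {
            if (!seen) exit 2
            exit (exposed ? 1 : 0)
        }'
}

# Constructed sample listings (hypothetical PIDs), shaped like netstat output.
SAMPLE_TUNNEL_ONLY='tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      1423/Xtightvnc
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd'
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      1423/Xtightvnc
tcp6       0      0 :::5901                 :::*                    LISTEN      1423/Xtightvnc'

for sample in "$SAMPLE_TUNNEL_ONLY" "$SAMPLE_EXPOSED"; do
    if printf '%s\n' "$sample" | vnc_loopback_only 5901; then
        echo "OK: port 5901 is reachable only through the SSH tunnel"
    else
        echo "WARNING: port 5901 is not restricted to loopback"
    fi
done
```

 A return code of 2 after a restart means the VNC server did not come up on that display at all.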

 Download PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html 

 For Windows: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe 

 Start PuTTY and enter your droplet IP under Session. 

 Don't connect just yet. 

 Scroll down to +Connection -> SSH -> Tunnels+, fill in *Add New Forwarded Port*, and click *Add*. 

 Now you can connect by clicking Open. You can log in as user vnc. 

 Make sure you don’t close this SSH session, as it creates a tunnel between your PC (localhost) and your droplet, mapping ports 5901 on both ends. 

 Connect with TightVNC to localhost::5901 

 Enter your VNC password from Step 3 above. 

 And you are now connected via a secure connection. 

 h2. Resources 

 * https://www.digitalocean.com/community/articles/how-to-setup-vnc-for-ubuntu-12