TigerVNC

TigerVNC (Tiger Virtual Network Computing) is a system for graphical desktop sharing which allows you to remotely control other computers.

TigerVNC works on the client-server network: a server shares its output (vncserver) and a client (vncviewer) connects to the server.

Unlike in Fedora 15 and Red Hat Enterprise Linux 6, TigerVNC in Fedora uses the systemd system management daemon for its configuration. The /etc/sysconfig/vncserver configuration file has been replaced by /etc/systemd/system/vncserver@.service.

VNC Server

vncserver is a utility which starts a VNC (Virtual Network Computing) desktop. It runs Xvnc with appropriate options and starts a window manager on the VNC desktop. vncserver allows users to run separate sessions in parallel on a machine which can then be accessed by any number of clients from anywhere.

Installing VNC Server

To install the TigerVNC server, issue the following command as root:

# dnf install tigervnc-server

Configuring VNC Server

Configuring the first VNC connection

  1. A configuration file named /etc/systemd/system/vncserver@.service is required. To create this file, copy the /lib/systemd/system/vncserver@.service file as root:

    # cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service

    There is no need to include the display number in the file name because systemd automatically creates the appropriately named instance in memory on demand, replacing '%i' in the service file by the display number. For a single user it is not necessary to rename the file. For multiple users, a uniquely named service file for each user is required, for example, by adding the user name to the file name in some way. See TigerVNC.adoc#configuring-vncserver-2users for details.

  2. Edit /etc/systemd/system/vncserver@.service, replacing USER with the actual user name. Leave the remaining lines of the file unmodified. The -geometry argument specifies the size of the VNC desktop to be created; by default, it is set to 1024x768.

    ExecStart=/sbin/runuser -l USER -c "/usr/bin/vncserver %i -geometry 1280x1024"
PIDFile=/home/USER/.vnc/%H%i.pid

  3. Save the changes.

  4. To make the changes take effect immediately, issue the following command:

    # systemctl daemon-reload

  5. Set the password for the user or users defined in the configuration file. Note that you need to switch from root to USER first.

    # su - USER
$ vncpasswd
Password:
Verify:

    The stored password is not encrypted; anyone who has access to the password file can find the plain-text password.

Proceed to TigerVNC.adoc#s4-starting-vncserver.

Configuring VNC Server for Two Users

If you want to configure more than one user on the same machine, create different template-type service files, one for each user.

  1. Create two service files, for example vncserver-USER_1@.service and vncserver-USER_2@.service. In both these files substitute USER with the correct user name.

  2. Set passwords for both users:

    $ su - USER_1
$ vncpasswd
Password:
Verify:
$ su - USER_2
$ vncpasswd
Password:
Verify:

Starting VNC Server

To start or enable the service, specify the display number directly in the command. The file configured above in TigerVNC.adoc#configuring-vncserver works as a template, in which %i is substituted with the display number by systemd. With a valid display number, execute the following command:

# systemctl start vncserver@:display_number.service

You can also enable the service to start automatically at system start. Then, when you log in, vncserver is automatically started. As root, issue a command as follows:

# systemctl enable vncserver@:display_number.service

At this point, other users are able to use a VNC viewer program to connect to the VNC server using the display number and password defined. Provided a graphical desktop is installed, an instance of that desktop will be displayed. It will not be the same instance as that currently displayed on the target machine.

Configuring VNC Server for Two Users and Two Different Displays

For the two configured VNC servers, vncserver-USER_1@.service and vncserver-USER_2@.service, you can enable different display numbers. For example, the following commands will cause a VNC server for USER_1 to start on display 3, and a VNC server for USER_2 to start on display 5:

# systemctl start vncserver-USER_1@:3.service
# systemctl start vncserver-USER_2@:5.service

Terminating a VNC Session

Similarly to enabling the vncserver service, you can disable the automatic start of the service at system start:

# systemctl disable vncserver@:display_number.service

Or, when your system is running, you can stop the service by issuing the following command as root:

# systemctl stop vncserver@:display_number.service

VNC Viewer

vncviewer is the program which shows the shared graphical user interfaces and controls the server.

For operating the vncviewer, there is a pop-up menu containing entries which perform various actions such as switching in and out of full-screen mode or quitting the viewer. Alternatively, you can operate vncviewer through the terminal. Enter vncviewer -h on the command line to list vncviewer's parameters.

Installing VNC Viewer

To install the TigerVNC client, vncviewer>, issue the following command as root:

# dnf install tigervnc

Connecting to VNC Server

Once the VNC server is configured, you can connect to it from any VNC viewer. In order to do so, issue the vncviewer command in the following format:

vncviewer address:port_number

Where address is an IP or host name.

Example 1. One Client Connecting to VNC Server

With the IP address 192.168.0.4 and display number 3 the command looks as follows:

$ vncviewer 192.168.0.4:3

Configuring the Firewall for VNC

When using a non-encrypted connection, firewalld might block the connection. To allow firewalld to pass the VNC packets, you can open specific ports to TCP traffic. When using the -via option, traffic is redirected over SSH which is enabled by default in firewalld.

The default port of VNC server is 5900. To reach the port through which a remote desktop will be accessible, sum the default port and the user’s assigned display number. For example, for the second port: 2 + 5900 = 5902.

For displays 0 to 3, make use of firewalld's support for the VNC service by means of the service option as described below. Note that for display numbers greater than 3, the corresponding ports will have to be opened specifically as explained in TigerVNC.adoc#proc-Opening-Ports_in_firewalld.

Enabling VNC Service in firewalld

  1. Run the following command to see the information concerning firewalld settings:

    $ firewall-cmd --list-all

  2. To allow all VNC connections from a specific address, use a command as follows:

    # firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.122.116" service name=vnc-server accept'
success

    See the Red Hat Enterprise Linux 7 Security Guide for more information on the use of firewall rich language commands.

  3. To verify the above settings, use a command as follows:

    # firewall-cmd --list-all
public (default, active)
  interfaces: bond0 bond0.192
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.122.116" service name="vnc-server" accept

To open a specific port or range of ports make use of the --add-port option to the firewall-cmd command Line tool. For example, VNC display 4 requires port 5904 to be opened for TCP traffic.

Opening Ports in firewalld

  1. To open a port for TCP traffic in the public zone, issue a command as root as follows:

    # firewall-cmd --zone=public --add-port=5904/tcp
success

  2. To view the ports that are currently open for the public zone, issue a command as follows:

    # firewall-cmd --zone=public --list-ports
5904/tcp

A port can be removed using the firewall-cmd --zone=zone --remove-port=number/protocol command.

For more information on opening and closing ports in firewalld, see the Red Hat Enterprise Linux 7 Security Guide.

Connecting to VNC Server Using SSH

VNC is a clear text network protocol with no security against possible attacks on the communication. To make the communication secure, you can encrypt your server-client connection by using the -via option. This will create an SSH tunnel between the VNC server and the client.

The format of the command to encrypt a VNC server-client connection is as follows:

$ vncviewer -via user@host:display_number
Example 2. Using the -via Option

  1. To connect to a VNC server using SSH, enter a command as follows:

    $ vncviewer -via USER_2@192.168.2.101:3

  2. When you are prompted to, type the password, and confirm by pressing Enter.

  3. A window with a remote desktop appears on your screen.

Restricting VNC Access

If you prefer only encrypted connections, you can prevent unencrypted connections altogether by using the -localhost option in the systemd.service file, the ExecStart line:

ExecStart=/sbin/runuser -l user -c "/usr/bin/vncserver -localhost %i"

This will stop vncserver from accepting connections from anything but the local host and port-forwarded connections sent using SSH as a result of the -via option.

For more information on using SSH, see OpenSSH.

Additional Resources

For more information about TigerVNC, see the resources listed below.

Installed Documentation

  • vncserver(1) — The VNC server manual pages.

  • vncviewer(1) — The VNC viewer manual pages.

  • vncpasswd(1) — The VNC password manual pages.