Installing and configuring VNC client to connect through an SSH tunnel

Summary

This article details information on connecting with the TigerVNC Viewer software through an SSH tunnel for remote GUI access to a Linux host.

Environment

Windows and Mac to Linux

Directions

Using VNC over an SSH tunnel, rather than connecting directly to the VNC ports, adds one step each time you want to connect. In return, it avoids firewall conflicts, because the SSH port is generally open for connections, and it is a much more secure option: all the data is sent through an encrypted tunnel, which VNC alone does not provide.

Change your VNC password on the remote host

The administrator on the Linux server will have set up a temporary VNC password for you on the server to keep that display session secure. You can either use this password (if they have shared it with you for your first connection to the VNC server), or you can SSH into the server ahead of time as your regular user account and set or change your password with the instructions provided to you by your administrator, which will be something similar to the steps below.

  1. Log in to the remote server via SSH, and then issue a command like this:
    • $ vncpasswd
  2. The command prompts you for a new Password, and then to Verify that entry. (NOTE: It doesn't ask for the old password.)

Following is what the response to the command above looks like. We also recommend not creating a view-only password for simplicity.

Password:
Verify:
Would you like to enter a view-only password (y/n)? n
A view-only password is not used

Download and install the TigerVNC Viewer software

You will need to install the TigerVNC Viewer on your local system to connect to VNC. The binary installers are on the SourceForge site.

Scroll down through the Files list to select the appropriate download for your Operating System type.

Mac users

  1. For Mac, scroll down the list of downloads and look for the TigerVNC-*.dmg file.
  2. Once it is downloaded, double click to open the dmg file, then drag the TigerVNC app into your Applications folder.
  3. If you are running macOS 10.15, you will probably need to do this next step to add it to your security exceptions and allow it to run.
  4. In your Applications folder, you may need to Ctrl-click on the TigerVNC icon, and click Open.
  5. From there it should prompt you with another Open button. Click that, and it should open up a simple TigerVNC connection window.

Windows users

  1. For Windows, select either the tigervnc-*.exe or the tigervnc64-*.exe file to download and install.
  2. Once you've downloaded the installer, double click the file and follow the installation instructions.

Set up your SSH Tunnel

Once you have the TigerVNC Viewer installed, you can set up your SSH tunnel.

Your administrator should have informed you of the VNC network port to use for your tunnel. If you were assigned display 2, then your port would be 5902. (The network port number is always the display number plus 5900.)

Mac Users

Example user: uniqname1
Example server name: computer1.astro.lsa.umich.edu
Example assigned VNC network display port: 5902

(In this example, the uniqname1 user account's VNC display has been set to 2 in the TigerVNC configuration on the server, so their connection port is 5902.)

  1. In a terminal window, type:
    • $ ssh -L 5902:localhost:5902 uniqname1@computer1.astro.lsa.umich.edu
  2. Enter your normal server account password for this remote machine when prompted.
  3. Once connected, leave this terminal window open (you can minimize it if you'd like). If you close the terminal, it closes the SSH tunnel.
  4. Now you can open up your TigerVNC Viewer app if it isn't already open.
  5. In the "VNC server" field enter: localhost:5902 (For reference, 127.0.0.1 works in place of localhost)
  6. Click Connect.
  7. It should now prompt you for your VNC password. (This is the one you set with the vncpasswd command in the section above, Change your VNC password on the remote host.)
  8. Now, if everything worked correctly, the remote machine's desktop GUI window will open up on your local computer, and you can keep on working.
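
The tunnel command from step 1, generalized to any assigned display, as an added example that is not part of the original article. The function names, the 0-99 display range, and the extra ssh options (-N, ExitOnForwardFailure, and the explicit 127.0.0.1 bind address) are assumptions of this example; the explicit bind keeps the forwarded port on loopback regardless of the client's GatewayPorts setting.

```sh
#!/bin/sh
# Added example: build the SSH tunnel command for an assigned VNC display.

# Print the VNC TCP port for a display number (port = 5900 + display).
# Accepting only 0-99 without leading zeros is an assumption of this example.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*|0?*) echo "display must be a plain integer" >&2; return 1 ;;
    esac
    [ "${#1}" -le 2 ] || { echo "display out of range (0-99)" >&2; return 1; }
    echo $((5900 + $1))
}

# Print the ssh command line for the tunnel. Arguments: display user host.
vnc_tunnel_cmd() {
    port=$(vnc_port "$1") || return 1
    # Reject empty values, values ssh could read as an option (leading '-'),
    # and anything outside a conservative character set.
    for v in "$2" "$3"; do
        case "$v" in
            ''|-*|*[!A-Za-z0-9._-]*) echo "invalid user or host: $v" >&2; return 1 ;;
        esac
    done
    # -N: forward only, run no remote command.
    # ExitOnForwardFailure=yes: ssh exits if local port $port is already taken,
    #   so the viewer is never pointed at some other listener on that port.
    # 127.0.0.1:...: bind the local end to loopback only.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:%s %s@%s\n' \
        "$port" "$port" "$2" "$3"
}

# The article's example values: display 2 on computer1 for uniqname1.
vnc_tunnel_cmd 2 uniqname1 computer1.astro.lsa.umich.edu
```

With -N the terminal shows no remote prompt after login; it simply holds the tunnel open until you press Ctrl-C.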

For setting fixed resolution upon startup:

You can set the default resolution that your GUI window opens to when you connect by creating a file named config in your /home/username/.vnc/ directory on the remote server.

  1. To create the file you can use your editor of choice. In this example we use vim.
    • $ vim /home/username/.vnc/config
  2. According to the documentation, it seems to require the 'session' parameter. The other value that you would then put in is the geometry that you want. For example, if you wanted your display window to open with a default resolution of 1920x1080, your config file should contain these two lines:

    session=xfce
    geometry=1920x1080

Windows Users

For Windows users, we will use PuTTY to connect in this example. You will have to do a little more configuration within PuTTY to create your SSH tunnel and save the profile.

Example user: uniqname1
Example server name: computer1.astro.lsa.umich.edu
Example assigned VNC network display port: 5902

(In this example, the uniqname1 user account's VNC display has been set to 2 in the TigerVNC configuration on the server, so their connection port is 5902.)

  1. Open up PuTTY, highlight Session on the left side of the window, then on the right side, enter the full name of the machine and domain in the "Host Name" field, i.e: computer1.astro.lsa.umich.edu (leave the Port set to 22)
  2. Then on the left side of the window, expand Connection --> SSH by clicking the plus sign, and highlight Tunnels
  3. In the right side, for the "Source port" field, you will enter: 5902
  4. Also on the right, for "Destination" field, you will enter: localhost:5902 (For reference, 127.0.0.1 works in place of localhost)
  5. Then click the Add button (very important or it won't save)
  6. Now on the left side of the window, highlight the Session choice again. I would recommend saving these settings under "Saved Sessions". So, give it a name like "Computer1 VNC SSH Tunnel", and click Save.
  7. You should now be able to highlight that saved session in the list, and click Load. Then check to make sure the tunnel you created is still listed under Connection --> SSH --> Tunnels.
  8. Once everything looks in place, and it is loaded as the active session on the Session window, click Open.
  9. A terminal window should open, and you can login to the remote machine with your remote machine account and remote machine account password.
  10. Once your terminal window is up and running, you can minimize it. Don't close it, or it will close your SSH tunnel.
  11. Now open up the TigerVNC Viewer on your local machine.
  12. In the "VNC server" field type: localhost:5902 (For reference, 127.0.0.1 should work in place of localhost as well)
  13. Click Connect.
  14. It should now prompt you for your VNC password. (This is the one you set with the vncpasswd command in the section above, Change your VNC password on the remote host.)
  15. Now, if everything worked correctly, the remote machine's desktop GUI window will open up on your local computer, and you can keep on working.

Caution: Very important! DO NOT log out of the VNC remote desktop window, just close the window using the X in the upper corner of the window if you want to be able to reconnect to the same session. Once you've closed the window with the X, you can exit out of your SSH tunnel session. That SSH tunnel session is only needed while you are working in the VNC remote GUI window.

If you do log out of the remote desktop (and not just close the window with the X), it will also stop the VNC service for your individual display. You will then need to put in a ticket to contact the administrator of the machine to manually restart your display service on the remote server before you are able to connect again. Sudo or root access is required to restart sessions, which is why you would need to contact the administrator if you accidentally log out.

Also, if your administrator set up your display as a service, the display will start at boot automatically, so if the whole machine is rebooted, it will restart your VNC display and have it ready for use at startup.