TightVNC Server on Ubuntu 16.04

Because setting up a VNC server on Linux is such a frequent request, I've collected some of the issues that have been seen into a set of ideas to consider when setting up a VNC server on your own Linux server. Please note that this article is meant to give some direction; it assumes enough Linux administration experience to know when the directions need slight alteration to meet the requirements of your system. This is not officially supported by SoftLayer.

The first consideration is that Network Manager is also installed when installing most desktop environments on Linux. This is an issue because Network Manager will overwrite the network configuration that was already set up on the server. The second consideration is that VNC traffic is transmitted over the network unencrypted. You may also want to limit access to the root account through VNC. So there are some security considerations when setting up a VNC server. I'll start with the basic installation and then give some possible security configuration.

First, you'll want to start with an updated system.

apt-get update
apt-get upgrade
apt-get dist-upgrade

Second, you'll want to install the desktop. This is where the first consideration comes in. If you install Gnome or KDE, two popular desktop environments, this will also install Network Manager. Gnome and KDE are also optimized for the desktop. If you are using a server with limited resources, you'll want a lightweight desktop. One example of a lightweight desktop that can be installed without the Network Manager dependency is LXDE. Installing it is very easy with the package manager, as follows:

apt-get install xorg lxde-core 

The third step is to install a VNC server. The following command will install the TightVNC server.

apt-get install tightvncserver

That's about it for the installation steps. Before proceeding, it is worth considering security during the configuration steps. Since anyone who can log in to VNC has direct access to the desktop, and thus the server, we'll want to keep this access as limited as possible. You may therefore want to create a dedicated user on the server to run the following commands. To create a new user and set its password, run the following commands.

useradd -m <user name>

passwd <user name>

For this article, let's assume that we created the user de. Log in as this user, and then run the VNC server once to create the files needed for the user's VNC session, with the following command.

tightvncserver -localhost :1

The -localhost option tells the VNC server to bind only to the network loopback interface. Without this option, the VNC server would bind to every IP address assigned to every interface, which would allow anyone to reach the VNC login using the public IP of the server. After you enter this command, you'll be prompted to enter a VNC password. This password is used to access the VNC session; it is not the password that was given to the user that we created. You'll also have the option to create a "view-only" password. This wasn't tested here and you can skip it. After you complete the VNC setup prompts, you can stop the VNC service, as we'll edit the configuration to start the desktop environment that was installed. Use the following command to stop the VNC service.

tightvncserver -kill :1

Then open the user's VNC startup file with nano or your favorite editor.

nano ~/.vnc/xstartup

At the end of this file put the following lines:

lxterminal &
/usr/bin/lxsession -s LXDE &

Now the VNC server can be started again.

tightvncserver -localhost :1

The port that the TightVNC service should use by default is 5901. To check, you can use the following command.

netstat -plan | grep Xtightvnc
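
The check above can be turned into a pass/fail test of the -localhost binding. The following is an added example, not part of the original article: the function name check_vnc_listeners and the two netstat samples are constructed for illustration, and it assumes the usual netstat column layout (local address in column 4, state in column 6, PID/program name last).

```shell
#!/bin/sh
# Added example: classify Xtightvnc listening sockets from netstat output.
# Exit status: 0 = loopback only, 1 = at least one exposed, 2 = none found.
check_vnc_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $NF ~ /Xtightvnc/ {
            found = 1
            host = $4
            sub(/:[0-9]+$/, "", host)          # drop the trailing :port
            if (host == "127.0.0.1" || host == "::1") {
                printf "OK: %s is loopback-only\n", $4
            } else {
                printf "EXPOSED: %s accepts network connections\n", $4
                exposed = 1
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed sample: server started with -localhost (PIDs are made up).
SAMPLE_LOOPBACK='tcp  0  0 0.0.0.0:22      0.0.0.0:*  LISTEN  812/sshd
tcp  0  0 127.0.0.1:5901  0.0.0.0:*  LISTEN  2310/Xtightvnc'

# Constructed sample: server started without -localhost.
SAMPLE_EXPOSED='tcp  0  0 0.0.0.0:22      0.0.0.0:*  LISTEN  812/sshd
tcp  0  0 0.0.0.0:5901    0.0.0.0:*  LISTEN  2310/Xtightvnc'

printf '%s\n' "$SAMPLE_LOOPBACK" | check_vnc_listeners || echo "status $?"
printf '%s\n' "$SAMPLE_EXPOSED"  | check_vnc_listeners || echo "status $?"

# On the server itself, feed it the live output instead:
#   netstat -plan | check_vnc_listeners
```

A non-zero exit status makes the function usable in a cron job or monitoring check that alerts if the VNC server is ever restarted without -localhost.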

Now that the VNC service is configured on the server, we can connect to it with a VNC client. However, since we set up the VNC service to listen on the loopback interface, we cannot connect to it directly. First you need to set up port forwarding on your local machine with an ssh client. You'll want connections to a local port on your machine, e.g. 5901, forwarded to the server's loopback interface on the port that the VNC service is listening on, e.g. 127.0.0.1:5901.

This can be done in PuTTY by setting up the ssh tunnel configuration and logging in to the server via the public or private interface. In PuTTY, enter the source port 5901 and the destination 127.0.0.1:5901 and click Add. With ssh at a Linux or Mac terminal, use the following command.

ssh -L 5901:127.0.0.1:5901 de@<server IP>

Once you have the ssh client running with the port forwarding, you can start the TightVNC client and connect to 127.0.0.1:5901. Note that the port 5901 may be different for your configuration. You should then be prompted for a password when you connect via the TightVNC client on your local machine. Enter the VNC password that you created when you set up the TightVNC server on the server. A window with the desktop should then open. You are now connected to the server via VNC.