VNC (Remote Access) on Mint 19.x

[rene]

Answered a few questions regarding VNC on the forum lately and as a result thought it might be useful to supply a short tutorial on using VNC with Mint 19.x (at least) since the once OOTB-supplied vino VNC server is no more; even though it still exists in the repositories I would not recommend it these days due to being seemingly unmaintained.

First for a tiny bit of description since the issue tends to confuse new users: a VNC server is basically a full X server, just with input and output coming in from resp. going out over the network via VNC rather than from local input devices resp. local graphics adapters. This is to say that, normally, starting a VNC server starts a second and of the "main" X server independent X server; would normally be available on display :1 rather then the :0 of the standard X server. That secondary display one would need/want to configure from scratch with e.g. its own session manager or discrete set of X applications through ~/.vnc/xstartup --- but that's not what we will be doing: we will be installing a so-called "scraping" VNC server that shares the main display :0 over VNC instead.

For a desktop distribution such as Linux Mint this would tend to be more applicable to user desires even if you may want to look into the stand-alone server for e.g. graphical access to a VPS. For a scraping server Mint 19.x has a few alternatives available: x11vnc, TigerVNC and vnc4server, where the latter is based on the externally available RealVNC which is certainly also an option. We will be using vnc4server. Note that the also from the repositories available TightVNC while a fine VNC server in and of itself is/has not a scraping server so isn't applicable here.

The setup is really minimal and for those that like to access remote systems graphically rather than through e.g. SSH therefore quite convenient. Let me however immediately note that "remote" should in this preferably be considered to be within a LAN, i.e., behind a standard firewall and/or NAT-router. VNC is an old and not hugely security focussed protocol: if you'd want VNC access to your system(s) available from the internet you'd preferably set things up through an SSH tunnel which this tutorial will not go into.

Even if only to not spoil the easy and straightforward setup on a LAN: on the server, the system that is to be remotely graphically accessed, you install

Code: Select all

sudo apt-get install vnc4server

and on the client, the system that is to do said remote accessing, you installl

Code: Select all

sudo apt-get install xvnc4viewer

or, in fact, on said client use any of the multitude of remote access programs that support VNC such as RealVNC, Remmina, what have you. Clearly one should also feel free to install both on both systems if both systems are expected to be both server and client. If vnc4server and xvnc4viewer are the only server and viewer the system has installed things will be setup correctly automatically but if you have more pairs installed and the vnc4 ones are not the last such installed pair, you may want to

Code: Select all

sudo update-alternatives --config x0vncserver

and the same for vncserver, vncviewer and vncpasswd to set your preferred ones(s) to the vnc4 ones. Alternatively use explicitly x0vnc4server, vnc4viewer and vnc4passwd rather than the generic names in what follows.

Starting the server without any form of authentication is easiest and done simply as, on the server,

Code: Select all

x0vncserver -SecurityTypes=none

which you may moreover of course also add as an e.g. desktop startup application to have it started always. Viewing from the client should be a simple matter of

Code: Select all

vncviewer <server>

in which <server> is an address or resolvable name for the server --- which you may again of course also feel free to turn into an e.g. desktop launcher on the client, with or without a spiffy icon.

Even on a LAN you may of course want password-based access instead, lest potentially any user on the client logs in over VNC as whichever user runs the VNC server on the server, and this is still about as easy. In that case first on the server generate a password into ~/.vnc/passwd with

Code: Select all

vncpasswd

I suggest to use the user's normal login password. Then start the VNC server with instead

Code: Select all

x0vncserver -PasswordFile=/home/<user>/.vnc/passwd

for the applicable user <user>. On the client this will cause the simple

Code: Select all

vncviewer <server>

to prompt for the password or you can start it as

Code: Select all

vncviewer -passwd ~/.vnc/passwd <server>

after either copying the ~/.vnc/passwd file from server to client or simply using vncpasswd with the same password also on the client. I'd as said not make even password-based VNC available directly from the internet without tunnelling things through SSH but on a LAN, most home-user LANs certainly, this should be all there is to it.

Hope this is useful.

[GuyLeclair]

Answered a few questions regarding VNC on the forum lately and as a result thought it might be useful to supply a short tutorial on using VNC with Mint 19.x.
[...]
Let me however immediately note that "remote" should in this preferably be considered to be within a LAN, i.e., behind a standard firewall and/or NAT-router. VNC is an old and not hugely security focussed protocol: if you'd want VNC access to your system(s) available from the internet you'd preferably set things up through an SSH tunnel which this tutorial will not go into.

Thank you for this tutorial Rene!
However in my particular case, I'm looking for a similar solution to get access to a remote PC (running Mint 19.3), but over the internet.
Is there a secured solution - not too difficult to set up - to achieve this?
Ideally, I would like to have the ability to allow only 1 given user (on the target PC) to be able to open a session with. Plus logging (on the target PC) of remote connection attempts.
I do not want to go through any 3rd party server, between my PC and the target PC. And I want to rely on libre software exclusively.
Any idea/recommendation?
Thank you.

[rene]

Yes, as a high-level sketch you'd just, on the server, the to be remotely accessed machine,

1. Setup things for a normal, secured LAN as above.
2. Provide regular SSH access to said given user over the internet.

and on the client,

3. Tunnel VNC traffic over SSH.

I left it out of the above by design since 2 and 3 are essentially unrelated to VNC itself whereas they'd on this forum probably still cause the readership enough issues to muddy the subject/post. But, with a bit more detail, ...

Providing SSH access to a given user over the internet is a matter of

2a. Providing SSH access to said given user on your secured LAN.
2b. For regular, IPv4-based access (i.e., as opposed to IPv6-based if you have a public IPv6 address) set up a port-forward in your modem/router to forward SSH to the server.

Tunnelling VNC traffic over SSH is then a simple matter of, on the client,

3a. Create an SSH tunnel from e.g. localhost:5900 to <server>:5900:

Code: Select all

ssh -N -L 5900:localhost:5900 -f <user>@<server>

3b. Start your VNC viewer to localhost:5900

Code: Select all

vncviewer localhost

I would suggest using public key based and only public key based authentication for SSH: on a LAN it's convenient, and over the internet it is both that and secure. If you do password-based you are at (3a) asked for the user's login password for the sake of SSH and unless you used the password-less VNC access from the tutorial, in (3b) for the VNC password which was advised to also be the user's login password.

Let me for now only specify further:

- as to (2b) the standard SSH port to be 22, although you may choose whichever public port in your modem/router setup to forward to 22 on the server.

- as to (3a) that <server> is your public IP or a DNS-name that resolves to such, such as obtainable via an e.g. dynamic DNS service. If your public IP is "steady enough" first will do for now but you'd preferably use any such dynamic DNS service to be able to specify <server> over the internet by name in the long run.

- also as to (3a) that that first 5900 is the local port number, the second the remote. The second needs to match the port that the VNC server is listening on on <server> and is 5900 when having followed the tutorial for (1). The first can basically be any on the client unused port greater or equal 1024. If you use something other than the standard 5900 --- which might be necessary if the "client" is in fact also a VNC server, i.e.. has its port 5900 already used --- you in (3b) connect as vncviewer localhost:<port>.

- as to allowing only public key based authentication for SSH, uncomment PasswordAuthentication and change it to "no" in the server's /etc/ssh/sshd_config:

Code: Select all

PasswordAuthentication no

Further detail might depending on your level of expertise not be needed. If it is feel free to follow up with specific questions but as to not muddying a VNC rather than SSH tutorial I hope this is detailed enough.

[benjammin1001]

I realize this thread's a little old - but FWIW,

RealVNC also offers their server for Linux that works through their cloud/proxy system.

As an example, my mom has one of my (paid for) licenses running on her laptop so I can give her remote support.

It mirrors the :0 display -- it also allows sound/file transfer and is secured with over SSL through the RealVNC mothership.

So that's also a solution when the remote device is something like a laptop on a dynamic IP address.

But it does cost a few bucks... but in the right situations, it's worth it.

(RealVNC is - thankfully - cheaper than LogMeIn and TeamViewer.)

Cheers,

-Ben