
Secure Use of VNC on Centos and Fedora

This howto describes a way to use VNC securely over a WAN (or the Internet) on both Fedora and CentOS. The method should also work with most other VNC setups. Some VNC setups have SSL ready to go; this howto is for the case where VNC does not already have encryption support and you are not on a private network.

This document is a work in progress; do not use.

If you still want to use it, it should work. I use it all the time. I just have not tested what I have here.

This entire document relies on the assumption that you have a firewall protecting your server, that you allow ssh logins, that vncserver is configured and working, and that you have a working network configuration. For this example, I will be using the following network settings:

Server:

    IP Address: 192.168.1.2
    Firewall Protecting Server; only 22:tcp (ssh) allowed in
    VNC Server Port: 5901

Client:

    IP Address: 192.168.1.3
    Firewall Protecting Client; only 22:tcp (ssh) allowed in
    Forwarded VNC Client Port: 5901
    Note: You can use any available port you wish for the forwarded port. For this example I am using 5901 to remain on the "VNC" ports.

Step a.

    If you don't have vncserver or vncviewer installed and you are running CentOS or Fedora, you can install them with the following command:

yum install vnc vnc-server


Step 1.

    Start the vncserver on the server machine.

vncserver

Step 1a.

    Check that vncserver is listening where we expect it to.

netstat -an|grep 590

Should give you something like:

    tcp        0      0 ::1:5901                       :::*                        LISTEN

        -and/or-

    tcp        0      0 127.0.0.1:5901         0.0.0.0:*           LISTEN

    If the output of netstat looks like the following instead, vncserver is listening on all interfaces, not just localhost. You should configure vncserver to listen only on localhost (127.0.0.1) so that the ssh tunnel is the only path to it:

    tcp        0      0 0.0.0.0:5901         0.0.0.0:*           LISTEN

    tcp        0      0 :::5901                       :::*                        LISTEN

    Check which port the server has given you. The default first display listens on tcp:5901. When you start vncserver it also prints where it is listening.

Step 2.

    Now that vncserver is listening, all you need to do is connect. If you would like to verify the security of your setup, scan the VNC port from the client machine with the following command. Because the server firewall only allows 22:tcp, port 5901 should not be reachable from outside (nmap should report it as closed or filtered):

nmap -sT -p 5901 -P0 192.168.1.2

    Tip: If you don't have nmap installed, use yum to install it: yum install nmap

    There are two ways of building the secure tunnel for your VNC data. If you are already on the server, or there are multiple security checkpoints you would have to pass to reach the server from the client, use -R (run on the server, it forwards a port on the client back to the server). If you are on the client and can ssh directly to the server, use -L. The following are examples of both; the first is run on the client, the second on the server:

ssh -L 5901:localhost:5901 yourUserName@192.168.1.2
ssh -R 5901:localhost:5901 yourUserName@192.168.1.3

    If everything worked, you should now see port 5901 listening on localhost. Check with the following command:

netstat -an|grep 5901

This should give you something like:

    tcp        0      0 0.0.0.0:5901         0.0.0.0:*           LISTEN

    or

    tcp        0      0 127.0.0.1:5901         0.0.0.0:*           LISTEN

    At this point everything should be set up and working. On your client, connect to the VNC server through the tunnel:

vncviewer localhost:1

Note: localhost:1 is the same as localhost:5901; if you used a different forwarded port, adjust it here.
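The two checks this procedure relies on, the netstat test of Step 1a and the tunnel of Step 2, as an added shell example that is not part of the original howto. The function names are hypothetical, the sample netstat output is constructed, and the tunnel helper adds two safeguards the text only implies: it binds the local end explicitly to 127.0.0.1 and refuses to start vncviewer unless the local port is loopback-only.

```shell
#!/bin/sh
# Added example (not part of this howto): helpers for the checks in Steps 1a and 2.
# vnc_listen_state classifies where a port is listening from 'netstat -an' output:
#   loopback -> every listener on the port is bound to 127.0.0.1 or ::1 (good)
#   exposed  -> a listener is bound to 0.0.0.0, :: or another interface address
#   none     -> nothing is listening on the port
# Exit status is 0 only for "loopback", so it can gate the vncviewer call below.
vnc_listen_state() {
    port="$1"          # e.g. 5901
    netstat_out="$2"   # text in the format of 'netstat -an'
    seen=0; exposed=0
    while read -r proto recvq sendq laddr faddr state; do
        [ "$state" = "LISTEN" ] || continue          # listening TCP sockets only
        case "$laddr" in *:"$port") ;; *) continue ;; esac
        seen=1
        host="${laddr%:*}"                           # strip the trailing ":port"
        case "$host" in
            127.0.0.1|::1) ;;                        # loopback: reachable via the tunnel only
            *) exposed=1 ;;                          # 0.0.0.0 / :: / real interface address
        esac
    done <<EOF
$netstat_out
EOF
    [ "$seen" -eq 1 ]    || { echo none;    return 2; }
    [ "$exposed" -eq 0 ] || { echo exposed; return 1; }
    echo loopback
}

# Step 2 on the client, hardened: the local end of the tunnel is bound explicitly
# to 127.0.0.1 (so a GatewayPorts setting cannot expose it), ssh exits if the
# forward cannot be set up, and the viewer only starts once the local listener is
# confirmed loopback-only. Usage: vnc_tunnel_connect yourUserName 192.168.1.2 5901
vnc_tunnel_connect() {
    user="$1"; server="$2"; port="${3:-5901}"
    # -N: no remote command, -f: background once the forward is established
    ssh -f -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$port:localhost:$port" "$user@$server" || return 1
    vnc_listen_state "$port" "$(netstat -an)" >/dev/null ||
        { echo "local port $port is not loopback-only; not starting vncviewer" >&2; return 1; }
    vncviewer "localhost:$((port - 5900))"           # display number, as in localhost:1
}

# Constructed sample output, as the howto shows for a correctly configured server
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:5901         0.0.0.0:*           LISTEN
tcp        0      0 ::1:5901                       :::*                        LISTEN'
vnc_listen_state 5901 "$SAMPLE_NETSTAT"             # prints: loopback
```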

    If this does not work, head to 'Troubleshooting'. Another useful feature of vncviewer is that it can build the ssh tunnel for you, using the -via switch. I will have more information on this method of building the tunnel, as well as information on building the tunnels with PuTTY (a win32 ssh client), when I have more time. The following is a clip from the vncviewer man page:

    -via gateway
        Automatically create encrypted TCP tunnel to the gateway machine before connection, connect to the host through that tunnel (TightVNC-specific). By default, this option invokes SSH local port forwarding, assuming that SSH client binary can be accessed as /usr/bin/ssh. Note that when using the -via option, the host machine name should be specified as known to the gateway machine, e.g. "localhost" denotes the gateway, not the machine where vncviewer was launched. The environment variable VNC_VIA_CMD can override the default tunnel command of /usr/bin/ssh -f -L "$L":"$H":"$R" "$G" sleep 20. The tunnel command is executed with the environment variables L, H, R, and G taking the values of the local port number, the remote host, the port number on the remote host, and the gateway machine respectively.


Troubleshooting:

    When I have more time, I will be adding additional examples and a FAQ.