Here are quick steps for how to install tigervnc on RHEL/CentOS/Fedora

1. Installation of the software

    Ensure you are logged in as 'root' 
    If you have connectivity to RHN or a Satellite Server :
    # yum install tigervnc-server
    If you do not have connectivity to RHN, a Satellite Server, or your local mirrored repository :
    Create a local 'yum' repository  

2. Configure VNC password for the user(s)

Switch to the user you want to use for VNC:

        # su - vncuser1 

Note: replace 'vncuser1' with the correct username for your case

    Set the VNC password for the user : 
    $ vncpasswd
    $ exit
    Repeat for each VNC user as necessary  

3. Configure resolution for the user(s) 

    Edit '/etc/sysconfig/vncservers' with your favorite editor
    Append the following lines : 

        VNCSERVERS="1:vncuser1 2:vncuser2" 
        VNCSERVERARGS[1]="-geometry 1024x768"
        VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost" 

Note: Replace 'vncuser1' and 'vncuser2' with the correct usernames. You can add more users as needed. In addition, you can change the resolution value as needed.
Note: Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
Note: Use "-localhost" to prevent remote VNC clients from connecting except through a secure tunnel.  See the "-via" option in the 'man vncviewer' manual page. 

4. Start the VNC server

    Start the service :

        # service vncserver start 

    Ensure service is started on reboots :

    # chkconfig vncserver on    

5. Configure the firewall 

    # iptables -I INPUT -m state --state NEW -p tcp --destination-port 5901 -j ACCEPT 
    # iptables -I INPUT -m state --state NEW -p tcp --destination-port 5902 -j ACCEPT  

NOTE : Each user requires an additional firewall port opened starting at 5901. Because we added two users above, we need to open two ports. 

    # service iptables save 

 Note: By default, VNC uses RFB, which is not a secure protocol, so make sure you are aware of the security risk before you open the port to the public.
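
A check for the settings from steps 3 and 5, as an added example that is not part of the original guide: it reads a vncservers file and flags every display whose arguments lack -localhost, with the TCP port (5900 + display number) it listens on. The function name audit_vncservers and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): flag VNC displays that are
# reachable without an SSH tunnel. audit_vncservers is a hypothetical helper.
# The file is parsed with sed instead of being sourced, so nothing in it runs.
audit_vncservers() {
    conf=$1
    exposed=0
    # Take the last uncommented VNCSERVERS="..." line, as sourcing would.
    servers=$(sed -n 's/^[[:space:]]*VNCSERVERS="\(.*\)".*$/\1/p' "$conf" | tail -n 1)
    for entry in $servers; do
        display=${entry%%:*}
        user=${entry#*:}
        case $display in
            ''|*[!0-9]*) echo "SKIP $entry (display is not a number)"; continue ;;
        esac
        port=$((5900 + display))   # display N listens on TCP 5900+N
        args=$(sed -n "s/^[[:space:]]*VNCSERVERARGS\[$display]=\"\(.*\)\".*\$/\1/p" "$conf" | tail -n 1)
        case " $args " in
            *" -localhost "*)
                echo "OK      :$display $user tcp/$port loopback only" ;;
            *)
                echo "EXPOSED :$display $user tcp/$port no -localhost"
                exposed=$((exposed + 1)) ;;
        esac
    done
    [ "$exposed" -eq 0 ]   # non-zero exit status when any display is exposed
}

# Constructed sample input, same layout as the file edited in step 3.
sample=$(mktemp)
cat > "$sample" <<'EOF'
VNCSERVERS="1:vncuser1 2:vncuser2"
VNCSERVERARGS[1]="-geometry 1024x768"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"
EOF
audit_vncservers "$sample" || echo "at least one display needs -localhost"
rm -f "$sample"
```

On a real host, pass /etc/sysconfig/vncservers as the argument; only ports reported as EXPOSED correspond to the firewall rules from step 5.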

6. Access VNC server via ssh tunnel 

VNC doesn't encrypt data, so never use VNC on an untrusted LAN or over a connection that crosses a public network. However, you can set up a secure SSH tunnel for the VNC connection.

Step1: On server side 

In the server configuration file /etc/sysconfig/vncservers,
use the -localhost option to prevent remote VNC client connections.
    Edit '/etc/sysconfig/vncservers' with your favorite editor 

    Append the following lines : 
        VNCSERVERS="1:vncuser1 "
        VNCSERVERARGS[1]="-geometry 1024x768 -localhost" 

Step2: On client side

When running the VNC client, use the '-via' option, naming the gateway first and then the VNC host as the gateway knows it:

$ vncviewer -via fibrevillage localhost:5901 

TigerVNC Viewer for X version 1.1.0 - built Oct 27 2014 12:19:39
Copyright (C) 1999-2011 TigerVNC Team and many others (see README.txt)
See for information on TigerVNC.

Mon Feb  2 22:56:06 2015
 CConn:       connected to host fibrevillage port 5901
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8

Here is the detail on the -via option from the vncviewer manual page:

       -via gateway

    Automatically create encrypted TCP tunnel to the gateway machine before connection,
    connect to the host through that tunnel (TigerVNC-specific).
    By default, this option invokes SSH local port forwarding, assuming that
    SSH client binary can be accessed as /usr/bin/ssh.
    Note that when using the -via option, the host machine name should be specified as known to
    the gateway machine, e.g. "localhost" denotes the gateway, not the machine where vncviewer
    was launched.

    The environment variable VNC_VIA_CMD can override the default tunnel command of
    /usr/bin/ssh -f -L "$L":"$H":"$R" "$G" sleep 20.
    The tunnel command is executed with the environment variables L, H, R, and G taken
    the values of the local port number, the remote host, the port number on the remote host,
    and the gateway machine respectively.

Note: in this case, you do not need to open port 5901 for the vnc server

7. Access VNC server via an explicit ssh tunnel

Step1: Set up an SSH tunnel to the VNC server host

Suppose the node is vnc_server and the VNC user's server is listening on port 5901:

ssh -L 3300:localhost:5901 vnc_server

Step2: Start vncviewer through the tunnel

$ vncviewer localhost:3300

The VNC client connects to vnc_server through a secure SSH tunnel. This is equivalent to the VNC client's '-via' option:

$ vncviewer -via vnc_server localhost:5901

Note: In this case, you don't need to open firewall for port 5901 on vnc_server

See "How to setup SSH tunnel on Linux" for more complicated SSH tunnel setups.


8. Access VNC server via an explicit ssh tunnel created via putty

On a Windows machine, you can use PuTTY or a similar terminal tool to create an SSH tunnel, then specify the tunnel port to vncviewer to get a secure connection.

You can find the details in "Use putty to create a ssh tunnel".


