Set up VNC from Windows to Fedora 12 Over the Internet


I’m writing this in a VNC session from Windows 7, via a secure SSH tunnel over the Internet, to a remote Fedora 12 desktop (if you’re running Fedora 14, I’ve written a separate blog post about how to do that, too). If you’d like to be able to do the same thing, just follow these 10 easy steps:

Step 1: Install VNC on the Remote Fedora 12 Box

There are many VNC servers available for Fedora. The TigerVNC server package may have been installed by default on your Fedora 12 box when you installed the OS, but to make sure, become root (or sudo) and type:

yum install vnc-server

If it’s already installed, Fedora will let you know. If it’s not, it will be now!

Step 2: Configure Screen Resolutions, Port Number, and Users on the Remote Fedora 12 Box

The /etc/sysconfig/vncservers file controls which users are allowed to access your Fedora box via VNC, as well as what ports they will connect to, and what screen resolutions each of those users will use when connecting. As root (or with sudo), open the /etc/sysconfig/vncservers file with your favorite text editor and find the lines at the bottom that look something like this:

# VNCSERVERS="2:myusername"
# VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"

Uncomment those lines, then change “myusername” to your Linux username on the first line. On the second line, change the geometry to whatever screen resolution you’d like for your desktop when remotely connecting (to avoid seeing scroll bars, make sure it’s smaller than the size of your local desktop), and then, for right now, remove the default -localhost option. We’ll test your VNC connection without it first, and then add that option back later when we’re sure VNC is working. Assuming your Linux username was clyde, those lines should now read:

VNCSERVERS="2:clyde"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp"

This tells the VNC server to set up VNC display port #2 (the default for remote access) for clyde to connect with a screen resolution of 1024×768.

Step 3: Configure the VNC Desktop Environment and Password

For the next step, you should be logged in to your Fedora box as the user whose desktop you’ll want to access. If you’re already logged in as root, and your username is clyde, type:

su - clyde

The hyphen is important, as it will load the local path for clyde, which we’ll need for the next step. Now type:

vncserver

This will run the vncserver program, and will set up default versions of the necessary desktop environment files for whichever user ran the program (in this case, clyde).

The first time you run this, you’ll be prompted for a password. This will be your VNC password, which you’ll use to connect to your remote desktop. This can be different than your Linux account password, if you choose. If you ever want to change your VNC password, just type vncpasswd while logged on as the user whose password you want to change.

The newly created files will be in the .vnc directory under the user’s home directory (for our example, /home/clyde/.vnc). Using your favorite text editor, edit the /home/username/.vnc/xstartup file.

Go to the bottom of the file, comment out the twm & line, and then add a line that tells VNC to start your desktop of choice. If you want a GNOME desktop, the last two lines should read:

# twm &
startx &

If you prefer a KDE desktop, they should read:

# twm &
startkde &

Step 4: Start the VNC Server Service

To start and stop services, you’ll need to be logged in as root. Make sure any previous instance of the vncserver service is stopped by typing:

service vncserver stop

It’s OK if you get a FAILED message in reply. That just means that the server wasn’t running.

Start the service with all the settings you’ve entered with:

service vncserver start

You should get a success message that says something like:

Starting VNC server: 2:clyde
New 'server.hostname:2 (clyde)' desktop is server.hostname:2
Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:2.log

Step 5: Configure Firewall Settings

If you have the Linux Firewall turned off on your Fedora 12 box, you can skip this step.

If you’re using the built-in firewall on your Fedora 12 box, you’ll need to tell it to allow incoming connections on the port you set up in Step 2 above. The number(s) you used in the VNCSERVERS= line(s) of the /etc/sysconfig/vncservers file determine which port numbers VNC will listen on. Our example used VNCSERVERS="2:clyde", which means you’d need to open port 5902 in your firewall. If you set up other users and/or other ports, then you’ll need to open those as well: 1 = port 5901, 2 = port 5902, 3 = port 5903, etc.

To add the appropriate port(s) to your firewall, edit the /etc/sysconfig/iptables file and add the following line:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT

If you’re using additional ports for VNC, add a separate line for each.

The following line should already appear somewhere in your /etc/sysconfig/iptables file, but if it isn’t there for some reason, now is a good time to add it so you can connect to your VNC server securely in a later step:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Once you’ve added the appropriate line(s), restart your firewall with:

service iptables restart

Step 6: Configure Router Port Forwarding

If your network lives behind a router (and most home-based broadband users’ networks do), and you only want to access your Fedora 12 desktop from inside the same local network, then you don’t need to mess with port forwarding on your router and can skip to the next step.

If the only way you plan on connecting to your Fedora 12 desktop over the Internet is via a secure SSH tunnel (which is what I recommend), then you’ll need to verify that you’ve properly forwarded port 22 (the default SSH port) on your router to the internal IP address of your Fedora 12 box. If you’re able to SSH into your Fedora 12 box from outside your router, then you’ve already got things forwarded properly. Check your router’s instructions (or the instructions for your router’s firmware if you’re using something like DD-WRT or Tomato) on how to set up port forwarding.

If you would like to connect to your Fedora 12 desktop over the Internet without a secure SSH tunnel (and I would recommend doing this only for testing and troubleshooting purposes and only when first getting things set up), then you’ll need to forward the appropriate VNC port(s) from your router to your Fedora 12 box (we used port 5902 in our example). Again, this is recommended only for testing purposes, as it is not a secure connection.

Step 7: Install a VNC Client on Windows

Because it’s lightweight, stable, completely FREE, and supports the secure connection we’ll be setting up in a minute, I recommend the TightVNC client, which can be downloaded here. But there are many other good VNC clients available out there, including RealVNC, and an interesting one called Terminals, which allows you to set up multiple tabs in one application with both Windows RDC and Linux VNC connections, kind of like tabs in your Web browser.

So download and install the VNC client of your choice.

Step 8: Connect to your VNC Server

Open your VNC client and connect to the appropriate IP address of your Fedora 12 box and the port that you chose in /etc/sysconfig/vncservers.

If you’re connecting from inside your network and the IP address of your Fedora 12 box is 192.168.1.100, then to connect to port #2 as in our example, you’d connect to 192.168.1.100:5902.

If you’re connecting from outside your network and want to connect to port #2 as in our example, then use your WAN IP and VNC port instead, as in 222.33.444.55:5902.

You’ll be prompted for the VNC password you set up in an earlier step, and the desktop you configured in /home/username/.vnc/xstartup should display.

If you are unable to connect, go back and carefully re-check each step. It’s probably a very simple typo or a small thing you forgot.

Step 9: Connect to your VNC Server with SSH Tunneling

Now that you know your VNC server is running properly, it’s time to secure things. This isn’t necessary when connecting to your Fedora 12 box via VNC inside a trusted network. But if you want to connect over the Internet, you really should take this extra step, which will only take a couple of minutes to configure.

First, you’ll need a Windows SSH client. I use SecureCRT (which is a commercial app with a free trial period), but you can also do it easily with a very popular freeware Windows SSH client called PuTTY.

The idea behind SSH tunneling is to establish a secure SSH connection between your Windows box and the remote Fedora 12 box, and then “tunnel” the VNC connection through your SSH connection. Don’t worry… it’s much easier than it sounds.

In SecureCRT: create a new connection to the IP address or hostname of your remote Fedora 12 box (or the external IP address of the router if you’re connecting from outside the local network). Under the Connection category, set the protocol to SSH2. In the SSH2 sub-category, use port 22, and be sure to use the username on the Fedora 12 box that you configured in /etc/sysconfig/vncservers (in our example, it was clyde). In the Port Forwarding sub-category, hit Add…, enter a descriptive name for the forwarded connection (such as VNC), then put the port number that corresponds to the number you set up in /etc/sysconfig/vncservers for that username in both port fields (in our example, both would be 5902). None of the checkboxes need to be selected. Save your new connection, then click Connect. A terminal window should appear, and you’ll be prompted for your username and password. Use your Fedora account username and password (which may be different than the VNC password you set up).

In PuTTY: enter the IP address or hostname of your remote Fedora 12 box (or the external IP address of the router if you’re connecting from outside the local network). Click the + next to the SSH sub-category, then click Tunnels. Enter the port number that corresponds to the number you set up in /etc/sysconfig/vncservers in the Source port field (in our example, it would be 5902), then enter localhost:5902 (or a different port if applicable) in the Destination field, then click on Add. Scroll up and click on the Session category. Type in a name for the session in the Saved Sessions field then press Save. Click Open to establish the connection. A terminal window should appear, and you’ll be prompted for your username and password. Use your Fedora account username and password (which may be different than the VNC password you set up).

You’ve essentially told your SSH client to “listen” for local connections to port 5902 on localhost (your Windows box), and then tunnel those connections over to port 5902 on the remote host (your Fedora 12 box) using your secure SSH connection.

Once your SSH connection is established (whether by SecureCRT, PuTTY, or some other client), open your VNC client viewer and connect to localhost:5902. The VNC client should establish the connection, prompt for the VNC password (which may not be the same as your Fedora account password), and then display the remote desktop.

Step 10: Securing Things and Tidying Up

To finish securing your VNC server, there are a few final steps you should take.

First, exit your VNC client (you can just close it), then exit your SSH tunneling session by typing exit from the command prompt. Re-connect to your Fedora 12 box with a standard (non-tunneling) SSH connection and become root. Edit the /etc/sysconfig/vncservers file and add the -localhost option to the VNCSERVERARGS line, so that it reads:

VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"

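This option tells the VNC server to listen only on the loopback interface, so it accepts connections that originate on the Fedora box itself (such as those arriving through the SSH tunnel) and refuses direct connections from remote VNC clients.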

Restart the VNC server with this new option by typing:

service vncserver restart

Next, if you forwarded port 5902 on your router (or any other ports for your VNC server) for testing purposes in Step 6 above, now would be a good time to undo that forwarding. You don’t need those ports forwarded anymore now that you’ve got SSH tunneling working. You do, however, still need the VNC ports open on your Fedora box’s firewall, so keep any /etc/sysconfig/iptables changes you made while setting up VNC.
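
To confirm that every display really ended up restricted, here is an added check (not part of the original post) that parses /etc/sysconfig/vncservers and reports each display's TCP port (5900 + display number) and whether -localhost is set. The function names audit_vncservers and listener_scope and the sample file are made up for this example.

```shell
#!/bin/sh
# Added example: audit VNC exposure for the setup described in this post.

# audit_vncservers FILE: prints "<display> <user> <tcp-port> <binding>" per display.
# Returns 1 if any display lacks -localhost. The file is parsed, never sourced.
audit_vncservers() {
    conf=${1:-/etc/sysconfig/vncservers}
    rc=0
    servers=$(sed -n 's/^[[:space:]]*VNCSERVERS="\(.*\)".*$/\1/p' "$conf" | tail -n 1)
    for entry in $servers; do
        disp=${entry%%:*}
        user=${entry#*:}
        case $disp in ''|*[!0-9]*) continue ;; esac   # skip malformed entries
        args=$(sed -n "s/^[[:space:]]*VNCSERVERARGS\[$disp]=\"\(.*\)\".*\$/\1/p" "$conf" | tail -n 1)
        case " $args " in
            *" -localhost "*) binding=loopback-only ;;
            *) binding=EXPOSED; rc=1 ;;
        esac
        echo "$disp $user $((5900 + disp)) $binding"   # port = 5900 + display
    done
    return $rc
}

# listener_scope PORT: reads `netstat -tln` or `ss -tln` output on stdin and prints
# loopback, network or not-listening for that port (local address is field 4).
listener_scope() {
    awk -v p="$1" '
        $4 ~ (":" p "$") {
            addr = $4; sub(":" p "$", "", addr)
            if (addr ~ /^(127\.|\[?::1\]?$)/) { if (s == "") s = "loopback" } else s = "network"
        }
        END { print (s == "" ? "not-listening" : s) }'
}

# Constructed sample file: display 2 as in Step 10, display 3 still as in Step 2.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
VNCSERVERS="2:clyde 3:joe"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"
VNCSERVERARGS[3]="-geometry 800x600 -nolisten tcp"
EOF
    audit_vncservers "$tmp"; status=$?
    rm -f "$tmp"
    return $status
}
demo || echo "at least one display accepts connections from the network"
```

The config check only shows what the service will be started with; on the Fedora box, piping netstat -tln into listener_scope 5902 shows what the running server is actually bound to, and should print loopback once the restart above is done.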

Optional Step: Starting Multiple VNC Sessions

If you’d like to start multiple instances of the VNC server on your Fedora box, you can simply edit your /etc/sysconfig/vncservers file. Multiple instances are helpful if you want to allow multiple users to connect to the Fedora box via VNC. You can also set up multiple profiles for the same user, which is useful if you want to allow the same user to access the Fedora box from multiple remote systems that may have different screen resolutions.

If you’d like to set up an additional user (we’ll use joe in this example), your /etc/sysconfig/vncservers file should include:

VNCSERVERS="2:clyde 3:joe"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"
VNCSERVERARGS[3]="-geometry 800x600 -nolisten tcp -localhost"

Notice that the VNCSERVERS= line has both users listed on the same line. This is important so that when the vncserver service starts, it will start for all users listed. Add a separate VNCSERVERARGS= line for each new user, along with whatever arguments you want. Note also that by using the #3, your VNC server will now also be listening on port 5903 for that user, so set up your firewall, tunnel, and/or VNC client appropriately to listen and/or forward all the ports you want to use.

If you’d like to set up multiple profiles for the same user, your /etc/sysconfig/vncservers file should include:

VNCSERVERS="2:clyde 3:clyde"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"
VNCSERVERARGS[3]="-geometry 800x600 -nolisten tcp -localhost"

Now when clyde connects to the VNC server on port 5902, he’ll get a 1024×768 desktop. If he connects on port 5903, he’ll get a separate login instance on a separate desktop at 800×600. It’s possible to be connected to both ports at the same time, and have two different desktops running.

Be sure to do a service vncserver restart after making any changes to /etc/sysconfig/vncservers. You should see output from all instances being started, such as:

Starting VNC server: 2:clyde
New 'server.hostname:2 (clyde)' desktop is server.hostname:2
Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:2.log
3:clyde
New 'server.hostname:3 (clyde)' desktop is server.hostname:3
Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:3.log

Congratulations!

You’ve successfully set up your remote Fedora box to accept VNC connections securely. Enjoy your new Windows to Fedora 12 VNC connection!

(To give credit where credit is due, this article was very helpful when I was trying to set up VNC on my system for the first time)

UPDATE: If you’re trying to set up VNC on an RHEL 5.5 or a CentOS 5.5 box, I’ve made a new blog post that walks you through a couple additional steps.