How to Set Up VNC from Windows to Fedora 14 Over the Internet


Installing the VNC server in Fedora 14 is a little bit different than I described it for Fedora 12, so here are some updated instructions for setting up VNC in Fedora 14 and connecting to it via Windows over the Internet.

Step 1: Make sure SSH is Running

In all versions prior to Fedora 14, SSH is turned on by default. However, this is no longer the case with Fedora 14. Before being able to connect to your Fedora 14 box over a network, you must have physical access to the machine and explicitly enable SSH from the console. To do this, log in as root and do:

service sshd start
chkconfig sshd on

You should also make sure that your firewall settings (if any) allow remote access to port 22 (the default SSH port). I’ve also written a separate blog post on steps you can take to secure SSH on your server.

Step 2: Install TigerVNC Server on the Remote Fedora 14 Box

The TigerVNC server package may have been installed by default on your Fedora 14 box when you installed the OS, but to make sure, become root (or sudo) and type:

yum install tigervnc-server

If it’s already installed, Fedora will let you know. If it’s not, it will be now!

Step 3: Configure Screen Resolutions, Port Number, and Users on the Remote Fedora 14 Box

The /etc/sysconfig/vncservers file controls which users are allowed to access your Fedora box via VNC, as well as what ports they will connect to, and what screen resolutions each of those users will use when connecting. As root (or with sudo), open the /etc/sysconfig/vncservers file with your favorite text editor and find the lines at the bottom that look something like this:

# VNCSERVERS="2:myusername"
# VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"

Uncomment those lines, then change “myusername” to your Linux username on the first line. On the second line, change the geometry to whatever screen resolution you’d like for your desktop when remotely connecting (to avoid seeing scroll bars, make sure it’s smaller than the size of your local desktop), and then, for right now, remove the default -localhost option. We’ll test your VNC connection without it first, and then add that option back later when we’re sure VNC is working. Assuming your Linux username was clyde, those lines should now read:

VNCSERVERS="2:clyde"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp"

This tells the VNC server to set up VNC display port #2 (the default for remote access) for clyde to connect with a screen resolution of 1024×768.

Step 4: Configure the VNC Desktop Environment and Password

For the next step, you should be logged in to your Fedora box as the user whose desktop you’ll want to access. If you’re already logged in as root, and your username is clyde, type:

su - clyde

The hyphen is important, as it will load the local path for clyde, which we’ll need for the next step. Now type:

vncserver

This will run the vncserver program, and will set up default versions of the necessary desktop environment files for whichever user ran the program (in this case, clyde).

The first time you run vncserver, it will look like this:

You will require a password to access your desktops.

Password:
Verify:
xauth:  creating new authority file /home/stevej/.Xauthority

New 'server.hostname:1 (clyde)' desktop is server.hostname:1

Creating default startup script /home/clyde/.vnc/xstartup
Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:1.log

When it prompts you for a password, this will be your VNC password, which you’ll use to connect to your remote desktop. If you choose, this can be different than your Linux account password. If you ever want to change your VNC password, just type vncpasswd while logged on as the user whose password you want to change.

The newly created files will be in the .vnc directory under the user’s home directory (for our example, /home/clyde/.vnc). Using your favorite text editor, edit the /home/username/.vnc/xstartup file.

Go to the bottom of the file, comment out the twm & line, and then add a line that tells VNC to start your desktop of choice. If you want a GNOME desktop, the last two lines should read:

# twm &
startx &

If you prefer a KDE desktop, they should read:

# twm &
startkde &

Step 5: Start the VNC Server Service

To start and stop services, you’ll need to be logged in as root. If you’re still logged in as a different user, type exit to get back to the root user. Make sure any previous instance of vncserver service is stopped by typing:

service vncserver stop

If you get a FAILED message in reply, it’s OK. That just means that the server wasn’t running.

Now, start the service with all the settings you’ve entered with:

service vncserver start

You should get a success message that says something like:

Starting VNC server: 2:clyde
New 'server.hostname:2 (clyde)' desktop is server.hostname:2
Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:2.log

If you get a FAILED message, double-check the previous steps. Check for typos in the /etc/sysconfig/vncservers file, such as username, and make sure that you don’t have any spaces in the screen resolution parameter.

Step 6: Allow sshd to Forward Ports (SELinux users only)

Check to see if you have SELinux enabled on your system with:

sestatus

If you get a reply that says it’s disabled, you can skip to the next step. If it is enabled, then you need to allow the sshd daemon to forward ports – otherwise, you’ll only be able to connect over the local network. Tell SELinux that sshd can forward ports with:

setsebool -P sshd_forward_ports 1

(Thanks to James Butler for pointing this out!)

Step 7: Configure Firewall Settings

If you have the Linux Firewall turned off on your Fedora 14 box, you can skip this step.

If you’re using the built-in firewall on your Fedora 14 box, you’ll need to tell it to allow incoming connections on the port you set up in Step 3 above. The number(s) you used in the VNCSERVERS= line(s) of the /etc/sysconfig/vncservers file determine which port numbers VNC will listen on. Our example used VNCSERVERS="2:clyde", which means you’d need to open port 5902 in your firewall. If you set up other users and/or other ports, then you’ll need to open those as well: 1 = port 5901, 2 = port 5902, 3 = port 5903, etc.

To add the appropriate port(s) to your firewall, edit the /etc/sysconfig/iptables file and add the following line:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT

If you’re using additional ports for VNC, add a separate line for each.

The following line should already appear somewhere in your /etc/sysconfig/iptables file, but if it isn’t there for some reason, now is a good time to add it so you can connect to your VNC server securely in a later step:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Once you’ve added the appropriate line(s), restart your firewall with:

service iptables restart

Step 8: Configure Router Port Forwarding

If your network lives behind a router (and most home-based broadband users’ networks do), and you only want to access your Fedora 14 desktop from inside the same local network, then you don’t need to mess with port forwarding on your router and can skip to the next step.

If the only way you plan on connecting to your Fedora 14 desktop over the Internet is via a secure SSH tunnel (which is what I recommend), then you’ll need to verify that you’ve properly forwarded port 22 (the default SSH port) on your router to the internal IP address of your Fedora 14 box. If you’re able to SSH into your Fedora 14 box from outside your router, then you’ve already got things forwarded properly. Check your router’s instructions (or the instructions for your router’s firmware if you’re using something like DD-WRT or Tomato) on how to set up port forwarding.

If you would like to connect to your Fedora 14 desktop over the Internet without a secure SSH tunnel (and I would recommend doing this only for testing and troubleshooting purposes and only when first getting things set up), then you’ll need to forward the appropriate VNC port(s) from your router to your Fedora 14 box (we used port 5902 in our example). Again, this is recommended only for testing purposes, as it is not a secure connection.

Step 9: Install a VNC Client on Windows

Because it’s lightweight, stable, supports the secure connection we’ll be setting up in a minute, and completely FREE, I recommend TightVNC client, which can be downloaded here. But there are many other good VNC clients available out there, including RealVNC, and an interesting one called Terminals, which allows you to set up multiple tabs in one application with both Windows RDC and Linux VNC connections, kind of like tabs in your Web browser.

So download and install the VNC client of your choice.

Step 10: Connect to your VNC Server

Open your VNC client and connect to the appropriate IP address of your Fedora 14 box and the port that you chose in /etc/sysconfig/vncservers.

If you’re connecting from inside your network and the IP address of your Fedora 14 box is 192.168.1.100, then to connect to port #2 as in our example, you’d connect to 192.168.1.100:5902.

If you’re connecting from outside your network and want to connect to port #2 as in our example, then use your WAN IP and VNC port instead, as in 222.33.444.55:5902.

You’ll be prompted for the VNC password you set up in an earlier step, and the desktop you configured in /home/username/.vnc/xstartup should display.

If you are unable to connect, go back and carefully re-check each step. It’s probably a very simple typo or a small thing you forgot.

Step 11: Connect to your VNC Server with SSH Tunneling

Now that you know your VNC server is running properly, it’s time to secure things. This isn’t necessary when connecting to your Fedora 14 box via VNC inside a trusted network. But if you want to connect over the Internet, you really should take this extra step, which will only take a couple of minutes to configure.

First, you’ll need a Windows SSH client. I use SecureCRT (which is a commercial app with a free trial period), but you can also do it easily with a very popular freeware Windows SSH client called PuTTY.

The idea behind SSH tunneling is to establish a secure SSH connection between your Windows box and the remote Fedora 14 box, and then “tunnel” the VNC connection through your SSH connection. Don’t worry… it’s much easier than it sounds.

In SecureCRT: create a new connection to the IP address or hostname of your remote Fedora 14 box (or the external IP address of the router if you’re connecting from outside the local network). Under the Connection category, set the protocol to SSH2. In the SSH2 sub-category, use port 22, and be sure to use the username on the Fedora 14 box that you configured in /etc/sysconfig/vncservers (in our example, it was clyde). In the Port Forwarding sub-category, hit Add…, enter a descriptive name for the forwarded connection (such as VNC), then put the port number that corresponds to the number you set up in /etc/sysconfig/vncservers for that username in both port fields (in our example, both would be 5902). None of the checkboxes need to be selected. Save your new connection, then click Connect. A terminal window should appear, and you’ll be prompted for your username and password. Use your Fedora account username and password (which may be different than the VNC password you set up).

In PuTTY: enter the IP address or hostname of your remote Fedora 14 box (or the external IP address of the router if you’re connecting from outside the local network). Click the + next to the SSH sub-category, then click Tunnels. Enter the port number that corresponds to the number you set up in /etc/sysconfig/vncservers in the Source port field (in our example, it would be 5902), then enter localhost:5902 (or a different port if applicable) in the Destination field, then click on Add. Scroll up and click on the Session category. Type in a name for the session in the Saved Sessions field then press Save. Click Open to establish the connection. A terminal window should appear, and you’ll be prompted for your username and password. Use your Fedora account username and password (which may be different than the VNC password you set up).

You’ve essentially told your SSH client to “listen” for local connections to port 5902 on localhost (your Windows box), and then tunnel those connections over to port 5902 on the remote host (your Fedora 14 box) using your secure SSH connection.

Once your SSH connection is established (whether by SecureCRT, PuTTY, or some other client), open your VNC client viewer and connect to localhost:5902. The VNC client should establish the connection, prompt for the VNC password (which may not be the same as your Fedora account password), and then display the remote desktop.

Step 12: Securing Things and Tidying Up

To finish securing your VNC server, there are a few final steps you should take.

First, exit your VNC client (you can just close it), then exit your SSH tunneling session by typing exit from the command prompt. Re-connect to your Fedora 14 box with a standard (non-tunneling) SSH connection and become root. Edit the /etc/sysconfig/vncservers file and add the -localhost option to the VNCSERVERARGS line, so that it reads:

VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"

This option tells the VNC server to accept connections only from the local machine, so a remote VNC client can reach it only through a secure tunnel.

Restart the VNC server with this new option by typing:

service vncserver restart

Next, if you forwarded port 5902 on your router (or any other ports for your VNC server) for testing purposes in Step 8 above, now would be a good time to undo that forwarding. You don’t need those ports forwarded anymore now that you’ve got SSH tunneling working. You do, however, still need the VNC ports open on your Fedora box’s firewall, so keep any /etc/sysconfig/iptables changes you made while setting up VNC.
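To confirm that the restart in Step 12 took effect, you can check which address the VNC port is bound to. The following is an added example, not part of the original instructions: a small filter for netstat -tln output that reports any VNC listener (ports 5900-5999) reachable from other hosts. The function name and the sample netstat lines are constructed, and it assumes -localhost makes the server bind to the loopback address.

```shell
#!/bin/sh
# Reads `netstat -tln` output on stdin and prints every VNC listener
# (TCP 5900-5999) bound to an address other hosts can reach.
# Returns 1 if any such listener exists, 0 otherwise.
exposed_vnc_listeners() {
    awk '
        $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n] + 0
            # Everything before the final ":port" is the bind address.
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (port >= 5900 && port <= 5999 && host != "127.0.0.1" && host != "::1") {
                print addr
                found = 1
            }
        }
        END { exit found + 0 }
    '
}

# Constructed netstat output: before Step 12 (no -localhost) ...
BEFORE='Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:5902    0.0.0.0:*       LISTEN'
# ... and after adding -localhost and restarting vncserver.
AFTER='Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp        0      0 127.0.0.1:5902  0.0.0.0:*       LISTEN'

printf '%s\n' "$BEFORE" | exposed_vnc_listeners || echo "^ reachable without the tunnel"
printf '%s\n' "$AFTER"  | exposed_vnc_listeners && echo "VNC is loopback-only"
```

On the Fedora box itself, run it as root with: netstat -tln | exposed_vnc_listeners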

Optional Step: Starting Multiple VNC Sessions

If you’d like to start multiple instances of the VNC server on your Fedora box, you can simply edit your /etc/sysconfig/vncservers file. Multiple instances are helpful if you want to allow multiple users to connect to the Fedora box via VNC. You can also set up multiple profiles for the same user, which is useful if you want to allow the same user to access the Fedora box from multiple remote systems that may have different screen resolutions.

If you’d like to set up an additional user (we’ll use joe in this example), your /etc/sysconfig/vncservers file should include:

VNCSERVERS="2:clyde 3:joe"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"
VNCSERVERARGS[3]="-geometry 800x600 -nolisten tcp -localhost"

Notice that the VNCSERVERS= line has both users listed on the same line. This is important so that when the vncserver service starts, it will start for all users listed. Add a separate VNCSERVERARGS= line for each new user, along with whatever arguments you want. Note also that by using the #3, your VNC server will now also be listening on port 5903 for that user, so set up your firewall, tunnel, and/or VNC client appropriately to listen and/or forward all the ports you want to use.

If you’d like to set up multiple profiles for the same user, your /etc/sysconfig/vncservers file should include:

VNCSERVERS="2:clyde 3:clyde"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"
VNCSERVERARGS[3]="-geometry 800x600 -nolisten tcp -localhost"

Now when clyde connects to the VNC server on port 5902, he’ll get a 1024×768 desktop. If he connects on port 5903, he’ll get a separate login instance on a separate desktop at 800×600. It’s possible to be connected to both ports at the same time, and have two different desktops running.

Be sure to do a service vncserver restart after making any changes to /etc/sysconfig/vncservers. You should see output from all instances being started, such as:

Starting VNC server: 2:clyde
New 'server.hostname:2 (clyde)' desktop is server.hostname:2
Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:2.log
3:clyde
New 'server.hostname:3 (clyde)' desktop is server.hostname:3
Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:3.log
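
With several displays configured, each VNCSERVERARGS line needs its own -localhost option, and it is easy to miss one. The following is an added example, not part of the original instructions: a script that reads a vncservers file, derives each display's port (5900 + display number), and flags any display whose arguments lack -localhost. The function name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Audits a vncservers file. Prints "<display> <user> <port> <state>" per
# display and returns 1 if any display is missing -localhost.
audit_vncservers() {
    conf=$1
    bad=0
    # Last uncommented VNCSERVERS= line, surrounding quotes removed.
    servers=$(sed -n 's/^[[:space:]]*VNCSERVERS="\([^"]*\)".*$/\1/p' "$conf" | tail -n 1)
    for entry in $servers; do
        display=${entry%%:*}
        user=${entry#*:}
        # Skip anything that is not "<number>:<user>".
        case $display in ''|*[!0-9]*) continue ;; esac
        port=$((5900 + display))
        args=$(sed -n "s/^[[:space:]]*VNCSERVERARGS\[$display\]=\"\(.*\)\".*\$/\1/p" "$conf" | tail -n 1)
        case " $args " in
            *" -localhost "*) state=loopback-only ;;
            *) state=EXPOSED; bad=1 ;;
        esac
        echo "$display $user $port $state"
    done
    return "$bad"
}

# Constructed sample: display 2 as left after Step 3, display 3 already hardened.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# VNCSERVERS="2:myusername"
VNCSERVERS="2:clyde 3:joe"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp"
VNCSERVERARGS[3]="-geometry 800x600 -nolisten tcp -localhost"
EOF
audit_vncservers "$sample" || echo "at least one display accepts non-tunneled connections"
rm -f "$sample"
```

On the Fedora box, run it as root against the real file: audit_vncservers /etc/sysconfig/vncservers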

Congratulations!

You’ve successfully set up your remote Fedora box to accept VNC connections securely. Enjoy your new Windows to Fedora 14 VNC connection!

UPDATE: If you’re trying to set up VNC on an RHEL 5.5 or a CentOS 5.5 box, I’ve made a new blog post that walks you through a couple additional steps.