Linux Home Office

VNC Solutions

By Rainer Wichmann rainer@nullla-samhna.de    (last update: Aug 03, 2020)

If you are occasionally, or even frequently, working from home and want to remotely access your work Linux desktop, you'll probably want to use a VNC desktop sharing solution. There are basically two different options for using VNC:

  1. Use VNC to access your running desktop session
    Pro
    Seamless switching between home and office work, because you always work in the same session.
    Contra
    You need to remotely unlock the running session on your work desktop, i.e. anyone who can enter your work office can access the session locally while you remotely work in that session.
  2. Use VNC to open a different session on your work machine
    Pro
    It's a different session, so it's not easily accessible to someone who has physical access to the machine.
    Contra
    It's a different session, so you can't seamlessly switch between home and office.

Use VNC to access your running desktop session

In Ubuntu Linux, you can simply enable desktop sharing in your preferences. You will be asked to set a password that is needed to access the VNC session.

By default, the VNC server will be accessible from everywhere, which is not the most secure solution. It is better to allow access only from the local host, and use an ssh tunnel for remote access (see below). Unfortunately, in recent Ubuntu versions, the option to listen only for local connections has been removed from the graphical interface, so you have to set it on the command line, using the following command (before turning on desktop sharing):

gsettings set org.gnome.Vino network-interface 'lo'

You can verify that the VNC server only listens for local connections by running the command netstat -nlp | grep ':5900', which should show the 'vino-server' process listening only on '127.0.0.1:5900' and '::1:5900'.

$ netstat -nlp | grep ':5900'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      7907/vino-server    
tcp6       0      0 ::1:5900                :::*                    LISTEN      7907/vino-server 

Use VNC to open a different session on your work machine

For this, first you need to have a VNC server like, e.g., tightvncserver installed on your work machine. You could then start a separate session on your work machine by using the command

/usr/bin/vncserver -localhost -depth 24 -geometry 1600x1024 :1

This will start a new session, accessible from the local host only, on port 5901. If you start the vncserver for the first time, it will ask for a password that you use to access the session. It will also create a startup file $HOME/.vnc/xstartup, which may or may not be suitable for you. I found it necessary to replace the lines

export XKL_XMODMAP_DISABLE=1
/etc/X11/Xsession

with the line

startxfce4 &

to get a usable desktop.

If you want to kill the running vncserver (session), you can do it with the command

/usr/bin/vncserver -kill :1

Of course it would be convenient to have a session starting whenever the machine boots, but for that you would need to convince the system administrator to create a systemd unit file /etc/systemd/system/vncserver@.service with the following content (note that we also use 'iptables' to block the port 6001 which is kept open by tightvncserver regardless of the '-localhost' option).

[Unit]
Description=Start XTightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=USERNAME
Group=UNIX GROUP OF USER
WorkingDirectory=/home/USERNAME

PIDFile=/home/USERNAME/.vnc/%H:%i.pid
ExecStart=/usr/bin/vncserver -localhost -depth 24 -geometry 1600x1024 :%i
ExecStop=/usr/bin/vncserver -kill :%i

# systemd does not interpret shell redirections, so run the cleanup through a shell
ExecStartPre=-/bin/sh -c '/usr/bin/vncserver -kill :%i > /dev/null 2>&1'
ExecStartPre=+/bin/sh -c 'iptables -C INPUT -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j DROP 2>/dev/null || iptables -A INPUT -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j DROP'
ExecStopPost=+-/sbin/iptables -D INPUT -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j DROP

[Install]
WantedBy=multi-user.target
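
The netstat check shown earlier covers only port 5900, while tightvncserver also keeps port 6001 open. The following script is an added example, not part of the original page: it scans `netstat -nl` output for any VNC or X11 listener that is not bound to loopback. The function names, the port range 5900-6099 and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report VNC/X11 TCP listeners
# that are bound to anything other than the loopback interface.
# Assumption: ports 5900-6099 cover VNC (5900+N) and X11 (6000+N) displays.

# Reads `netstat -nl` output on stdin (local address in column 4).
# Prints "PORT ADDRESS" per exposed listener; returns 1 if any was found.
vnc_exposed_listeners() {
    awk '
    $1 ~ /^tcp/ && /LISTEN/ {
        port = $4; sub(/^.*:/, "", port)         # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)     # text before the port
        if (port + 0 < 5900 || port + 0 > 6099) next
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only: fine
        print port, addr
        found = 1
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample: the two vino lines from the page, a tightvncserver
# session started with -localhost, its X11 port 6001, and an unrelated sshd.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      7907/vino-server
tcp6       0      0 ::1:5900                :::*                    LISTEN      7907/vino-server
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      8123/Xtightvnc
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      8123/Xtightvnc
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
EOF
}

# On a real machine, replace sample_netstat with: netstat -nlt
if sample_netstat | vnc_exposed_listeners; then
    echo "OK: VNC/X11 ports listen on loopback only"
else
    echo "WARNING: the listeners above are reachable from the network"
fi
```

The check looks only at bind addresses, so a port that is blocked by the iptables rule from the unit file is still reported.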

Access the VNC session via an SSH tunnel

In order to create an SSH tunnel from your machine to the remote host where the VNC session is running, you can use the following command:

ssh -L 5900:127.0.0.1:5900 remote_host

This command will start a listener on port 5900 of your local machine, which tunnels to port 5900 on remote_host. This assumes that the port on which the remote VNC server is accessible is port 5900, which is usually the case for Ubuntu vino. Otherwise the server might be on port 5901.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Germany License.