By Rainer Wichmann rainer@la-samhna.de (last update: Aug 03, 2020)

If you are occasionally, or even frequently, working from home and want to remotely access your work Linux desktop, you'll probably want to use a VNC desktop sharing solution. There are basically two different options for using VNC:
- Use VNC to access your running desktop session
  - Pro: Seamless switching between home and office work, because you always work in the same session.
  - Contra: You need to remotely unlock the running session on your work desktop, i.e. anyone who can enter your work office can access the session locally while you remotely work in that session.
- Use VNC to open a different session on your work machine
  - Pro: It's a different session, so it's not easily accessible to someone who has physical access to the machine.
  - Contra: It's a different session, so you can't seamlessly switch between home and office.
Use VNC to access your running desktop session
In Ubuntu Linux, you can simply enable desktop sharing in your preferences. You will be asked to set a password that is needed to access the VNC session.
By default, the VNC server will be accessible from everywhere, which is not the most secure solution. It is better to allow access only from the local host, and use an ssh tunnel for remote access (see below). Unfortunately, in recent Ubuntu versions, the option to listen only for local connections has been removed from the graphical interface, so you have to set it on the command line, using the following command (before turning on desktop sharing):
gsettings set org.gnome.Vino network-interface 'lo'
You can verify that the VNC server only listens for local connections by running the command netstat -nlp | grep ':5900', which should show the 'vino-server' process listening only on '127.0.0.1:5900' and '::1:5900'.
$ netstat -nlp | grep ':5900'
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 7907/vino-server
tcp6 0 0 ::1:5900 :::* LISTEN 7907/vino-server
Use VNC to open a different session on your work machine
For this, first you need to have a VNC server like, e.g., tightvncserver installed on your work machine. You could then start a separate session on your work machine by using the command
/usr/bin/vncserver -localhost -depth 24 -geometry 1600x1024 :1
This will start a new session on display :1, accessible from the local host only, on port 5901.
If you start the vncserver for the first time, it will ask for a password that you use to access the session. It will also create a startup file $HOME/.vnc/xstartup, which may or may not be suitable for you. I found it necessary to replace the lines
export XKL_XMODMAP_DISABLE=1
/etc/X11/Xsession
with the line
startxfce4 &
to get a usable desktop.

If you want to kill the running vncserver (session), you can do it with the command
/usr/bin/vncserver -kill :1
Of course it would be convenient to have a session starting whenever the machine boots, but for that you would need to convince the system administrator to create a systemd unit file /etc/systemd/system/vncserver@.service with the following content (note that we also use 'iptables' to block the port 6001, the X server's own TCP port for display :1, which is kept open by tightvncserver regardless of the '-localhost' option).
[Unit]
Description=Start XTightVNC server at startup
After=syslog.target network.target
[Service]
Type=forking
User=USERNAME
Group=UNIX GROUP OF USER
WorkingDirectory=/home/USERNAME
PIDFile=/home/USERNAME/.vnc/%H:%i.pid
ExecStart=/usr/bin/vncserver -localhost -depth 24 -geometry 1600x1024 :%i
ExecStop=/usr/bin/vncserver -kill :%i
# systemd does not run commands through a shell, so the redirection needs an explicit sh -c
ExecStartPre=-/bin/sh -c '/usr/bin/vncserver -kill :%i > /dev/null 2>&1'
ExecStartPre=+/bin/sh -c 'iptables -C INPUT -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j DROP 2>/dev/null || iptables -A INPUT -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j DROP'
ExecStopPost=+-/sbin/iptables -D INPUT -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j DROP
[Install]
WantedBy=multi-user.target
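As an added example (not part of the original article), here is a small POSIX shell audit helper that turns the netstat check above, together with the port 6001 point made for the unit file, into a repeatable test: it reads 'netstat -nlp' output and flags any VNC (5900-5909) or X11 (6000-6009) TCP listener bound to anything other than 127.0.0.1 or ::1. The two socket tables are constructed samples; the process name Xtightvnc is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article. Reads 'netstat -nlp' output
# on stdin and flags any VNC (5900-5909) or X11 (6000-6009) TCP listener
# that is bound to something other than loopback (127.0.0.1 / ::1).
# Exit status: 0 = every such listener is loopback-only, 1 = something is exposed.

vnc_exposure_check() {
    awk '
        # Only tcp/tcp6 rows in LISTEN state; "Local Address" is column 4.
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, p, ":")
            port = p[n] + 0
            # Everything before the last colon is the bound address:
            # "::1:5900" -> "::1", ":::5900" -> "::" (IPv6 any address).
            host = substr(addr, 1, length(addr) - length(p[n]) - 1)
            if ((port >= 5900 && port <= 5909) || (port >= 6000 && port <= 6009)) {
                if (host != "127.0.0.1" && host != "::1") {
                    print "EXPOSED: " $0
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample 1: vino after "gsettings set org.gnome.Vino network-interface 'lo'".
SAMPLE_LOOPBACK_ONLY='tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      7907/vino-server
tcp6       0      0 ::1:5900                :::*                    LISTEN      7907/vino-server'

# Constructed sample 2: vino on all interfaces, plus a "-localhost" tightvnc :1
# session whose X server port 6001 is still open (the case the iptables rule covers).
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      7907/vino-server
tcp6       0      0 :::5900                 :::*                    LISTEN      7907/vino-server
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      8123/Xtightvnc
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      8123/Xtightvnc'

# Live use on the work machine:  netstat -nlp 2>/dev/null | vnc_exposure_check
echo "sample 1 (loopback only):"
printf '%s\n' "$SAMPLE_LOOPBACK_ONLY" | vnc_exposure_check && echo "  ok: nothing exposed"
echo "sample 2 (misconfigured):"
printf '%s\n' "$SAMPLE_EXPOSED" | vnc_exposure_check || echo "  -> fix the listeners above"
```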
Access the VNC session via an SSH tunnel
In order to create an SSH tunnel from your machine to the remote host where the VNC session is running, you can use the following command:
ssh -L 5900:127.0.0.1:5900 remote_host
This command will start a listener on port 5900 of your local machine and forward every connection to it through the SSH session to 127.0.0.1:5900 on remote_host, i.e. to the loopback address the VNC server was restricted to above. This assumes that the remote VNC server is accessible on port 5900, which is usually the case for Ubuntu vino. If you started a separate tightvncserver session on display :1 as described above, the server is on port 5901 instead.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Germany License.