Secure VNC Connection Using a SSH Tunnel in Linux


One of the most important aspects of a good server is having even better administration tools. Logging in locally is nice and all, but it is not always feasible, so a good and secure remote administration method is a necessity. If you want to use VNC for your administration, then be sure to create a secure VNC connection to keep away any prying eyes. With a few simple and free tools like TightVNC server and a little bit of SSH, we are off to the races with a great, secure solution.

Basics of remote administration with a user interface using VNC

For remote administration, you might not want to be forced to use a command line, so a desktop interface is always a good option to have available. To get the desktop experience you have two choices: VNC or Remote Desktop. VNC is what most people will use for Linux, partially because Remote Desktop is actually a Windows tool used to remotely log in to Windows computers that have it enabled. It is not commonly found on Linux machines for that reason. It’s not impossible to do though, and I will show how to set that up in a different article!

Want to learn Linux but have a Windows computer? Try installing Linux as a virtual machine using free software like VirtualBox. Check out my ultimate guide to virtual machines.

After getting a VNC server installed, we will need to install a desktop environment on our Linux server. If you are using a server edition of a Linux distro, it likely won’t have one by default, so you will have to install one. I prefer using the xfce desktop environment for mine because it is smaller and more lightweight, which goes a long way on VNC! Once you have those programs installed on your Linux server, you just need to download an SSH client and a VNC client on any computer you want to be able to connect to your Linux server from with VNC through your secure connection.

Personally, I like to use Putty for my Windows SSH client. For the VNC viewer and server, I like to use TightVNC. Both the client and server applications are very lightweight yet still robust. And as an added benefit, you can get the client application as a standalone binary for some easy portability.


Establish a secure SSH connection

The first step is to configure the secure connection to the server. We also need to make the SSH tunnel that will allow us to send the VNC traffic through an encrypted SSH connection to our server. So open the Putty client and navigate to the “SSH” menu option on the left side.

Loopback Connection

Enter the following information into putty:

  • Source Port: 5901
  • Destination: “localhost:5901” (without quotes)

This will give us a loopback connection. Basically, it will allow us to open the VNC connection on the localhost machine on port 5901, and it will send the traffic through the SSH connection. Super nifty! Now on the main “Session” menu in Putty, enter the IP address for your server and enter the port number.

Save your SSH connection in putty

The default port number for SSH is 22, so if you haven’t manually changed that yourself it is most likely still 22. If you want to save this login configuration for use again later, then enter a name into the “Saved Sessions” box and click the Save button. Now open the connection to your server by clicking the Open button and log in to your server at the black window that appears.

Be sure to save your SSH connection, because it will make your life so much easier when you want to launch your secure VNC connection.

Installing TightVNC on the linux server

Run the following two commands to ensure that all of your repositories and all your applications are as up to date as possible. It is always a good idea to check for updates to your software periodically, and I especially do it prior to installing something new. It’s just good practice.

sudo apt-get update
sudo apt-get upgrade

Once your current software is up to date, now we can install our new tools. Like I said before, I am going to use TightVNC. Run the following two commands in your terminal to install the TightVNC server and the xfce desktop environment:

sudo apt-get install tightvncserver

Next you must install the xfce desktop environment; this may take a little while to download. So go grab a cup of coffee and come back.

sudo apt-get install xfce4

Once these programs have been installed, we need to configure the VNC server to allow use of the desktop environment. Fortunately, we just need to add one line to the default configuration file. Super simple! Edit the config file located at “~/.vnc/xstartup” with a command line text editor like nano.

nano ~/.vnc/xstartup

This configuration file tells the VNC server how to display itself to the client. It allows you to run any command you so choose when people make a VNC connection with the username you logged in as. By default, the VNC server application doesn’t give you a usable desktop environment; you will just see a gray screen with a black X on it. Not very useful. We need to tell the VNC server to launch our chosen desktop environment. So at the very very end of the config file, add the following line of text:

startxfce4 &

Note that there is no space between “start” and “xfce4”. Also note that there is a “&” at the end. It is very important that you have this line exactly as I have it above. If not, then VNC will not be able to view the desktop environment. After you have made your changes, you should have something like the image below.

Config file Editing

Starting the TightVNC server from linux terminal

All that is left on the server side is to run the VNC server application to allow us to remotely see our desktop. Simply run the vncserver command. The first time you run the server, you will have to enter a password and select whether you want a view-only password. Just select no for the view-only password. It is not helpful for remote administration. And just like that the server is now accepting secure VNC connections.


Connecting to the linux server on the VNC client


When you open your VNC client application, enter the server address as the localhost:5901 loopback we created earlier. A thing to note is that if and when you close your SSH terminal session, you will lose the VNC connection as well, since it is tunneling through the SSH connection.

Just like that and now we have our secure VNC connection to our server! Now you can do all of the super sweet remote administration things you have always dreamed of. Like dragging and dropping files and looking at all them icons and mouse clicking. Ohh yeah!

Always close your VNC connection when done working! Always.

When you are done performing whatever VNC tasks you need to, be sure to stop the VNC server. This way, the server will only be running when you are trying to use it and no more. The downside to this is you will have to start and stop the server every time you use it. But the upside is that you don’t leave an open connection for attackers to compromise your server. So what is two commands in the terminal really worth to you? To stop the VNC server, run the following command (where “:1” is the VNC session number that was given to you when you started the server):

vncserver -kill :1

Now you can enjoy a nice and secure remote administration setup using some good old-fashioned VNC and a little bit of SSH!
