How to install VNC on Ubuntu 17.04 / 17.10

This guide covers how to securely set up VNC on your Ubuntu 17.04 server. VNC stands for "Virtual Network Computing" and is a popular method of connecting to your server for remote desktop administration.

Installation

Install the following packages: XFCE, a desktop environment, and TightVNC, a popular choice of VNC server:

apt update && apt install xfce4 xfce4-goodies tightvncserver

Once the process is complete, move on to the next stage.

Configuration

This step of the process is the most important. You'll need to decide which user will actually run the service. Log in as that user and make sure it isn't root.

Type:

vncserver

Enter an 8-character password; anything beyond 8 characters will be truncated. Next, kill the process that was just created so you can set up a functional systemd file. Note that if another vncserver instance is already running, you'll need to make sure you kill the right one. When you set the VNC password, the output shows which instance it's running on, and it will look similar to :1 or :2, etc.

vncserver -kill :1

Run the following:

nano ~/.vnc/xstartup

Delete the existing file contents then paste in:

#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &

Save the above then enter:

chmod +x ~/.vnc/xstartup

Now exit back to the root user. You've just entered the parameters required for vncserver to operate reliably with the xfce4 desktop environment. The next stage is making sure it runs on startup via a systemd service, which also lets you stop, start and restart the service in case something happens. The initial port of 5901 will be used here; if you wish to use 5902, 5903, etc., you'll need to put the last digit into the file name after the @ symbol. In this example, it'll use port 5901.

nano /etc/systemd/system/[email protected]

[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
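# Replace USER (here and in PIDFile) with the non-root account that ran vncserver above
User=USER
PAMName=login
PIDFile=/home/USER/.vnc/%H:%i.pid
# systemd does not interpret shell redirection itself, so the redirect is run through sh
ExecStartPre=-/bin/sh -c '/usr/bin/vncserver -kill :%i > /dev/null 2>&1'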
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 -localhost :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target

Note the -localhost option on the ExecStart line. If you wish to restrict VNC to localhost (highly recommended), leave it in; I'll cover how to use this to your advantage later. Now save and exit nano, then run:

systemctl daemon-reload
systemctl enable [email protected]
systemctl start [email protected]

The service has now been started and is based on the systemd file you just created.

Why localhost?

The biggest issue with VNC is that the maximum password length is 8 characters. If brute-force attempts are not stopped quickly, you will find yourself compromised, which leads to further potential issues down the road. The easiest way to get peace of mind is to restrict access to localhost so you can connect to VNC securely through an SSH tunnel.

If you haven't kept this option in the configuration, you may face times where you cannot connect to the VNC server. A standard behaviour is that after several failed login attempts it locks everyone out for several minutes; this is a sign of someone knocking on your door, waiting for you to open it.
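One way to confirm the -localhost restriction is actually in effect is to check what the VNC ports are bound to. The following is an added example, not part of the original guide: the function name find_exposed_vnc and the sample ss output are constructed for illustration, and it assumes VNC displays map to TCP ports 5900-5999.

```shell
#!/usr/bin/env bash
# Added example: flag VNC listeners (TCP 5900-5999) not bound to loopback.
# Reads `ss -ltn` output on stdin, prints one "EXPOSED <addr:port>" line per
# offending listener, and returns 1 if any were found (0 otherwise).
find_exposed_vnc() {
  awk '
    $1 == "LISTEN" {
      local_addr = $4                 # 127.0.0.1:5901, 0.0.0.0:5901, [::]:5901, *:5901
      n = split(local_addr, parts, ":")
      port = parts[n] + 0
      if (port < 5900 || port > 5999) next
      # Host is everything before the final ":port"
      host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
      sub(/^\[/, "", host); sub(/\]$/, "", host)   # strip IPv6 brackets
      sub(/%.*$/, "", host)                        # strip interface scope, e.g. %lo
      if (host ~ /^127\./ || host == "::1") next   # loopback only: fine
      print "EXPOSED " local_addr
      exposed = 1
    }
    END { exit exposed ? 1 : 0 }
  '
}

# Constructed sample: server started with -localhost (tunnel-only access).
SAMPLE_LOCALHOST_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      5      [::1]:5901         [::]:*'

# Constructed sample: -localhost was dropped, so displays :1 and :2 are
# reachable from the network and open to password guessing.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      [::]:5902          [::]:*
LISTEN 0      5      127.0.0.1:5903     0.0.0.0:*'

# On a live server: ss -ltn | find_exposed_vnc && echo "VNC is loopback-only"
```

An empty result with exit status 0 means every VNC display is reachable only through the SSH tunnel described below.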

Connection via LocalHost

This section covers how to set up the secure connection to the vncserver that is enforced by the -localhost parameter. I'll show the common methods on Linux and Windows for setting up this tunnel so you can connect to VNC securely.

Linux

If you haven't already, you should create an SSH config file. This is a file of connection options that makes things easier in the long run. You can run:

nano ~/.ssh/config

Then within that file, you'll want to create a block similar to this but with your server details & preferences.

Host example
HostName IP-Address
user Username
port 22
#IdentityFile ~/.ssh/id_rsa
LocalForward localhost:5901 localhost:5901

The crucial line here is LocalForward, which gives you access to the server's localhost:5901 on your own localhost. Ultimately, this gets you past the -localhost VNC restriction set earlier, with VNC now running through an SSH tunnel.

Once you've completed this, you can connect to the server with:

ssh example

This establishes a connection based on the options configured above. Finally, all you have to do is use something like "Remmina Remote Desktop Client" (default on Ubuntu installations) to connect to localhost:5901, enter the VNC password, and you're done!

Windows

PuTTY, a popular application for connecting to your server via SSH, will be used in this example. To set up a tunnel with PuTTY:

  1. Expand the SSH column then select Tunnels
  2. Input 5901 into the Source Port
  3. Input localhost:5901 into the Destination Port
  4. Press Add

Once you're connected, you can use the TightVNC client to connect to your server's VNC. A tip: when installing it, make sure you deselect the server features once you're past the custom install option.

Conclusion

Thanks for visiting UbuntuWiki. I hope your underlying knowledge of how to install and use VNC has been expanded, and that you understand the implications of not using the localhost parameter. If you have enjoyed this guide, I invite you to check out my other guides.