TigerVNC

From ArchWiki

TigerVNC is an implementation of the Virtual Network Computing (VNC) protocol. This article focuses on the server functionality.

Installation

Install the tigervnc package.

Running vncserver for virtual (headless) sessions

Initial setup

Note: Linux systems can have as many VNC servers as memory allows, all of which will be running in parallel to each other.

For a quick start, see the steps below. Users are encouraged to read vncserver(8) for the complete list of configuration options.

  1. Create a password using vncpasswd which will store the hashed password in $XDG_CONFIG_HOME/tigervnc/passwd. Ensure the file's permission is set to 0600.
  2. Edit /etc/tigervnc/vncserver.users to define user mappings. Each user defined in this file will have a corresponding port on which its session will run. The number in the file corresponds to a TCP port. By default, :1 is TCP port 5901 (5900+1). If another parallel server is needed, a second instance can then run on the next highest, free port, i.e 5902 (5900+2).
  3. Create $XDG_CONFIG_HOME/tigervnc/config and at a minimum, define the type of session desired with a line like session=foo where foo corresponds to whichever desktop environment is to run. One can see which desktop environments are available on the system by seeing their corresponding .desktop files within /usr/share/xsessions/. For example:
$XDG_CONFIG_HOME/tigervnc/config
session=lxqt
geometry=1920x1080
localhost
alwaysshared
Note: The previous step requires additional security setup to fully work; see #Accessing vncserver via SSH tunnels to complete the setup. For testing purposes, omit this step to allow unsecured connections from outside of localhost.

Starting and stopping tigervnc

Start an instance of the vncserver@.service template and optionally enable it to run at boot time/shutdown. Note that the instance identifier in this case is the display number (e.g. instance vncserver@:1.service for display number :1).

Note:
  • Direct calls to /usr/bin/vncserver are not supported as they will not establish a proper session scope. The systemd service is the only supported method of using TigerVNC. See: Issue #1096.
  • Remove drop-in service files created for earlier versions of TigerVNC before starting vncserver. Prior versions required drop-in service files for each display, e.g. for display :1 /etc/systemd/system/vncserver@:1.service. vncserver will fail to start if the old drop-in file is present when started with the new templated service file.

Expose the local display directly

TigerVNC includes libvnc.so, which can be seamlessly loaded during X initialization for enhanced performance. To utilize this feature, create the following file and then restart X:

/etc/X11/xorg.conf.d/10-vnc.conf
Section "Module"
Load "vnc"
EndSection

Section "Screen"
Identifier "Screen0"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"
EndSection

Running x0vncserver to directly control the local display

tigervnc also provides x0vncserver(1) which allows direct control over a physical X session. After defining a session password using the vncpasswd tool, invoke the server like so:

$ x0vncserver -rfbauth $XDG_CONFIG_HOME/tigervnc/passwd
Note:
  • x11vnc is an alternative VNC server which can also provide direct control of the current X session.
  • x0vncserver does not currently support clipboard sharing between the client and the server (even with the help of autocutsel). See: Issue #529.

With xprofile

A simple way to start x0vncserver is adding a line in one of the xprofile files such as:

~/.xprofile
...
x0vncserver -rfbauth $XDG_CONFIG_HOME/tigervnc/passwd &

With systemd

With a system service

This option will allow the users to access the current display, including the login screen provided by the display manager.

The service will be relaunched automatically every time an user logs off of their session.

LightDM is used for the example below, but it should be possible to adapt it to other display managers by modifying the XAUTHORITY variable.

/etc/systemd/system/x0vncserver.service
[Unit]
Description=Remote desktop service (VNC) for :0 display
Requires=display-manager.service
After=network-online.target
After=display-manager.service

[Service]
Type=simple
Environment=HOME=/root
Environment=XAUTHORITY=/var/run/lightdm/root/:0
ExecStart=x0vncserver -display :0 -rfbauth $XDG_CONFIG_HOME/tigervnc/passwd
Restart=on-failure
RestartSec=500ms

[Install]
WantedBy=multi-user.target

As this is a system unit, -rfbauth $XDG_CONFIG_HOME/tigervnc/passwd refers to /root/.vnc/passwd

Start/enable x0vncserver.service.

With a user service

In order to have a VNC Server running x0vncserver, which is the easiest way for most users to quickly have remote access to the current desktop, create a systemd unit as follows replacing the user and the options with the desired ones:

~/.config/systemd/user/x0vncserver.service
[Unit]
Description=Remote desktop service (VNC)

[Service]
Type=simple
ExecStartPre=/bin/sh -c 'while ! pgrep -U "$USER" Xorg; do sleep 2; done'
ExecStart=/usr/bin/x0vncserver -rfbauth %h/.vnc/passwd

[Install]
WantedBy=default.target

The ExecStartPre line waits for Xorg to be started by ${USER}.

To login with a specific username and password, replace ExecStart by /usr/bin/x0vncserver -PAMService=login -PlainUsers=${USER} -SecurityTypes=TLSPlain.

Start/enable the x0vncserver.service user unit.

Running Xvnc with XDMCP for on demand sessions

One can use systemd socket activation in combination with XDMCP to automatically spawn VNC servers for each user who attempts to login, so there is no need to set up one server/port per user. This setup uses the display manager to authenticate users and login, so there is no need for VNC passwords. The downside is that users cannot leave a session running on the server and reconnect to it later.

To get this running, first set up XDMCP and make sure the display manager is running. Then create:

/etc/systemd/system/xvnc.socket
[Unit]
Description=XVNC Server

[Socket]
ListenStream=5900
Accept=yes

[Install]
WantedBy=sockets.target
/etc/systemd/system/xvnc@.service
[Unit]
Description=XVNC Per-Connection Daemon

[Service]
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1920x1080 -once -SecurityTypes=None
User=nobody
StandardInput=socket
StandardError=syslog

Start/enable xvnc.socket. Now, any number of users can get unique desktops by connecting to port 5900.

If the VNC server is exposed to the internet, add the -localhost option to Xvnc in xvnc@.service (note that -query localhost and -localhost are different switches) and follow #Accessing vncserver via SSH tunnels. Since we only select a user after connecting, the VNC server runs as user nobody and uses Xvnc directly instead of the vncserver script, so any options in $XDG_CONFIG_HOME/tigervnc are ignored. Optionally, autostart vncconfig so that the clipboard works (vncconfig exits immediately in non-VNC sessions). One way is to create:

/etc/X11/xinit/xinitrc.d/99-vncconfig.sh
#!/bin/sh
vncconfig -nowin &

Connecting to vncserver

Warning: The default's TigerVNC security method is not secure. It lacks identity verification and will not prevent man-in-the-middle attack during the connection setup. Take care to understand the security settings of the server and do not connect insecurely to a vncserver outside of a trusted LAN.
Note: By default, TigerVNC uses the TLSVnc authentication/encryption method unless specifically instructed via the SecurityTypes parameter. With TLSVnc, there is standard VNC authentication and traffic is encrypted with GNUTLS but the identity of the server is not verified. TigerVNC supports alternative security schemes such as X509Vnc that combines standard VNC authentication with GNUTLS encryption and server identification; this is the recommended mode for a secure connection. When SecurityTypes on the server is set to a non-encrypted option as high-priority (such as None, VncAuth, Plain, TLSNone, TLSPlain, X509None, X509Plain), which is ill-advised, then it is not possible to use encryption. When running vncviewer, it is safer to explicitly set SecurityTypes and not accept any unencrypted traffic. Any other mode is to be used only when #Accessing vncserver via SSH tunnels.

Any number of clients can connect to a vncserver. A simple example is given below where vncserver is running on 10.1.10.2 port 5901, or :1 in shorthand notation:

$ vncviewer 10.1.10.2:1

Passwordless authentication

The -passwd switch enables one to specify the location of the server's $XDG_CONFIG_HOME/tigervnc/passwd file. This file is expected to be accessible to the user through SSH or physical access to the server. In either case, place the file on the client's file system in a safe location, i.e. one in which only the intended user has read access.

$ vncviewer -passwd /path/to/server-passwd-file

The password can also be provided directly.

Note: The password below is not secured; anyone who can run ps on the machine will see it.
$ vncviewer -passwd <(echo MYPASSWORD | vncpasswd -f)

Example GUI-based clients

TigerVNC's vncviewer also has a simple GUI when run without any parameters:

$ vncviewer

Accessing vncserver via SSH tunnels

For servers offering SSH connection, an advantage of this method is that it is not necessary to open any other port than the already opened SSH port to the outside, since the VNC traffic is tunneled through the SSH port.

On the server

On the server side, vncserver or x0vncserver must be run.

When running either one of these, it is recommended to use the localhost option in $XDG_CONFIG_HOME/tigervnc/config or the -localhost switch (for x0vncserver) since it allows connections from the localhost only and by analogy, only from users ssh'ed and authenticated on the box. For example:

$XDG_CONFIG_HOME/tigervnc/config
session=lxqt
geometry=1920x1080
localhost
alwaysshared

Make sure to Start or Restart the vncserver@.service, for example (see also #Initial setup):

# systemctl start vncserver@:1

or for x0vncserver:

$ x0vncserver -localhost -SecurityTypes none

On the client

The VNC server has been setup on the remote machine to only accept local connections. Now, the client must open a secure shell with the remote machine (10.1.10.2 in this example) and create a tunnel from the client port, for instance 9901, to the remote server 5901 port. For more details on this feature, see OpenSSH#Forwarding other ports and ssh(1).

$ ssh 10.1.10.2 -L 9901:localhost:5901

Once connected via SSH, leave this shell window open since it is acting as the secured tunnel with the server. Alternatively, directly run SSH in the background using the -f option. On the client side, to connect via this encrypted tunnel, point the vncviewer to the forwarded client port on the localhost.

$ vncviewer localhost:9901

What happens in practice is that the vncviewer connects locally to port 9901 which is tunneled to the server's localhost port 5901. The connection is established to the right port within the secure shell.

Tip: It is possible, with a one-liner, to keep the port forwarding active during the connection and close it right after:
$ ssh -fL 9901:localhost:5901 10.1.10.2 sleep 10; vncviewer localhost:9901

What it does is that the -f switch will make ssh go in the background; it will still be alive executing sleep 10. vncviewer is then executed and ssh remains open in the background as long as vncviewer makes use of the tunnel. ssh will close once the tunnel is dropped which is the wanted behavior.

Alternatively, vncviewer's -via switch provides a shortcut for the above command:

$ vncviewer -via 10.1.10.2 localhost::5901

(Notice the double colon – vncviewer's syntax is [host]:[display#] or [host]::[port].)

Connecting to a vncserver from Android devices over SSH

To connect to a VNC server over SSH using an Android device as a client, consider having the following setup:

  1. SSH running on the server
  2. vncserver running on server (with -localhost flag for security)
  3. SSH client on the Android device: ConnectBot is a popular choice and will be used in this guide as an example
  4. VNC client on the Android device: androidVNC used here

In ConnectBot, connect to the desired machine. Tap the options key, select Port Forwards and add a port:

Type: Local
Source port: 5901
Destination: 127.0.0.1:5901

In androidVNC, connect to the VNC port; this is the local address following the SSH connection:

Password: the vncserver password
Address: 127.0.0.1
Port: 5901

Tips and tricks

Connecting to a macOS system

See https://help.ubuntu.com/community/AppleRemoteDesktop. Tested with Remmina.

Recommended security settings

If not #Accessing vncserver via SSH tunnels where the identification and the encryption are handled via SSH, it is recommended to use X509Vnc, as TLSVnc lacks identity verification.

$ vncserver -x509key /path/to/key.pem -x509cert /path/to/cert.pem -SecurityTypes X509Vnc :1

Issuing x509 certificates is beyond the scope of this guide. However, Let's Encrypt provides an easy way to do so. Alternatively, one can issue certificates using OpenSSL, share the public key with the client and specify it with the -X509CA parameter. An example is given below the server is running on 10.1.10.2:

$ vncviewer 10.1.10.2 -X509CA /path/to/cert.pem

Toggling fullscreen

This can be done through vnc client's menu. By default, vnc client's mkey is F8.

Workaround for mouse back and forward buttons not working

The VNC protocol currently only uses 7 mouse buttons (left, middle, right, scroll up, scroll down, scroll left, scroll right) which means if the mouse has a back and a forward button, these are not usable and input will be ignored.

evrouter can be used to work around this limitation by sending keyboard key presses when clicking the mouse back/forward buttons. Optionally, xte found in xautomation and xbindkeys can be used on the server to map the keyboard key presses back to mouse button clicks if needed.

Substituting mouse back/forward buttons with keyboard keys XF86Back/XF86Forward

This method is simple and suitable if you only need a way to navigate backward/forward while using web browsers or file browsers for example.

Install evrouterAUR and xautomation on the client. Configure evrouter, see Mouse buttons#evrouter and evrouter man pages for instructions and tips on how to find the correct device name, window name, button names etc. Example config:

~/.evrouterrc
Window "OtherComputer:0 - TigerVNC": # Window title used as filter

# Using Shell to avoid repeating key presses (see evrouter manual)
"USB mouse" "/dev/input/by-id/usb-Mouse-name-event-mouse" none key/275 "Shell/xte 'key XF86Back'"
"USB mouse" "/dev/input/by-id/usb-Mouse-name-event-mouse" none key/276 "Shell/xte 'key XF86Forward'"

# Use XKey below instead if repeating keys is desired (see evrouter manual)
#"Logitech Gaming Mouse G400" "/dev/input/by-id/usb-Logitech_Gaming_Mouse_G400-event-mouse" none key/275 "XKey/XF86Back"
#"Logitech Gaming Mouse G400" "/dev/input/by-id/usb-Logitech_Gaming_Mouse_G400-event-mouse" none key/276 "XKey/XF86Forward"

Start evrouter on the client. With above configuration keyboard key XF86Back is sent to the VNC server when clicking the back button on the mouse, and XF86Forward is sent when clicking the forward button.

Mapping the keyboard key presses back to mouse button clicks on the server

If needed, it is possible to map the keyboard keys back to mouse button clicks on the server. In this case, it might be a good idea to use keyboard keys which are never on the client or server. In the example below, keyboard keys XF86Launch8/XF86Launch9 are used as mouse buttons 8/9.

Evrouter configuration on the client:

~/.evrouterrc
Window "OtherComputer:0 - TigerVNC": # Window title

# Using Shell to avoid repeating key presses (see evrouter manual)
"USB mouse" "/dev/input/by-id/usb-Mouse-name-event-mouse" none key/275 "Shell/xte 'key XF86Launch8'"
"USB mouse" "/dev/input/by-id/usb-Mouse-name-event-mouse" none key/276 "Shell/xte 'key XF86Launch9'"

Install xautomation and xbindkeys on the server. Configure xbindkeys to map keyboard keys XF86Launch8/XF86Launch9 to mouse buttons 8/9 with xte.

~/.xbindkeysrc
"xte 'mouseclick 8'"
     XF86Launch8

"xte 'mouseclick 9'"
     XF86Launch9

Start xbindkeys (xbindkeys -f ~/.xbindkeysrc). The server will now map XF86Launch8/XF86Launch9 to mouse buttons 8/9.

Troubleshooting

Black rectangle instead of window

Most probably, this is due to the application strictly requiring the composite Xorg extension. For example webkit based app: midori, psi-plus, etc.

Restart vncserver in this case using something like following:

$ vncserver -geometry ... -depth 24 :1 +extension Composite

It looks like Composite extension in VNC will work only with 24bit depth.

Empty black window with mouse cursor or xinit: connection to X server lost

Verify that the user is not logged into a physical X session, unless this option was configured with x0vncserver. Multiple X sessions for a single user are not supported, see 684#issuecomment-494385395 and #1634.

Conversely, trying to log into a local X session while a VNC server service is running for that user will likely not work, and may get stuck on a splash screen when using a desktop environment.

No mouse cursor

If no mouse cursor is visible when using x0vncserver, start vncviewer as follows:

$ vncviewer DotWhenNoCursor=1 server

Alternatively, put DotWhenNoCursor=1 in the TigerVNC configuration file, which is at $XDG_CONFIG_HOME/tigervnc/default.tigervnc by default.

Copying clipboard content from the remote machine

If copying from the remote machine to the local machine does not work, run autocutsel on the server, as mentioned in [1]:

$ autocutsel -fork

Now, press F8 to display the VNC menu popup, and select Clipboard: local -> remote option.

No window decoration / borders / titlebars / cannot move windows around

Start a window manager to fix an empty xterm frame. For example, on Xfce, run xfwm4 &.

Desktop environment is displaying only boxes for font

Some desktop environments might be missing necessary font to display ASCII characters. Install ttf-dejavu.

VNC server terminates immediately while using xfce4 session

Create new .desktop file under /usr/share/xsessions. For example xfce4vnc.desktop:

/usr/share/xsessions/xfce4vnc.desktop
[Desktop Entry]
Version=1.0
Name=Xfce4vnc Session
Exec=dbus-launch startxfce4
Icon=
Type=Application
DesktopNames=XFCE4VNC

Make sure Exec key is using dbus-launch to start xfce4 within new session bus instance context. Remember to change session value in $XDG_CONFIG_HOME/tigervnc/config to xfce4vnc.

See also