howtos:window_managers:vnc [2014/10/17 09:42 (UTC)] – TightVNC is now passé, changed to TIGERVNC arfon | howtos:window_managers:vnc [2023/03/13 18:26 (UTC)] (current) – contribute new section starting Xvnc on-demand metaed | ||
---|---|---|---|
Line 7: | Line 7: | ||
====== Setup VNC Server (on Slackware)====== | ====== Setup VNC Server (on Slackware)====== | ||
USING TigerVNC: | USING TigerVNC: | ||
- | On your remote machine, install TigerVNC via slackpkg | + | On your remote machine, |
+ | | ||
| | ||
Line 23: | Line 24: | ||
USING TigerVNC: | USING TigerVNC: | ||
- | On your local machine, install TigerVNC via slackpkg | + | On your local machine, install |
+ | | ||
| | ||
Line 37: | Line 39: | ||
====== Tunnel VNC Through SSH (from Slackware) ====== | ====== Tunnel VNC Through SSH (from Slackware) ====== | ||
Open an SSH connection: | Open an SSH connection: | ||
- | ssh -L 5901:127.0.0.1:5901 -N -f -l bob 192.168.1.34 | + | ssh -L 5901:localhost:5901 -N -f -l bob 192.168.1.34 |
< | < | ||
Line 44: | Line 46: | ||
-f : Make ssh to go to background before command execution. | -f : Make ssh to go to background before command execution. | ||
-l bob : ' | -l bob : ' | ||
- | 192.168.1.34 : is the remote machine. | + | 192.168.1.34 : is the remote machine |
</ | </ | ||
Connect with VNC: | Connect with VNC: | ||
| | ||
- | Enter " | + | |
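Review bot: changing the forward from `5901:127.0.0.1:5901` to `5901:localhost:5901` makes the tunnel endpoint depend on how `localhost` resolves on the remote host (sshd resolves that name, and it may map to `::1` as well as `127.0.0.1`), so an Xvnc bound only to the IPv4 loopback would not be reached; the old numeric form was unambiguous, so either keep `127.0.0.1` or add a sentence saying that `localhost` on the remote side must resolve to the address the VNC server listens on. It is also worth stating next to this command that the tunnel only replaces direct access if Xvnc is started with `-localhost`, so that port 5901 is not reachable from the network at all.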
Line 69: | Line 71: | ||
Connect with VNC: | Connect with VNC: | ||
| | ||
- | Enter " | + | |
+ | |||
+ | |||
+ | ====== Reverse VNC Connection ====== | ||
+ | (Connecting to a listening VNC viewer (Useful for family IT support)) \\ | ||
+ | |||
+ | Start The VNC Viewer (on Slackware) In Listen Mode- \\ | ||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | ** IF YOUR INCOMING CONNECTION IS COMING THROUGH A FIREWALL (most home routers)** do not forget to forward the port in the router (5500 is the default port for reverse VNC connections). | ||
+ | |||
+ | |||
+ | Start the VNC SERVER on Windows and attach a listening viewer- \\ | ||
+ | Start the VNC Server | ||
+ | RIGHT CLICK on the VNC server icon in your task bar and select | ||
+ | Put in the IP address of the viewer machine: 192.168.1.34 | ||
+ | | ||
+ | (through a forwarded port), make sure to connect to the ROUTER' | ||
+ | internet address) and NOT your local address. This can be found by going to a | ||
+ | | ||
+ | |||
+ | |||
+ | |||
+ | ====== Starting '' | ||
+ | |||
+ | A nice refinement is to configure the remote host to automatically create for each user a permanent virtual terminal. | ||
+ | |||
+ | The virtual terminal gets created when the user first connects. The user can detach from their terminal and reattach from elsewhere, providing true persistent terminal service. The terminal persists until either | ||
+ | |||
+ | (i) the user destroys it by logging out, or | ||
+ | |||
+ | (ii) the system operator destroys it by rebooting. | ||
+ | |||
+ | ===== Remote host listener ===== | ||
+ | |||
+ | The remote host needs an '' | ||
+ | |||
+ | 5901 stream tcp wait arfon / | ||
+ | 5902 stream tcp wait metaed / | ||
+ | 5903 stream tcp wait doe / | ||
+ | 5904 stream tcp wait roe / | ||
+ | |||
+ | This arranges that when a VNC viewer connects to port 5901, an '' | ||
+ | |||
+ | If this is the first time you’ve used '' | ||
+ | |||
+ | # chmod 755 / | ||
+ | # / | ||
+ | # pgrep -l inetd | ||
+ | 27849 inetd | ||
+ | |||
+ | ===== Connection procedure ===== | ||
+ | |||
+ | To use, there is a two step procedure. First, the end user connects using '' | ||
+ | |||
+ | $ ssh -L 5901: | ||
+ | |||
+ | Second, the end user connects using '' | ||
+ | |||
+ | I've seen at least one VNC viewer (bVNC) that has builtin support for '' | ||
+ | |||
+ | ===== Display manager configuration ===== | ||
+ | |||
+ | This depends entirely on which display manager you have available, and is really outside | ||
+ | |||
+ | * Open ''/ | ||
+ | * Edit the line '' | ||
+ | * Disable the line by inserting a '' | ||
+ | * Open ''/ | ||
+ | * Edit the line ''# | ||
+ | * Change the '' | ||
+ | * Enable the line by deleting the ''#'' | ||
+ | |||
+ | You might not want your '' | ||
+ | |||
+ | * Open ''/ | ||
+ | * Edit the line '': | ||
+ | * Disable the line by inserting a ''#'' | ||
+ | |||
+ | You will also need to change the remote host’s default runlevel from '' | ||
+ | |||
+ | * Open ''/ | ||
+ | * Edit the line '' | ||
+ | * Change '' | ||
+ | * To make the change immediately without rebooting, run '' | ||
+ | |||
+ | For extra credit, you can customize '' | ||
+ | |||
+ | After authentication, | ||
+ | |||
+ | xterm & | ||
+ | twm | ||
+ | |||
+ | ===== Security considerations ===== | ||
+ | |||
+ | There are several layers of security available to protect the remote virtual terminals from unauthorized use. | ||
+ | |||
+ | ==== Firewall ==== | ||
+ | |||
+ | The first layer of security is the remote host’s firewall. Firewall configuration is outside the scope of this how-to, but here is a brief outline of what you need. The firewall ought to deny remote connections by default. So if you already block all ports by default, no change is needed. You will NOT be punching holes in your firewall to make this work. Supposing your remote host provides only SSH service, and you use the '' | ||
+ | |||
+ | type filter hook input priority 0; policy drop; | ||
+ | ct state vmap { 0x1 : drop, 0x2 : accept, 0x4 : accept } | ||
+ | iifname " | ||
+ | tcp dport 22 accept | ||
+ | |||
+ | With such a firewall in place, you are properly secured. | ||
+ | |||
+ | ==== Encryption ==== | ||
+ | |||
+ | Configured as recommended above, all VNC traffic between the remote host and the local terminal is encrypted, because it travels on the '' | ||
+ | |||
+ | ==== Authentication ==== | ||
+ | |||
+ | There are several authentication layers available. | ||
+ | |||
+ | - An '' | ||
+ | - The terminal can be secured using '' | ||
+ | - The '' | ||
+ | - The user can '' | ||
+ | |||
+ | ===== References ===== | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
====== Sources ====== | ====== Sources ====== | ||
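Review bot: the new "Reverse VNC Connection" section tells the reader to forward port 5500 on the router so the listening viewer is reachable from the internet, but nothing in that section tunnels or otherwise protects the connection, while the later "Encryption" paragraph states that all VNC traffic is encrypted "configured as recommended above"; that statement is only true of the SSH-tunnelled Xvnc setup. Suggest adding a sentence to the reverse-VNC section saying that a viewer listening on a forwarded port accepts a connection from any host and that the session is not encrypted unless it is also tunnelled, and advising that the router forward be removed once the support session is over.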
Line 75: | Line 209: | ||
<!-- * Original source: [[http:// | <!-- * Original source: [[http:// | ||
<!-- Authors are allowed to give credit to themselves! --> | <!-- Authors are allowed to give credit to themselves! --> | ||
- | * Originally written by [[wiki: | + | |
- | < | + | * Contributions by [[wiki: |
<!-- Please do not modify anything below, except adding new tags.--> | <!-- Please do not modify anything below, except adding new tags.--> | ||
<!-- You must remove the tag-word " | <!-- You must remove the tag-word " | ||
{{tag> | {{tag> |