What is VNC?
Often, we need desktop/GUI (Graphical User Interface) resources “on the other side of the wire” and we want to avoid walking over (or driving!) to a remote computer. At times, it may even be impossible to reach the remote system as it is on the other side of the world.
Welcome to the world of remote desktop computing, which allows you – by using a VNC (Virtual Network Computing) software package – to connect to the desktop/GUI of a remote computer.
Under the hood, the VNC software will use the RFB (Remote Frame Buffer) protocol to send keystrokes and mouse movements to the remote system. It is as if you were sitting at the remote computer, albeit with some caveats and a bit of extra latency.
VNC Caveats
There are some limitations when using VNC to manage and/or use remote desktops. One of the main ones is that the display updates can be slow. Watching 4K video on a remote desktop whilst using an ADSL Internet connection is unlikely to give favorable results. At times, even clicking an icon to start an application can cause a slight delay as the screen needs to refresh.
Security may be another consideration. Various options are included with various VNC software, but configuring them is often left to the user, especially with open source based solutions. Another issue is that VNC does not scale well to many users. It is mostly suited for home use, and small office users may find it helpful too, for example by having a single desktop on a single machine shared remotely and used by 1-3 users.
Even for large corporations, remote server management (with one or two system administrators per VNC enabled server) is definitely an option. Then again, large corporations often disable and/or uninstall any graphical desktop from their servers, and remote management is done by using commands entered in a terminal, with SSH used to connect to the server. SSH (Remote Secure Shell) can even be used from your mobile phone!
Connecting with VNC to a Remote Linux Computer
You will need both a VNC server and a VNC client to be able to use a remote desktop. The VNC server operates on the remote end, ensuring that a VNC client, used from a connecting workstation (almost always your own computer), can connect and that the desktop output, mouse movements and keystrokes are all relayed as faithfully as possible.
At times, minor network hiccups or slowness may cause partial screen renders etc. though generally speaking, if you have a fast network (and fast Internet connection if you are using a computer across the Internet), the screen rendering will be good enough to do some level of remote work.
Installing the VNC server
The VNC server needs to be installed on the remote workstation or server. This could be done over SSH remotely, though at times you could opt to go to the remote computer (if reasonably nearby), connect a keyboard and mouse, and set up VNC there. The best answer depends on your existing infrastructure, where the remote machine is located and whether you have a keyboard and mouse handy or not.
Which VNC server software you select will depend on a few factors. The main one is preference, and it takes a bit of time to learn the myriad of options out there, and then to test a few.
On the commercial side, there is RealVNC. It is an excellent, well working and supported software package, intended for small businesses that do not want to spend too much time on getting something to work well. Commercial solutions generally work well if you’re managing many servers and clients as an SME.
If you are more into open source, the Ubuntu list of VNC solutions has a nice starting list of VNC servers. A popular one is x11vnc, which runs a barebones VNC server. Ubuntu also comes with vino preinstalled. You will generally tend to find that each VNC server solution comes with its own benefits and features as well as shortcomings and caveats.
Finally, you want to consider the operating systems you will be using VNC on. Will you be connecting from Windows to Linux, or from a tablet to your Macintosh Laptop? It is all possible, but you will find that some VNC solutions may only work Linux-to-Linux, or Windows-to-Windows etc.
Assuming you’re on Linux, x11vnc is a simple open source VNC server recommended by Ubuntu that you can install. The installation is simple, as it’s available from apt:
Then, you can start an SSH tunnel on port 5900, which handles authentication and exposes the port to any local VNC client:
And start the VNC server:
You can also automatically run x11vnc via systemd.
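The setup above relies on the SSH tunnel for authentication, which only holds if the VNC port is bound to loopback on the remote host. The following check is an added example, not part of the original article; the x11vnc and ssh invocations in its comments, the host name and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that the VNC listener is reachable only via the SSH tunnel.
# Assumed setup (illustrative commands, not taken from the article):
#   remote host:  sudo apt install x11vnc
#                 x11vnc -localhost -display :0 -rfbport 5900
#   workstation:  ssh -L 5900:localhost:5900 user@remote-host   # placeholder names
#                 then point the VNC client at localhost:5900

# classify_listener PORT   (reads `ss -tln` output on stdin)
# Prints one of: loopback-only | exposed | not-listening
classify_listener() {
    awk -v port="$1" '
        {
            local_addr = $4                    # e.g. 127.0.0.1:5900 or [::]:5900
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next         # header line or another port
            host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            seen = 1
            # Anything other than 127.0.0.0/8 or ::1 is reachable from the network.
            if (host !~ /^127\./ && host != "[::1]") exposed = 1
        }
        END {
            if (!seen)        print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample output of `ss -tln` (not captured from a real host).
SAMPLE_TUNNEL_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     127.0.0.1:5900     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     0.0.0.0:5900       0.0.0.0:*
LISTEN 0      32     [::]:5900          [::]:*'

echo "x11vnc started with -localhost: $(printf '%s\n' "$SAMPLE_TUNNEL_ONLY" | classify_listener 5900)"
echo "x11vnc started without it:      $(printf '%s\n' "$SAMPLE_EXPOSED" | classify_listener 5900)"

# On a real host: ss -tln | classify_listener 5900
```

An `exposed` result means clients can reach the VNC port directly, bypassing the SSH authentication the tunnel was meant to provide.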
Using the VNC client
The VNC client is often used as a standalone binary somewhere. A system administrator may have the VNC client utility/binary sitting directly on their local desktop for example. A vendor like RealVNC will give you the VNC client ‘for free’, whereas the VNC server is a paid solution.
It is important that the authentication of the VNC client and VNC server match. Although fallback mechanisms are often in place, each level of fallback to a lower quality authentication method provides lower security.
When there is a need to employ proper authentication, one can configure the VNC server to require a high level authentication mechanism. One can also force the client to use a similarly high level. Using a VPN also ensures your VNC data is encrypted end-to-end.
One final aspect to consider when looking at a client/server solution is that, unless you use a commercial based solution, there is usually a somewhat strict need to ensure that the client and the server are made by the same software creator/distributor.
There may be small differences in implementation of the underlying protocol, the authentication mechanisms and the software itself, making one VNC client not always compatible with another VNC server, or producing undefined results. Using a mismatched VNC client and VNC server may negatively affect the security strength as well as the reliability of the setup.
For an open-source, cross-platform solution, there’s TightVNC, which runs in a Java applet on any host machine.
Firewalls You Say?
Firewalls may require reconfiguration when you install VNC. Usually it is as easy as opening a few ports for a specific range of IP addresses. Be as restrictive as possible when creating a rule (or in other words ‘a hole’) in your firewall: it is best to allow only a limited range of IP addresses to connect.
You can use CIDR to limit the range of IP addresses. For example, a rule limiting the range to 192.168.0.1/24 will allow addresses from 192.168.0.1 to 192.168.0.254 to connect.
The actual port numbers are often configurable inside the VNC server, and it is best practice to change them to a non-default port for security purposes. Make sure to match the port numbers configured in the VNC server with the new firewall rule.
If you’re using RealVNC, the installer will ask if you would like to create a rule in the firewall. It creates a rule which is quite open and you may want to restrict it further, but it is easier to understand the setup when the basic rule is in place already.
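To see what a CIDR rule actually admits before opening the port, this added example (not from the original article) expands a CIDR into its network and usable host range and prints a matching allow rule. The use of ufw (Ubuntu's firewall front end) and port 5900 are assumptions; the rule is printed, not applied.

```shell
#!/bin/sh
# Added example: expand a CIDR into network + usable host range, then print
# the matching ufw allow rule for the VNC port. Valid for prefixes /0 to /30.

ip_to_int() {    # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1    # split the address on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

int_to_ip() {    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range ADDR/PREFIX -> "network/prefix first_host last_host"
cidr_range() {
    addr=${1%/*}; prefix=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( $(ip_to_int "$addr") & mask ))          # host bits cleared
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))         # host bits all set
    echo "$(int_to_ip "$net")/$prefix $(int_to_ip $((net + 1))) $(int_to_ip $((bcast - 1)))"
}

# vnc_allow_rule CIDR PORT -> ufw command line restricted to that range
vnc_allow_rule() {
    set -- $(cidr_range "$1") "$2"   # $1=network/prefix $2=first $3=last $4=port
    echo "ufw allow from $1 to any port $4 proto tcp"
}

# The article's example range, with the port as a sample value.
cidr_range 192.168.0.1/24
vnc_allow_rule 192.168.0.1/24 5900
```

The port passed to `vnc_allow_rule` must be the one the VNC server is actually configured to listen on.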
VNC: TLDR;
As we have seen, there are many possible avenues and solutions available when it comes to implementing a VNC solution. If you just need a quick setup, and only have two Ubuntu based workstations, it may be easy enough to use a free and open source solution from the list by the Ubuntu team. If you are trying to manage a handful of desktops as an SME, commercial software like RealVNC may be an easier solution.
Once the software is installed, it’s time to configure the firewall, tune your VNC server options to your liking, tune authentication if required, and enjoy the benefits a remote desktop solution can offer!
Enjoy!