12.3. VNC Viewer

vncviewer is a program which shows the graphical user interfaces and controls the vncserver remotely.
For operating the vncviewer, there is a pop-up menu containing entries which perform various actions such as switching in and out of full-screen mode or quitting the viewer. Alternatively, you can operate vncviewer through the terminal. Enter vncviewer -h on the command line to list vncviewer's parameters.

12.3.1. Installing VNC Viewer

To install the TigerVNC client, vncviewer, issue the following command as root:
~]# yum install tigervnc

12.3.2. Connecting to VNC Server

Once the VNC server is configured, you can connect to it from any VNC viewer.

Procedure 12.4. Connecting to a VNC Server Using a GUI

  1. Enter the vncviewer command with no arguments, the VNC Viewer: Connection Details utility appears. It prompts for a VNC server to connect to.
  2. If required, to prevent disconnecting any existing VNC connections to the same display, select the option to allow sharing of the desktop as follows:
    1. Select the Options button.
    2. Select the Misc. tab.
    3. Select the Shared button.
    4. Press OK to return to the main menu.
  3. Enter an address and display number to connect to:
    address:display_number
  4. Press Connect to connect to the VNC server display.
  5. You will be prompted to enter the VNC password. This will be the VNC password for the user corresponding to the display number unless a global default VNC password was set.
    A window appears showing the VNC server desktop. Note that this is not the desktop the normal user sees, it is an Xvnc desktop.

Procedure 12.5. Connecting to a VNC Server Using the CLI

  1. Enter the viewer command with the address and display number as arguments:
    vncviewer address:display_number
    Where address is an IP address or host name.
  2. Authenticate yourself by entering the VNC password. This will be the VNC password for the user corresponding to the display number unless a global default VNC password was set.
  3. A window appears showing the VNC server desktop. Note that this is not the desktop the normal user sees, it is the Xvnc desktop.

12.3.2.1. Configuring the Firewall for VNC

When using a non-encrypted connection, firewalld might block the connection. To allow firewalld to pass the VNC packets, you can open specific ports to TCP traffic. When using the -via option, traffic is redirected over SSH which is enabled by default in firewalld.

Note

The default port of VNC server is 5900. To reach the port through which a remote desktop will be accessible, sum the default port and the user's assigned display number. For example, for the second display: 2 + 5900 = 5902.
For displays 0 to 3, make use of firewalld's support for the VNC service by means of the service option as described below. Note that for display numbers greater than 3, the corresponding ports will have to be opened specifically as explained in Procedure 12.7, “Opening Ports in firewalld”.

Procedure 12.6. Enabling VNC Service in firewalld

  1. Run the following command to see the information concerning firewalld settings:
    ~]$ firewall-cmd --list-all
  2. To allow all VNC connections from a specific address, use a command as follows:
    ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.122.116" service name=vnc-server accept'
    success
    Note that these changes will not persist after the next system start. To make permanent changes to the firewall, repeat the commands adding the --permanent option. See the Red Hat Enterprise Linux 7 Security Guide for more information on the use of firewall rich language commands.
  3. To verify the above settings, use a command as follows:
    ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: bond0 bond0.192
      sources:
      services: dhcpv6-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    	rule family="ipv4" source address="192.168.122.116" service name="vnc-server" accept
To open a specific port or range of ports make use of the --add-port option to the firewall-cmd command Line tool. For example, VNC display 4 requires port 5904 to be opened for TCP traffic.

Procedure 12.7. Opening Ports in firewalld

  1. To open a port for TCP traffic in the public zone, issue a command as root as follows:
    ~]# firewall-cmd --zone=public --add-port=5904/tcp
    success
  2. To view the ports that are currently open for the public zone, issue a command as follows:
    ~]# firewall-cmd --zone=public --list-ports
    5904/tcp
A port can be removed using the firewall-cmd --zone=zone --remove-port=number/protocol command.
Note that these changes will not persist after the next system start. To make permanent changes to the firewall, repeat the commands adding the --permanent option. For more information on opening and closing ports in firewalld, see the Red Hat Enterprise Linux 7 Security Guide.

12.3.3. Connecting to VNC Server Using SSH

VNC is a clear text network protocol with no security against possible attacks on the communication. To make the communication secure, you can encrypt your server-client connection by using the -via option. This will create an SSH tunnel between the VNC server and the client.
The format of the command to encrypt a VNC server-client connection is as follows:
vncviewer -via user@host:display_number

Example 12.1. Using the -via Option

  1. To connect to a VNC server using SSH, enter a command as follows:
    ~]$ vncviewer -via USER_2@192.168.2.101:3
  2. When you are prompted to, type the password, and confirm by pressing Enter.
  3. A window with a remote desktop appears on your screen.

Restricting VNC Access

If you prefer only encrypted connections, you can prevent unencrypted connections altogether by using the -localhost option in the systemd.service file, the ExecStart line:
ExecStart=/usr/sbin/runuser -l user -c "/usr/bin/vncserver -localhost %i"
This will stop vncserver from accepting connections from anything but the local host and port-forwarded connections sent using SSH as a result of the -via option.
For more information on using SSH, see Chapter 11, OpenSSH.