This walkthrough will show you how to create a VNC service on a Linux server, configure a window manager to spawn, and establish a reverse tunnel for connection security. I have chosen to utilize tigervnc as the VNC service, as this is a standard VNC package that ships with RHEL/CentOS currently.

The first step is to install the necessary packages for the tigervnc setup. This tutorial assumes that the CentOS 7 installation is a basic server install, with no X server installed. There is a good chance that, if you are installing these packages on a server with a GUI installed, some of them will already be present. These are simply the raw requirements. This tutorial will show you how to install DWM as the default window manager, but you can use whatever you desire.

yum install Xorg tigervnc dwm

Next, you will need to create a .vnc folder under the local user’s home directory, and in it create an xstartup file. This file will start the window manager of your choice.

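#!/bin/sh
# Defer to a system-wide xstartup if one exists
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
# Load this user's X resources, if present
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
vncconfig -iconic &
# Start dwm inside its own D-Bus session
dbus-launch --exit-with-session dwm &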

Next up, create a tigervnc systemd file as shown below. This will be the .service that will need to be started and enabled. Replace <username> with the local user that will be authenticating to the VNC server.

/etc/systemd/system/vncserver@:1.service

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
User=<username>

# Kill any pre-existing VNC server for this display; the leading "-" tells
# systemd to ignore the failure when none is running (e.g. on first start)
ExecStartPre=-/usr/bin/vncserver -kill %i
ExecStart=/usr/bin/vncserver %i -localhost -nolisten tcp -securitytypes Plain -geometry 1920x1080 -pam_service=sshd -DisconnectClients=0 -NeverShared -PlainUsers=<username>
PIDFile=/home/<username>/.vnc/%H%i.pid
ExecStop=-/usr/bin/vncserver -kill %i

[Install]
WantedBy=multi-user.target

  • -localhost is specified because we do not want TigerVNC to be reachable from the network; instead, an SSH tunnel provides security for the insecure VNC protocol
  • -nolisten tcp should be specified in order to speed up client connections
  • -securitytypes Plain is used to allow username and password authentication
  • -geometry can be whatever resolution you desire, but HD is recommended
  • -pam_service is what enables local users to authenticate via the server’s local ssh authentication
  • -DisconnectClients=0 -NeverShared needs to be set so that only one user can connect to the VNC server at a time
  • -PlainUsers must be set to the same local user as the User= field in the [Service] section

At this point, start and enable the VNC service with systemctl start vncserver@:1.service && systemctl enable vncserver@:1.service.
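
Once the service is running, it is worth confirming that -localhost and -nolisten tcp actually took effect by inspecting the listening sockets. The script below is an added example and not part of the original walkthrough; the function name exposed_vnc_listeners and the sample ss output are constructed for illustration, and it assumes ports 5900-5999 are VNC displays and 6000-6063 are X11 displays.

```sh
#!/bin/sh
# Added example: report VNC (59xx) and X11 (60xx) TCP listeners that are
# bound to anything other than loopback. Feed it `ss -ltn` output on stdin:
#   ss -ltn | exposed_vnc_listeners
exposed_vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        n = match(local_addr, /:[0-9]+$/)      # position of the final ":port"
        if (n == 0) next
        port = substr(local_addr, n + 1) + 0
        addr = substr(local_addr, 1, n - 1)
        gsub(/^\[|\]$/, "", addr)              # newer ss wraps IPv6 in [ ]
        if (port < 5900 || port > 6063) next   # only VNC and X11 ranges
        if (addr ~ /^127\./ || addr == "::1") next   # loopback is expected
        kind = (port < 6000) ? "VNC" : "X11"
        printf "%s %s:%d\n", kind, addr, port
    }'
}

# Constructed sample in the older `ss -ltn` layout (not captured from a real host).
# Display :1 is correctly loopback-only; display :2 was started without
# -localhost and its X server without -nolisten tcp.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:22                 *:*
LISTEN     0      5      127.0.0.1:5901       *:*
LISTEN     0      5      ::1:5901             :::*
LISTEN     0      5      0.0.0.0:5902         *:*
LISTEN     0      5      :::6001              :::*'

printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners
```

An empty result means every VNC and X11 listener is loopback-only, which is the state the service file above is meant to produce.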

After the service has been started, connect to your Linux server with an SSH client, such as PuTTY, and establish a reverse ssh tunnel to port 5901. This port is not specified in the service file shown above; however, since it is a VNC service, and it is the first service, it will attach to 127.0.0.1:5901. A second instance with a service file named vncserver@:2.service will attach to 5902, and so on.

To create a reverse tunnel to port 5901 with PuTTY, open PuTTY and navigate to Connection > SSH > Tunnels. For your source port, enter 5901. For your destination, enter localhost:5901. Save the setting if you choose, then connect to the Linux server. This should forward the remote localhost port 5901 to your client machine’s port 5901.

Next up, download the TigerVNC vncviewer application to connect. If you go into settings, be sure to disable all TLS related items, and use only plain authentication.




Has been tested on OpenBSD 6.4