Friday, December 11, 2009

Overview of VNC

VNC, or Virtual Network Computing, is a way of controlling a remote computer just as though you were sitting in front of it. In the Windows world it
is also known as remote desktop, but it's normally referred to as VNC in the Linux world. You connect with a VNC client to a remote computer running
the VNC server; an image of the remote desktop is transmitted to your local computer, and you can see and control the desktop just as though you
were there, since all keyboard and mouse input is sent from your client machine to the server.

Gnome Remote Desktop

If you are running the Gnome desktop on Fedora Core then you already have a VNC server built in. Click on the Fedora icon > Desktop > Preferences >
Remote Desktop to open the dialog shown.

Gnome remote desktop

The screen is pretty self-explanatory: when set up this way, another computer can connect to yours using the command listed on the dialog. There
are a few important things to note. You must open port 5900 on the server for this to work, since by default the Gnome Remote Desktop (called vino)
listens on this port. Also, the person connecting will see the same session that you are currently logged in to, which means that any programs you
have open will also be visible to the client. Of course, this is very useful if you are helping someone remotely.

A more flexible way to use VNC is to install the VNC server and client software via yum; these are RPMs based on
RealVNC.


vncserver and vncviewer

Check what's installed

First check whether you already have them installed on your system. Open a terminal and type:

$ rpm -qa|grep vnc
vnc-server-4.1.1-36
vnc-4.1.1-36


If you get output something like this then you're all set; if not, you need to install them via yum.

Add a user(s)

Next we need to add at least one VNC user. Open the file /etc/sysconfig/vncservers as root and add the information shown:

$ vi /etc/sysconfig/vncservers

# The VNCSERVERS variable is a list of display:user pairs.
#
# Uncomment the lines below to start a VNC server on display :2
# as my 'myusername' (adjust this to your own). You will also
# need to set a VNC password; run 'man vncpasswd' to see how
# to do that.
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted! For a secure way of using VNC, see
# .

# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.

# Use "-nohttpd" to prevent web-based VNC clients connecting.

# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel. See the "-via" option in the
# `man vncviewer' manual page.

VNCSERVERS="1:bobpeers"
VNCSERVERARGS[1]="-geometry 1024x768 -depth 16"


The important part is VNCSERVERS="1:bobpeers", which sets up a user for the VNC server; you can add as many as you like here. The VNCSERVERARGS[1]
line refers to the arguments for user 1 (the index matches the display number in VNCSERVERS), in this case the only user. Geometry sets the screen
size and depth sets the colour depth. You can adjust these to suit your preferences, but in my case the client machine has a resolution of 1024x768,
and depth 16 makes the connection a bit faster, since the less information that needs to be sent the more responsive the session will feel.

Knowing which port to use

It's also important to note the session number used, as this tells us which port vncserver will listen on. Remember that the Gnome Remote Desktop
asked us to use computername:0 as the connection string; the number is added to 5900 to get the listening port. In this case we need to use
port 5901 since we are using session 1. In the same way we could use any number, for example:

VNCSERVERS="2000:bobpeers"
VNCSERVERARGS[2000]="-geometry 1024x768 -depth 16"


In this case we need to use port 5900+2000 so port 7900.

Setting a password

To add some security we need to set a password that must be given before a connection can be established. Open a terminal and type:

$ vncpasswd
Password:
Verify:


This creates a hidden folder called .vnc in your home folder containing the password file.

Starting the server and startup options

To start the server we type the command 'vncserver' followed by the session you wish to start (if you have set up more than one entry in the
/etc/sysconfig/vncservers file):

$ vncserver :1
Starting VNC server: 1:bobpeers
New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1

Starting applications specified in /home/bobuser/.vnc/xstartup
Log file is /home/bobuser/.vnc/linux.bobpeers:1.log

[ OK ]


Now the server is started and a user could connect. However, they will get a plain grey desktop, because by default the connection does not start
a new session of X. To fix this we need to edit the startup script in the .vnc folder in your home directory.

$ vi ~/.vnc/xstartup

#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &


As the file says, make sure the two lines at the top are uncommented by removing the leading # sign. Next we need to restart vncserver to pick up
the changes we just made. To restart the vncserver we need to kill the process and start a new one as root:

$ vncserver -kill :1
Killing Xvnc process ID 13728


$ vncserver :1
Starting VNC server: 1:bobpeers
New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1

Starting applications specified in /home/bobuser/.vnc/xstartup
Log file is /home/bobuser/.vnc/linux.bobpeers:1.log

[ OK ]


Using vncviewer

To start the viewer type:

$ vncviewer localhost:5901


This opens a dialog as shown, asking for the password we set earlier. Enter the password and you should now see a copy of your desktop. Note
that, unlike the Gnome Remote Desktop, this has started a new session of X, so any applications open on the host machine are not visible to the new
session; it's basically a whole new logon running at the same time.

If you just type 'vncviewer' at the prompt then you will be asked for the host to connect to; you can then type localhost:5901, for example.
Remember to use the correct port number when connecting: if you set your VNCSERVERS to be 2000:myname then you would need to connect on localhost:7900.

VNCVIEWER logon

Stopping the vncserver

There are two ways to stop the server, either as root:

$ /sbin/service vncserver stop
Shutting down VNC server: 1:bobpeers [ OK ]


or you can explicitly kill a particular session without being root:

$ vncserver -kill :1
Killing Xvnc process ID 13728


Just replace the 1 with the vnc session you wish to stop.

Allowing remote connections

So far we have only connected to our own computer using localhost, so we have not needed to open any ports in the firewall. If we want to
allow remote connections, however, we will have to do the following. This can be done either from the command line or using system-config-security
if you have it installed.

Using system-config-security to open ports.

First we'll look into the GUI system-config-security. Go to the Fedora start menu > Desktop > Administration >
Security Level and Firewall, then type your root password when prompted to see this:

system-config-security

Click on other ports at the bottom and enter the port you wish to open (5901 in my case), select tcp, then click OK and OK again to save your
settings. That's all there is to it, but remember to close the port again when you are finished.

Select the port to open

Editing the iptables manually to open ports.

To do the same from the command line, add the line containing --dport 5901 (shown in bold in the original listing) to the file /etc/sysconfig/iptables while logged in as root:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Finally we need to restart the iptables service to reload the changes.

$ sudo /sbin/service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]


Connecting from the remote machine.

Now, from the remote client computer, start up vncviewer, but this time use the IP address of the host computer followed by the port number. So on my
home network this might be:

$ vncviewer 192.168.1.105:5901


You should see a copy of the host's desktop. If things seem a bit slow you can try adjusting the colour depth or screen resolution on the vncserver
to see if that helps.
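
Checking what you have exposed

The script below is an added example, not part of the original post. It reads a vncservers file and an iptables file in the formats shown above and reports, for each display, whether its port (5900 + display) is open to any host, limited to a source address, blocked, or bound to loopback by the "-localhost" option the config comments describe. Displays 2 and 3 and the users alice and carol are constructed sample data, and "firewalled" assumes the chain ends in a REJECT rule as in the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): report which VNC displays in a
# Fedora-style vncservers file are reachable from the network.

# vnc_audit CONF RULES: print "display user port verdict" for each pair.
vnc_audit() {
    conf=$1; rules=$2
    pairs=$(sed -n 's/^VNCSERVERS="\(.*\)"[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    for pair in $pairs; do
        display=${pair%%:*}; user=${pair#*:}
        port=$((5900 + display))          # display N listens on TCP 5900+N
        args=$(sed -n "s/^VNCSERVERARGS\[$display\]=\"\(.*\)\"[[:space:]]*\$/\1/p" "$conf" | tail -n 1)
        accept=$(grep -E -- "--dport $port .*-j ACCEPT" "$rules" || true)
        case " $args " in
            *" -localhost "*) verdict=tunnel-only ;;   # bound to loopback only
            *)  if [ -z "$accept" ]; then verdict=firewalled
                elif printf '%s\n' "$accept" | grep -qv -- ' -s '; then verdict=EXPOSED
                else verdict=source-restricted; fi ;;
        esac
        echo "$display $user $port $verdict"
    done
}

# Constructed sample input: display 1 is the post's configuration, displays 2
# and 3 (users alice, carol) are hypothetical hardened variants.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/vncservers" <<'EOF'
# VNCSERVERS="9:myusername"
VNCSERVERS="1:bobpeers 2:alice 3:carol"
VNCSERVERARGS[1]="-geometry 1024x768 -depth 16"
VNCSERVERARGS[2]="-geometry 1024x768 -depth 16 -localhost -nolisten tcp"
VNCSERVERARGS[3]="-geometry 1024x768 -depth 16"
EOF
    cat > "$dir/iptables" <<'EOF'
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 5903 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
    vnc_audit "$dir/vncservers" "$dir/iptables"
    rm -rf "$dir"
}

demo
```

To check a real machine, call vnc_audit /etc/sysconfig/vncservers /etc/sysconfig/iptables as root. A display reported as tunnel-only accepts connections only from the server itself, which is the case the "-via" option mentioned in the config comments is meant for.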
