By finid and Hazel Virdó
###Introduction
VNC, or “Virtual Network Computing”, is a connection system that allows you to use your keyboard and mouse to interact with a graphical desktop environment on a remote server. It makes managing files, software, and settings on a remote server easier for users who are not yet comfortable with the command line.
In this guide, we will be setting up VNC on an Ubuntu 16.04 server and connecting to it securely through an SSH tunnel. The VNC server we will be using is TightVNC, a fast and lightweight remote control package. This choice will ensure that our VNC connection will be smooth and stable even on slower internet connections.
##Prerequisites
To complete this tutorial, you’ll need:
-
An Ubuntu 16.04 Droplet set up via the Ubuntu 16.04 initial server setup tutorial, which includes having a sudo non-root user. Note that this tutorial can be completed using any size Droplet, but a VNC built on a smaller droplet may have more limits on functionality than a larger one.
-
A local computer with a VNC client installed that supports VNC connections over SSH tunnels. If you are using Windows, you could use TightVNC, RealVNC, or UltraVNC. Mac OS X users can use the built-in Screen Sharing program, or can use a cross-platform app like RealVNC. Linux users can choose from many options:
vinagre,krdc, RealVNC, TightVNC, and more.
##Step 1 — Installing the Desktop Environment and VNC Server
By default, an Ubuntu 16.04 Droplet does not come with a graphical desktop environment or a VNC server installed, so we’ll begin by installing those. Specifically, we will install packages for the latest Xfce desktop environment and the TightVNC package available in the official Ubuntu repository.
On your server, install the Xfce and TightVNC packages.
To complete the VNC server’s initial configuration after installation, use the vncserver command to set up a secure password.
You’ll be prompted to enter and verify a password, and also a view-only password. Users who log in with the view-only password will not be able to control the VNC instance with their mouse or keyboard. This is a helpful option if you want to demonstrate something to other people using your VNC server, but isn’t necessary.
Running vncserver completes the installation of VNC by creating default configuration files and connection information for our server to use. With these packages installed, you are now ready to configure your VNC server.
##Step 2 — Configuring the VNC Server
First, we need to tell our VNC server what commands to perform when it starts up. These commands are located in a configuration file called xstartup in the .vnc folder under your home directory. The startup script was created when you ran the vncserver in the previous step, but we need modify some of the commands for the Xfce desktop.
When VNC is first set up, it launches a default server instance on port 5901. This port is called a display port, and is referred to by VNC as :1. VNC can launch multiple instances on other display ports, like :2, :3, etc. When working with VNC servers, remember that :X is a display port that refers to 5900+X.
Because we are going to be changing how the VNC server is configured, we’ll need to first stop the VNC server instance that is running on port 5901.
The output should look like this, with a different PID:
OutputKilling Xtightvnc process ID 17648
Before we begin configuring the new xstartup file, let’s back up the original.
Now create a new xstartup file with nano or your favorite text editor.
Paste these commands into the file so that they are performed automatically whenever you start or restart the VNC server, then save and close the file.
~/.vnc/xstartup#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &
The first command in the file, xrdb $HOME/.Xresources, tells VNC’s GUI framework to read the server user’s .Xresources file. .Xresources is where a user can make changes to certain settings of the graphical desktop, like terminal colors, cursor themes, and font rendering. The second command simply tells the server to launch Xfce, which is where you will find all of the graphical software that you need to comfortably manage your server.
To ensure that the VNC server will be able to use this new startup file properly, we’ll need to grant executable privileges to it.
Now, restart the VNC server.
The server should be started with an output similar to this:
OutputNew 'X' desktop is your_server_name.com:1
Starting applications specified in /home/sammy/.vnc/xstartup
Log file is /home/sammy/.vnc/liniverse.com:1.log
##Step 3 — Testing the VNC Desktop
In this step, we’ll test the connectivity of your VNC server.
First, we need to create an SSH connection on your local computer that securely forwards to the localhost connection for VNC. You can do this via the terminal on Linux or OS X with following command. Remember to replace user and server_ip_address with the sudo non-root username and IP address of your server.
If you are using a graphical SSH client, like PuTTY, use server_ip_address as the connection IP, and set localhost:5901 as a new forwarded port in the program’s SSH tunnel settings.
Next, you may now use a VNC client to attempt a connection to the VNC server at localhost:5901. You’ll be prompted to authenticate. The correct password to use is the one you set in Step 1.
Once you are connected, you should see the default Xfce desktop. It should look something like this:
You can access files in your home directory with the file manager or from the command line, as seen here:
##Step 4 — Creating a VNC Service File
Next, we’ll set up the VNC server as a systemd service. This will make it possible to start, stop, and restart it as needed, like any other systemd service.
First, create a new unit file called /etc/systemd/system/vncserver@.service using your favorite text editor:
Copy and paste the following into it. Be sure to change the value of User and the username in the value of PIDFILE to match your username.
/etc/systemd/system/vncserver@.service[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target
[Service]
Type=forking
User=sammy
PAMName=login
PIDFile=/home/sammy/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i
[Install]
WantedBy=multi-user.target
Save and close the file.
Next, make the system aware of the new unit file.
Enable the unit file.
The 1 following the @ sign signifies which display number the service should appear over, in this case the default :1 as was discussed above.
Stop the current instance of the VNC server if it’s still running.
Then start it as you would start any other systemd service.
You can verify that it started with this command:
If it started correctly, the output should look like this:
vncserver@1.service - TightVNC server on Ubuntu 16.04
Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2016-04-25 03:21:34 EDT; 6s ago
Process: 2924 ExecStop=/usr/bin/vncserver -kill :%i (code=exited, status=0/SUCCESS)
...
systemd[1]: Starting TightVNC server on Ubuntu 16.04...
systemd[2938]: pam_unix(login:session): session opened for user finid by (uid=0)
systemd[2949]: pam_unix(login:session): session opened for user finid by (uid=0)
systemd[1]: Started TightVNC server on Ubuntu 16.04.
##Conclusion
You should now have a secured VNC server up and running on your Ubuntu 16.04 server. Now you’ll be able to manage your files, software, and settings with an easy-to-use and familiar graphical interface.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
About the author(s)
Jack of all trades, master of a few
hi! i write do.co/docs now, but i used to be the senior tech editor publishing tutorials here in the community.
Still looking for an answer?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Awesome, worked like a charm. I would like to note, though, that I did not need step 3 (tunneling via PuTTY) – I was able to connect directly to my droplet ( IP:port ) using VNC Viewer. Thank you!
Thank you for the great article. I especially like how you always provide a little more information than essentially necessary to accomplish the goal.
This way you enable us to see the context - I really enjoyed it.
sudo systemctl enable vncserver@1.service
should be?
sudo systemctl enable vncserver@.service
or not, @1 means its a parameter “1” that is passed to the service, so to start a service on display 1? Can I use
sudo systemctl enable vncserver@1.service
sudo systemctl enable vncserver@2.service
sudo systemctl enable vncserver@3.service
To have 3 vnc displays running?
Excellent Tutorial!! I got “connection refused” on ssh command in Step 3. It may be due to I tried to set up xRDP before.
sudo apt-get install xfce4 xfce4-goodies tightvncserver
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
tightvncserver : Depends: x11-utils
xfce4 : Depends: xfce4-panel (>= 4.10.0) but it is not going to be installed
Depends: xfce4-mixer (>= 4.10.0) but it is not going to be installed
Depends: orage (>= 4.8.0) but it is not going to be installed
Recommends: xorg but it is not going to be installed
xfce4-goodies : Depends: xfce4-battery-plugin but it is not going to be installed
Depends: xfce4-clipman-plugin but it is not going to be installed
Depends: xfce4-cpufreq-plugin but it is not going to be installed
Depends: xfce4-cpugraph-plugin but it is not going to be installed
Depends: xfce4-datetime-plugin but it is not going to be installed
Depends: xfce4-diskperf-plugin but it is not going to be installed
Depends: xfce4-fsguard-plugin but it is not going to be installed
Depends: xfce4-genmon-plugin but it is not going to be installed
Depends: xfce4-mailwatch-plugin but it is not going to be installed
Depends: xfce4-mount-plugin but it is not going to be installed
Depends: xfce4-netload-plugin but it is not going to be installed
Depends: xfce4-notes-plugin but it is not going to be installed
Depends: xfce4-places-plugin but it is not going to be installed
Depends: xfce4-quicklauncher-plugin but it is not going to be installed
Depends: xfce4-sensors-plugin but it is not going to be installed
Depends: xfce4-smartbookmark-plugin but it is not going to be installed
Depends: xfce4-systemload-plugin but it is not going to be installed
Depends: xfce4-timer-plugin but it is not going to be installed
Depends: xfce4-verve-plugin but it is not going to be installed
Depends: xfce4-wavelan-plugin but it is not going to be installed
Depends: xfce4-weather-plugin but it is not going to be installed
Depends: xfce4-xkb-plugin but it is not going to be installed
Depends: thunar-media-tags-plugin but it is not going to be installed
Depends: mousepad but it is not going to be installed
Depends: xfce4-dict but it is not going to be installed
Depends: xfce4-screenshooter but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
Can you offer more details about the SSH tunnel settings? I can’t get this working with PuttY
EDIT: Found a better description here: http://www.liquidweb.com/kb/how-to-configure-a-vnc-server-to-use-an-ssh-tunnel-on-ubuntu-14-04-lts/
To Connect via PuTTy
Under Connection -> SSH -> Tunnels add:
Source port: 5901 Destination: localhost:5901
And connect to your server at its IP address and port 22 via PuTTY.
And then connect to localhost:5901 via a VNC viewer such as TightVNC.
Hmm when I login with the tunneling, it just throws me into a normal SSH session. Is it because I’m using ssl keys login ? Does this effect what happens?
I have 3 problems
- After “sudo systemctl start vncserver@1” command
I have an error
Job for vncserver@1.service failed because the control process exited with error code. See "systemctl status vncserver@1.service" and "journalctl -xe" for details.
I update with sudo apt-get update but problem persist
-
how can i login into VNC changing user from root to normal user in ubuntu 16,04?
-
Some UI XFCE4 elements are missed - why happens? sudo apt install xfce4 xfce4-goodies tightvncserver command is uncomplete?
I solve with this plus command
sudo apt-get install gnome-icon-theme-full tango-icon-theme
This guide is totally useless, went through every step EXACTLY and get errors at ssh -L 5901:127.0.0.1:5901 -N -f -l username server_ip_address and sudo systemctl enable vncserver@1.service and so far the support from DigitalOcean via support ticket has NOT BE up to par.
Thanks for this great tutorial. The only change that I have been force to do was here: ssh -L 5901:127.0.0.1:5901 -N -f -l username server_ip_address
It didn’t work for me but
ssh -L 8080:127.0.0.1:5901 -N -f -l username server_ip_address
works great with vmc://localhost:8080
Thanks again !
sudo systemctl enable vncserver@1.service
gives an output below:
Failed to execute operation: Invalid argument
I have tried using username as my login name and root, neither of them worked.
So as soon as i remote is with the VNC session (the xfce4 desktop is displayed) but with errors.
xfce unable to determine failsafe session name. possible causes: xfconfd isn’t running (D-Bus setup problem); environment variable $XDG_CONFIG_DIRS is set incorrectly (must include… and so on.
Read elsewhere that this is a permissions problem of some kind and was wondering if someone could explain how to resolve?
I recorded my screen while setting up VNC on Ubuntu 16.04. Here’s the YouTube video if anyone want to watch and learn. https://www.youtube.com/watch?v=f-NS4IM3NEI
I have a problem with keyboard layout I have installed the server on “Debian stretch”. Works well. But when i access from the client in Kde (also on Debian streth - krdc or VNC Viewer) I get an error with keyboard. For instance, pressing “f”, appear letter “h”
Some idea?
This tutorial is totally useless. There is no $HOME/.Xresources in Ubuntu 16.04, to start with. I could not manage to create a working VNC connection to my Ubuntu machine, despite the very promising name.
What if ssh is running in another port? Do I have to change anything here? ssh -L 5901:127.0.0.1:5901 -N -f -l username server_ip_address
I try to start the service but I get an error:
bomberb17@odroid:~$ sudo systemctl start vncserver@1
[sudo] password for bomberb17:
Job for vncserver@1.service failed because the control process exited with error code. See "systemctl status vncserver@1.service" and "journalctl -xe" for details.
Also:
bomberb17@odroid:~$ systemctl status vncserver@1.service
● vncserver@1.service - Start TightVNC server at startup
Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2017-02-25 11:46:17 EET; 34s ago
Process: 2417 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i (code=exited, status=217/USER)
Process: 2414 ExecStartPre=/usr/bin/vncserver -kill :%i > /dev/null 2>&1 (code=exited, status=217/USER)
Any ideas?
You should probably add a section to change the port number for tightvnc. It hasn’t been a week since I setup a quick machine that I needed with VNC and I’m already getting blocked from getting into my VPS via VNC because of the “too many authentication failure” message.
To fix that, I have to restart tightvnc:
vncserver -kill :1 vncserver
The best way to prevent that error message and thus to prevent you from killing your vncserver and losing your windows from last time, is to change the internal port number to something else. Another way to do it would be to change the failed loggin threshold to a higher number, but changing the port number is preferred.
Got as far as step 3 but haven’t successfully connected. Attempts to connect via the viewer produces the message ‘the connection was refused by the computer’. Obviously sounds like a permissions issue. I did execute the ‘sudo chmod +x ~/.vnc/xstartup’ command as described - even repeated it a second time just now - but no joy. I’m very much a newbie so if responding I’d appreciate a detailed how to, thanks.
Re started the vncserver and got to the authentication phase and authentication fails. It could be that I have mis recorded the password, so I’ll try to resent that. Not sure how, but will research that.
It get to the point of systemctl start vncserver@1 but then I get Job for vncserver@1.service failed because the control process exited with error code. See "systemctl status vncserver@1.service" and "journalctl -xe" for details.
Hello, I just followed this tutorial. I am a Mac user. I have to keep typing in ssh -L 5901:127.0.0.1:5901 -N -f -l “username” “IPADDRESS” everytime i want to connect via Screen Sharing. Have I done something wrong?
when I attempt to create the SSH connection (Step 3). I get the following error:
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
Any recommendations on anything I may be overlooking?
Have this issue. Not sure what this means. I’m not tech savy when it comes to this kinda stuff.
ssh -L 5901:127.0.0.1:5901 -N -f -l plex xxx.xxx.xxx.xxx plex@xxx.xxx.xxx.xxx’s password: bind: Address already in use channel_setup_fwd_listener_tcpip: cannot listen to port: 5901 Could not request local forwarding.
Hi, Thanks for this.
Got a question.
At the end of step 2 after successfully starting vncserver I get a “Out of memory: kill process (xtightvnc) … killed process …” message.
My droplet is 512MB 20GB space… What could be the cause of this or should I just ignore it? Thanks.
Registered just to say - thanks! Everything you need, all crystal clear.
For MATE not xfce, the ~/.vnc/xstartup is:
#!/bin/sh
# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
mate-session &
mate-panel &
Hello! everything was working good upto step 3 when i execute: ssh -L 5901:127.0.0.1:5901 -N -f -l username server_ip_address
i switched the username to the device’s username and its ip address, however i get the following:
bind: Address already in use channel_setup_fwd_listener_tcpip: cannot listen to port: 5901 Could not request local forwarding.
do i have to change the command 5901:127.0.0.1:5901?
This comment has been deleted
In the service file change:
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
to
ExecStart=/usr/bin/vncserver -localhost -nolisten tcp -depth 24 -geometry 1280x800 :%i
So that only users connected via ssh port forward have access to the service.
:)
Tutorial heavily outdated for Ubuntu 17.10
Also, you should mention that File transfer with UltraVNC viewer and TightVNC server is not compatible.
And sudo update-rc.d vncserver defaults not needed anymore?
Great tutorial! One thing for me is that the “Enable the unit file.” step did not work for me. Any ideas as to why?
I can’t seem to get past Step 3. Rather, I can’t complete it. I’ve added the tunnel (which I don’t know if I did correctly but I wrote the 5901 in the Source Port and localhost:5901 in the destination, but after that I cannot connect via VNC. The ‘best’ I got was “gracefully terminated by host” as a message from VNC the moment I try to establish a connection.
Great tutorial. I’d go a step further and use ufw to block all incoming ports other than 22 for ssh.
apt-get install ufw
ufw allow 22
ufw enable
This used to work great for me, but, trying to setup new servers in Ubuntu 16 now fail at creating a service file. I get a “TightVNC failed at startup”.
Ideas?
This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.