A VNC server is a program that shares a desktop with other computers over the Internet. You will need a VNC server if you want other people to see your desktop. Every VNC server has different strengths and weaknesses and is appropriate for different uses. This page will discuss each of the VNC servers available in Ubuntu, and ways to configure them for most common uses of VNC.
Common security options
The most important thing when setting up a VNC server is to only let the right people access your desktop. The safest way to do that is usually to have someone sitting at the desktop deciding who gets to use it, but that's not always practical - for example, if you want to log in to your own computer from somewhere else.
If you want to confirm each connection manually, you should look for these options:
Request access each time - pop a window up asking whether to allow each connection as it comes in
view-only access - allow VNC clients to view the destkop, but not to change anything. As well adding a little security, this avoids problems with both of you fighting over control of the mouse
Using these two options will give you the most security. Requesting access each time will ensure that nobody can connect without you noticing, and view-only access will mean that they can't change anything without asking you to do it for them.
If you want to access your desktop when nobody is sitting at it, these options will be more useful:
Only allow local connections - only let people connect if they already have access to your computer
Start your VNC server in "once" mode - tell your VNC server to allow one connection, then block anything after that
Set a password - require people to send a password before they can connect
These three options should give you a secure set-up, so long as they're used with port-forwarding. Only allowing local connections means that only people with user accounts on your computer can access your desktop. Starting the server in "once" mode means that people with user accounts on your computer would have to log in to your desktop between the time you start your VNC server and the time you connect from your VNC client. Setting a password means that, if anyone did try to connect in that brief interval, they probably wouldn't be able to get in before you noticed and stopped the server.
Although passwords add some security, hard-to-guess passwords are as difficult to create as they are to remember. If nobody else has access to your computer, you might want to skip passwords altogether.
Note: you must set a password if you want to use the in-built VNC client in Mac OS X.
Vino is the default VNC server in Ubuntu to share your existing desktop with other users. If you are using Ubuntu 8.04 LTS (Hardy Heron), you will probably need to install another server because of a known bug that stops vino working for most people.
To configure vino from within GNOME, go to System > Preferences > Remote Desktop
To set vino to request access each time, tick Allow other users to view your desktop in the Remote Desktop configuration window
- There's no way to set vino to only listen for the next connection
To set a password, tick Require the user to enter this password:, and enter a hard-to-guess password
To put vino in view-only mode, untick Allow other users to control your desktop
To only allow local connections,
In versions up to Ubuntu 8.10 ("Intrepid Ibex"): click on the tab marked Advanced, then tick Only allow local connections
In Ubuntu 9.04 ("Jaunty Jackalope") to Ubuntu 11.04 ("Natty Narwhal"): press alt-f2 to open the "run application" window, then type in gconftool -s /desktop/gnome/remote_access/network_interface lo --type string and click Run
In Ubuntu 11.10 ("Oneiric Ocelot") and newer: open a terminal and run the command gsettings set org.gnome.Vino network-interface lo
To allow connections from anywhere,
In versions up to Ubuntu 8.10 ("Intrepid Ibex"): click on the tab marked Advanced, then untick Only allow local connections
In Ubuntu 9.04 ("Jaunty Jackalope") to Ubuntu 11.04 ("Natty Narwhal"): press alt-f2 to open the "run application" window, then type in gconftool -u /desktop/gnome/remote_access/network_interface and click Run
In Ubuntu 11.10 ("Oneiric Ocelot") and newer: open a terminal and run the command gsettings reset org.gnome.Vino network-interface
Krfb is the default VNC server in Kubuntu, and is recommended for KDE users. Because it's highly integrated with KDE, running it in other environments is difficult.
To configure krfb, go to System Settings > Sharing > Desktop Sharing > Configure....
To set krfb to request access each time, tick Confirm uninvited connections before accepting
- There's no official way to set krfb to only listen for the next connection, although see below for an unofficial solution
To set a password, type a hard-to-guess password into the Password input box
To put krfb in view-only mode, untick Allow uninvited connections to control the desktop
- There's no official way to only allow local connections, although see below for an unofficial solution
Krfb doesn't have any official way to accept the next connection then stop listening for connection attempts. However, the following Python script will listen for a single connection then exit krfb:
#!/usr/bin/python # Load extra functionality from the 'socket' and 'os' modules from socket import socket, AF_INET, SOCK_STREAM from os import execl # Listen for a connection server = socket(AF_INET, SOCK_STREAM) # This is an Internet (TCP) connection server.bind(('127.0.0.1', 5900)) # Listen for a local connection on port 5,900 server.listen(1) # Listen for exactly 1 connection sock = server.accept() # Accept the connection # Attach krfb to this connection execl('/usr/bin/krfb', 'krfb', '--kinetd', str(sock.fileno()))
To use this script, open your favourite text editor and paste the contents in. Make sure that the initial '#' character is the very first character in the file, save the file as krfb.py, and set the file's permissions to make it executable. Although this simple program won't open a window of any kind, it will quietly wait for the next VNC client to connect to your computer, then pass the connection through to krfb.
This script will only listen for local connections. To allow connections from anywhere, change 127.0.0.1 to 0.0.0.0 in the script.
Krfb lets you create "invitations" - individual passwords that are deactivated after an hour or after one use. These are a handy way of giving people one-time access to a computer, but only provide limited security. For example, if you send someone an invitation by e-mail or instant messaging, an attacker could read your invitation message as it went over the Internet and use it to log in.
Invitations can be useful when you want to let other people view your desktop, but you still need to follow the normal precautions when letting other people view your desktop.
X11vnc is a VNC server that doesn't depend on GNOME or KDE, and is recommended for use by Xubuntu users. It's designed to be run from the command-line, which makes it flexible but difficult to learn. The few graphical parts of the interface are quite unattractive, because they're designed to work even on a very minimal installation. X11vnc is available in the x11vnc package in the Universe repository.
Although x11vnc does have a simple configuration file, it's generally easier to specify options on the command-line. To start x11vnc, type:
x11vnc -safer <options>
<options> is a series of commands separated by spaces. X11vnc has a lot of options, which are discussed fully in the x11vnc man page. Common options include:
To set x11vnc to request access each time, include the -nopw -accept popup:0 options
To set x11vnc to only listen for the next connection, include the -once option
To set x11vnc to continually listen for connections, include the -forever option
To set a password, include the -usepw option (and remove the -nopw option above)
To put x11vnc in view-only mode, include the -viewonly option
To set x11vnc to only allow local connections, include the -localhost option
For example, if you want x11vnc to grant view-only access to the next local connection after asking your permission, type this on the command-line:
x11vnc -safer -localhost -nopw -accept popup:0 -once -viewonly -display :0
If you use a password, you will first need to create a password file by doing:
Make sure to use a hard-to-guess password
Connecting to your login screen
Because X11vnc is run from the command-line, it can be started while your computer is still showing a login screen. Exactly how to do this depends on which derivative of Ubuntu you use. In Ubuntu (but not Kubuntu or Xubuntu), x11vnc needs superuser access, and needs the -auth /var/lib/gdm/:0.Xauth -display :0 options to be specified on the command-line.
You can run x11vnc before you've logged in by typing something like this:
sudo x11vnc -safer -localhost -once -nopw -auth /var/lib/gdm/:0.Xauth -display :0
Or you can add the following lines to the bottom of your /etc/gdm/Init/Default to have x11vnc start after your gnome login does (note that /etc/gdm/Init/Default does not exist on some Ubuntu devices):
# Start the x11vnc Server /usr/bin/x11vnc <options>
(Thanks to the x11vnc FAQ for this tip)
Whereas most VNC servers share your desktop, tightvnc creates a completely new desktop, not attached to any actual screen. This makes it much less useful for some things (like remote help), but much more useful for others (like creating a public area for collaboration). If tightvncserver won't start, you might need to uncomment the $fontpath lines in /etc/vnc.conf.
Like x11vnc, tightvnc is designed to be run from the command-line. To start it, type:
tightvncserver -nolisten tcp :1
This will tell tightvnc to listen for VNC connections on port 5,901 from anywhere on the Internet. Without the -nolisten tcp option, tightvnc will also listen for a different type of connection (X11 instead of VNC), which isn't usually very useful. Tightvnc's unusual design means that it can't create a remote desktop on the standard VNC port (5,900) if you have an ordinary desktop running on your computer.
- There's no way to set tightvncserver to request access each time
- There's no way to set tightvncserver only to accept the next connection, although see below for a similar solution
- Tightvncserver always requires a password, and will ask you to specify one the first time it's run
- There's no way to put tightvncserver in view-only mode
To set tightvncserver to only allow local connections, include the -localhost option
Tightvncserver can't be set to accept the next connection then stop listening for connection attempts. But it can be set to automatically disconnect each client when the next client connects, and can be stopped after your connection is disconnected. To only allow local connections and automatically disconnect clients, start tightvnc by typing:
tightvncserver -nolisten tcp -localhost -nevershared :1
Then when your client is disconnected by the next client connecting, type:
tightvncserver -kill :1
Customising your session
By default, tightvncserver provides a session with a simple window manager and a terminal. The first time tightvncserver runs, it creates a ~/.vnc/xstartup file that you can use to customise your session. Here is an example file that would give you a GNOME desktop:
#!/bin/sh # Change "GNOME" to "KDE" for a KDE desktop, or "" for a generic desktop MODE="GNOME" #Uncommment this line if using Gnome and your keyboard mappings are incorrect. #export XKL_XMODMAP_DISABLE=1 # Load X resources (if any) if [ -e "$HOME/.Xresources" ] then xrdb "$HOME/.Xresources" fi # Try a GNOME session, or fall back to KDE if [ "GNOME" = "$MODE" ] then if which gnome-session >/dev/null then gnome-session --session=ubuntu-2d & else MODE="KDE" fi fi # Try a KDE session, or fall back to generic if [ "KDE" = "$MODE" ] then if which startkde >/dev/null then startkde & else MODE="" fi fi # Run a generic session if [ -z "$MODE" ] then xsetroot -solid "#DAB082" x-terminal-emulator -geometry "80x24+10+10" -ls -title "$VNCDESKTOP Desktop" & x-window-manager & fi
Your changes will take effect the next time you start tightvncserver.
directvnc is a VNC server that shares a Linux framebuffer instead of a desktop
linuxvnc is a VNC server that shares a text-based console instead of a desktop
xrdp is a server for Microsoft's Remote Desktop protocol, a client for which comes with all modern versions of Windows
xserver-xephyr allows you to create a desktop within a desktop on a single computer
Apple Remote Desktop is a desktop sharing application for Mac OS that includes a VNC server
Apple Screen Sharing is a client application included in Mac OS that allows you to connect to a VNC server
Having Compiz enabled may interrupt screen updates with some servers and clients. Using -noxdamage with x11vnc can prevent this.