VNC is a protocol that allows a desktop to be viewed and controlled remotely over the Internet. To use VNC, a [[/Servers|VNC server]] must be run on the computer sharing the desktop, and a [[/Clients|VNC client]] must be run on the computer that will access the shared desktop. If you're connecting to a client behind a firewall, you may need to use [[/Reverse|Reverse VNC]] instead.

= Common uses =

== Helping someone via VNC over the Internet ==

A common usage scenario is helping another Ubuntu user over the internet via screen sharing.

== Accessing your desktop over the Internet ==

Although VNC has some optional security features, you should not run VNC directly over an untrusted network like the Internet. Instead, you should set an SSH server up as discussed in the [[SSH|SSH guide]] and configure a VNC server that you can start in so-called '''once mode'''. When you have set up your SSH and VNC servers, you can use SSH to log in to your computer over the Internet, start your VNC server, and use [[#port-forwarding|port-forwarding]] to securely access the VNC server.

== Let other people view your desktop ==

If a small group of people regularly want to access your desktop, the best solution might be to [[SSH|set up an SSH server]], then add their public keys to your '''authorized_keys''' file, with very limited rights. As [[SSH/OpenSSH/Keys#keys-with-specific-commands|discussed]] in the SSH guide, you can limit the SSH features that each public key can use - typically, a user that should only have VNC access would have a line like the following in '''authorized_keys''':

{{{
command="/bin/sleep 4294967295",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="localhost:5900"
}}}

This will allow the specified person to log in to your computer using your username and their public key instead of your password. The long list of ''no-xyz'' statements disallows them from doing just about anything except connecting to a VNC server.
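Since a single missing option leaves a guest key with more than VNC access, each such line can be checked against the restrictions listed above. The script below is an added example, not part of the original page; the function names and the sample lines (with a placeholder key blob) are constructed for illustration.

```shell
# Added example, not from the original page: check that one authorized_keys
# line carries every restriction from the page's VNC-only example.

# Constructed sample lines; the key blob is a placeholder, not a real key.
KEY='ssh-ed25519 AAAAEXAMPLEPLACEHOLDER guest@example'
BASE='command="/bin/sleep 4294967295",no-agent-forwarding,no-user-rc,no-X11-forwarding'
GOOD="$BASE,no-pty,permitopen=\"localhost:5900\" $KEY"
NO_PTY_MISSING="$BASE,permitopen=\"localhost:5900\" $KEY"
WIDE="$BASE,no-pty,permitopen=\"localhost:5900\",permitopen=\"localhost:22\" $KEY"
UNRESTRICTED="$KEY"

# Print the options field one option per line, honouring quoted commas/spaces.
# A line that starts with a key type has no options and prints nothing.
split_options() {
    printf '%s\n' "$1" | awk '$1 !~ /^(ssh-|ecdsa-|sk-)/ {
        inq = 0; opt = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (inq && c == "\\") { opt = opt c substr($0, ++i, 1); continue }
            if (c == "\"") inq = !inq
            if (!inq && (c == " " || c == "\t")) break
            if (!inq && c == ",") { print opt; opt = ""; continue }
            opt = opt c
        }
        if (opt != "") print opt
    }'
}

# Print "OK", or "FAIL:" plus each missing or unexpected option (matched with
# the exact spelling used on the page); return non-zero on failure.
audit_vnc_key() {
    opts=$(split_options "$1")
    bad=""
    for want in 'command="/bin/sleep 4294967295"' no-agent-forwarding no-pty \
                no-user-rc no-X11-forwarding 'permitopen="localhost:5900"'; do
        printf '%s\n' "$opts" | grep -qxF -- "$want" || bad="$bad $want"
    done
    # Any other permitopen target widens what the key can reach.
    extra=$(printf '%s\n' "$opts" | grep '^permitopen=' |
            grep -vxF 'permitopen="localhost:5900"' || true)
    if [ -n "$extra" ]; then bad="$bad unexpected:$extra"; fi
    if [ -n "$bad" ]; then echo "FAIL:$bad"; return 1; fi
    echo "OK"
}

for line in "$GOOD" "$NO_PTY_MISSING" "$WIDE" "$UNRESTRICTED"; do
    audit_vnc_key "$line" || true
done
```

A key line with no options at all fails every check, which is the case most worth catching before handing out access.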
Because the Internet is a high speed public network, an attacker anywhere in the world could connect to an unsecured VNC server and start guessing passwords at a rate of thousands per minute. Even if they couldn't guess your password, they could snoop on the VNC session much like someone in an Internet cafe might peer over your shoulder.

If securing your connection is not an option, it's possible to provide an unsecured VNC connection with a fairly low risk of disaster, so long as you follow three basic safety precautions:

 * only allow the other person to view your desktop, '''not''' to control it
 * tell your VNC server to request permission before allowing anyone to see your desktop
 * don't do anything that you wouldn't do in an Internet cafe

If you're not comfortable with the risks, and the secure options discussed above aren't appropriate, you might be able to [[Ubuntu:TakingScreenshots|take screenshots]] instead, and send them to the other person.

Whichever of the above techniques you use, you might find that you can connect to your VNC server from computers on your local network, but that other people can't connect to your server over the Internet. If that happens, you might need to [[ServersBehindNAT|reconfigure your router]].

An application called [[https://launchpad.net/remote-help-assistant|Remote Help Assistant]] is being developed to help smooth the setup of remote connections, and needs unskilled volunteers to help test new versions.

== SSH port-forwarding ==

SSH has a feature called [[SSH/OpenSSH/PortForwarding|local port forwarding]]. Among many other things, this lets you securely connect to a computer over the Internet, then access that computer's VNC server over the secure connection. Using the command-line SSH client that comes with Ubuntu, you would normally do something like the following:

{{{
ssh -L 5900:localhost:5900 joe@laptop
}}}

This would log in to Joe's laptop and forward his shared desktop to your computer.
You could then start your VNC client and connect to port 5900 on your computer to see his shared desktop. This is covered in more detail on the [[SSH/OpenSSH/PortForwarding|SSH port forwarding page]].

= VNC Software =

To view a desktop remotely, you need a VNC server to share the desktop, and a VNC client to view the shared desktop. There are many [[/Servers|VNC Servers]] and [[/Clients|VNC Clients]] for every operating system.

= Guide to example scenarios =

This section discusses some situations where you would want to use VNC, and how to set a server up for that situation. The first scenario, [[#accessing-your-pc|Accessing your desktop over the internet]], describes how to set VNC up for a computer that logs in automatically as soon as it starts up. As accessing a shared login screen requires more security privileges than accessing your personal desktop, the second scenario, [[#accessing-family-pc|Accessing a family PC over the Internet]], describes the extra steps you need to take in order to access your computer before you've logged in.

== Accessing your PC over the Internet ==

This section describes how to connect to your own desktop computer from somewhere else on the Internet. See below for instructions about logging in to a shared computer.

To set your VNC server up, follow these steps. You should only need to do this once:

 1. [[InstallingSoftware|Install]] the ''x11vnc'' and ''openssh-server'' packages on your PC ([[apt:x11vnc,openssh-server|click here to install x11vnc and openssh-server]])
 1. If you have previously reconfigured the firewall on your PC, make sure the firewall allows incoming connections on port `22` from anywhere, and on port `5900` from `localhost` (also known as `127.0.0.1`)
 1. If your PC is behind a home router, or any other device that uses NAT, [[ServersBehindNAT#Procedure|configure your router]] to send connection attempts on port `22` (but '''not''' port `5900`) to your PC
 1. [[SSH/OpenSSH/ConnectingTo|Choose an SSH client]] for the computer you'll log in from, and create a public key for that computer
 1. In a text editor on your PC, open the file `~/.ssh/authorized_keys`, then add the public key you just created to the bottom of the file

Each time you want to connect to your PC, follow these steps:

 1. Find your PC's public name or IP address. Unless your PC has been assigned a memorable name, the easiest way to do this is to go to [[http://whatismyip.com/|whatismyip.com]] from your PC. You can assign your PC a name by getting one from a [[DynamicDNS|dynamic DNS]] provider
 1. Start the SSH client on the computer you'll log in from.
 1. Tell the SSH client to use local port-forwarding to connect port 5900 on your desktop to port 5900 on localhost.
 1. Via the SSH client, run the command `x11vnc -safer -localhost -nopw -once -display :0` on the computer whose desktop you will view.
 1. Tell the SSH client to connect to your PC (in case it's not already connected).
 1. Start a VNC client on the computer you'll log in from, and tell the VNC client to connect to port 5900 on `localhost`.

If you have a dial-up Internet connection, your IP address will change every time you connect to the Internet. If you have a broadband Internet connection, your address will probably only change once every few months - usually right around the day you forget to check your address.

If the VNC connection is terribly slow, then you may want to try compressing the session using {{{vncviewer -encodings "tight" localhost:0}}} instead of {{{vncviewer localhost:0}}}.

Exactly how to perform the above steps depends on the SSH client you use. Here are some examples.
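Whichever client you use, you can confirm on the PC itself that the VNC server is reachable only through the SSH tunnel, as the `-localhost` option and the port `5900` firewall rule intend. The script below is an added example, not part of the original page; the function names are hypothetical, the `ss -ltn` output is constructed, and the 5900-5999 port range is an assumption covering VNC displays :0 to :99.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that the VNC server
# started with `x11vnc -localhost` is listening on loopback addresses only.

# Constructed `ss -ltn` output: x11vnc started with -localhost ...
SAFE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      32         127.0.0.1:5900      0.0.0.0:*
LISTEN 0      32             [::1]:5900         [::]:*'
# ... and started without it, so port 5900 is open on every interface.
OPEN_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      32           0.0.0.0:5900      0.0.0.0:*
LISTEN 0      32              [::]:5900         [::]:*'

# Read `ss -ltn` output on stdin; print each listener on a VNC port
# (5900-5999, assumed range) whose local address is not loopback.
exposed_vnc_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":")
        port = part[n] + 0
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        if (port < 5900 || port > 5999) next
        if (addr ~ /^127\./ || addr == "[::1]") next
        print addr ":" port
    }'
}

# Print "loopback-only" and return 0 when nothing is exposed;
# otherwise list the exposed listeners and return 1.
check_vnc_exposure() {
    found=$(exposed_vnc_listeners)
    if [ -n "$found" ]; then
        printf 'EXPOSED: %s\n' "$found"
        return 1
    fi
    echo "loopback-only"
}

printf '%s\n' "$SAFE_SS" | check_vnc_exposure
printf '%s\n' "$OPEN_SS" | check_vnc_exposure || true
# On the PC itself, after starting x11vnc: ss -ltn | check_vnc_exposure
```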
=== Logging in from another Ubuntu PC ===

Rebecca wants to connect to her Ubuntu desktop from her Ubuntu laptop. She is using the standard software that comes with Ubuntu. Before her first connection, she creates a shell script:

 1. She sets up a [[DynamicDNS|dynamic DNS]] address for her desktop computer: ''rebeccas-pc.dyndns.org''
 1. From her laptop, she goes to ''Applications > Accessories > Text Editor''
 1. In ''Text Editor'', she types in the following shell script:
 {{{
#!sh
#!/bin/sh
# Start a one-shot, localhost-only x11vnc over SSH (-f backgrounds ssh after login),
# wait for it to come up, then view it through the forwarded port.
ssh -C -f -L 5900:localhost:5900 rebecca@rebeccas-pc.dyndns.org \
    x11vnc -safer -localhost -nopw -once -display :0 \
    && sleep 5 \
    && vncviewer localhost:0
 }}}
 1. In ''Text Editor'', she saves the script to her Desktop as ''Connect to rebeccas-pc.sh''
 1. From her laptop, she right-clicks on the desktop icon she's created, and clicks ''Properties''
 1. From the ''Properties'' window, she clicks ''Permissions'', then ''Allow executing file as program''
 1. From the ''Properties'' window, she clicks ''Close''

Then each time she connects to her desktop PC, she double-clicks on ''Connect to rebeccas-pc.sh'', and waits about 5 seconds.

=== Logging in from a Windows PC ===

Simon wants to connect to his Ubuntu PC from his work computer, running Windows. He has installed [[http://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] and [[http://www.tightvnc.com/|TightVNC Viewer]] on his work computer. Before his first connection, he sets up PuTTY:

 1. From his home computer, he visits [[http://whatismyip.com/|www.whatismyip.com]], and finds that his computer's IP address is 1.2.3.4
 1. From his work computer, he runs PuTTY.
 1. In the PuTTY configuration window, he goes to ''Connection > SSH > Tunnels''
 1. In the ''Tunnels'' section of PuTTY, he types ''5902'' for ''Source port'', ''localhost:5900'' for ''Destination'', then clicks ''Add''
 1. He goes back to the ''Session'' section of the PuTTY configuration window
 1. He types ''simon@1.2.3.4'' for ''Host Name (or IP address)'', and clicks ''SSH''
 1. He types ''Home'' for ''Saved Sessions'' and clicks ''Save''

Then each time he connects to his home PC, he does this:

 1. From his work computer, he runs PuTTY
 1. From PuTTY, he clicks the ''Home'' saved session, then clicks ''Open''
 1. In the PuTTY window, he types his password and presses ''Return''
 1. In the PuTTY window, he types `x11vnc -safer -localhost -nopw -once -display :0` and presses ''Return''
 1. From his work computer, he runs TightVNC Viewer
 1. In TightVNC Viewer, he types ''localhost::5902'' for ''VNC server'' and presses Connect.

== Accessing a family PC over the Internet ==

Accessing a family PC is a similar problem to accessing your own PC, except that the VNC server needs more security privileges in order to show your login screen.

First, make sure that you can [[#accessing-your-pc|access your own desktop after logging in]] - once you've logged in, accessing a shared PC is no different to accessing your own PC.

Second, follow the instructions to [[/Servers#x11vnc-before-login|get x11vnc working before you log in]].

Finally, go through the procedure to [[#accessing-your-pc|access your own desktop after logging in]], but instead of running the command `x11vnc -safer -localhost -nopw -once -display :0`, use `sudo x11vnc -safer -localhost -nopw -once -auth /var/lib/gdm/:0.Xauth -display :0`. If the computer you'll log in from is an Ubuntu PC, you could do:

{{{
# YOURUSERNAME and YOURHOSTNAME are placeholders for your login name and your PC's address
ssh -L 5900:localhost:5900 YOURUSERNAME@YOURHOSTNAME \
    sudo x11vnc -safer -localhost -nopw -once \
    -auth /var/lib/gdm/:0.Xauth -display :0 \
    ; bg \
    && vncviewer localhost:0
}}}

After you log in, you will be asked to type your password. Once you've typed your password in, you should press Ctrl-Z to continue.

== Reverse VNC ==

If you want to help someone who is remote, the usual problem is that their machine is behind NAT or a firewall, and they don't know how to change it.
There is, however, a simple solution available if:

 * You are directly connected to the internet
 * OR
 * You have control over your own NAT device and can set up port forwarding

The solution is to use ''reverse VNC'' to solve the NAT problems. Usually you have to establish a connection to the computer you would like to control. Reverse VNC does the opposite. You open a port where your vncviewer listens, and the computer you would like to control connects to your computer.

The security risk involved is that the content of the other user's computer screen is transmitted unencrypted over the internet.

Here are the steps to make it work:

 1. Install a VNC viewer on your machine (follow the steps below). Tested with the `xvnc4viewer` package.
 1. If you are not directly connected to the internet, [[ServersBehindNAT|set up port-forwarding]] on your router for port 5500 to your PC.
 1. Make sure your firewall does not block port 5500 (see below)
 1. Find out your public IP address, for example by visiting [[http://www.whatismyip.com/]]
 1. Start vnc in listen mode on your computer: `vncviewer -listen` (using Alt-F2 or via the shell)
 1. Ask the user you are trying to help to install the ''x11vnc'' package.
 1. Ask the user to execute `x11vnc -connect YOURIPADDRESS` using Alt-F2 or via the shell

= Further information =

Remote desktop solutions are a broad and complex topic.
The following links provide more detail about the technologies involved:

 * [[WikiPedia:Vnc|Wikipedia's VNC page]]
 * [[WikiPedia:Remote_administration|Wikipedia's remote administration page]]
 * [[WikiPedia:Remote_Desktop_Protocol|The Remote Desktop Protocol]] is a similar protocol, popular in Windows
 * [[WikiPedia:NX_technology|The NX Protocol]] is another similar protocol
 * [[WikiPedia:XDMCP|XDMCP]] is a protocol which also enables remote login
 * [[http://tldp.org/HOWTO/XDMCP-HOWTO/|The XDMCP How-to]] and two Ubuntu [[http://ubuntuforums.org/showpost.php?p=5229232&postcount=458|forum]] [[http://ubuntuforums.org/showpost.php?p=4963842&postcount=1|posts]] give explanations about how to use XDMCP
 * [[DynamicDNS]] is a way to obtain a stable DNS name even if your IP changes dynamically
 * [[WikiPedia:KVM_switch|KVM switches]] are hardware devices that switch a keyboard, monitor and mouse between two or more computers
 * [[Xen]] is a way of running a virtual machine in Linux
 * [[WikiPedia:Wake-on-LAN|Wake-on-LAN]] is a way of powering a computer on over a network or the Internet.
 * [[http://ubuntuguide.org/wiki/Ubuntu:Karmic#Remote_Access|Ubuntuguide Remote Access]] -- clear, concise, up-to-date information about VNC, XDMCP, SSH, and the alternatives

----
CategoryNetworking CategoryInternet