The Virtual Network Computer or VNC software is used to open remote desktop sessions on the servers running it.
The VNC server listens for tcp connections on port 5901 and up. One port can only service one connection at a time. So if you want to have up to 10 VNC sessions in one server, you'll need to configure ports 5901-5910.
There are different software packages that provide VNC but we will cover just TigerVNC. To install TigerVNC we can use yum or dnf:
[root@rhce7]# dnf -y install vinagre tigervnc tigervncserver
After installation we will find a file called /lib/systemd/system/vncserver@.service. That file lays out the instructions on how to setup VNC server, but we shall go through them...
First we copy the template to the location systemd looks for configuration files:
[root@rhce7]# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service
Then we edit the new file replacing the “<USER>” variable with the username that will be using this port. For instance, if “marc” will be using this port for VNC connections, the file should look something like this:
Description=Remote desktop service (VNC)
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l marc -c "/usr/bin/vncserver %i -geometry 1024x768 -nolisten tcp
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
In the example above we have added the “-nolisten tcp” and “-localhost” options. The first one is to reject erroneous X windows connections to the VNC port. The second one is to reject non-local connections that do not use SSH.
When we are done with the modifications, we should save the file with a self-explanatory name: vncserver@:1.service. If we create more configuration files they should can named vncserver@:2.service, vncserver@:3.service, etc.
With that done then we should assign a password to use the VNC sessions: logged in as the user meant to use the VNC sessions in the target host, we just run vncpasswd and type the chosen password twice.
We then run the following 3 commands:
[root@rhce7]# systemctl daemon-reload
[root@rhce7]# systemctl enable vncserver@:1.service
[root@rhce7]# systemctl start vncserver@:1.service
By now the VNC server should be up and running listening on port 5901. We can check the status of the VNC server with the command:
[root@rhce7]# systemctl --all | grep vncserver | grep service
vncserver-marc_1@:1.service loaded active running Remote desktop service (VNC)
We could now try to connect remotely with a VNC session with the command:
[root@rhce7]# vncviewer <vncserver_IP_address>:<display#>
[root@rhce7]# vncviewer 192.168.0.190:1
If we had not used the “localhost” option in the configuration file it would work. But having used it, we need to tunnel the VNC session through SSH for it to be accepted. We can do that with the “-via” option:
[root@rhce7]# vncviewer -via firstname.lastname@example.org localhost:1
With the command above we are opening a VNC connection to 192.168.0.190 on port 5901 and we are tunneling it from our localhost:5901 to the VNC server using marc's credentials (you will be prompted for the marc's OS password as well as the VNC session password).