Setting up a remote graphical session is often the first requirement for managing a headless Linux server. Whether you are troubleshooting a misconfigured firewall or deploying a desktop environment, a Virtual Network Computing setup provides a visual interface over the network. This guide walks through the precise steps to install and configure a secure VNC server on a modern Linux distribution.
Choosing the Right VNC Server Software
The Linux ecosystem offers several implementations, but TigerVNC and TightVNC are the most reliable for server environments. TigerVNC strikes the best balance between performance and modern feature support, making it the ideal choice for most users. Before installation, ensure your package repository index is up to date to fetch the latest stable version.
Installing TigerVNC on the Server
On Debian-based systems like Ubuntu, the installation relies on the APT package manager. You will need to install the tigervnc-standalone-server package along with a desktop environment if one is not already present. For Red Hat-based distributions such as CentOS or Rocky Linux, the DNF or YUM tools handle the dependency resolution automatically.
Required Packages
Configuring the VNC Service
Unlike traditional system services, VNC instances are user-specific and tied to display numbers. You must set a password for the VNC connection using the vncpasswd command, which stores the credentials in the user's home directory. The session startup script is usually ~/.vnc/xstartup, where you define which window manager to launch after a successful connection.
Opening Firewall Ports
By default, the VNC server listens on TCP port 5900 plus the display number, so display :1 corresponds to port 5901. You must explicitly allow this traffic through the server's firewall to prevent connection timeouts. On systems using UFW, the rule is straightforward, while firewalld requires adding a rich rule to the trusted zone or opening the specific service port.
Securing the Connection
Transmitting an unencrypted VNC session over the internet is a security risk that exposes keystrokes and screen data. To mitigate this, tunnel the traffic through SSH, which encrypts the entire session without requiring the VNC server to support SSL natively. Configuring VNC to listen only on localhost and connecting through an SSH tunnel is the standard practice for production environments.
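One way to verify the localhost-only binding described above is to audit the listening sockets. The script below is an added example, not part of the original guide; the function names and the sample `ss` lines are constructed for illustration, and it assumes `ss -H -tln` column layout and the 5900-5999 display range.

```shell
#!/usr/bin/env bash
# Added example: flag VNC listeners (TCP 5900-5999) reachable without the SSH tunnel.
# Input is `ss -H -tln` output: State Recv-Q Send-Q Local:Port Peer:Port

# Constructed sample input, not captured from a real host.
SAMPLE_SS_OUTPUT='LISTEN 0 5   127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5   0.0.0.0:5902   0.0.0.0:*
LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
LISTEN 0 5   [::1]:5901     [::]:*
LISTEN 0 5   [::]:5902      [::]:*'

# Reads ss lines on stdin; prints ":display local-address" for every VNC-range
# listener that is bound to something other than a loopback address.
find_exposed_vnc() {
  awk '
    $1 == "LISTEN" {
      n = split($4, parts, ":")            # port is the last colon-separated piece
      port = parts[n]
      if (port !~ /^[0-9]+$/) next
      port += 0
      if (port < 5900 || port > 5999) next # outside the VNC display range
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: tunnel-only
      printf ":%d %s\n", port - 5900, $4   # display number = port - 5900
    }'
}

# Returns 1 (and lists the offenders) if any display is exposed on the network.
audit_vnc_listeners() {
  exposed=$(find_exposed_vnc)
  if [ -n "$exposed" ]; then
    printf 'VNC reachable without an SSH tunnel:\n%s\n' "$exposed"
    return 1
  fi
  echo "All VNC listeners are loopback-only"
}

# Pass --live to audit this host; otherwise run against the constructed sample.
if [ "${1:-}" = "--live" ]; then
  ss -H -tln | audit_vnc_listeners
else
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_vnc_listeners || true
fi
```

A non-zero exit status makes the check usable from a cron job or a configuration-management run that should fail when a display is bound to a routable address.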
Managing the Server Process
Once configured, you can start the VNC server using the vncserver command, which initializes the X session and generates a log file. If you need to stop the display, the vncserver -kill command terminates the process cleanly. To ensure the environment persists across reboots, you might need to integrate the startup command into the user's crontab or a systemd user service.