Remote access to a Linux host's desktop with VNC

The following article explains how to access the desktop of a Linux host residing inside the ETH network from another host on the in- or outside by using Virtual Network Computing (VNC)¹. Throughout his article, the following placeholders are used:

• current_host: This is a remote host in- or outside the ETH network, i.e. your office computer or home computer; the host you are currently working on. It will run the software to view a remote Linux desktop, the VNC viewer.

• gateway_host: This is the entrance gateway to the ETH network to bypass the firewall restrictions for connections from the outside, by the name of login.ee.ethz.ch. It is used to tunnel SSH connections in case you choose not to use VPN.

• internal_host: This is the fully qualified DNS name of the target host you intend to connect to, as shown by the command hostname -f on the target host. Students can use an arbitrary shared student room PC like tardis-d12. If you're using a shared student PC, check it's availability at login.

• eth_username: This is the username you use to log in anywhere on an ETH provided IT service.

• eth_password: This is your password used in combination with your eth_username which lets you access ETH provided IT services, except for network authentications (see below).

• eth_network_password: This is your password also used in combination with your eth_username which is used for authentication to network services like Wifi and VPN. It is different from your eth_password.

• L: This variable is used as a placeholder for the local port on current_host where VNC connections will be made to. Set it to 1 unless you have other plans.

• R: This variable is used as a placeholder for the remote port on internal_host where a VNC server will be listening after a successfull startup. Set it to 1 unless you have other plans.

---

Quick Help for fast access

If you wanna have fast access by using VNC, do this. If you wanna get into more deeply, read next paragraphs.

 1. Establish a connection to ETH network with VPN

 2. SSH to your machine at ETH just like:
    $ ssh <username>@<machine>.ee.ethz.ch

 3. Start VNC server on <machine> in a konsole, just like:
    $ vncserver

 4. On your computer at home, connect to the VNC Session via vncviewer app:
    <my_ETH_machine>:<session_number>  e.g. saturn.ee.ethz.ch:1

Notice:
* In order to kill your VNC session you have to make a standard 'Logout' within your VNC operating system.
* If you close the VNC Window by clicking on X (above to the right), the session keeps running and you can login again by using the same <session_number>
* Every start of a new vncserver instance increases the <session_number> (= <display_number>) by one.
* All VNC personal settings are stored in '~/.vnc' directory. You can easily remove this dir (e.g. for cleanup reasons). It will be recreated after you execute a 'vncserver' command next time. 
* To see what VNC sessions are currently running on your ETH machine, type on a terminal:  $ ps -ef | grep vnc
* To kill a 'lost' (orphaned) VNC session do: vncserver -kill :1   (where ':1' is your session resp. display number depending on how many VNC instances you are running)

---

Connect to the ETH network

If current_host resides outside of the ETH network, you need to connect to it thorugh either a VPN connection or an SSH tunnel. Connecting through VPN is the preferred method as it uses a dedicated infrastructure. Both methods are explained in the following steps.
If current_host is alreay inside the ETH network, skip to Start a VNC server on internal_host.

Preferred method: Connect through a VPN connection

Know your ETH network password

If you're unsure about your eth_network_password, login on password.ethz.ch with your regular eth_password and change your former eth_network_password to a new password.

Install the VPN client on your current host

• Go to sslvpn.ethz.ch and follow the instructions provided there to download, install and configure the Cisco AnyConnect VPN client provided by central IT services.

• To log in here you have to use your eth_username with an added realm in combination with your eth_network_password, as described on sslvpn.ethz.ch.

• If you have access to additional realms, a.k.a virtual private Zones (VPZ), you can list them by visiting realms.ethz.ch.

Initiate a VPN connection to internal_host

Now you are ready to connect to the ETH network by using VPN. After establishing connection you can SSH from your device outside ETH to your target machine inside ETH network and/or using VNC. Using SSH and VNC are described in detail below.

Alternative method: Connect through an SSH tunnel

SSH tunnel on Linux

The host login.ee.ethz.ch is the entry point for an SSH connection. More information about SSH connections can be found in the article RemoteAccess: SSH -remote_terminal_session.

• Establish an SSH tunnel from the local port 590L on current_host to login.ee.ethz.ch for the VNC server port 590R with your eth_username. The syntax for this is

  ssh -L 590L:current_host:590R eth_username@login.ee.ethz.ch 

• For convenience use the default VNC port on both sides of the tunnel and replace current_host with localhost:

  ssh -L 5901:localhost:5901 eth_username@login.ee.ethz.ch 

• Do not close the terminal window wherein you opened the tunnel

The default VNC port will only be known for sure after you start the VNC server on internal_host

SSH tunnel on Windows 10 with OpenSSH

• Install the optionally installable feature OpenSSH Client in Apps → Optional features → OpenSSH Client

• Establish the SSH tunnel as described for Linux

SSH tunnel on Windows with PuTTY

• Start PuTTY

• Create a session to login.ee.ethz.ch

• Configure a tunnel with port forwarding to internal_host for this session under Connection → SSH

• In Source port enter 590L

• In Destination enter internal_host:590R

• Select IPv4

• Klick on Add, the line 4l590L internal_host:590R appears in the previously empty list of tunnels

• Save the session

A comfortable setup of PuTTY is described in Windows "direct" SSH access with PuTTY

Initiate a SSH connection to internal_host

SSH connection on Linux

• If you previously opened a VPN connection, issue the command following command

  ssh eth_username@internal_host 

• If you established an SSH tunnel, enter the above command in the terminal window still connected to login.ee.ethz.ch

• With neither a VPN connection or SSH tunnel, issue the command

  ssh -o ProxyJump=eth_username@login.ee.ethz.ch eth_username@internal_host 

SSH connection on Windows 10 with OpenSSH

• Install the optionally installable feature OpenSSH Client in Apps → Optional features → OpenSSH Client

• Establish the SSH connection as described for Linux

SSH connection on Windows with PuTTY

Follow the article Windows "direct" SSH access with PuTTY

Start a VNC server on internal_host

To start a VNC server instance on internal_host, you need to initiate a SSH connection to it (see paragraph above).
If you previously opened a VPN connection, make sure it is still active

Setup and start the VNC server

Configuration and start of a VNC server works with an ISG D-ITET-provided wrapper script by issuing the command

vncserver

in your shell connected to internal_host.

Setup and first startup

If this is the first time you start vncserver, you will be asked to provide a password to allow access to the VNC server instance you start now and in the future. It is possible to set the password to allow only observing or also interacting with the VNC session. Choose a strong password, as anyone on the ETH network can connect to your internal_host while a VNC server is running. The password should contain:

• 8 characters²

• Uppercase letters
• Lowercase letters
• Numbers

The setup followed by the startup process will look like this:

Creating directory /home/eth_username/.vnc......
Creating startup_file /home/eth_username/.vnc/xstartup.....

You will require a password to access your desktops.

Password:
Verify:
Would you like to enter a view-only password (y/n)? n

New 'default' desktop is internal_host:R

Creating default config /home/eth_username/.vnc/config
Starting applications specified in /home/eth_username/.vnc/xstartup
Log file is /home/eth_username/.vnc/internal_host:R.log

Note the virtual display number R of your VNC server appearing after internal_host:. It is needed later to connect your VNC viewer on current_host to the VNC server instance on internal_host or to kill a vncserver process manually.
The default desktop started now is Xfce4. If you prefer a different desktop you have to kill the running vncserver process and start it again with the desktop of your choice.
Otherwise the vncserver process terminates after you log out of your desktop environment.

Terminating a running VNC server process

Issue the command

vncserver -kill :R

in a shell on internal_host.

Choose a non-default desktop

To start the VNC session with a non-default desktop, provide one of the options [xfce|gnome|kde|light|xterm]:

vncserver gnome

• Option light starts the light desktop Fluxbox

• Option xterm starts a minimal desktop with a window manager and a xterm terminal window. This option should be used if you intend to use your session to run only one application at the time and start said application on the command line.

Use a VNC viewer to view and control the desktop on internal_host

• If your current_host is an ISG D-ITET-managed Linux computer a VNC viewer is installed.

• If it is a ISG D-ITET-managed Windows computer you have to request installation of a VNC viewer.
• If you use your self-managed office or your personal home computer you have to install a viewer yourself.

VNC viewer software

The listed VNC software contains a viewer component and is available for both Linux and Windows:

• TightVNC: Opensource

• TigerVNC: Opensource, a fork of TightVNC with additional features

• TurboVNC: Opensource, a fork of TightVNC with peak 3D/video performance as a goal

• RealVNC: Freeware

The above list is not meant to be complete, feel free to install other solutions on your self-managed computer.

• TigerVNC viewer is installed on managed Linux clients
• On managed Windows clients, RealVNC viewer is installed on request.
• On private clients, use of RealVNC is discouraged. Some versions show error messages similar to "RFB protocol error bad rectangle size 10794x10794" and fail to connect.

Connect your VNC viewer to the VNC server on internal_host

VNC connection from Linux

On Linux issue the command

vncviewer internal_host:590R

VNC connection from Windows or macOS

On Windows or macOS, open your VNC viewer and connect to internal_host:590R.
If you terminate your VNC viewer without logging out of your desktop environment, your VNC session will stay active and you can reconnect to it later on.

VNC connection from macOS alternative

On macOS the built-in VNC viewer may be started by pressing Command-K and entering the url vnc://internal_host:590R. No support is given for this way to connect to a VNC session.

Check (student) host availability

Check with the command htop if any other users are using internal_host 's resources right now. If they do, log out and log in to a different host.
A list of student hosts can be shown by issuing the command grep tardis /etc/hosts

VNC server configuration

The first start of vncserver creates the directory /home/eth_username/.vnc. It contains startup scripts for the different desktop options mentioned in Choose a non-default desktop. Logfiles of VNC sessions will also be stored there. If you experience problems, check the logfiles for hints what went wrong. As a last resort in troubleshooting, delete the directory and start again with Setup and start the VNC server.
If no specific desktop session is given then /etc/X11/Xsession which defaults to the Xfce4 desktop will be used. The desktop type light selects the light desktop Fluxbox. To use a desktop outside from Xfce4, GNOME, KDE, Fluxbox and Xterm please edit your xstartup file in /home/eth_username/.vnc according to your needs. The desktop type xterm starts a minimal desktop with a window manager and a xterm terminal window, applications are then started from the command line in the xterm.

The start of vncserver with no desktop parameter always looks for the xsession startup file ~/.vnc/xstartup in your home, if not found it's created with a desktop startup of the default xsession ( /etc/X11/Xsession ) which points to Xfce4. If you start vncserver with the optional desktop parameter a xstartup file ~/.vnc/xstartup.<desktop> is created in your home and used for subsequent startups with the same desktop parameter.

If you are using vncserver only for remote accessing some applications on the target machine please use the desktop type light or xterm but not the extremely heavyweight desktops GNOME or KDE. For "Work at home" you can use the heavyweight desktops (p.e. the default GNOME) but please logout from your computer in the office before you go home. We do not support the parallel usage of two heavyweight desktops (local and remote) from the same user on one machine.

For the GNOME desktop we use the TurboVNC server, all other desktops are provided by the TigerVNC server. TurboVNC's config file is ~/.vnc/config.turbo while TigerVNC uses ~/.vnc/config. To switch the configured default resolution of 1600x950 of the vncserver created display please comment out the geometry line in the configuration file and correct the resolution to your need.