27.05.2020

Installing and configuring a VNC server on CentOS 7

In this guide, we will look at how to install and configure a VNC server on the CentOS 7.x operating system to allow remote connections from any VNC clients, such as TightVNC, RealVNC, and others. In particular, we will do this using the TigerVNC Server software, a free tool that allows using a stand-alone virtual desktop.

Introduction

VNC (Virtual Network Computing) is a client-server protocol that allows a client computer (running a VNC client) to connect to and control a remote computer (running a VNC server). The software was developed by the Olivetti & Oracle research lab in Cambridge, UK, and its source code is still up to date and available under the GNU General Public License (GPL).

Depending on the server software, the VNC client will connect either to the active desktop (as TeamViewer or AnyDesk do) or to a standalone virtual desktop (like the Windows RDP remote desktop protocol). The latter is perhaps more powerful and secure, especially if you need to manage the server computer, because each session is a unique environment configured with the permissions and rights of the connected user. That's why we choose TigerVNC, which runs parallel sessions of the computer's desktop environment (GNOME, KDE, or another GUI): a virtual desktop is created for each connection, which is exactly what we want.

Installing TigerVNC

Now let’s see how we can install and configure TigerVNC on CentOS. The first thing to do is to install the TigerVNC Server program by opening a terminal session and entering the following command with root privileges:

$ sudo yum install tigervnc-server

Immediately after that, you need to create a separate VNC user from which the connection will be made (with a dedicated password). To do this, enter the following:

$ sudo adduser vncuser
$ sudo passwd vncuser

Important: never run VNC as the root user, as this poses a serious threat to the security of your system. The best solution is to leave the root user without access to VNC and set up a dedicated account with limited rights.

After you create vncuser and set a password for logging in, you also need to set a unique VNC password for this user. The command to do this is:

$ su - vncuser
$ vncpasswd

(the first line may be omitted if we are already logged in as vncuser in advance).

The next thing to do is create a VNC configuration file for vncuser. The quickest way to do this is to copy the shared VNC template file located in the /lib/systemd/system/ folder, and then change it:

$ sudo cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service

The number 1 that we added to the new file name is the display number that will be used for this particular instance of the service. This is important to know because it will also determine the TCP port that will be used by our VNC server, equal to 5900 + display number. The first will be 5901, then 5902 and so on.

Immediately after copying you need to edit the new file using Vi, Nano or another text editor, and replace [USER] with the name of the user created recently (in our case, vncuser). This is how the file should look after the update (except for the long commented part at the beginning):

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target
[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l vncuser -c "/usr/bin/vncserver %i -geometry 1280x720"
PIDFile=/home/vncuser/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
[Install]
WantedBy=multi-user.target

Once you do this, you can reload the systemd daemon and start vncserver@:1 with the following commands:

$ sudo systemctl daemon-reload
$ sudo systemctl start vncserver@:1

Before proceeding, verify that the service is running by entering the systemctl status command:

$ systemctl status vncserver@:1

and create a symbolic link so that it always runs at system startup using the following command:

$ sudo systemctl enable vncserver@:1

Another test that you can perform before trying to connect to the server is to look at the active network sockets using the ss command: if everything works correctly, you should see that the VNC server is running and listening on TCP port 5901. Execute the command:

$ ss -tulpn | grep vnc

The result should be as follows:

tcp LISTEN 0 5 *:5901 *:* users:(("Xvnc",pid=38344,fd=9))
tcp LISTEN 0 128 *:6001 *:* users:(("Xvnc",pid=38344,fd=6))
tcp LISTEN 0 5 :::5901 :::* users:(("Xvnc",pid=38344,fd=10))
tcp LISTEN 0 128 :::6001 :::* users:(("Xvnc",pid=38344,fd=5))

If you see this, then everything is set up correctly.
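The same check as a small script, added here as an example and not part of the original guide: it labels each Xvnc listener as the VNC (RFB) port 5900 + N or the X server's own TCP port 6000 + N, and marks the ones bound to all interfaces. The sample lines are constructed from the output format above, and the function name audit_vnc_listeners is hypothetical.

```shell
#!/bin/sh
# Added example: classify Xvnc listeners found in `ss -tulpn` output.
# SAMPLE is constructed input in the format shown in the guide.
SAMPLE='tcp LISTEN 0 5 *:5901 *:* users:(("Xvnc",pid=38344,fd=9))
tcp LISTEN 0 128 *:6001 *:* users:(("Xvnc",pid=38344,fd=6))
tcp LISTEN 0 5 127.0.0.1:5902 *:* users:(("Xvnc",pid=40112,fd=9))'

# Reads ss output on stdin, prints one summary line per Xvnc listener.
audit_vnc_listeners() {
    awk '
    /"Xvnc"/ {
        laddr = $5                          # Local Address:Port column
        n = split(laddr, parts, ":")
        port = parts[n] + 0                 # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
        if (port >= 5900 && port < 6000) {
            kind = "RFB"; disp = port - 5900    # VNC protocol port
        } else if (port >= 6000 && port < 6100) {
            kind = "X11"; disp = port - 6000    # X11-over-TCP port
        } else {
            next
        }
        # A wildcard bind is reachable on every interface of the host.
        if (addr == "*" || addr == "::" || addr == "0.0.0.0" || addr == "[::]")
            scope = "ALL-INTERFACES"
        else
            scope = "restricted"
        printf "%s display=:%d port=%d bind=%s %s\n", kind, disp, port, addr, scope
    }'
}

# Stand-alone run on the sample; on a real host: ss -tulpn | audit_vnc_listeners
printf '%s\n' "$SAMPLE" | audit_vnc_listeners
```

Any X11 line marked ALL-INTERFACES is a second listener that the firewall should keep closed, since VNC clients only need the RFB port.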

Firewall setup

Since our VNC service is listening on TCP port 5901, you must make sure that this port is open and accessible to external clients. Therefore, if you have a firewall installed, you must create an appropriate rule that allows VNC clients to connect.

How many ports to open depends on how many VNC server instances you need. In our scenario, we created only one, so you only need to open the first dedicated VNC port: TCP 5901, as we already said. The commands to open this port in firewalld:

# firewall-cmd --add-port=5901/tcp
# firewall-cmd --add-port=5901/tcp --permanent

Note that you can also restrict this port to certain groups, IP addresses, or network cards, or apply other simple or complex firewall rules.
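One way to restrict the port to a single source network with a firewalld rich rule, shown as an added example that is not part of the original guide. The function names are hypothetical and 192.0.2.0/24 is a documentation-range placeholder for your own client network; the script only prints the commands so you can review them before running them as root.

```shell
#!/bin/sh
# Added example: build firewalld commands that allow one VNC display
# only from a given IPv4 source instead of from any address.

# Print the rich rule for display number $1 and IPv4 address/CIDR $2.
vnc_rich_rule() {
    display=$1
    src=$2
    # Both values end up inside a command line, so accept only the
    # characters they can legitimately contain.
    case $display in
        ''|*[!0-9]*|0?*) echo "display must be a plain number" >&2; return 1 ;;
    esac
    case $src in
        ''|*[!0-9./]*) echo "source must be an IPv4 address or CIDR" >&2; return 1 ;;
    esac
    port=$((5900 + display))    # VNC port = 5900 + display number
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' \
        "$src" "$port"
}

# Print the commands that replace the open port with the rich rule.
vnc_restrict_cmds() {
    rule=$(vnc_rich_rule "$1" "$2") || return 1
    port=$((5900 + $1))
    printf "firewall-cmd --permanent --remove-port=%s/tcp\n" "$port"
    printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$rule"
    printf "firewall-cmd --reload\n"
}

# Dry run for display :1 and the placeholder network.
vnc_restrict_cmds 1 192.0.2.0/24
```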

Installing the graphical user interface (GUI)

If you already have GNOME, KDE, or other installed desktop environments, you can skip this step. Otherwise, you need to install one of them: the TigerVNC server will start a parallel instance of this desktop environment for each login session, which means that we must have at least one GUI.

GNOME

If you want a great, but heavyweight GNOME interface, enter the following:

$ sudo yum groupinstall "GNOME Desktop"

Xfce

If you need a lightweight alternative, we can offer Xfce, a free, open-source environment for Unix-like platforms that works great with TigerVNC. GNOME also works great, but it is quite resource-intensive: if you want to save resources on your server machine, Xfce might be the best choice. To install it, enter the following:

$ sudo yum install epel-release
$ sudo yum groupinstall xfce

Additional settings for Xfce

If you decide to use Xfce, you will also need to modify the file that is executed when the VNC session starts. To do this, edit the file /home//.vnc/xstartup and change the exec entry (usually line 4) from /etc/X11/xinit/xinitrc to startxfce4, as shown below:

#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
exec startxfce4
vncserver -kill $DISPLAY

VNC client connection

Now that everything is set up, we can try to connect to our VNC service using a VNC client, such as TightVNC, UltraVNC or RealVNC, and see what happens. Remember to specify TCP port 5901 (if you followed our guide).

Possible problems

If your client cannot establish a working VNC connection, you need to check the following:

1. Connection problems — Firewall configuration: if you see pop-up errors that the client cannot connect to the remote host, you need to check your network and firewall configuration to make sure there are no blocking problems that could prevent the client from connecting to TCP server port 5901.

2. Black screen with the mouse — updating YUM or reinstalling the GUI: if you see a black screen with a working mouse cursor, it probably means that your VNC connection is working fine, but something is preventing the desktop GUI from starting correctly. For correction: