Secure VNC on Ubuntu 20.04: Set Up VNC Over SSH Tunnel (Step-by-Step)
We recently covered installing and configuring a TightVNC server on Ubuntu 20.04. This follow-up describes how to set up a secure SSH tunnel for the VNC connection. VNC itself is not secure, and tunneling it over SSH corrects that.
While VNC (Virtual Network Computing) provides an easy way to access a remote desktop environment on Ubuntu 20.04, it does not offer encryption by default — making it vulnerable to eavesdropping and unauthorized access. To address this, the recommended practice is to secure your VNC connection with an SSH tunnel. This ensures that all data transmitted between the client and the server is encrypted, providing a safe and private remote desktop experience. In this guide, we’ll show you how to configure your system to use a secure VNC over SSH tunnel, step by step, including both command-line and PuTTY-based instructions.
Preparation
In the first part, we opened firewall port 5901. The connection will now be directed through the SSH tunnel, so you need to close the ports open for VNC.
You also need to close all running TightVNC sessions.
Then start a session that listens only for internal (local) connections. Once the SSH tunnel is open, this is the session we will connect to.
If you have configured the TightVNC service, open its configuration.
Find the ExecStart parameter and make it look like this:
Reload systemd:
And start (or restart) the service:
Creating an SSH Tunnel
The following command must be run on the client computer from which you are connecting to the VNC server. It connects port 61000 on the local machine to port 5901 on the server via an SSH tunnel.
The following options are used to create the tunnel:
- -L - forwards local port 61000 to remote port 5901 through the SSH tunnel;
- -N - tells SSH to only forward ports and not execute a remote command;
- -l - specifies the username used to create the tunnel.
Replace username and VNC_server_IP with your own parameters. If you connect using an SSH key, do not forget to add the -i parameter, as with a usual SSH connection.
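An added example, not part of the original article: the tunnel command assembled from the options described above, together with a check to run on the server confirming that port 5901 listens on loopback only, so that the tunnel is the only way in. The function names and sample `ss` lines are constructed for illustration, and `ss -H -ltn` (from iproute2) is assumed to be available on the server.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Client side: forward local port 61000 to port 5901 on the server.
# $1 = username, $2 = VNC_server_IP (the placeholders used in the article).
open_vnc_tunnel() {
    ssh -L 61000:localhost:5901 -N -l "$1" "$2"
}

# Server side: read `ss -H -ltn` output on stdin and print every
# non-loopback address listening on the VNC port ($1, default 5901).
# Exit status 0 = loopback only, 1 = reachable from the network.
vnc_exposed_listeners() {
    awk -v port="${1:-5901}" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)          # start of the trailing ":port"
            if (!n || substr($4, n + 1) != port) next
            addr = substr($4, 1, n - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback is fine
            print addr
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed `ss -H -ltn` samples: a tunnel-only server and an exposed one.
SAMPLE_LOCAL='LISTEN 0 5   127.0.0.1:5901 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22     0.0.0.0:*'
SAMPLE_OPEN='LISTEN 0 5   0.0.0.0:5901   0.0.0.0:*
LISTEN 0 5   [::]:5901      [::]:*
LISTEN 0 128 0.0.0.0:22     0.0.0.0:*'

for sample in "$SAMPLE_LOCAL" "$SAMPLE_OPEN"; do
    if exposed=$(printf '%s\n' "$sample" | vnc_exposed_listeners 5901); then
        echo "OK: port 5901 is bound to loopback only"
    else
        echo "EXPOSED: port 5901 listens on:" $exposed
    fi
done
# On a real server: ss -H -ltn | vnc_exposed_listeners 5901
```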
Using PuTTY to create an SSH tunnel
Use your normal connection parameters in PuTTY and add the tunnel settings: go to Connection - SSH - Tunnels, enter 61000 in the Source port and localhost:5901 in the Destination.
Click Add and Apply.
Connecting to a remote desktop
The tunnel has now been created. To connect to the remote desktop, use the same client as in the first part of the tutorial - any VNC client you like. Enter localhost:61000 as the VNC server.
Conclusion
By setting up a secure VNC connection over SSH on Ubuntu 20.04, you combine the flexibility of remote desktop access with the strong encryption of SSH. This method helps protect sensitive data, system credentials, and session contents from being intercepted on unsecured networks. Whether you're managing a remote server or simply accessing your desktop from another location, tunneling VNC through SSH is an essential best practice for safe and secure remote administration. Always remember to close direct VNC ports and keep SSH access protected with strong credentials or key-based authentication.
FAQ: Secure VNC over SSH Tunnel on Ubuntu 20.04
- Q: Why is VNC not secure by default?
A: VNC transmits data, including login credentials, in plain text. Without encryption, anyone on the network can potentially intercept this information.
- Q: What does the SSH tunnel do in this setup?
A: An SSH tunnel encrypts all VNC traffic by forwarding it through a secure SSH connection, preventing unauthorized access and data leaks.
- Q: Do I still need to open port 5901 on the firewall?
A: No. In a secure setup, you close port 5901 and access VNC exclusively through the SSH tunnel, typically using a local forwarded port like 61000.
- Q: Can I use any VNC client with this setup?
A: Yes, any standard VNC client (like TigerVNC, RealVNC, or UltraVNC) will work. Just connect to localhost:61000 instead of the server’s IP.
- Q: How do I create an SSH tunnel on Windows?
A: Use PuTTY, go to Connection → SSH → Tunnels, enter 61000 as the source port and localhost:5901 as the destination, then click Add.
- Q: Is this method suitable for public networks?
A: Absolutely. Using SSH tunneling adds a layer of encryption, making remote desktop access safe even over insecure networks, like public Wi-Fi.