Running VNC Sessions on HEP Linux Systems
VNC sessions can be started on personal HEP Linux desktops or on central interactive nodes. Please use an interactive node if you do not have your Linux desktop, don't start up sessions on other people's desktops or on gateway.
Starting a Standalone Session
First log in (usually via SSH) to the system you wish to run the VNC session on. This can be a desktop or interactive node.
To start a vnc session on the linux system just run, at a command prompt:
The command should tell you which session number was assigned. You need this number when connecting with the VNC client.
To start a session with a specific session number N
If you are using ROOT in the session you may need to disable backing store by adding -bs, to prevent the session being killed by ROOT,
The first time you use VNC it should prompt you to set a password. You can run 'man vncserver' to see additional options. It's easy to accidentally set up more than one session. Check which sessions are running locally with
and to kill any sessions that are no longer required use
- vncserver -kill :session (eg vncserver -kill :1)
To connect to it you use a vnc client, e.g. vncviewer from linux, or TightVNC
for windows (google, there should be free downloads for the clients for both). 'Chicken of the VNC' or RealVNC
are free clients for Mac OS X.
Vnc can run multiple displays on a single system, and these correspond to the ports it uses. So display :0 listens on port 5900, display :1 listens on port 5901, :2 on 5902, and so on. When you start the server it will tell you which VNC display it is (by default it uses the next available display, you can also specify a display when you start it). You need to know this to tunnel to it with SSH.
Direct Access to Linux Desktop Display
It is possible to enable VNC access to the main Linux desktop display. This allows you to access applications that are already running on your desktop. It is enabled under Applications>System Tools>Settings>Sharing. Enable Screen Sharing. You should set a password (any existing VNC password won't be automatically used). The VNC service will be available on session :0 (port 5900).
Unfortunately this service enables security that very few clients actually support. You will need to disable it by typing in a terminal on your desktop
- gsettings set org.gnome.Vino require-encryption false
Now clients should be able to connect as for a standalone session.
The service can be very slow when accessed from off-campus so this is probably only useful for remote access in the labs or emergencies.
Tunneling to a VNC session from Off Site Using Linux
If you are working on-campus or are connected with the University VPN you can simply connect your vnc viewer to hostname:N eg phi.ph.liv.ac.uk:5.
If you are working off-campus without VPN you need to tunnel your VNC viewer to the session on the desktop or node you started it on. You can tunnel to a VNC session with SSH like this:
- ssh -L5901:<desktop>:<vncport> <user>@<desktop>
where desktop is the name of the system you're running vncserver on, and <vncport> is the port your vnc session is running on (e.g. 5901 if it's display :1).
Once the SSH connection is established, you can then connect to it with your local vnc client by pointing that to localhost:1
With the current Working From Home situation nodes are available directly via SSH, so it is sufficient for a fully encrypted connection to just set up an SSH tunnel between your local system and the node eg for session 5 on gamma.ph.liv.ac.uk use
The following is left for information but shouldn't be required:
To SSH in from outside, you'll need to go via gateway. You can either tunnel your VNC session just through gateway (which is then encrypted between you and
gateway, but not between gateway and your desktop) like this:
- ssh -L5901:<desktop>:<vncport> <user>@gateway.ph.liv.ac.uk
or you can use two SSH connections, one to gateway, and one tunneled through gateway to your desktop (with the VNC connection tunneled through the second
one) like this:
ssh -L2222:<desktop>:22 <user>@gateway.ph.liv.ac.uk
ssh -p2222 -L5901:<desktop>:<vncport> <user>@localhost
You can also configure these options in a .ssh/config file like so:
LocalForward 5901 <desktop>:<vncport>
for the first, single connection approach, or:
LocalForward 2222 <desktop>:22
LocalForward 5901 localhost:<vncport>
For the two connection approach. You can then just 'ssh livgateway' (and then 'ssh livdesktop' in a second window for the two connection approach), before opening your vnc client and pointing it to 'localhost:1' as above.
The only other thing to note is that if there's a vncserver running on the system you're connecting from, you may need to change the local '5901' port specified to '5902' (or similar) and point your vnc client at localhost:2 (or similar) accordingly to avoid a conflict.
Tunneling to a VNC session from Off Site Using Windows
Similar to Linux you will need an SSH client to set up the secure tunnel. There are two main options, PuTTY
. Note the port number depends on your VNC session number eg if you start VNC session number 4 the port is 5904. If you are connecting to a systems main display the port number is usually 5900.
Tunneling with Putty
- To start, download PuTTY and open the client.
- The main Session menu allows you to type your server IP address or hostname. Type your SSH server address in the Host Name (or IP address) text box (usually gateway.ph.liv.ac.uk).
- You’ll also want to save this session, so in the Saved Sessions text box, add a suitable name for your SSH connection, then click the Save button.
- In the left-hand menu, expand the Connection tab, then do the same for the SSH. Click on Tunnels.
- In the Port forwarding section of the Tunnels menu, you’ll be providing the details to allow PuTTY to tunnel your VNC connection over SSH. In the Source port text box, type the session number (eg 5901 for session number 1). In the Destination text box, type your remote IP address:5901, using the IP address of the remote desktop PC or server. For instance, gamma.ph.liv.ac.uk:5901 would be suitable.
- Return to the Session section, click on your saved session name under Saved Sessions, then click Save to save your settings.
- With your PuTTY settings ready, make the SSH connection by clicking Open at the bottom. You’ll be required to insert the username and password required to make your SSH connection as PuTTY makes the attempt.
- Once the login process is complete, you’ll be given access to the SSH terminal window for your remote desktop.
has a similar setup but uses a more simple graphical interface. See https://blog.mobatek.net/post/ssh-tunnels-and-port-forwarding/
Once you've established the SSH tunnel you can then use your client to connect but you must connect to the tunnel ie use the hostname 'localhost:port' not the hostname of the system you are connecting to. For the above example the client should connect to localhost:5901.
Our Linux desktops should have a VNC viewer preinstalled. Run vncviewer on a command line or look in the Internet section of your desktop menus, eg
provide a very featureful client on all operating systems for free. This is commercial software with a free license so we cannot guarantee it will always be available.
There are numerous clients for Windows, TigerVNC
On Mac OS X there is a client built in to the OS. In a Safari browser window connect using vnc://hostname:port (here the port should be 590X instead of the usual X, eg for session 1 use port 5901). This should launch the screen sharing application. There are also free clients such as Chicken (previously Chicken of the Sea) or commercial clients such as JollysFastVNC
(this has to be paid for).
Clients with built-in tunneling
Some clients have SSH tunneling included, eg Vinagre (also called Remote Desktop Viewer in Centos 7). Choose the VNC protocol, enter the VNC session you wish to connect to (eg session 1 on hep196.ph.liv.ac.uk) and use yourusername@gatewayREMOVETHIS.ph.liv.ac.uk
as the hostname to tunnel with.