18.2 Configuring a VNC Server

To configure a VNC server:

  1. Install the tigervnc-server package:

    # yum install tigervnc-server
  2. Create the VNC environment for the VNC users.

    Each VNC desktop on the system runs a VNC server as a particular user. This user must be able to log in to the system with a user name and either a password or an SSH key (if the VNC desktop is to be accessed through an SSH tunnel).

    Use the vncpasswd command to create a password for the VNC desktop. The password must be created by the user that runs the VNC server and not root, for example:

    # su - vncuser
    $ vncpasswd
    Password: password
    Verify: password

    The password must contain at least six characters. If the password is longer than eight characters, only the first eight characters are used for authentication. An obfuscated version of the password is stored in $HOME/.vnc/passwd unless the name of a file is specified with the vncpasswd command.

  3. Create a service unit configuration file for each VNC desktop that is to be made available on the system.

    1. Copy the vncserver@.service template file, for example:

      # cp /lib/systemd/system/vncserver@.service \
      /etc/systemd/system/vncserver@\:display.service

      where display is the unique display number of the VNC desktop starting from 1. Use a backslash character (\) to escape the colon (:) character.

      Each VNC desktop is associated with a user account. For ease of administration if you have multiple VNC desktops, you can include the name of the VNC user in the name of the service unit configuration file, for example:

      # cp /lib/systemd/system/vncserver@.service \
      /etc/systemd/system/vncserver-vncuser@\:display.service
    2. Edit the service unit configuration files.

      Replace any instances of <USER> with the user name of the user that will run the VNC desktop, for example:

      ExecStart=/sbin/runuser -l vncuser -c "/usr/bin/vncserver %i"
      PIDFile=/home/vncuser/.vnc/%H%i.pid

      Optionally, you can add command-line arguments for the VNC server. In the following example, the VNC server only accepts connections from localhost, which means the VNC desktop can only be accessed locally or through an SSH tunnel; and the size of the window has been changed from the default 1024x768 to 640x480 using the geometry flag:

      ExecStart=/sbin/runuser -l vncuser -c "/usr/bin/vncserver %i -localhost -geometry 640x480"
      PIDFile=/home/vncuser/.vnc/%H%i.pid
  4. Start the VNC desktops.

    1. Make systemd reload its configuration files:

      # systemctl daemon-reload
    2. For each VNC desktop, start the service, and configure the service to start following a system reboot. Remember that if you specified a username in the name of the service unit configuration file, you must specify this. Equally, you should use the same display number that you specified for the service unit configuration file name. For example:

      # systemctl start vncserver-vncuser@\:display.service
      # systemctl enable vncserver-vncuser@\:display.service
    Note

    If you make any changes to a service unit configuration file, you must reload the configuration file and restart the service.

  5. Configure the firewall to allow access to the VNC desktops.

    If users will access the VNC desktops through an SSH tunnel and the SSH service is enabled on the system, you do not need to open additional ports in the firewall. SSH is enabled by default. For information on enabling SSH, see Section 27.3, “Configuring an OpenSSH Server”.

    If users will access the VNC desktops directly, you must open the required port for each desktop. The required ports can be calculated by adding the VNC desktop service display number to 5900 (the default VNC server port). So if the display number is 1, the required port is 5901 and if the display number is 67, the required port is 5967.

    To open ports 5900 to 5903, you can use the following commands:

    # firewall-cmd --zone=zone --add-service=vnc-server
    # firewall-cmd --zone=zone --add-service=vnc-server --permanent

    To open additional ports, for example port 5967, use the following commands:

    # firewall-cmd --zone=zone --add-port=5967/tcp
    # firewall-cmd --zone=zone --add-port=5967/tcp --permanent
  6. Configure the VNC desktops.

    By default, the VNC server runs the user's default desktop environment. This is controlled by the VNC user's $HOME/.vnc/xstartup file, which is created automatically when the VNC desktop service is started.

    If you did not install a desktop environment when you installed the system (for example because you selected Minimal Install as the base environment), you can install one with the following command:

    # yum groupinstall "server with gui"

    When the installation is complete, use the systemctl get-default command to check that the default system state is multi-user.target (multi-user command-line environment). Use the systemctl set-default command reset the default system state or to change it to the graphical.target (multi-user graphical environment) if you prefer.

    The $HOME/.vnc/xstartup file is a shell script that specifies the X applications to run when the VNC desktop is started. For example, to run a KDE Plasma Workspace, you could edit the file as follows:

    #!/bin/sh
    unset SESSION_MANAGER
    unset DBUS_SESSION_BUS_ADDRESS
    #exec /etc/X11/xinit/xinitrc
    startkde &

    If you make any changes to a user's $HOME/.vnc/xstartup file, you must restart the VNC desktop for the changes to take effect:

    # systemctl restart vncserver-vncuser@\:display.service 

See the vncserver(1), Xvnc(1), and vncpasswd(1) manual pages for more information.