Q: I am coming from the Windows world where I am used to using Remote Desktop to access my systems on the network.  I recently set up a new CentOS system.  I have done some reading and understand I need to use VNC for this. How can I install and configure a VNC server on my CentOS 7 system so I can “Remote Desktop” into it?

A: This can be done easily with the some basic software.  In CentOS 7 (or RHEL 7) the default VNC server is tigervnc. Let’s install and configure VNC for a single user, then we will cover how to install VNC for multiple users.

Install TigerVNC and It's Dependencies

Use yum to install tigervnc-server package:

yum install tigervnc-server

Copy Sample Configuration and Edit

When you install tigervnc it creates a sample configuration file in /lib/systemd/system that is called vncserver@.service.  It is best to copy this file and edit it to meet your needs.

cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service

Now we have to edit the /etc/systemd/system/vncserver@.service file and at minimum must change the USER name who will be connecting to the VNC server.

Example File:

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c ‘/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :’
ExecStart=/sbin/runuser -l <USER> -c “/usr/bin/vncserver %i”
PIDFile=/home/<USER>/.vnc/%H%i.pid
ExecStop=/bin/sh -c ‘/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :’

[Install]
WantedBy=multi-user.target

NOTE: Change <USER> to the username of the account who will be logging into the system.

To make the changes to the configuration file take effect, run the following command:

systemctl daemon-reload

Setup User with vncpasswd

Now you have to set the VNC password for the user you specified in the file above.  This command MUST be run by the user, so let’s switch to the user account and set the password like so:

[root@putor ~]# su - vncuser
[vncuser@putor ~]$ vncpasswd
Password:
Verify:

Start and Enable the Service

Before we log into the system with VNC, we have to start the service.

systemctl start vncserver@:1.service

If you want the service to start at boot:

systemctl enable vncserver@:1.service

Configure Firewall For VNC

You must allow or open the firewall to allow vnc connections.

VNC Servers listen on ports specific to their display number.  For example, we started the service above with the display number 1.  This will listen on port 5901.  If we started it with display number 2, it would listen on 5902.

Firewall configuration are very specific to the system. Here are some example that should work on default configurations.

Open VNC Port using firewalld:

firewall-cmd --add-rich-rule='rule family="ipv4" service name=vnc-server accept'

Open VNC port using iptables:

How to Configure VNC for Multiple Users

If you want to setup VNC server for multiple users the directions are basically the same.  The only difference is you MUST create multiple service files, set both users VNC passwords,  and open additional ports in the firewall.

For example, you could create two service files like so:

cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver-user1@.service


cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver-user2@.service

You would edit each file the same way we did in the single user setup, this time you would change <USER> to the specific username that file is for.

NOTES:

  • VNC listens on 5900+diplay# when using a VNC client.
  • If you are depending on the server to give you a java applet, you also need 5800+display#, and 6000+display# for the X Server Port.  If you are using a client, typically only 5900+display# is needed.

if you are going to start user1 on display 1, and user2 on display 2, then you have to open both tcp ports 5901 and 5902 on the firewall.

Example:

Start user1 VNC server on display 1, and user2 on display 2:

systemctl start vncserver-user1@:1.service
systemctl start vncserver-user2@:2.service

Now let’s use netstat to check what ports VNC is listening on.

# netstat -tulp | grep vnc
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      8062/Xvnc
tcp        0      0 0.0.0.0:5902            0.0.0.0:*               LISTEN      8507/Xvnc
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      8062/Xvnc
tcp        0      0 0.0.0.0:6002            0.0.0.0:*               LISTEN      8507/Xvnc

Open the necessary ports on the firewall:

iptables -I INPUT -p tcp --dport 5901 -j ACCEPT
iptables -I INPUT -p tcp --dport 5902 -j ACCEPT

Conclusion

The VNC service is a finicky beast, but if you take your time and configure it correctly you should be ok. We learned how to install vnc, setup the a basic configuration, add users, and even how to open ports on the firewall for vnc. This is the base information you need to get started. See the resources below for more information.

Resources