Simple VNC access
2020-12-14
Several family members have Linux-based computers which I help them with. Most things can be done through SSH, but every once in a while a GUI is required.
toe@silverstone ~ % pwgen 20 1
Dohp4rei6eisieyoosiz
toe@silverstone ~ % vncpasswd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
toe@silverstone ~ % x0vncserver -display :0 -rfbport 5900 -rfbauth ~/.vnc/passwd
According to TigerVNC GitHub Issue #344, the ability to restrict the VNC server to localhost became available only recently and is not yet available in some distributions. Make sure you have restrictive iptables rules in place and don't allow external access to the VNC server!
toe@silverstone ~ % ss -tulpn
(...)
tcp LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
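A check for the bind address shown in the ss output above, as an added example that is not part of the original post: it reads `ss -tln` output and reports whether the VNC port listens beyond loopback. The function name `check_vnc_bind` is hypothetical, and the sample line is the listener from the output above.

```shell
#!/bin/sh
# Added example (not from the original post).
# check_vnc_bind [PORT]: reads `ss -tln` (or `ss -tulpn`) output on stdin.
# Exit status 0 = PORT has only loopback listeners (or none),
#             1 = PORT is bound to a wildcard or other non-loopback address.
check_vnc_bind() {
    port="${1:-5900}"
    awk -v port="$port" '
        # Only TCP sockets in LISTEN state matter; this skips the header and UDP rows.
        $0 !~ /LISTEN/ { next }
        {
            # Local Address:Port is the first field containing a colon
            # (works with or without the leading Netid column).
            addr = ""
            for (i = 1; i <= NF; i++) if (index($i, ":")) { addr = $i; break }
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") {
                print "loopback-only: " addr
            } else {
                print "EXPOSED: " addr
                exposed = 1
            }
        }
        END { exit exposed + 0 }
    '
}

# Sample input: the listener line from the ss output above.
# On a live system: ss -tln | check_vnc_bind 5900
printf '%s\n' 'tcp LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*' | check_vnc_bind 5900 \
    || echo "VNC is bound beyond loopback; the iptables rules are the only barrier"
```
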
Rejecting instead of dropping traffic is nicer for troubleshooting, as legitimate clients get an instant failure rather than waiting 90+ seconds for a drop timeout.
toe@silverstone ~ % sudo iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
(...)
446 17840 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
131K 72M REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable