TightVNC and SSH tunnels

I have been working on some machines using Windows and the commercial X-server for Windows called X-Win32. It irritated me however to know that the users was paying a license fee to use the program, since it possible to do the same with a open source VNC client, as TightVNC. In the following I will use the name bohr as the hostname for my server and dirac as the name of the client connecting to server bohr.


Every interesting blog article has a illustration – this is a ssh tunnel transporting VNC data through the unsecure Internet. Made with Dia.

Installing the VNC server
On the server bohr, which is running Ubuntu Linux for the sake of the argument, I will install the tightvncserver. On Ubuntu and debian funded Linux distributions there are two VNC servers available: vnserver and tightvncserver. tightvncserver is more advanced, has better data encoding and works better with small bandwidth connections but if the client doesn’t support this the older vncserver should be used. In this guide we will connect with the tightvncclient, so in our case the client will support the options offered by tightvncserver. The server is installed by:

root@bohr:~$ aptitude install tightvncserver

That’s it, now the vncserver has to be started.

Starting the VNC server
Once tightvncserver has been installed on the server is has to be started as vncserver when logged in as the user on the system. The first time I use the vncserver I have to type in a password, which in the future will be remembered.

You will require a password to access your desktops.
New 'X' desktop is bohr:1
Creating default startup script /home/tjansson/.vnc/xstartup
Starting applications specified in /home/tjansson/.vnc/xstartup
Log file is /home/tjansson/.vnc/bohr:1.log

Here it is important to note the bohr:1 – this indicates the displaynumer which we will use to connect to the vncserver.

If the server bohr.dyndns.org is behind a firewall and only allows incoming ssh connections we will have to create a ssh tunnel and send the VNC data through that tunnel. So I create a tunnel from dirac to bohr:

tjansson@dirac:$ssh -f -N -L 5901:localhost:5901 bohr.dyndns.org

Here we need the display number mentioned earlier. The port number is 59XX where, XX is the the displaynumber and since my display number was 1, the port number is 5901.
If the server was had a non-standard portnumber such as 2222 instead of 22 the syntax would be:

tjansson@dirac:$ssh -p 2222 -f -N -L 5901:localhost:5901 bohr.dyndns.org

So now that the tunnel is in place we can start the tightvncviewer a tell it to connect to the end of the ssh tunnel which will in turn send the data on to bohr.

tjansson@dirac:$vncviewer localhost::5901

If no firewall is active and all ports are accessible the command without ssh tunnel would be

tjansson@dirac:$vncviewer bohr.dyndns.org::5901

This is not recommended as the data will be send through the internet unencrypted.

Even though SSH is not as integrated in the Windows environment is quite possible to connect to a server running a VNC server. To programs will be needed a VNC client, tightvnc, and a SSH client, putty. These are both opensource and free and can be downloaded here:

If the VNC server is accessible on all ports a SSH tunnel is not necessary and all there is to it is to run the tightvnc client and write.


Here we need the display number mentioned earlier. The port number is 59XX where, XX is the the displaynumber and since my display number was 1, the port number is 5901. This is not recommended as the data will be send through the Internet unencrypted. Remember the 2 colons! I always seem to forget it and only write one, which doesn’t work the same way.

If how ever the server is behind a firewall and only is accessible through ssh we will need to create a ssh tunnel with putty. The ip address or the hostname of the server is written in the normal window and the port number is normally 22. The tunnel is the created as seen in the picture:


After having successfully created the tunnel the only thing left to do is to connect the end of the tunnel by writing:


It is important to remember that this is two colons!

Using Gnome or KDE instead of KDE
Eventhough the terminal presented in a default vnc session can be fine for some uses it is usually a which to see the standard Gnome or KDE desktop. To this change the file called .vnc/xstartup, so it looks something like this:

tjansson@bohr:~$cd .vnc
tjansson@bohr:~/.vnc$cat xstartup
# Uncomment the following two lines for normal desktop:
 exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
#vncconfig -iconic &
#xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
## This starts KDE
#startkde &
## This starts GNOME
#exec gnome-session &
# This starts Xfce
xfwm4 &
xfce4-panel &
xfdesktop &

The important parts being the to commented lines and the bottomline saying i.e. exec gnome-session & to start a Gnome session and startkde & will start a KDE session. I wanted a Xfce session (Xubuntu), so I use the last block.

Stopping the server
When the session is over the VNC server should be closed

tjansson@bohr:~$vncserver -kill :1

if the displaynumber is 1.

Only registered users can comment.

  1. I just discovered a much easier way to do this:

    tjansson@dirac:~$ vncviewer -via tjansson@foo.bar localhost:16

    This creates the tunnel by it self and saved the command needed to do the ssh tunnel ­čśÇ

    1. can you explain please I am all mixed up on which is which in the commands I want to reach a remote over wan windows 7 via vnc to the ip:port and do I use my username or the one for the remote server I have putty installed on the win 7 server and have port 22 open have had no luck with ssh tunnels I can do the above and connect fine without the ssh tunnel

      1. This is a command used at the Linux shell and do know is this is possible in putty. It might be possible in cygwin, but I haven’t tried as I do not use a Windows machine very often.

Leave a Reply