
Remote access to the Linux desktop with SSL encryption: x11vnc + SSVNC client

The latest versions of the GNOME desktop include software that allows remote access to the desktop with a simple VNC client from any other operating system: I'm talking about Vino. Although it is easy to set up, it does not guarantee sufficiently strong encryption of the data; in fact we may be exposed (for technical reasons that I will not explain here) to man-in-the-middle attacks. For this reason I decided to show the configuration of another VNC server and a slightly more advanced VNC client: x11vnc (server) and SSVNC (client), all topped off with an SSL tunnel that shelters us from prying eyes!

First, an introduction. The guide covers the installation of the server (x11vnc) on Debian Sid (the unstable release), but the procedure is the same for Ubuntu and other Debian-based distributions, with the appropriate changes to the commands that install the packages of interest. In addition, it is very important to remember that after you install the server you must open the VNC TCP port (5900 by default) on any firewall you have installed on the server. Also, to be able to conveniently access it from the outside (i.e. from the Internet) you should consider a free subscription to a service such as DynDNS or No-IP, which lets you have a host name on the network for your connection. At this point I would say we are ready to start.

  1. Installing and configuring the server: x11vnc + openssl

x11vnc and openssl are present in the Debian and Ubuntu repositories, so you can type the usual apt-get command in a terminal logged in as root:

# apt-get install openssl x11vnc

The openssl package is needed to create the encryption certificates used for remote connections protected by SSL. The next step is to create the certificates used for subsequent connections. I chose the most secure method, that is, using a Certificate Authority (hereafter CA) to sign the various certificates. In this way the client can be sure it is talking to the genuine server and not a counterfeit one. Let's create the certificate and key for our CA (be careful: type these commands as an ordinary user, not as root!):

$ x11vnc -sslGenCA

When you run the command shown above, it creates all the necessary directories in your user's home directory and then prompts you for a passphrase. It is a good idea to choose a long, difficult password, and if you are afraid of forgetting it, start using some password-management software like those I have discussed on other occasions. After you type the passphrase, you will be asked for all the information about our CA. Here is a small sample of what you will see on the terminal and what I typed:

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [mystate]: Italy
Locality Name (eg, city) []: Power
Organization Name (eg, company) [x11vnc CA server]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [zeno x11vnc CA server]:
Email Address [x11vnc@CA.nowhere]:

------------------------
Your public x11vnc CA cert is:

/home/zeno/.vnc/certs/CA/cacert.pem

It may be copied to other applications, eg Web browser, Java
Applet keystore, or stunnel cfg, to use to verify signed server
or client certs, etc.

Your x11vnc CA private key is:

/home/zeno/.vnc/certs/CA/private/cakey.pem

It will be used to sign the server or client certs, keep it secret.
------------------------

We are now ready to proceed to the next step, namely creating the keys and certificates for the VNC server. Then, again from the terminal and as an ordinary user, we run the following command:

$ x11vnc -sslGenCert server

You will have to answer some questions in a manner very similar to the previous command. It is important that you enter a PEM passphrase for the certificate and that, when asked, you also enter the passphrase used previously for the CA certificate. Here is a small sample of what you will see on the terminal and where you will be asked for the passphrases:

Do you want to protect the generated private key with a passphrase?
Doing so will significantly decrease the chances someone could steal
the key and pretend to be your x11vnc server. The downside is it is
inconvenient because you will have to supply the passphrase every
time you start x11vnc using this key.

Protect key with a passphrase? [y]/n
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

------------------------
Now signing the new key with the CA private key. You will need to supply
the CA key passphrase and reply "y" to sign and commit the key.

Using configuration from /home/zeno/.vnc/certs/tmp/cnf.11234
Enter pass phrase for ./CA/private/cakey.pem:
Check that the request matches the signature
Signature ok

So far we have created the keys and certificates to encrypt the connection and, therefore, we will find ourselves with the following files in our home directory:

~/.vnc/certs/CA/cacert.pem -> the public certificate of our CA
~/.vnc/certs/CA/private/cakey.pem -> the private key of our CA
~/.vnc/certs/server.crt -> the public certificate of the VNC server
~/.vnc/certs/server.pem -> the private key + certificate of our VNC server

At this point, we have to copy the file cacert.pem securely to the PC on which we will use the VNC client. Of course I leave it to you to decide how, but it really is essential that this step is done in the safest way possible. Personally I transfer it via a USB stick or by using scp. If you need to use the VNC client on another Linux machine, you can copy the file to the home directory of the user who will launch the client (~/.vnc/certs/CA/cacert.pem). Moreover, we must make sure that our CA's certificate is then used by the VNC client we will use; in our case we will see how to proceed with the SSVNC client.

We have not yet finished with the server configuration: the last step is missing, which is to create the password to access the server. In fact, in the current state of the configuration the server is operational but does not require the client to use a password to access it; therefore, obtaining the certificate is sufficient. Obviously this is not very safe, and for this reason we set a password to access the server:

$ x11vnc -storepasswd

The command just typed returns the following prompt:

Enter the VNC password:
Verify password:
Write password to /home/zeno/.vnc/passwd? [y]/n y
Password written to: /home/zeno/.vnc/passwd

Now the server is ready to be started. To do this we can type the following command:

$ x11vnc -usepw -ssl SAVE -display :0

You will be prompted for the passphrase chosen when creating the server's certificate (the server's, not the CA's!) and then the VNC server will start and listen on port 5900. If you want, you can start the server on a port other than the standard one by adding the following parameter to the start command:

-rfbport <port_number>

We are done with the server. Let's proceed with the installation of the client.

  2. Installation and use of the SSVNC client

Actually, unlike the server, the client does not need to be installed :) You can directly download the binaries available for Windows, Mac OS and Unix/Linux. We can get the file from here. If you prefer, you can get the files containing only the binaries for the operating system of interest, or those containing the client's source code, by going to this page. I decided to use SSVNC also because, by downloading all the binaries for the various operating systems onto a USB stick, you can access your desktop from any computer available in the world without having to install anything!... even, for example, in an Internet cafe in London... Of course, be careful where you store the encryption certificates, and don't lose the USB stick!

After downloading the file of interest, we need to unpack it; inside, having downloaded the file from the first link I mentioned, we will find different folders for the different operating systems. We pick the one that interests us and start "ssvnc". We will be greeted by this screen (the client was started on Win XP):

[Screenshot: ssvnc main window]

First click on the "Certs ..." button, which opens the window where we load the SSL certificate from our server into the client. Of course, this certificate must previously have been copied to the computer where you start the client, exactly as explained when we discussed the server configuration. Here is the screen:

[Screenshot: ssvnc certs window]

In the row for "ServerCert" we have to load our certificate "cacert.pem". Once done, we can click on "Done" and return to the previous screen. Here we must first enter the IP address or host name of our server in the line. You should find yourself with something like this:

If you want (it is not mandatory!), click the "Fetch Cert" button, and the client will connect to the server and retrieve the certificate from the server:

When you finish viewing the certificate, click on "Dismiss". This last step checks the consistency between the server certificate and the certificate we just loaded manually, to make sure that neither the server certificate nor the one loaded manually on the client has been compromised. This manual check can be avoided by leaving the SSVNC option "Verify all certs" unchecked. Now I'd say it's time to start the VNC session itself, so click on the "Connect" button and it will start trying to connect to the server:
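To make the two checks above concrete (the files listed after the -sslGenCert step, and the comparison between the server certificate and our CA certificate), here is an added example written for this page; it is not code from the original post nor from x11vnc. It reproduces with plain openssl the kind of files "x11vnc -sslGenCA" and "x11vnc -sslGenCert server" generate, then shows the verification that matters: a server certificate is accepted only if it chains to our CA, which is exactly what a counterfeit server cannot satisfy; it also computes a fingerprint to compare with what "Fetch Cert" displays, and checks that the secret key files are readable by their owner alone. The directory names, the subject fields and the unencrypted demo keys are assumptions for this example; x11vnc's real layout is the one listed earlier (~/.vnc/certs/...), and its keys are passphrase-protected.

```shell
#!/bin/sh
# Added example, not code from the original post or from x11vnc itself.
# Reproduces with plain openssl what "x11vnc -sslGenCA" and
# "x11vnc -sslGenCert server" set up, then performs the checks the client side
# relies on. File and directory names are assumptions for this demo.
set -eu
umask 077   # key files we create are readable by their owner only

# Create a CA (private key + self-signed certificate) in directory $1.
# The demo key is unencrypted; x11vnc -sslGenCA asks for a PEM passphrase.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" \
        -subj "/C=US/ST=Italy/O=demo x11vnc CA/CN=demo x11vnc CA" >/dev/null 2>&1
}

# Create a server key and CSR in $1 and have the CA in $2 sign the CSR.
make_server_cert() {
    mkdir -p "$1"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/ST=Italy/O=demo x11vnc/CN=demo x11vnc server" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -CA "$2/cacert.pem" -CAkey "$2/cakey.pem" -CAcreateserial \
        -out "$1/server.crt" >/dev/null 2>&1
    # x11vnc keeps key and certificate together in server.pem; same layout here
    cat "$1/server.key" "$1/server.crt" > "$1/server.pem"
}

# Succeed only if server certificate $2 chains to CA certificate $1.
# A server presenting a certificate our CA never signed fails here.
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of certificate $1: compare the value "Fetch Cert" shows
# with the one computed on the copy you carried over yourself.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if file $1 is accessible by its owner alone (no group/other
# bits), which is how cakey.pem and server.pem should be kept.
check_secret_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo run: our CA, a server it signed, and a server signed by some other CA
WORK=$(mktemp -d)
make_ca "$WORK/CA"
make_server_cert "$WORK/srv" "$WORK/CA"
make_ca "$WORK/otherCA"                  # a CA we do not trust
make_server_cert "$WORK/other" "$WORK/otherCA"

verify_server_cert "$WORK/CA/cacert.pem" "$WORK/srv/server.crt" \
    && echo "server cert signed by our CA: accepted"
verify_server_cert "$WORK/CA/cacert.pem" "$WORK/other/server.crt" \
    || echo "server cert signed by another CA: rejected"
echo "our CA cert fingerprint: $(cert_fingerprint "$WORK/CA/cacert.pem")"
check_secret_perms "$WORK/CA/cakey.pem" \
    && echo "cakey.pem is readable by its owner only"
```

The same verify_server_cert call, pointed at the cacert.pem you carried to the client and at the certificate the client fetched from the server, is the consistency check this step of the guide performs through the GUI; the fingerprint line gives you a short value to compare by eye when the two files live on different machines.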

If everything went well, in a few moments we will see the screen that asks for the password:

Enter the password you chose earlier and finally we are ready to use our remote desktop, protected by a secure connection through an SSL tunnel! :D

If you have any questions, especially on how to access the Internet and how to configure NAT on your router, ask!



  1. August 28, 2008 at 11:58 | # 1

    This post comes right on cue!

    I was just doing my first experiments to protect with ssh the little vnc server of my home...

    Just one question: if I did not want to use a CA (using a VNC client on an iPhone, passing it the certificate looks hard to me!) but a "simple" public/private key pair, what would change in the procedure?

  2. stefano
    August 28, 2008 at 12:21 | # 2

    @ IPaco:
    The whole part concerning the creation of the CA, of course, you should no longer follow. In fact, the procedure using a "simple" key pair is different and follows a path that creates a certificate on the fly (or permanently) without signing it with the CA's keys.

    You must not run the command "x11vnc -sslGenCA" and the following commands to create the certificates; instead you have to start your vnc server with the command "x11vnc -usepw -ssl SAVE -display :0". This will create a certificate on the fly (only the first time; afterwards the server will always use the same one created the first time ;) ). Obviously, before you start the server, create the access password for the VNC server!

    Keep in mind one thing... I recommended using the SSVNC client also because it has stunnel "embedded". In fact, to access the VNC server using SSL you still have to create an SSL tunnel ;)

    If you have further questions do not hesitate to ask :)

  3. stefano
    August 28, 2008 at 24:26 | # 3

    @ IPaco:
    I forgot to tell you.... watch out: with the procedure without the CA you are subject to man-in-the-middle ;)

  4. UTL
    August 28, 2008 at 16:09 | # 4

    I know you can encrypt the connection with ssh; what differences (security, and ease of use) are there?

  5. stefano
    August 28, 2008 at 16:35 | # 5

    @ UTL:
    Using an ssh tunnel is also an excellent solution. Obviously you need to configure the SSH server well and, for example, prevent direct access by the root user, install some software that bans brute-force access attempts (fail2ban is a good software solution), and then take care of certain security aspects of the ssh server. Also, when you want to start the VNC server you must tell SSH to create the tunnel with a special command, and some x11vnc options should be used to make it reachable by the client!

    Honestly I prefer to use the method I have described in the article :)

  6. Fabio
    August 29, 2008 at 13:29 | # 6

    Once again it was really enlightening; this time it was of real help. Keep it up.

  7. stefano
    August 29, 2008 at 15:07 | # 7

    @ Fabio:
    thanks Fabio :)

  8. Fabio
    September 9, 2008 at 13:59 | # 8

    I would like to ask why you chose SSL encryption for the encrypted tunneling, with what criteria you chose this encryption method, and not instead an ssh tunnel or OpenVPN?

    I'm very curious about the reason, because I never consider SSL technology; I increasingly use openvpn to connect to my home PC from another PC and openssh to make secure connections.

  9. stefano
    September 11, 2008 at 13:53 | # 9

    @ Fabio:
    basically I chose ssl because it is configured, in fact, together with x11vnc. Obviously using a VPN is strategically the best choice from the security point of view, but it means having to configure OpenVPN first and then x11vnc.
    On the choice of OpenSSH: it's great if you have to manage a server, but there are a number of risks inherent in the security of OpenSSH (as demonstrated by the recent bug in openssh on debian, known since 2006 and published only in 2008) that, I think, do not make ssh the best choice for use with VNC

  10. October 10, 2008 at 11:47 | # 10

    Beautiful; sooner or later I'll have to try it... for now I will stick with the vnc + ssh choice.

  11. francis
    November 2, 2008 at 17:17 | # 11

    Hello, and thanks for the guide... really very clear.
    I did everything written in the guide, but a problem arose when starting x11vnc with the following command line: x11vnc -display :0 -forever -ssl SAVE -rfbauth /home/sercik/.vnc/passwd

    the only difference is that I do not use the -usepw switch but -rfbauth... the error message it gives me is this

    openssl_init: SSL_CTX_use_certificate_chain_file() failed.
    ssl error: error:0906D06C:PEM routines:PEM_read_bio:no start line

    Thanks again, I hope you can help me

  12. stefano
    November 5, 2008 at 16:07 | # 12

    @ Francis:
    The problem is related to the SSL certificate. Check that the SSL certificates are installed properly. It is highly likely that they are not being used in the correct way.
    Unfortunately I cannot reproduce your problem :(

  13. Fabio
    November 23, 2008 at 16:03 | # 13

    Hi, as I wrote earlier, your article is like a beacon in the fog for me. You don't know how many configuration problems I have solved. I carry the SSVNC client on an encrypted mini MMC card, and from every PC I can access my home computer and check on it.

    I was lacking one function that I needed, that is, file transfer with the same program. I solved it by installing another program, the OpenSSH server, plus WinSCP to transfer files. But for obvious security reasons I looked into whether a file transfer function was implemented in ssvnc and x11vnc, and I have read that there is something and it mentions PuTTY.

    Do you know how to transfer files (large files too) with the procedure you used in this guide? It would be a good solution without installing an additional server and opening other ports.

    Thank you. And keep writing great guides like this.

  14. stefano
    November 23, 2008 at 16:26 | # 14

    @ Fabio:
    Hello Fabio. First, please use the informal "tu" with me, as I do with you :)

    I recall that the latest versions of the server and client provide the ability to transfer files directly from the client... try looking for this feature!

  15. Francis
    March 2, 2009 at 12:36 | # 15

    Hello, a clarification: following your guide, the first time I connect from the client to the server it works... if I do it a second time I have to restart the server, otherwise it does not let me connect. In short, even if I close the connection on the client side, the server appears hung. Did I miss something? Can you help me? Greetings and thanks

  16. stefano
    March 7, 2009 at 20:14 | # 16

    @ Francis:
    I see... how do you close the connection? Do you simply close the client?

  17. Alexander
    March 23, 2009 at 21:33 | # 17

    Hello,

    I too have followed the whole guide step by step on Xubuntu, but when starting the server it gives me an error:

    X Error of failed request: BadShmSeg (invalid shared segment parameter)

    Some help?

  18. stefano
    March 24, 2009 at 00:07 | # 18

    @ Alessandro:
    Check if you have the directory "/home/tuo_utente/.x11vncrc"; if so, remove it and restart x11vnc

  19. Alexander
    March 25, 2009 at 21:33 | # 19

    The directory is not present, but I solved the problem. The error was my typing (display: 0 instead of display: 0).

    I have a few more questions.
    1) Is this method, besides being safer, also slower than Vino or x11vnc without SSL encryption?
    2) Is there a way to avoid having to log in to the server and run the command, and instead load the server as a service, loaded before login? So that if I have to restart the remote server I can reconnect.
    3) Are the other systems (Vino, XDMCP) much less secure than this?

    Meanwhile, compliments for the excellent guide, well done and very useful.
    For now I tried the Windows client; tomorrow I'll try from a Linux client (are the steps the same?)
    Thanks

  20. Louis
    September 7, 2009 at 7:45 | # 20

    Stefano,
    Your post is very nice. Better the SSL tunnel than SSH. I followed the procedure and everything seems to work. The only problem is that ssvnc (on a bootable USB pen) starts fine with Ubuntu 8.10 but fails to do the same thing in Ubuntu 9.04. In Win all OK.

    Can you help me solve the problem?

    Thanks in advance.

  21. stefano
    September 7, 2009 at 18:32 | # 21

    @ Louis:
    try starting ssvnc from the terminal and see what it gives you as output ;)

  22. September 7, 2009 at 22:08 | # 22

    Stefano,

    I solved it. It was only necessary to install (with Synaptic) the dependency "tk8.5".
    Anyway thanks for the kindness.
    Best wishes.

  23. sercik
    November 12, 2009 at 10:18 | # 23

    Dear Stefano,
    every time I come back to bother you.
    How are you doing?
    I had a doubt regarding the use of x11vnc as described in your article:
    if I understand correctly, if the certificate cacert.pem is not present on the client computer you cannot connect to the x11vnc server, is that right?
    But this cacert.pem file is not protected by a password, so in theory if someone gets hold of the cacert.pem file they can connect to your x11vnc server, even if they would have to know the password.

    But then the real protection is the password? What need is there to do all this work with certificates?

    If it were possible, it would be best to protect the public certificate cacert.pem with a password, like my bank does: it gives me a certificate to add to the browser, but at import and export time it asks me for a password.

    Then, what if I wanted to automate the startup of x11vnc? At the moment it is impossible because of the password prompt for the server certificate, so it is not very convenient...

    Hello and thank you again for everything

  24. sercik
    November 12, 2009 at 10:35 | # 24

    Sorry,
    a small addition. I re-ran the command x11vnc -sslGenCert server and this time I did not enter a password; among other things, it stated exactly my problem: "if you type a password you'll have to then put it every time you start x11vnc...."
    One thing I have therefore resolved: automatic start.
    What do you think of the security of my solution?

    Then a little advice I want to give everyone!

    It is very convenient to start the x11vnc server automatically every time you log in to the linux machine; then, if that machine is used as a server, as I do, you can set automatic login (I use gdm and just run gdmsetup as root) and then run x11vnc automatically. This way all you have to do is turn on the linux machine, and then you can connect to it via ssvnc from wherever you want.

    As for the automatic start of x11vnc with the X server, whichever DE is used, on the internet you will find information on how to run commands automatically at startup.

    The line to run is:
    x11vnc -usepw -ssl SAVE -display :0 -rfbport 5432 -forever &

    I have changed the default port to 5432 and added -forever, so x11vnc does not die when you close the connection from the client side, and then you can connect from afar whenever you want.

    Ciaooooooo

  25. stefano
    November 12, 2009 at 16:19 | # 25

    @ Sercik:
    Great!
    Thanks for the tips!

  26. Mark
    May 26, 2010 at 24:56 | # 26

    Hello, I get an error when I try to connect; I use Ubuntu as a server while on another PC in the LAN I use xp, and I get a window that says exactly this: "ReadExact: socket error while reading". Would you give me a pointer? Thanks for this very interesting guide..

  27. stefano
    May 26, 2010 at 14:41 | # 27

    Marco
    the error you reported could happen when there are multiple instances of VNC running.
    Check that the server does not have other clients connected :)

  28. Mark
    May 26, 2010 at 18:40 | # 28

    @ Stefano:
    I had no active connection to the server; I'll post here what happened on the server, maybe you can get an idea. I have one last thing to ask: from what I can gather,
    I can also connect to a PC outside my lan
    with this address, or 192.168.1.25, which is the address of the server, that passes through the certificate created
    and copied to the client..

    SSL handshake with helper process succeeded.
    26/05/2010 13:14:34 other clients:
    26/05/2010 13:14:34 Disabled X server key autorepeat.
    26/05/2010 13:14:34 to force back on run: 'xset r on' (3 times)
    26/05/2010 13:14:34 xdamage created object: 0x3e00035
    26/05/2010 13:14:34 rfbProcessClientProtocolVersion: client gone
    26/05/2010 13:14:34 client_count: 0
    26/05/2010 13:14:34 Restored X server key autorepeat to: 1
    26/05/2010 13:14:34 sending SIGTERM to ssl_helper_pid: 2218
    26/05/2010 13:14:35 connect_once: invalid password or early disconnect.
    26/05/2010 13:14:35 connect_once: waiting for next connection.
    26/05/2010 13:14:35 Client 192.168.1.27 gone
    26/05/2010 13:14:35 Statistics events Transmit / RawEquiv (saved)
    26/05/2010 13:14:35 TOTALS: 0 | 0/0 (0.0%)
    26/05/2010 13:14:35 Statistics events Received / RawEquiv (saved)
    26/05/2010 13:14:35 TOTALS: 0 | 0/0 (0.0%)
    26/05/2010 13:14:39 SSL: accept_openssl (OPENSSL_VNC)
    26/05/2010 13:14:39 SSL: spawning helper process to handle: 192.168.1.27:1549
    26/05/2010 13:14:39 SSL: ssl_helper [2219]: SSL_accept () failed for: 192.168.1.27:1549
    26/05/2010 13:14:39 SSL: accept_openssl: cookie from ssl_helper FAILED. 0
    26/05/2010 13:14:39 destroyed xdamage object: 0x3e00035

  29. Mark
    May 27, 2010 at 7:10 | # 29

    @ Mark: Then I saw that on the client side vnc uses port 5930; can you change it?
    Thanks

  30. Linen
    September 2, 2010 at 15:14 | # 30

    First of all, congratulations for the very nice guide that makes us appreciate Linux more and more.
    Mind you, after creating the SSL certificate on the server PC I cannot copy it to a USB drive
    to bring it to the notebook; since my USB drive is /dev/SCB1 /media/7578-3CAE I thought
    of doing $ scp ~/.vnc/certs/CA/cacert.pem //media/7578-3CAR/ (but it gives me an error).

    Could you give me an example of how to put the ssl public key from the server PC onto the USB stick and
    then onto the other PC, to share the protected VNC. Greetings to all and see you soon.

  31. stefano
    September 2, 2010 at 15:52 | # 31

    Lino:

    $ cp ~/.vnc/certs/CA/cacert.pem /media/7578-3CAR/

  32. Linen
    September 3, 2010 at 23:08 | # 32

    and to copy it to the client?
    is this right: $ scp /media/7578-3CAR/cacert.pem ~/.vnc/certs//CA/

    ......... The nice thing is that while taking the first steps you have fun! Hello and thank you for the patience; see you soon.

  33. Linen
    September 5, 2010 at 24:44 | # 33

    How do I figure out from the client terminal whether I have put the server CA in the right place?

    While entering the .vnc folder and running $ ls -al I cannot understand

  34. maximum
    September 9, 2010 at 4:20 | # 34

    Meanwhile, my compliments for the guide... then I wanted to ask if I can use a single (robust) password for everything... are there problems?

  35. stefano
    September 9, 2010 at 13:42 | # 35

    Thanks,

    You can also use a single password, but it is not recommended if you want to maintain high levels of security ;)

  36. Linen
    September 13, 2010 at 22:31 | # 36

    Stefano,
    I did it! Soon I want to try a Windows client using the Cygwin "emulator".

    Greetings and see you soon.

  37. Andrea
    March 4, 2011 at 9:24 | # 37

    @ Stephen:
    Good day, I would be very interested in a way to access my home server via the Internet; I am a newcomer to ubuntu and I am not able to configure openvpn properly. Would there be a way to access it remotely via VNC (not on the same network), in a manner perhaps analogous to that of LogMeIn on Windows???

    Many thanks in advance for the help

    Andrea
