Remote access to the Linux desktop with SSL encryption: x11vnc + SSVNC client
In recent versions of the GNOME desktop there is software, Vino, that allows remote access to the desktop from a simple VNC client on any other operating system. Although it is simple to set up, it does not guarantee sufficiently strong encryption of the data; in fact we may be exposed (for technical reasons that I will not explain here) to man-in-the-middle attacks. For this reason I decided to show the configuration of a slightly more advanced VNC server and VNC client: x11vnc (server) and SSVNC (client), all topped off with an SSL tunnel that shelters us from prying eyes!
First, an introduction. The guide covers the installation of the server (x11vnc) on Debian Sid (the unstable release), but the procedure is the same for Ubuntu and other Debian-based distributions, with the appropriate changes to the commands that install the packages of interest. In addition, it is very important to remember that after you install the server you must open the VNC TCP port (5900 by default) on any firewall you may have installed on the server. Also, to be able to conveniently access it from the outside (i.e. from the Internet) you should consider a free subscription to a service like DynDNS or No-IP, which lets you have a hostname on the network for our ADSL connection. At this point I would say that we are ready to start.
- Installing and configuring the server: x11vnc + openssl
x11vnc and openssl are present in the Debian and Ubuntu repositories, so just type the usual apt-get command in a terminal, logged in as root:
# apt-get install x11vnc openssl
The openssl package is needed to create the encryption certificates used for the remote connections protected by SSL. The next step is to create the certificates that will be used for the subsequent connections. I chose the most secure method, i.e. the use of a Certification Authority (henceforth CA) to sign the various certificates. In this way we will be sure, on the client side, to be using the original certificate and not a counterfeit one. Let's proceed with the creation of the certificate and key of our CA (be careful: you have to type these commands as a normal user, not as root!)
$ x11vnc -sslGenCA
When you run the command above, you will see that it creates all the necessary directories in your user's home dir and then asks you to enter a passphrase. It is best to choose a long and difficult password and, if you are worried about forgetting it, start using some password management software such as the ones I have discussed on other occasions. After typing your passphrase, you will be prompted for all the information concerning our CA. I will give you a small example of what you'll see on the terminal and what I typed:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:U.S.
State or Province Name (full name) [mystate]:Italy
Locality Name (eg, city) []:Potenza
Organization Name (eg, company) [x11vnc server CA]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [zeno x11vnc server CA]:
Email Address [x11vnc@CA.nowhere]:
------------------------
Your public x11vnc CA cert is: /home/zeno/.vnc/certs/CA/cacert.pem
It may be copied to other applications, eg Web browser, Java
Applet keystore, or stunnel cfg, to use to verify signed server
or client certs, etc.
Your x11vnc CA private key is: /home/zeno/.vnc/certs/CA/private/cakey.pem
It will be used to sign the server or client certs, keep it secret.
------------------------
Now we are ready for the next step, namely creating the keys and certificates for the VNC server. So, again from the terminal and as a normal user, launch the following command:
$ x11vnc -sslGenCert server
You will have to answer some questions in a way very similar to the previous command. It is important that you set a PEM passphrase for the certificate and, when prompted, that you also enter the passphrase used earlier for the CA certificate. Here is a small example of what you will see on the terminal, where you have to act and enter the passphrase:
Do you want to protect the generated private key with a passphrase?
Doing so will significantly decrease the chances someone could steal
the key and pretend to be your x11vnc server. The downside is it is
inconvenient because you will have to supply the passphrase every
time you start x11vnc using this key.
Protect key with a passphrase? [y]/n
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
------------------------
Now signing the new key with CA private key. You will need to supply
the CA key passphrase and reply "y" to sign and commit the key.
Using configuration from /home/zeno/.vnc/certs/tmp/cnf.11234
Enter pass phrase for ./CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
So far we have created the keys and certificates that encrypt the connection; we will therefore find the following files in our home directory:
~/.vnc/certs/CA/cacert.pem -> the public certificate of our CA
~/.vnc/certs/CA/private/cakey.pem -> the private key of our CA
~/.vnc/certs/server.crt -> the public certificate of the VNC server
~/.vnc/certs/server.pem -> the private key + certificate of our VNC server
At this point we have to copy the file cacert.pem, by a secure method, onto the computer on which the VNC client will be used. Of course I leave it to you to decide how, but it is really imperative that this step is done in the safest way possible. Personally I transfer it via a USB stick or with scp. If you need to use the VNC client on another Linux machine you can copy the file into the home dir of the user who will launch the client (~/.vnc/certs/CA/cacert.pem). In addition, we must make sure that our CA's certificate is then actually used by the VNC client; in our case we will see how to do this with the SSVNC client.
We have not finished with the configuration of the server; the last step is missing, which consists of creating the password for accessing the server. In fact, in the current state of the configuration the server runs but does not require any password from the client, and therefore having the certificate is enough to get in. Obviously this is not very secure, and for this reason we set a password for accessing the server:
$ x11vnc -storepasswd
The command just typed returns the following prompt:
Enter VNC password:
Verify password:
Write password to /home/zeno/.vnc/passwd? [y]/n y
Password written to: /home/zeno/.vnc/passwd
Now the server is ready to be started. For this you can type the following command:
$ x11vnc -usepw -ssl SAVE -display :0
You will be prompted for the passphrase chosen when creating the server certificates (the server's, not the CA's!), and then the VNC server starts listening on port 5900. If we wish, we can start the server on a port other than the standard one by adding the following parameter to the start command:
-rfbport <port_number>
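Before starting the server it is worth checking that the files left behind by the commands above are really in place. The script below is an added example of mine, not code from the original post or from the x11vnc project; the file layout under ~/.vnc/certs and the "-usepw -ssl SAVE -display :0" start line come from the guide, the "-rfbport" and "-forever" options are the ones mentioned on this page, and the function names are my own. It verifies that the four files exist and actually begin with a PEM header (a file without one is what produces the "PEM_read_bio: no start line" error), that the two private keys are not readable by other users, and, when openssl is installed, that server.crt was really signed by our CA; it also prints the CA's SHA-256 fingerprint, which you can compare with the certificate SSVNC shows after "Fetch Cert".

```sh
#!/bin/sh
# Added example (not part of the original guide): sanity-check the x11vnc
# SSL files and assemble the start line.  Function names are my own;
# the paths and options are the ones used in the guide.

# Does a PEM file contain at least one "-----BEGIN ...-----" line?
# Without it x11vnc fails with "PEM routines:PEM_read_bio:no start line".
pem_has_start_line() {
    [ -f "$1" ] && grep -q -- '^-----BEGIN ' "$1"
}

# True when the file has no group/other permission bits (i.e. mode 600).
# Uses only POSIX find so it also works on a minimal system.
key_is_private() {
    [ -z "$(find "$1" -prune \( -perm -g+r -o -perm -g+w \
                               -o -perm -o+r -o -perm -o+w \) -print 2>/dev/null)" ]
}

# Check the layout produced by -sslGenCA and -sslGenCert server:
#   CERTDIR/CA/cacert.pem, CERTDIR/CA/private/cakey.pem,
#   CERTDIR/server.crt,    CERTDIR/server.pem
# Returns 0 only if every file is present, is PEM, and keys are mode 600.
check_vnc_certs() {
    dir=$1
    ok=0
    for f in CA/cacert.pem CA/private/cakey.pem server.crt server.pem; do
        p="$dir/$f"
        if ! pem_has_start_line "$p"; then
            echo "missing or not PEM: $p" >&2
            ok=1
        fi
    done
    for f in CA/private/cakey.pem server.pem; do
        p="$dir/$f"
        if [ -f "$p" ] && ! key_is_private "$p"; then
            echo "private key readable by others: $p (chmod 600 it)" >&2
            ok=1
        fi
    done
    return $ok
}

# Deeper check when openssl is available: confirm that server.crt really
# chains to our CA, then print the CA fingerprint for out-of-band comparison.
verify_vnc_chain() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found, skipping chain check" >&2; return 0; }
    openssl verify -CAfile "$dir/CA/cacert.pem" "$dir/server.crt" || return 1
    openssl x509 -in "$dir/CA/cacert.pem" -noout -fingerprint -sha256
}

# Assemble the start line from the guide.
#   $1 = display (":0"), $2 = port or "" for the default 5900,
#   $3 = "forever" to keep serving after the client disconnects, else "".
x11vnc_ssl_cmd() {
    cmd="x11vnc -usepw -ssl SAVE -display $1"
    [ -n "$2" ] && cmd="$cmd -rfbport $2"
    [ "$3" = forever ] && cmd="$cmd -forever"
    printf '%s\n' "$cmd"
}

# When run with a display argument, check everything and start the server:
#   sh vnc-ssl-start.sh :0 5432 forever
if [ -n "${1:-}" ]; then
    check_vnc_certs "$HOME/.vnc/certs" || exit 1
    [ -f "$HOME/.vnc/passwd" ] || { echo "run 'x11vnc -storepasswd' first" >&2; exit 1; }
    verify_vnc_chain "$HOME/.vnc/certs" || exit 1
    exec $(x11vnc_ssl_cmd "$1" "${2:-}" "${3:-}")
fi
```

The fingerprint printed by verify_vnc_chain is the value to write down before copying cacert.pem to the USB stick: if the certificate shown by the client later has a different fingerprint, the copy (or the server) is not the one you generated.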
We have finished with the server. Let's proceed with the installation of the client.
- Installing and using the SSVNC client
In reality the client does not need to be installed at all.
You can directly download the binaries available for Windows, Mac OS and Unix/Linux. We can grab the file from here. If you wish, you can get only the archive containing the binaries for the operating system of interest, or the one containing the client's source code, by going to this page. I decided to use SSVNC also because, after downloading all the binaries for the various operating systems onto a USB stick, we can access our desktop from any computer available in the world without installing anything!... For example from an Internet cafe in London... Obviously, be careful how you store the encryption certificates and do not lose the USB stick!
After downloading the file of interest, we unpack it; inside, if you downloaded the file from the first link I pointed out, we will find different folders for the different operating systems. We identify the one that interests us and start "ssvnc". We will find ourselves in front of this screen (the client was started on Win XP):
First click on the "Certs..." button, which opens the window for loading our server's SSL certificate into the client. Obviously, this certificate must previously have been copied to the computer where the client is started, exactly as explained earlier when we talked about the server configuration. Here is the screen of interest:
In the "ServerCert" row we have to load our certificate "cacert.pem". Once we have done that we can click on the "Done" button and return to the previous screen. Here we must first enter the IP address or hostname of the server in the appropriate line. You should find yourself with something like this:
If you want (it is not required), click on "Fetch Cert"
and the client will connect to the server and retrieve the certificate from it:
When you finish viewing the certificate, click on "Dismiss". This last step serves to check the consistency between the server's certificate and the certificate we just loaded manually, to detect whether the server certificate, or the one loaded manually on the client, has been compromised. This manual check can be avoided by leaving the "Verify all certs" option unchecked in SSVNC. Now I'd say it's time to start the VNC session itself. So, click on the "Connect" button and it will start trying to connect to the server:
If everything went well, in a few moments you will see the screen that asks for the password:
We enter the password chosen earlier and finally we are ready to use our remote desktop, protected by an encrypted SSL tunnel!
If you have questions, especially on how to access via the Internet and how to configure the NAT on your router, ask!
This post is addictive!
I was just doing my first experiments protecting with ssh the little vnc server at my home...
Just one question: if you do not want to use a CA (I use a vnc client on the iPhone, and passing it the certificate looks hard to me!) but a "simple" public/private key pair, what would change in the procedure?
@IPaco:
The entire section on creating the CA, of course, you should no longer follow. In fact, the procedure using a "simple" key pair is different and follows a path that creates a certificate on the fly (or permanently) without signing it with the CA's keys.
You do not need to launch the command "x11vnc -sslGenCA" and the following commands to create the certificates; you just have to start your VNC server with the command "x11vnc -usepw -ssl SAVE -display :0". This will create a certificate on the fly (only the first time; afterwards the server will always use the one created the first time).
Of course, before starting the server, create the password for accessing the VNC server!
Keep in mind one thing... I recommend using the SSVNC client also because it has stunnel "embedded". In fact, to access the VNC server using SSL you still need to create an SSL tunnel.
If you have further questions, do not hesitate to ask.
@IPaco:
I forgot to tell you.... watch out: with the procedure without the CA you are subject to man-in-the-middle attacks.
I know that you can also encrypt the connection with ssh; what differences (security and ease of use) are there?
@UTL:
Using an ssh tunnel is also an excellent solution. Obviously you need to configure the SSH server well, for example prevent direct access by the root user, install some software that bans brute-force access attempts (fail2ban is a good solution), in short, take care of some security aspects of the ssh server. In addition, when you want to start the VNC server you will need to tell SSH to create a tunnel with a special command, and some x11vnc options must be used to make it accessible by the clients!
Honestly, I prefer to use the method that I have described in
Once again it was really enlightening; this time it was of real help to me. Keep it up.
@Fabio:
thanks Fabio
I would like to ask why you chose SSL encryption to make an encrypted tunnel; by what criteria did you choose this encryption method instead of an ssh tunnel or openvpn?
I'm very curious about the reason, partly because I have never considered SSL technology; I have always used openvpn to connect to my home PC from another PC and openssh to make secure connections.
@Fabio:
Basically I chose SSL because it is, in fact, configured together with x11vnc. Obviously the use of a VPN is strategically the best choice from the security point of view, but it means having to configure OpenVPN first and then x11vnc.
On the choice of OpenSSH: that's fine if you must manage a server, but there are a number of risks inherent in securing OpenSSH (as demonstrated by the recent bug in Debian's openssh, known since 2006 and made public only in 2008) that, in my opinion, do not make ssh the best choice for use with VNC.
Beautiful, sooner or later I'll have to try it... for now I will stick with the vnc + ssh choice.
Hello, and thanks for the guide.. really very clear.
I did everything written in the guide, but a problem arose when starting x11vnc with the following command line: x11vnc -display :0 -forever -ssl SAVE -rfbauth /home/sercik/.vnc/passwd
the only difference is that I do not use the -usepw switch but -rfbauth.. the error message I get from this is
openssl_init: SSL_CTX_use_certificate_chain_file() failed.
ssl error: error:0906D06C:PEM routines:PEM_read_bio:no start line
Thanks again, I hope you can help
@Francesco:
The problem is with the SSL certificate. Verify that the SSL certificates are correctly installed. It is very likely that they are not being used in the correct manner.
Unfortunately I cannot reproduce your problem.
Hi, as I wrote earlier, your article is like a beacon in the fog for me. You don't know how many configuration problems I solved with it. I carry the SSVNC client on an encrypted mini MMC card, and from any PC I can access my home computer and check on it.
I was missing a function that I needed, namely transferring files with the same program. I had fixed it by installing another program, OpenSSH Server, plus WinSCP to transfer files. But for obvious security reasons I looked into whether a file transfer function was implemented in ssvnc and x11vnc, and I read that there is something and it is mentioned in PuTTY.
Do you know how to transfer files (even large files) with this pair of programs? It would be a great solution without installing an additional server and opening other ports.
Thank you. And keep writing great guides like this.
@Fabio:
Hello Fabio. First of all, please address me informally, as I do with you.
From memory, I recall that the latest versions of the servers and clients provide the ability to transfer files directly from the client... try looking for this feature!
Hello, a clarification: following your guide, the first time I connect from the client to the server it works.. if I do it a second time I have to restart the server, otherwise it will not let me connect; in short, even if I close the connection on the client side, the server appears hung. Am I doing something wrong? Can you help me? Greetings and thanks
@Francesco:
I see... how do you close the connection? Do you just close the client?
Hello,
I too have followed the guide step by step on Xubuntu, but when starting the server it gives me an error:
X Error of failed request: BadShmSeg (invalid shared segment parameter)
Some help?
@Alessandro:
Check if you have the directory "/home/your_user/.x11vncrc" and if so remove it and restart x11vnc
The directory is not present, but I solved the problem. The error was mine, in typing (display:0 instead of display :0).
I have more questions perc.
1) Is this method, in addition to being more secure, also slower than Vino or x11vnc without SSL encryption?
2) Is there a way to avoid having to log in to the server and run the command, and instead load the server as a service, loaded before login? So that if I have to reboot the server remotely I can reconnect.
3) Are other systems (Vino, XDMCP) much less secure than this?
Meanwhile, congratulations for the excellent guide, well done and very useful.
At the moment I have tried it from Windows clients; tomorrow I will try Linux as a client (are the steps the same?)
Thanks
Stefano,
your post is very nice. Better the SSL tunnel than SSH. I followed the procedure and everything seems to work. The only problem is that ssvnc (on a bootable USB key), while it starts with Ubuntu 8.10, does not manage to do the same thing in Ubuntu 9.04. In Windows all OK.
Can you help me solve this problem?
Thanks in advance.
@Luigi:
try starting ssvnc from the terminal and see what it gives you as output
Stefano,
I solved it. It was only necessary to install (with Synaptic) the dependency "tk8.5".
Anyway, thank you for your kindness.
A warm greeting.
Dear Stefano,
every time I come back to bother you.
How are you doing?
I had a doubt regarding the use of x11vnc as described in your article:
if I understand correctly, if the client computer does not have the cacert.pem certificate it cannot connect to the x11vnc server, is that right?
But this cacert.pem file is not password protected, in theory; that is, if someone gets hold of the cacert.pem file he can connect to your x11vnc server, even if he would have to know the password.
But then the real protection is the password? What need is there to do all this work with the certificates?
If it were possible it would be best to protect the public certificate cacert.pem with a password, like my bank does: it gives me a certificate to add to the browser, but at the time of import and export it also asks for my password.
Then, what if I wanted to automate the starting of x11vnc? It is currently impossible because of the password prompt for the server certificate, so it is not very convenient...
Hello and thanks again for everything
I'm sorry,
a small addition. I re-ran the command "x11vnc -sslGenCert server" and this time I did not set a passphrase; among other things, reading it properly, my problem was written right there: "If you then enter a password every time you start x11vnc...."
One thing I have therefore resolved: automatic start.
What do you think of the security of my solution?
Then I want to give a little advice to everyone!
It is very convenient to have the x11vnc server start automatically each time you log in to the Linux machine; then, if that machine is used as a server, as I do, you can set automatic login (I use gdm and just run gdmsetup as root) and then automatically run x11vnc. In this way all you have to do is turn on the Linux machine and you can connect to it via ssvnc from wherever you want.
With regard to autostarting x11vnc with the X server, depending on which DE is used, you will find information on the internet about how to run commands automatically at startup.
The line to be executed is:
x11vnc -usepw -ssl SAVE -display :0 -rfbport 5432 -forever &
I changed the default port to 5432 and added -forever, so x11vnc does not die when you close the connection from the client side and you can then connect from afar whenever you want.
CIAOOOOOOO
@Sercik:
Great!
Thanks for the tips!
Hello, I get an error when I try to connect; I use ubuntu as the server while another PC on the LAN uses XP, and I get a window that says exactly this: ReadExact: Socket error while reading. Can you give me a tip? Thank you so much for this very interesting guide..
@Marco
the error that you reported could happen when there are multiple instances of VNC running.
Check that the server does not have other clients connected
@Stefano:
I had no active connection to the server; you can see what happened on the server, maybe
you have an idea of what to do. I have one last thing to ask: from what I could understand
I can also connect to a PC outside my LAN
with this address, i.e. 192.168.1.25, which is the address of the server that passes through the created certificate
and copied to the client..
SSL handshake with helper process succeeded.
26/05/2010 13:14:34 other clients:
26/05/2010 13:14:34 Disabled X server key autorepeat.
26/05/2010 13:14:34 to force back on run: 'xset r on' (3 times)
26/05/2010 13:14:34 xdamage created object: 0x3e00035
26/05/2010 13:14:34 rfbProcessClientProtocolVersion: client gone
26/05/2010 13:14:34 client_count: 0
26/05/2010 13:14:34 Restored X server key autorepeat to: 1
26/05/2010 13:14:34 sending SIGTERM to ssl_helper_pid: 2218
26/05/2010 13:14:35 connect_once: invalid password or early disconnect.
26/05/2010 13:14:35 connect_once: waiting for next connection.
26/05/2010 13:14:35 Client 192.168.1.27 gone
26/05/2010 13:14:35 Statistics events Transmit / RawEquiv (saved)
26/05/2010 13:14:35 TOTALS: 0 | 0/0 (0.0%)
26/05/2010 13:14:35 Statistics events Received / RawEquiv (saved)
26/05/2010 13:14:35 TOTALS: 0 | 0/0 (0.0%)
26/05/2010 13:14:39 SSL: accept_openssl (OPENSSL_VNC)
26/05/2010 13:14:39 SSL spawning helper process to handle: 192.168.1.27:1549
26/05/2010 13:14:39 SSL: ssl_helper [2219]: SSL_accept () failed for: 192.168.1.27:1549
26/05/2010 13:14:39 SSL: accept_openssl: cookie from ssl_helper FAILED. 0
26/05/2010 13:14:39 xdamage destroyed object: 0x3e00035
@Marco: Then I saw that on the client side vnc uses port 5930; can you change it?
Thanks
First of all, congratulations for the very nice guide that makes us appreciate Linux more and more.
Getting to the point: after creating the SSL certificate on the server PC I cannot copy it to the USB stick
to bring it to the notebook; considering that my USB stick is /dev/scb1 at /media/7578-3CAE, I thought
of doing $ scp ~/.vnc/certs/CA/cacert.pem /media/7578-3CAR/ (but it gives me an error).
Could you give me a practical example of how to put the ssl public key of the server PC onto the USB stick and
from there into the other PCs to share the protected VNC. Greetings to all and see you soon.
@Lino:
$ cp ~/.vnc/certs/CA/cacert.pem /media/7578-3CAR/
and to copy it to the client?
right: $ scp /media/7578-3CAR/cacert.pem ~/.vnc/certs/CA/
Beautiful......... for someone taking the first steps it's fun! Hello and thank you for the patience; see you soon.
How do I understand from a terminal on the client whether I put the server's CA in the right place?
Even going into the .vnc folder and running $ ls -al I cannot understand
Meanwhile, my congratulations to you for the guide... then I wanted to ask if I can use only one (robust) password for everything... are there problems?
thanks,
You can also use a single password, but it is not recommended if you want to maintain high levels of security
Stefano,
I did it! Soon I want to try with a Windows client using the Cygwin "emulator".
Greetings and see you soon.
@Stefano:
Good day, I would be very interested in a way to access my home server via the internet; I am a neophyte to ubuntu and I am not able to configure openvpn correctly. Is there a way to access remotely via VNC (not on the same network), perhaps in a manner analogous to LogMeIn on Windows???
Many thanks in advance for the help
Andrea