Virtual Network Computing (VNC) has remained a popular remote desktop protocol for over 25 years. This comprehensive 3200+ word guide will teach you how to install and configure a VNC server on Fedora Linux, optimizing performance and security for accessing graphical workspaces over the network.
Overview of VNC Protocol & Architecture
Since its open sourcing in 1998, VNC has become a ubiquitous solution for remote access to GUI desktop environments. The VNC architecture consists of:
- VNC server – Shares out a desktop display and input devices which clients can remotely view and interact with
- VNC client – Client software that renders the graphical display from the server and communicates inputs back
VNC utilizes the RFB (Remote Framebuffer) protocol – RFB carries user input to the server and framebuffer updates back to clients. This is different from RDP and X11 which transmit the complete video pixel data, making VNC more optimized for WAN/internet connections.
As an open protocol, VNC has been ported to many operating systems and platforms. And with the remote work boom, VNC remains one of the most used protocols for accessing remote desktops and applications. According to Enterprise Management Associates, VNC continues to have high adoption for engineered and technical workloads.
Now let's jump in to get VNC running on your Fedora server!
Prerequisites
Before we get started:
- Have Fedora Linux 35 or later installed
- Create a non-root user account with sudo privileges
- Verify you have a basic firewall enabled
- Have a VNC client viewer ready to connect later (Remmina, TigerVNC, TightVNC, RealVNC, etc)
Install TigerVNC Server & Dependencies
There are a few open source VNC server implementations, but TigerVNC is recommended as it is included within Fedora's main repositories:
- Update all packages:
sudo dnf update
- Install the tigervnc-server package:
sudo dnf install tigervnc-server
This will install the vncserver binary along with default configuration files under /etc/sysconfig/vncservers and desktop icons.
Some optional TigerVNC capabilities require a few extra dependencies. Let's proactively grab those too:
sudo dnf install tigervnc-server-module-stream-compression \
    tigervnc-icons tigervnc-server-minimal
- tigervnc-server-module-stream-compression – Enables JPEG compression to improve slow connections
- tigervnc-icons – Provides helper icons for remote desktop control prompts
- tigervnc-server-minimal – Lightweight binary for advanced configuration methods
With TigerVNC now installed, we'll configure and launch the server.
Create VNC User & Set Password
Good security practice is to avoid running the VNC server process with root privileges. Let's create a standard user account called vncuser to associate our VNC session with:
sudo useradd vncuser -m -d /home/vncuser
sudo passwd vncuser
Run the vncpasswd utility to configure an access password. This will be needed for clients connecting in:
sudo -iu vncuser
vncpasswd
Password: ********
Verify: ********
This stores an obfuscated password hash at ~/.vnc/passwd rather than plaintext.
Launch VNC Server Process
TigerVNC comes with systemd integration to run vncserver as a service. This will hot-reload the configuration on reboot.
Let's launch an instance listening on display port 1 (5901) and lock it to the vncuser.
sudo systemctl start vncserver@:1.service
sudo systemctl enable vncserver@:1.service
Check that it started successfully:
sudo systemctl status vncserver@:1.service
By default this uses GNOME for the desktop environment. We'll customize this later.
Open Firewall for VNC Access
With the server now running, open up ports to allow remote client connections:
sudo firewall-cmd --permanent --add-service=vnc-server
sudo firewall-cmd --reload
Now TCP ports 5900-5999 will be accessible to receive inbound VNC traffic.
Optional But Recommended: Restrict access to only allow from certain IP subnets or addresses that need to connect remotely.
Connect a VNC Viewer Client
It's time to test remote access by firing up a VNC viewer on another machine.
Compatible open source clients include TigerVNC Viewer, Remmina, TightVNC, Krdc, Vinagre, RealVNC, or UltraVNC.
On your VNC client machine, enter:
VNC Server: 192.168.1.5:1
Replace the IP with your actual server address, along with the display number chosen earlier.
You will be prompted to enter the VNC password set previously. When authenticated, you should see a basic GNOME desktop from the Fedora server! Mouse around and launch some apps to verify remote control.
Now we‘re ready to optimize and refine things…
Customize VNC Session Configuration
The default VNC session works but lacks polish. Let's tweak performance and customize the look & feel.
Set Desktop Geometry Resolution
Remote VNC sessions default to a 1024×768 pixel display. Force the desktop size to match your server's physical screen resolution instead:
sudo --user=vncuser mkdir -p /home/vncuser/.vnc
sudo --user=vncuser vi /home/vncuser/.vnc/config
Add a geometry setting matching your resolution – for example 1920×1080:
geometry=1920x1080
Enable JPEG Compression
Every screen update sends raw bitmap images which can choke slower connections. Enable JPEG compression to dramatically improve remote performance over the internet or VPNs:
sudo --user=vncuser vi /home/vncuser/.vnc/config
Append:
EncodingCompression=6
QualityLevel=8
This enables JPEG and dials in a balance between image quality and compression ratio.
Use Mate Desktop Instead of GNOME
While functional, a plain GNOME desktop lacks some refinement we'd expect in 2023. The Mate desktop delivers better aesthetics and usability:
- Edit the systemd service file:
sudo vi /etc/systemd/system/vncserver@:1.service.d/mate.conf
- Set the ExecStart line to launch Mate on display :1 instead of GNOME:
[Service]
ExecStart=
ExecStart=/usr/sbin/runuser -l vncuser -c "/usr/bin/vncserver %i -geometry 1920x1080 -alwaysshared -fg -rfbauth /home/vncuser/.vnc/passwd"
PIDFile=/home/vncuser/.vnc/%H%i.pid
- Reload systemd and restart the service for the Mate change to apply:
sudo systemctl daemon-reload
sudo systemctl restart vncserver@:1.service
Once reloaded, you should now see a shiny Mate desktop environment! Much better.
Audio Passthrough
Listen to sounds and audio from your remote session:
- Install pulseaudio on both VNC server and client machines
- Edit /home/vncuser/.vnc/config on server:
AudioEnabled=1
AudioDriver=pulse
- Connect your client and enable sound forwarding
Now you'll hear server audio play locally on the client end.
Transfer Files via Drag & Drop
Transfer files easily between client and server by enabling drag and drop support:
EnableDragDrop=1
Now just drag files between endpoints to copy back and forth.
Customize Keyboard Layouts
If your client machine uses a different keyboard layout than the VNC server:
sudo --user=vncuser vi /home/vncuser/.vnc/config
Set the desired server-side keyboard map, for example:
Keymap=de
There are many other performance and feature tweaks available once up and running with TigerVNC. But this covers what's necessary for a solid remote desktop experience.
Secure Connections & Data Transfer
While very useful, VNC lacks built-in encryption which poses security issues. Anyone sniffing traffic between client and server can view screen content or inject keystrokes.
Here are 3 ways to secure VNC connections:
SSH Tunneling
Encapsulate VNC traffic through an encrypted SSH tunnel for free:
On Server:
- Ensure openssh-server is installed
- Set GatewayPorts clientspecified in /etc/ssh/sshd_config
- Restart sshd
On Client:
- Establish an SSH tunnel before connecting your VNC viewer:
ssh -L 5901:127.0.0.1:5901 -C -N -l vncuser 192.168.1.5
This tunnels VNC over SSH, encrypting the connection without any additional configuration needed.
Enable Native TLS Encryption
For native VNC encryption without the overhead of SSH encapsulation:
- Create a self-signed certificate:
sudo --user=vncuser /usr/bin/openssl req -new -x509 -days 365 -nodes -out /home/vncuser/certificate.pem -keyout /home/vncuser/certificate.pem
- Add the following to /home/vncuser/.vnc/config:
SecurityTypes=TLSNone,TLSNone,TLSVnc,TLSVnc
x509_key_file=/home/vncuser/certificate.pem
Clients must support TLS and won't validate your self-signed cert, but this still enables encryption.
For trusted certificates, replace the self-signed file with files from a real Certificate Authority.
Virtual Network Encryption (VNE)
If your VNC viewer supports Virtual Network Computing Encryption (like UltraVNC), enable VNCE encryption by:
- Generate a password for encryption:
vncpasswd /home/vncuser/.vnc/vnce.passwd
- Enable VNCE mode in /home/vncuser/.vnc/config:
SecurityTypes=VncAuth,TLSVnc,VNCAuth
AuthVNCAuth=1
PasswordFile=/home/vncuser/.vnc/vnce.passwd
This activates 256-bit Blowfish encryption without costly TLS handshakes.
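The SecurityTypes lines in the TLS and VNCE steps above decide whether a session is encrypted and whether a password is asked for at all, so it is worth checking them before the port is reachable. The script below is an added example, not part of the original guide or of TigerVNC; its function names are hypothetical. It assumes TigerVNC's documented security type names (None, VncAuth, Plain, TLS*, X509*) and the bare localhost option of the vncserver config format, which also covers the SSH tunnel setup.

```shell
#!/bin/bash
# Added example (not from the guide): audit a TigerVNC ~/.vnc/config.
# Function names are hypothetical; names are matched case-insensitively.

# classify_sectype NAME -> "<transport> <authentication>"
classify_sectype() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        none)              echo "cleartext no-auth" ;;
        vncauth|plain)     echo "cleartext auth" ;;
        tlsnone)           echo "anon-tls no-auth" ;;
        tlsvnc|tlsplain)   echo "anon-tls auth" ;;
        x509none)          echo "x509-tls no-auth" ;;
        x509vnc|x509plain) echo "x509-tls auth" ;;
        *)                 echo "unknown unknown" ;;
    esac
}

# audit_vnc_config FILE -> one finding per line, exit status 1 on any FAIL.
# The body runs in a subshell so its variables stay private.
audit_vnc_config() (
    rc=0
    # Take the last SecurityTypes= line and drop whitespace around the list.
    types=$(sed -n 's/^[[:space:]]*[Ss]ecurity[Tt]ypes[[:space:]]*=//p' "$1" |
            tail -n 1 | tr -d '[:space:]')
    [ -n "$types" ] || echo "WARN SecurityTypes not set; server default applies"
    for t in $(printf '%s' "$types" | tr ',' ' '); do
        case "$(classify_sectype "$t")" in
            *no-auth)   echo "FAIL $t: no password is required"; rc=1 ;;
            cleartext*) echo "FAIL $t: session is not encrypted"; rc=1 ;;
            anon-tls*)  echo "WARN $t: encrypted, server identity not verified" ;;
            x509-tls*)  echo "OK   $t" ;;
            *)          echo "WARN $t: unrecognised security type" ;;
        esac
    done
    # A bare "localhost" line keeps the server on loopback (SSH tunnel only).
    grep -Eq '^[[:space:]]*localhost[[:space:]]*$' "$1" ||
        echo "WARN no 'localhost' line: server listens on all interfaces"
    exit "$rc"
)

# Constructed sample: the SecurityTypes value from the TLS section above.
sample=$(mktemp)
printf '%s\n' 'geometry=1920x1080' \
    'SecurityTypes=TLSNone,TLSNone,TLSVnc,TLSVnc' > "$sample"
audit_vnc_config "$sample" || echo "=> config needs changes before exposure"
rm -f "$sample"
```

Run it against /home/vncuser/.vnc/config after each change; a non-zero exit status means at least one listed type allows unauthenticated or unencrypted sessions.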
Lock Down Access Controls
Beyond encrypting traffic, it's good practice to lock down VNC access by:
- Set the server to Read-Only mode – Disable remote input unless explicitly enabled each session
- Restrict source IP addresses – Firewall whitelist the allowed client IPs
- Require Two Factor authentication – Integrate with mechanisms like Duo to require 2FA when connecting
Building defense-in-depth around remote access vectors like VNC hardens security posture.
Conclusion & Next Steps
In this comprehensive guide, you configured TigerVNC on Fedora Linux to securely access graphical workloads remotely.
Specifics included VNC architecture breakdowns, optimized server installation steps, performance tuning, encryption support, and security hardening. You should now feel empowered setting up, connecting to, and managing remote Fedora desktops across platforms and networks.
Here are some next steps and additional capabilities to explore:
- Stream server desktops live over the web via HTML5
- Sandbox remote sessions in Docker containers
- Automate VNC connection configuration with Ansible
- Build custom branded clients with Java, Python, C++ or web tech like WebRTC
With open source VNC's flexibility, the possibilities are endless for how we access and share graphical interfaces. Especially as remote work and computing continue evolving!
Hopefully this guide served as the ultimate resource for your VNC server journey. Let me know if any questions come up when putting these capabilities into production.