VNC Deployment Recipe

This recipe documents the deployment of a VNC server on a cloud VM.

This guide assumes you have already created a VM running Ubuntu 20.04, noted its IP address (e.g. 10.186.xx.xx), and plan for both admin(s) and users to connect via the gateway machines.

For details about how to launch a new VM and connect as root, see the general documentation.

Procedure

  1. Initial setup for all VMs:

    Create a security group called vnc-gates. Its purpose is to allow VNC connections from the gateway machines to the VNC server(s). The IP range of the gateway machines is: 130.183.12.24/31. VNC usually requires TCP ports 5900 to 5900+N, where N is the number of separate displays.

    openstack security group create vnc-gates
    openstack security group rule create --protocol tcp --dst-port 5900:6000 --remote-ip 130.183.12.24/31 vnc-gates
    
  2. Initial setup to be performed by an admin of the VM:

    Install the necessary software packages:

    apt update
    apt upgrade -y
    apt install -y xorg icewm nautilus eog evince firefox libturbojpeg
    update-alternatives --set x-terminal-emulator /usr/bin/xterm
    wget -O /tmp/turbovnc_2.2.6_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.6/turbovnc_2.2.6_amd64.deb/download
    apt install -y /tmp/turbovnc_2.2.6_amd64.deb
    

    At this point it is a good idea to reboot the VM.

    Add the pre-made vnc-gates security group to the VM.

  3. Initial setup performed by each user:

    mkdir -p ~/.vnc
    cat << 'EOF' > "$HOME/.vnc/xstartup"
    #!/bin/sh
    unset SESSION_MANAGER
    unset DBUS_SESSION_BUS_ADDRESS
    exec icewm-session
    EOF
    chmod 755 ~/.vnc/xstartup
    cp ~/.vnc/xstartup ~/.vnc/xstartup.turbovnc
    /opt/TurboVNC/bin/vncpasswd
    

  4. Users can now launch their own VNC sessions by running /opt/TurboVNC/bin/vncserver -autokill on the VM and then vncviewer -via MPCDF_USER@gate.mpcdf.mpg.de 10.186.XX.XX::PORT from their personal computer. The port number is defined as the display number added to 5900, e.g. 5901 for display :1, 5902 for display :2, and so on.

Alternative (tunneled connection)

A slightly more secure solution is to bind the VNC session to localhost on the VM and use an SSH tunnel directly to the VM to gain access. This way no VNC connection is required from the gate.mpcdf.mpg.de node to the VM serving the VNC session.

  1. Launch the VNC session on the VM as follows: /opt/TurboVNC/bin/vncserver -localhost -autokill

  2. Identify the VNC port on the VM: /opt/TurboVNC/bin/vncserver -list

  3. Create an SSH tunnel from your local server to the VM: ssh -L 2345:localhost:PORT -J <username>@gate.mpcdf.mpg.de <VM-IP-ADDRESS>

  4. Connect to the VNC server from your local server: vncviewer localhost::2345
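
A check for the tunneled setup above, as an added example that is not part of the original recipe: it reads `ss -Hltn` output and prints every listener in the 5900-6000 range (the range opened by the vnc-gates rule) that is bound to a non-loopback address, i.e. a session started without -localhost. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find VNC listeners that are reachable from the network.
# On the VM, run:  ss -Hltn | exposed_vnc_ports
# An empty result means every VNC session is bound to loopback only.

# exposed_vnc_ports: read `ss -Hltn` lines on stdin and print the
# "address:port" of each listener in 5900-6000 not bound to loopback.
exposed_vnc_ports() {
    awk '
    {
        local_addr = $4                     # column 4 is Local Address:Port
        n = split(local_addr, parts, ":")
        port = parts[n] + 0                 # text after the last ":" is the port
        host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
        if (port < 5900 || port > 6000) next        # outside the VNC range
        if (host ~ /^127\./ || host == "[::1]") next # loopback, tunnel-only
        print local_addr
    }'
}

# Constructed sample of `ss -Hltn` output: SSH, one session started with
# plain -autokill (display :1), one started with -localhost (display :2).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 5 [::]:5901 [::]:*
LISTEN 0 5 127.0.0.1:5902 0.0.0.0:*
LISTEN 0 5 [::1]:5902 [::]:*
EOF
}

# Demonstration on the constructed sample: prints the two display :1 sockets.
sample_ss_output | exposed_vnc_ports
```

Sessions reported here are reachable by anything the security groups allow, so they depend on the vnc-gates rule and the VNC password rather than on the SSH tunnel.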