VNC notes

linux tl;dr

Classical

VirtualGL and stuff

Decide between TurboVNC and TigerVNC. The below assumes TurboVNC.


Server-side:

  • Have 3D drivers (and their development packages) installed
  • Install VirtualGL
e.g. package from https://sourceforge.net/projects/virtualgl/files/
  • Install TurboVNC / TigerVNC
e.g. package from https://sourceforge.net/projects/turbovnc/files/


Client-side has no particular requirements, though TurboVNC / TigerVNC may be somewhat faster.


separate session
whole desktop

Windows tl;dr

VNC implementations

These are primarily notes
It won't be complete in any sense.
It exists to contain fragments of useful information.

(Note that practical details vary a bit with platform. E.g. on Windows you can only directly share a logged-in session, while on X you can host many completely separate sessions)


Newer ones first (roughly)


windows, linux, osx
In part meant to update TurboVNC, and provides a few modern features (RealVNC-like) and some TurboVNC updates, though for performance TurboVNC is generally preferable(verify).
http://www.turbovnc.org/About/TigerVNC


windows, linux, osx
focuses on speed. By itself a little cleverer, so does better than tight at video and 3D content
the optional use of VirtualGL gives more performance for 3D
the research / implementation details behind some of its design choices have been adopted by others, including TigerVNC, libvncserver, and recently UltraVNC
on Linux there is a server (verify) (see also VirtualGL instructions. Use of VirtualGL is optional)
on windows, the server end is recommended to be a post-2015 UltraVNC (verify)[1]


windows and *nix
Otherwise fairly minimal (e.g. no GLX support in the server(verify))
Tight protocol was a good choice for a decent while (roughly until tiger/turbo)
Not actively developed
  • UltraVNC: Similar to RealVNC, but free.
windows-only
supports e.g. tight
and since a 2015 patch is
  • RealVNC: server and client, free and paid-for versions,
windows-only
has extra features like file transfer. Seems targeted at helpdesks.


Other notes:

  • "WinVNC" is a bit vague, in that more than one thing has been referred to as such (verify)
  • about various turbos:
libjpeg-turbo is a SIMD-optimized variant of libjpeg (mostly drop-in)
TurboJPEG is a higher-level API (developed for VirtualGL, TurboVNC) which can be backed by libjpeg-turbo, or similar such optimizations
TurboVNC's speed comes in part from using TurboJPEG, partly from spending less (CPU)time deciding what to send how (itself in part because sending with jpeg is a bit cheaper via turbojpeg)
  • about VirtualGL
intercepts rendered GL results in-process, works out as indirect but hardware-accelerated rendering
(where available; can also be built against mesa to be able to use 3D on GPU-less servers)
which makes it pretty efficient to view the results of 3D apps (and video) rendered elsewhere on a fairly thin client (pretty impressive on LAN, by previous standards)
intercepts: meaning does not require apps to be built against it, you just have to start it in a specific way (vglrun)
transport:
can do its own transport, e.g. displaying the results of one X (3D) server in another (2D)
perhaps more frequently seen with TurboVNC (or similar). This requires more CPU but provides other features, e.g. tending to be more reactive on high-latency, low-bandwidth connections.
associated but not tied to TurboVNC
http://www.virtualgl.org/
http://www.virtualgl.org/About/Background


  • some special cases where one or more of the more modern details apply, e.g. in virtualbox (verify)
  • Other/specialized: See e.g. [2]


More technical notes

Ports

A VNC client connects to an IP and a display-number-dependent port.

The port VNC serves on is usually 5900+displaynumber (...on X. On windows that's usually 1)

(Port 5800+displaynumber, if you see it, is for serving the java client, if applicable)

(Port 6000+displaynumber is X windows, which should only matter internally when serving from *nix)
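
As an added example (not part of the original notes), the port offsets above can be used to check a host for VNC-related listeners that are reachable from other machines. The sample `ss` output is constructed, the function names are hypothetical, and the limit of 100 displays per port base is an assumption.

```python
import ipaddress

# Constructed sample of `ss -Htln` output (no header line); not from a real host.
SAMPLE_SS = """\
LISTEN 0 5    0.0.0.0:5901     0.0.0.0:*
LISTEN 0 5    127.0.0.1:5902   0.0.0.0:*
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 5    [::]:5801        [::]:*
LISTEN 0 5    [::1]:6001       [::]:*
"""

# Port bases named in these notes, each offset by the display number.
BASES = {5900: "VNC (RFB)", 5800: "VNC Java viewer (HTTP)", 6000: "X11"}

def classify(port):
    """Return (service, display) for a VNC-related port, else None."""
    for base, name in BASES.items():
        if base <= port < base + 100:  # assumption: at most 100 displays
            return name, port - base
    return None

def split_addr(local):
    """Split ss's 'addr:port', handling bracketed IPv6 and the '*' wildcard."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any %interface
    return ("0.0.0.0" if host == "*" else host), int(port)

def exposed_listeners(ss_output):
    """List VNC-related listeners bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        hit = classify(port)
        if hit and not ipaddress.ip_address(host).is_loopback:
            findings.append((host, port, hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    for host, port, service, display in exposed_listeners(SAMPLE_SS):
        print(f"{host}:{port}  {service}, display :{display}, reachable off-host")
```

Listeners bound to 127.0.0.1 or ::1 are not reported, which is the state you want when VNC is only reached through a tunnel.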

VNC, X and window managers

Most VNC servers are X servers, so are a session unto themselves. A few leech onto existing sessions somehow.


When they are independent, you often start one as and for a specific user. (In some setups it makes sense to run a session manager so that anyone can connect and the authentication is handled by it)


One of the few differences with a regular X server is that it has its own configuration file that lists what it should do when started.

For example, the TightVNC server places this in ~/.vnc/xstartup, and might e.g. contain:

xrdb $HOME/.Xresources
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls &
twm &


xrdb sets a number of properties on the root window that is created (I'm not sure how necessary this actually is)
xsetroot sets the background (the 'root window') to a solid color instead of the default pattern so that it compresses better
xterm -ls gives you a login shell in an xterm to start working with. (this shell is a child of the vnc server process, meaning it will outlive you killing the window manager, unlike shells you started from the window manager)
twm is a very simple window manager. You may like blackbox or xfce4 or others. (Or even something like KDE if you turn the fancy graphics all the way down.)


On xfce and Tab: http://blog.zerosum42.com/2011/10/tech-fixing-tab-key-in-vnc.html


TightVNC

Starting a vnc server:

vncserver

This is a perl script that will assume some defaults and start a vncserver on the first available X display. The local display, if applicable, usually takes up only :0, so this starts at :1. When more than one local / VNC display is used, you may want to specify a specific number to avoid confusion.

You can use more options:

vncserver :2 -geometry 900x700 -depth 16

Geometry controls the desktop size. Can be anything, I prefer something that makes the client window not cover everything.

Depth 16 will be a little easier on the network than 24, and a little uglier.


Stopping a vnc server:

vncserver -kill :2

You should save things, of course, and possibly log out of your windowing environment to let it save its settings.

Multiple monitors

Security

Note that by default, VNC is not encrypted. Some flavours support it, but for more general security you may wish to look at ssh tunneling or the zebedee tunneling (apparently faster than ssh for this purpose) mentioned here.


A password is hashed and stored for a particular server (usually per-user), always one for interaction, and possibly one for viewing.

Clients may store this hash (the TightVNC client can store all connection info in a file so that a simple double-click will reconnect you). Therefore: don't use your best password, it may be brute-forceable. Of course, the same goes for the password hash on the server side.

From an applet

Go to the TightVNC download page and download the 'javabin'.

Then put up a page that contains something like:

   <applet code="VncViewer.class" archive="VncViewer.jar" width="1024" height="776">
    <param name="PORT" value="5901">
   </applet>

This example counts on this running on the same machine. Because of Java network security (the limitations on where applets can connect to), that's the easiest setup.


The applet has a pre-set size (as java applets do) and when this is smaller than the VNC screen's size it is simply not shown. The extra 8 pixels of height is for the buttons.


Possible applet parameters include:

  • "HOST": Seems to default to localhost. Java's security restrictions apply.
  • "PORT": Port you want to connect to. 5901 is :1, 5902 is :2, etc.
  • "Open New Window": "Yes" or anything else for no.
  • "Show Controls": "No" to disable the buttons on top.
  • "Offer Relogin": "No", or anything else for yes.
  • "Show Offline Desktop": "Yes" to continue showing desktop if remotely disconnected.
  • "PASSWORD": hard-coded password. Not generally a good idea to use.
  • "ENCPASSWORD", just as bad an idea. (Don't know which hash yet, (verify))


Tuning:

  • "Defer screen updates"
  • "Defer cursor updates"
  • "Defer update requests"


These (additionally GUI-configurable) options are also settable by PARAM:

  • "Encoding": "Tight" by default, other possibilities are "Hextile", "RRE", "CoRRE", "Zlib"
  • "Compression level": "Default" by default. (Range: 1..9)
  • "JPEG image quality": "6" by default. (Range: 0..9)
  • "Cursor shape updates": "Enable" by default. (Other options? "Ignore"?)
  • "Use CopyRect": "Yes" by default
  • "Restricted colors": "No" by default ("Yes" means 256 colors).
  • "Mouse buttons 2 and 3": "Normal" by default, can be "Reversed".
  • "View only": "No" by default.
  • "Share desktop": "Yes" by default (multiple logins cooperate).

On speed

Client side config

On the same PC, bandwidth is irrelevant because it's largely a RAM transfer

  • So Raw is the lowest-latency option


On LAN, bandwidth is barely relevant, and lowering latency is noticeable

  • avoiding compression is usually worth the lower overhead
Hextile is probably the most efficient of the raw-style variants (auto seems to prefer it because of that)
  • it can help to avoid server-side and/or client-side pixelformat conversion
if both sides are full color, then e.g. transferring 256 color is two conversions and probably not worth the saved bandwidth


On the internet, and particularly on wifi, bandwidth can become important to response latency

  • "auto" may land on hextile
    • on wifi, ZRLE (lossless compression), or Tight without JPEG (then also lossless) tends to behave better than hextile when there are images and gradients
  • if you want responsiveness and can accept lossy transfer, consider:
    • tight with JPEG and/or 256 colors



Server-side config

Encodings - quality, bandwidth, and latency

  • Hextile - sends tiles, as either raw or RRE.
Basically "spend minimal CPU time on some wins we can easily get" [3]
so often preferable over Raw, but still requires decent bandwidth. E.g. makes sense for LAN office use.
Auto often ends up on this.
  • Ultra - experimental, UltraVNC only.
Uses LZO compression, which is a more generic "whatever compression we can do for little CPU time"
but lossless so not good at photographic areas (like most)
So in theory something in between ZRLE and HexTile
  • ZRLE - similar to tight, but:
came later than tight(verify)
seems slightly better than it at the lossless part (verify), but is only lossless.
good for mostly-monocolored regions
does fewer incremental upgrades than tight, so tight may seem faster on certain types of regions(verify)
For high-bandwidth the extra processing may actually be a bottleneck
specific to realvnc, ultravnc (verify), whereas tight is supported by more
  • Tight
based on zlib, with some pre-processing that should help compression ratio and CPU use
optional JPEG compression, with quality setting
handy for low-bandwidth connections in that it allows that lossiness tradeoff
For high-bandwidth the extra processing may actually mean lower responsiveness than some others
  • TurboVNC
extends the tight protocol, giving more tweakability to JPEG
other improvements are optional use of libjpeg-turbo, multithreaded encoding, and ability to do interframe comparison
requires TurboVNC or TigerVNC server. Recent UltraVNC servers also support it (1.2.0.9, judging from the changelog)
  • ZYWRLE ('ZLib YUV Wavelet Run Length Encoding')
lossy, video-aware.
May be a decent tradeoff when e.g. HexTile eats too much bandwidth and ZRLE is too slow.
http://forum.ultravnc.info/viewtopic.php?t=9167


Usually less interesting

  • Raw
least latency added by extra work, but also the largest bandwidth needs.
usually less interesting, because in many if not all cases, Hextile can be at least a little cleverer
  • RRE and CoRRE - basically a 2-D variant of RLE.
Efficient for large single-color-area interfaces, and e.g. office use, not for photographic regions.
less interesting to use specifically, when Hextile exists and uses it adaptively
  • Zlib - higher compression than ZRLE but at higher CPU cost.
These days only useful as a fallback, e.g. when Tight or ZRLE are not available


Options:

  • CopyRect - will send only areas that update (for any, or just for raw?(verify))
generally helps, leave it on
  • Cache encoding - needs CPU for checking, so is only worth it if you expect a bunch of areas to recur
regularly doesn't help, so you can leave it off
(note that artifacts from turbo mode and such can accumulate)


See also

Semi-sorted

There are various VNC toys, like the vnc2swf program that you can use to record interaction as Flash video. Various details and more are at e.g. this page.


Passwords

The actual exchange looks like a nonce challenge response thing.


VNC encrypts passwords using (ECB-mode) DES, with some extra details:

  • If shorter than 8 bytes, the password is padded with NULs up to 8 bytes.
  • The ECB key is based on the password:
    • in ASCII form
    • 8 bytes (truncated or right-padded with NULs as necessary)
    • each byte bit-reversed


If you want to generate the password hash in other contexts, you may wish to find a utility like [4]
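
An added example (not from the original notes or from any VNC project) of the key preparation described above, and what it implies for password policy: anything past the eighth character never reaches the key. The DES step itself is left out because Python's standard library has no DES; the function names and sample passwords are hypothetical.

```python
def rfb_des_key(password: str) -> bytes:
    """DES key as described above: ASCII, exactly 8 bytes, each byte bit-reversed."""
    raw = password.encode("ascii")[:8].ljust(8, b"\0")  # truncate or NUL-pad
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)

def same_key(a: str, b: str) -> bool:
    """True when two passwords produce the same key, so either one is accepted."""
    return rfb_des_key(a) == rfb_des_key(b)

def review(password: str) -> list:
    """Policy findings that follow directly from the key preparation."""
    if not password.isascii():
        return ["non-ASCII characters: outside the ASCII form this scheme assumes"]
    findings = []
    if len(password) > 8:
        findings.append(f"only the first 8 of {len(password)} characters count")
    if len(password) < 8:
        findings.append(f"{8 - len(password)} key bytes are NUL padding")
    return findings

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ("foofoo", "correct-horse-battery", "Tr0ub4d&"):
        print(pw, rfb_des_key(pw).hex(), review(pw))
    # Same first eight characters, so the same key:
    print(same_key("correct-horse-battery", "correct-anything-else"))
```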


VNC servers tend to store the password hash in a file (or the Windows registry)

(I've noticed at least one doing some padding of the resulting hex hash)


On Linux you can change the password with vncpasswd, which defaults to altering ~/.vnc/passwd - alternatively, point it at a specific file. It can also work from stdin, e.g.

echo -n foofoo | vncpasswd -f

Problems

Black right half in multi-monitor (UltraVNC)

Symptoms:

The data seems to get to you (scrolling left and right on a smaller window works)
making the window two monitors wide means the right side is black

Theory: The UltraVNC client seems to allocate a viewport it will draw in. By default this seems to be the first/left monitor's size (and order indeed seems to matter when you have monitors of different size). Presumably the reason is that the client allocates this before connecting, i.e. before knowing how large this viewport should be(verify)

Evidence: Some older clients allowed manual control of this, with a dropdown that essentially listed each individual monitor size, and the combined desktop size. Choosing the larger one works.

Workaround: for me was an older client (e.g. 1.1.9.6), and choosing the largest size in that dropdown. You probably also want to "save connection settings as default".

HOWEVER, once you maximize the window it goes wrong again. So don't.

"Server did not offer supported security type"

Probably seen when connecting to Ubuntu desktop sharing (vino) - by default it requires encryption, which tightvnc does not support.(verify)

(More technically, vino only allows auth method rfbTLS, and while it's auth, it also forces the socket to TLS - and it's the only one that does that)


So either

  • Switch to a VNC client that supports encryption (e.g. remmina),
  • tell the server to not require encryption. Know what this means to security, though.


There is a vino-preferences, but it is just the basic settings that you also get via the taskbar icon.

To not require encryption, use dconf-editor to find and uncheck:

org → gnome → desktop → remote-access → require-encryption


Note that if you are comfortable with SSH, you can use it for an encrypted tunnel, and you could additionally set network-interface to lo.


"Unknown authentication scheme from VNC server: 18" (Remmina)

Not disabling encryption helps.

More details: https://github.com/FreeRDP/Remmina/issues/433
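
Both of the errors above come from the security-type step of the RFB handshake. The following added example (not code from vino, TightVNC or Remmina) parses the server's side of that step and shows why a TLS-only server and a client without TLS support have nothing in common. The byte strings are constructed and the client's supported set is an assumption.

```python
import struct

# Subset of the registered RFB security types; 18 is the one vino insists on.
SEC_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
             18: "TLS", 19: "VeNCrypt", 20: "SASL"}
ENCRYPTING = {18, 19}  # types that move the socket to TLS

def parse_server_hello(data: bytes):
    """Parse the server's ProtocolVersion and the security message after it."""
    if len(data) < 13 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB server handshake")
    version = (int(data[4:7]), int(data[8:11]))
    body = data[12:]
    if version < (3, 7):
        if len(body) < 4:
            raise ValueError("truncated security type")
        # RFB 3.3: the server dictates a single type as a 4-byte integer
        return version, list(struct.unpack(">I", body[:4]))
    count = body[0]
    if len(body) < (5 if count == 0 else 1 + count):
        raise ValueError("truncated security-type list")
    if count == 0:
        # zero types is a refusal, followed by a length-prefixed reason
        (length,) = struct.unpack(">I", body[1:5])
        raise ConnectionError(body[5:5 + length].decode("latin-1"))
    return version, list(body[1:1 + count])

def negotiate(offered, client_supports):
    """Pick the first offered type the client supports; None means no overlap."""
    chosen = next((t for t in offered if t in client_supports), None)
    return {"offered": [SEC_TYPES.get(t, f"unknown ({t})") for t in offered],
            "chosen": chosen,
            "encrypted": chosen in ENCRYPTING}

# Constructed server-to-client bytes, not captured from a real server.
TLS_ONLY = b"RFB 003.007\n" + bytes([1, 18])     # encryption required
PLAINTEXT = b"RFB 003.008\n" + bytes([2, 2, 1])  # VNC auth or no auth
LEGACY_CLIENT = {1, 2, 16}                       # assumed: no TLS support

if __name__ == "__main__":
    for name, raw in (("tls-only", TLS_ONLY), ("plaintext", PLAINTEXT)):
        version, offered = parse_server_hello(raw)
        print(name, version, negotiate(offered, LEGACY_CLIENT))
```

A result with "chosen" set to None corresponds to the "did not offer supported security type" failure, and "encrypted" set to False marks a session that needs a tunnel around it.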


Ultravnc forgets password, and other settings (WinXP)

That is, the Admin properties dialog lets you apply things, but once you click OK the settings are not saved in your ultravnc.ini


In our case, file permissions were not the problem.

It turns out it was a WinXP antimalware feature, specifically the "protect my computer and data from unauthorized program activity" checkmark on the "Run as" dialog that comes up when saving.

Uncheck that and you're fine.

See also http://www.uvnc.com/docs/uvnc-server.html