VNC notes

From Helpful
Revision as of 17:14, 11 August 2017 by Helpful (Talk | contribs)

linux tl;dr

Classical

VirtualGL and stuff

Decide between TurboVNC and TigerVNC. The below assumes TurboVNC.


Server-side:

  • Have 3D drivers (and its development package) installed
  • Install VirtualGL
e.g. package from https://sourceforge.net/projects/virtualgl/files/
  • Install TurboVNC / TigerVNC
e.g. package from https://sourceforge.net/projects/turbovnc/files/


Client-side has no particular requirements, though TurboVNC / TigerVNC may be somewhat faster.


separate session
whole desktop

Windows tl;dr

VNC implementations

These are primarily notes
It won't be complete in any sense.
It exists to contain fragments of useful information.

(Note that practical details vary a bit with platform. E.g. on Windows you can only directly share a logged-in session, while on X you can host many completely separate sessions)


Newer ones first (roughly)


  • TigerVNC
windows, linux, osx
In part meant to update TurboVNC, and provides a few modern features (RealVNC-like) and some TurboVNC updates, though for performance TurboVNC is generally preferable(verify).
http://www.turbovnc.org/About/TigerVNC


  • TurboVNC
windows, linux, osx
focuses on speed. By itself a little cleverer, so does better than tight at video and 3D content
the optional use of VirtualGL gives more performance for 3D
the research / implementation details behind some of its design choices have been adopted by others, including TigerVNC, libvncserver, and recently UltraVNC
on Linux there is a server (verify) (see also VirtualGL instructions. Use of VirtualGL is optional)
on windows, the server end is recommended to be a post-2015 UltraVNC (verify)[1]


  • UltraVNC: Similar to RealVNC, but free.
windows-only
has tight protocol
and since a 2015 patch is
  • RealVNC: server and client, free and paid-for versions,
windows-only
has extra features like file transfer. Seems targeted at helpdesks.
windows and *nix
Otherwise fairly minimal (e.g. no GLX support in the server(verify))
Tight protocol was a good choice for a decent while (roughly until tiger/turbo)
Also not actively developed since XP




Other notes:

  • "WinVNC" is a bit vague, in that more than one thing has been referred to as such (verify)
  • about various turbos:
libjpeg-turbo is a SIMD-optimized variant of libjpeg (mostly drop-in)
TurboJPEG is a higher-level API (developed for VirtualGL, TurboVNC) which can be backed by libjpeg-turbo, or similar such optimizations
TurboVNC's speed comes in part from using TurboJPEG, partly from spending less (CPU)time deciding what to send how (itself in part because sending with jpeg is a bit cheaper via turbojpeg)
  • about VirtualGL
intercepts rendered GL results in-process, works out as indirect but hardware-accelerated rendering
(where available; can also be built against mesa to be able to use 3D on GPU-less servers)
which makes it pretty efficient to view 3D apps results (and video) rendered elsewhere on a fairly thin client (pretty impressive on LAN, by previous standards)
intercepts: meaning does not require apps to be built against it, you just have to start it in a specific way (vglrun)
transport:
can do its own transport, e.g. displaying the results of one X (3D) server in another (2D)
perhaps more frequently seen with TurboVNC (or similar). This requires more CPU but provides other features, e.g. tending to be more reactive on high-latency, low-bandwidth connections.
associated but not tied to TurboVNC
http://www.virtualgl.org/
http://www.virtualgl.org/About/Background


  • some special cases where one or more of the more modern details apply, e.g. in virtualbox (verify)
  • Other/specialized: See e.g. [2]


More technical notes

Ports

A VNC client connects to an IP and a port that depends on the display number.

The port VNC serves on is usually 5900+displaynumber (...on X. On windows that's usually 1)

(Port 5800+displaynumber, if you see it, is for serving the java client, if applicable)

(Port 6000+displaynumber is X windows, which should only matter internally when serving from *nix)

VNC, X and window managers

Most VNC servers are X servers, so they are a session unto themselves. A few leech onto existing sessions somehow.


When they are independent, you often start one as and for a specific user. (In some setups it makes sense to run a session manager so that anyone can connect and the authentication is handled by it)


One of the few differences with a regular X server is that it has its own configuration file that lists what it should do when started.

For example, the TightVNC server places this in ~/.vnc/xstartup, and might e.g. contain:

xrdb $HOME/.Xresources
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls &
twm &


xrdb sets a number of properties on the root window that is created (I'm not sure how necessary this actually is)
xsetroot sets the background (the 'root window') to a solid color instead of the default pattern so that it compresses better
xterm -ls gives you a login shell in an xterm to start working with. (this shell is a child of the vnc server process, meaning it will outlive you killing the window manager, unlike shells you started from the window manager)
twm is a very simple window manager. You may like blackbox or xfce4 or others. (Or even something like KDE if you turn the fancy graphics all the way down.)


On xfce and Tab: http://blog.zerosum42.com/2011/10/tech-fixing-tab-key-in-vnc.html


TightVNC

Starting a vnc server:

vncserver

This is a perl script that will assume some defaults and start a vncserver on the first available X display. The local display, if applicable, usually takes up only :0, so this starts at :1. When more than one local / VNC display is used, you may want to specify a specific number to avoid confusion.

You can use more options:

vncserver :2 -geometry 900x700 -depth 16

Geometry controls the desktop size. Can be anything, I prefer something that makes the client window not cover everything.

Depth 16 will be a little easier on the network than 24, and a little uglier.


Stopping a vnc server:

vncserver -kill :2

You should save things, of course, and possibly log out of your windowing environment to let it save its settings.

Multiple monitors

Security

Note that by default, VNC is not encrypted. Some flavours support it, but for more general security you may wish to look at ssh tunneling or the zebedee tunneling (apparently faster than ssh for this purpose) mentioned here.


A password is hashed and stored for a particular server (usually per-user), always one for interaction, and possibly one for viewing.

Clients may store this hash (the TightVNC client can store all connection info in a file so that a simple double-click will reconnect you). Therefore: don't use your best password, it may be brute-forceable. Of course, the same goes for the password hash on the server side.

From an applet

Go to the TightVNC download page and download the 'javabin'.

Then put up a page that contains something like:

   <applet code="VncViewer.class" archive="VncViewer.jar" width="1024" height="776">
    <param name="PORT" value="5901">
   </applet>

This example counts on this running on the same machine. Because of Java network security (the limitations on where applets can connect to), that's the easiest setup.


The applet has a pre-set size (as java applets do) and when this is smaller than the VNC screen's size it is simply not shown. The extra 8 pixels of height is for the buttons.


Possible applet parameters include:

  • "HOST": Seems to default to localhost. Java's security restrictions apply.
  • "PORT": Port you want to connect to. 5901 is :1, 5902 is :2, etc.
  • "Open New Window": "Yes" or anything else for no.
  • "Show Controls": "No" to disable the buttons on top.
  • "Offer Relogin": "No", or anything else for yes.
  • "Show Offline Desktop": "Yes" to continue showing desktop if remotely disconnected.
  • "PASSWORD" hard-coded password. Not generally a good idea to use.
  • "ENCPASSWORD", just as bad an idea. (Don't know which hash yet, (verify))


Tuning:

  • "Defer screen updates"
  • "Defer cursor updates"
  • "Defer update requests"


These (additionally GUI-configurable) options are also settable by PARAM:

  • "Encoding": "Tight" by default, other possibilities are "Hextile", "RRE", "CoRRE", "Zlib"
  • "Compression level": "Default" by default. (Range: 1..9)
  • "JPEG image quality": "6" by default. (Range: 0..9)
  • "Cursor shape updates": "Enable" by default. (Other options? "Ignore"?)
  • "Use CopyRect": "Yes" by default
  • "Restricted colors": "No" by default ("Yes" means 256 colors).
  • "Mouse buttons 2 and 3": "Normal" by default, can be "Reversed".
  • "View only": "No" by default.
  • "Share desktop": "Yes" by default (multiple logins cooperate).

On speed

Client side config

On the same PC, bandwidth is irrelevant because it's largely a RAM transfer

  • So Raw is the lowest-latency option


On LAN, bandwidth is barely relevant, and lowering latency is noticeable

  • avoiding compression is usually worth the lower overhead
Hextile is probably the most efficient of the raw-style variants (auto seems to prefer it because of that)
  • it can help to avoid server-side and/or client-side pixelformat conversion
if both sides are full color, then e.g. transferring 256 color is two conversions and probably not worth the saved bandwidth


On the internet, and particularly on wifi, bandwidth can become important to response latency

  • "auto" may land on hextile
    • on wifi, ZRLE (lossless compression), or Tight without JPEG (then also lossless) tends to behave better than hextile when there are images and gradients
  • if you can accept lossy transfer, consider:
    • tight with JPEG and/or
    • 256 colors
  • Zlib is mainly just a fallback for when ZRLE and Tight are not available


For reference (UltraVNC's list):

  • Tight
based on zlib, with some pre-processing that should help compression ratio and CPU use
optional JPEG compression, with quality setting
good for low-bandwidth connections
For high-bandwidth the extra processing may actually mean lower responsiveness than some others
  • ZRLE - similar to tight, but:
lossless (no JPEG), good for mostly-monocolored regions
came later than tight(verify), may do a little better at the lossless part (verify)
does fewer incremental upgrades than tight, so tight may seem faster on certain types of regions(verify)
For high-bandwidth the extra processing may actually be a bottleneck
specific to realvnc, ultravnc (verify), whereas tight is supported by more
  • Ultra - experimental, non-standard. Uses LZO compression, which favours speed over compression. Lossless, so in theory a better variant of ZRLE.
Specific to UltraVNC
  • ZYWRLE ('ZLib YUV Wavelet Run Length Encoding')
wavelet-based, should do better on video-like uses
http://forum.ultravnc.info/viewtopic.php?t=9167
  • Zlib - but CPU-costly. These days meant as a fallback when the more efficient Tight is not supported


  • Hextile - sends small tiles, each as raw or RRE.
for LAN office use this may be the lowest-latency choice
  • RRE and CoRRE - basically 2d RLE. Efficient for simple graphics like office use, not for photographic regions.
  • Raw
least overhead when on the same machine


Options:

  • CopyRect - will send only areas that update (for any, or just for raw?(verify))
generally helps, leave it on
  • Cache encoding - needs CPU for checking, so is only worth it if you expect a bunch of areas to exactly recur (artifacts from turbo mode and such can accumulate)
generally doesn't help, leave it off


Tight: most of the above, minus ZRLE and Ultra


OSX

  • Screen Sharing: raw, ZLib, ZRLE, and some custom mac stuff (features for mac-to-mac connections)
  • JollysFastVNC:
  • Chicken:


See also

Server-side config

Semi-sorted

There are various VNC toys, like the vnc2swf program that you can use to record interaction as Flash video. Various details and more are at eg. this page.


Passwords

The actual exchange looks like a nonce challenge response thing.


VNC encrypts passwords using (ECB-mode) DES, with some extra details:

If shorter than 8 bytes, the password is padded with NULs up to 8 bytes.
ECB key is based on the password
in ASCII form
8 bytes (truncated or right-padded with NULs as necessary)
each byte bit-reversed
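
The key derivation listed above, as an added example (not code from the original page or from any VNC implementation; the function names are this example's own). It shows two consequences for password choice: bytes past the eighth never reach the key, and because DES ignores the lowest bit of every key byte, the bit reversal means each character's high bit is dropped as well.

```python
def reverse_bits(byte: int) -> int:
    """Mirror the 8 bits of one byte (bit 0 <-> bit 7, bit 1 <-> bit 6, ...)."""
    out = 0
    for _ in range(8):
        out = (out << 1) | (byte & 1)
        byte >>= 1
    return out


def vnc_des_key(password: bytes) -> bytes:
    """8-byte DES key: password truncated or NUL-padded to 8 bytes, each byte mirrored."""
    raw = password[:8].ljust(8, b"\x00")
    return bytes(reverse_bits(b) for b in raw)


def effective_key(password: bytes) -> bytes:
    """Key as DES actually uses it: the low (parity) bit of each byte is ignored."""
    return bytes(b & 0xFE for b in vnc_des_key(password))


def ignored_suffix(password: bytes) -> bytes:
    """The part of the password that has no effect on the key at all."""
    return password[8:]


def same_vnc_password(a: bytes, b: bytes) -> bool:
    """True when two passwords are indistinguishable to the DES step."""
    return effective_key(a) == effective_key(b)


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    print(vnc_des_key(b"foofoo").hex())
    print(ignored_suffix(b"hunter2-2017"))
    print(same_vnc_password(b"hunter2-2017", b"hunter2-2099"))
    print(same_vnc_password(b"hunter2a", b"hunter2b"))
```

For 7-bit ASCII passwords the dropped high bit is always zero, so the practical limit is the 8-character truncation: at most 56 bits of key material, whatever the length of the password typed.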


If you want to generate the password hash in other contexts, you may wish to find a utility like [3]


VNC servers tend to store the password hash in a file (or the Windows registry)

(I've noticed at least one doing some padding of the resulting hex hash)


On linux you can change the password with vncpasswd, which defaults to altering ~/.vnc/passwd - alternatively, point it at a specific file. It can also work from stdin, e.g.

echo -n foofoo | vncpasswd -f

Problems

Black right half in multi-monitor (UltraVNC)

Symptoms:

The data seems to get to you (scrolling left and right on a smaller window works)
making the window two monitors wide means the right side is black

The UltraVNC client seems to allocate a viewport it will draw in. By default this seems to be the first/left monitor's size (and order indeed seems to matter when you have monitors of different size).


Some older clients allowed you to control this, with a dropdown that essentially listed each individual monitor size, and the combined desktop size.

Presumably the reason is that the client allocates this before connecting, i.e. before knowing how large this viewport should be(verify) The workaround for me was an older client, and choosing the largest size in that dropdown.



"Server did not offer supported security type"

Probably connecting to Ubuntu desktop sharing, vino - by default it requires encryption, which tightvnc does not support.(verify)

(More technically, vino only allows auth method rfbTLS, and while it's auth, it also forces the socket to TLS - and it's the only one that does that)


So either

  • Switch to a VNC client that supports encryption (e.g. remmina),
  • tell the server to not require encryption. Know what this means to security, though.


There is a vino-preferences, but it is just the basic settings that you also get via the taskbar icon.

To not require encryption, use dconf-editor to find and uncheck:
org → gnome → desktop → remote-access → require-encryption


Note that if you are comfortable with SSH, you can use it for an encrypted tunnel, and you could additionally set network-interface to lo


"Unknown authentication scheme from VNC server: 18" (Remmina)

Not disabling encryption helps.

More details: https://github.com/FreeRDP/Remmina/issues/433


Ultravnc forgets password, and other settings (WinXP)

That is, the Admin properties dialog lets you apply things, but once you click OK the settings are not saved in your ultravnc.ini


In our case, file permissions were not the problem.

It turns out it was a WinXP antimalware feature, specifically the "protect my computer and data from unauthorized program activity" checkmark on the "Run as" dialog that comes up when saving.

Uncheck that and you're fine.

See also http://www.uvnc.com/docs/uvnc-server.html