Department of Engineering

Remote access to CUED using VNC

VNC lets you run a CUED desktop and see the results on a machine elsewhere. You can use the VNC commands (vncserver, etc) from the command line or use a friendlier program (see the Program-specific details section) that runs the lower-level programs for you. You may have trouble the first time you try to connect because it's easy to go wrong, but after that you can save your configuration, making subsequent connections easier.

How to do it - the basics

This is what you do if you're user abc123 and you have the basic software installed.

• From your home machine type

    slogin abc123@gate.eng.cam.ac.uk
  

• From gate type

    slogin ts-access
  

• From ts-access type

    vncserver
  

  If you're doing for the first time you'll be asked to choose a VNC password. It will reply with something like

    New 'X' desktop is scimitar:3
  
    Starting applications specified in /users/s/abc123/.vnc/xstartup
    Log file is /users/s/abc123/.vnc/scimitar:3.log
  

• From your machine type

      ssh -N -f -L 5903:ts-access.eng.cam.ac.uk:5903  abc123@gate.eng.cam.ac.uk
  

  (it's 5903 because the desktop is number 3)
• From your machine type

      vncviewer localhost:3
  

  (it's :3 because the desktop is number 3). A desktop should appear
• To close down, on ts-access type

      vncserver -kill :3
  

  (it's :3 because the desktop is number 3).

Customising

gnome-session

vncserver -kill $DISPLAY

       vncserver -geometry 1024x768

How it works

Many things can go wrong. Before reading the Troubleshooting section it's worth knowing a few technical details

This is easy to do but there's a problem with it. Because everything you see and type passes between these 2 programs, the connection needs to be secure, otherwise snoopers could get your passwords. ssh ("secure shell") provides secure connections between machines. Don't use VNC without it. ssh uses port 22. Commercial versions of VNC have ssh integrated in. To combine ssh and VNC you'll need to use tunneling.

Tunneling (Port-forwarding)

Tunneling is when traffic for one port travels via another port. ssh has port-forwarding options. For example, this is possible

  ssh -L 5901:localhost:5901 -N -f abc123@remote_machine.eng.cam.ac.uk

• -L 5901:localhost:5901 : Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. Here you are using port 5901 on the localhost to be forwarded to remote_machine on port 5901 (localhost is relative to the remove machine). So when you access local port 5901 you're actually accessing the remote machine's port.
• -N : Do not execute a remote command i.e. just forward ports.
• -f : Requests ssh to go to background just before command execution. Once a password is supplied it will go to background and you can use prompt for type commands on local system.
• abc123@remote_machine.eng.cam.ac.uk. Remote system with VNC server

You'll get the following

More complications

Unfortunately, life's not that simple

• Other users - On a system like ours there may be several VNCservers running on a machine, each with their unique server number. So the client won't know if the remote display will be number 1 (i.e. port 5901) until it's been created. Some people use a random port number like 5973 and hope for the best.
• Other machines - This document mentions ts-access but there's also tw2... tw9 (and maybe others too). Don't just use ts-access - it'll get too busy. Some of these machines are used for timetabled sessions. Don't use them then unless you're timetabled to do so (see the linux servers page for details).
• gate's limitations - gate (the only machine visible from outside CUED) lacks many of the programs you'd like to use (vncserver (from summer 2010), matlab, etc), so normally you need to access another machine once you've accessed gate, using gate as a relay. This is what

      ssh -N -f -L 5901:ts-access.eng.cam.ac.uk:5901  abc123@gate.eng.cam.ac.uk
  

  does, creating the following situation, which matches the instructions at the top of the page

  

• NAT - it is common for computers not to be directly connected to the Internet, but to be behind a firewall or a NAT router. In this case, the IP address displayed by VNC Server is a private IP address and is only valid if you are connecting from a computer behind the same firewall/router. From any other location, the same IP address may correspond to a different computer, or it may not correspond to any computer at all. See Port forwarding for VNC for details
• speed - the encryption and use of graphics makes performance slow. There's little you can do about that.

Troubleshooting VNC

• Log into a DPO terminal
• Open a terminal window
• Run
  vncserver
  Choose a password if it asks for one. It will then say something like

        New 'X' desktop is tw207:4
  

• Run
  vncviewer :4
  (the number should match the one in the New 'X' desktop message). You'll be prompted for the password you chose earlier. You should now have a desktop within your original desktop.

If that works, your password and xstartup file are ok. Kill the viewer and run

to kill the server. Now try to use a remote machine that's within CUED.

• Type
  slogin ts-access
  and log into ts-access using your usual password. Note that ts-access is an alias for another machine whose name appears in the command-line prompt.
• Run
  vncserver
  from the new window. It will say something like

        New 'X' desktop is scimitar:4
  

• Open another terminal window on your local window and type

      ssh -L 5904:localhost:5904 -N -f scimitar
  

• Then type
  vncviewer scimitar:4
  (the name should match the one in the New 'X' desktop message). You'll be prompted for the password you chose earlier. You should now have a remote desktop within your original desktop.

If that works, you're ready to try accessing the CUED machines from outside CUED.

Other Pages

These page have more specialised information

Mac

• VNCOverSSH (for Mac users)
• MacOS's "Remote Desktop" uses VNC. You can configure this to work with CUED.
• See the Mac login section

Windows/Vista

• Offsite access to MATLAB License Server (Windows XP/Vista) - from CUED
• Offsite access to Windows machines using Virtual Network Computing (VNC) forwarding - from CUED
• Tunnelling VNC over SSH with PuTTY
• HOW-TO: VNC secure tunneling using Windows PuttY ssh client (from freesco)
• How to Tunnel Web Traffic with SSH Secure Shell (from makeuseof.com, using PuttY)

Port forwarding

• How do I use port forwarding? (from the openssh FAQ)
• Local_And_Remote_Forwarding (from SSH Communications Security Corp)
• Port_Forwarding (from SSH Communications Security Corp)
• SSH Port Forwarding (from Symantec; includes a section on debugging)
• Port Forwarding (from O'Reilly's "SSH, The Secure Shell: The Definitive Guide")

General

• Port forwarding for VNC (what to do about "Connection refused" and "Connection timed out" problems - from realvnc)
• Making VNC more secure using SSH (from the archives of AT&T Laboratories Cambridge)
• Viewing a VNC Session with an SSH Tunnel (from the University of Waterloo)

Technical Background

VNC essentially keeps copying screendumps over from a virtual screen on the remote machine to the screen you're sat at. It does this efficiently, so that only modified areas of the screen are copied over. An extra program needs to run on the distant machine and on the local machine, but these needn't be too complex. Because VNC only deals with the end product - the graphics - it doesn't care how the graphics are produced. Some kinds of graphics will produce more network traffic with X11 than with VNC, and some less. According to VNC over SSH2 - A TightVNC Tutorial "Compared to running X over SSH, TightVNC uses more CPU resources on the server side; however, it uses less bandwidth in the remote Desktop Environment tests that were conducted."

VNC is stateless - you can disconnect from a server and reconnect from another machine to continue the session.

Getting the Software

• real VNC (Windows XP, Linux)
• tight VNC (Windows, Linux, Java)
• Chicken of the VNC (MacOS)
• PuTTY (ssh for Windows and Linux)

Using Krdc

Krdc is a Linux program to help with remote access.

• From your home machine (assuming you're user abc123) type

    slogin abc123@gate.eng.cam.ac.uk
  

• From gate type

    slogin ts-access
  

• From ts-access type

    vncserver
  

  You'll get something like

     New 'X' desktop is scimitar:2
  
     Starting applications specified in /users/s/abc123/.vnc/xstartup
     Log file is /users/s/abc123/.vnc/scimitar:2.log
  

• Start krdc on your local machine, filling in the remote desktop name

  

  and press Return. You'll get the following window. Click on ok

  

  Kwallet will start. Choose a one-off password as you fill in the details.

  

  You'll get a desktop eventually

  

  You'll need at least a window-manager. If you type

      gnome-session
  

  in the new window you'll get a familiar environment

Using Terminal Server Client

This program, available on Linux, can save you some typing.

• From your home machine (assuming you're user abc123) type

    slogin abc123@gate.eng.cam.ac.uk
  

• From gate type

    slogin ts-access
  

• From ts-access type

    vncserver
  

  It will reply with something like

    New 'X' desktop is scimitar:4
  
    Starting applications specified in /users/s/abc123/.vnc/xstartup
    Log file is /users/s/abc123/.vnc/scimitar:4.log
  

• From your machine type

  ssh -N -f -L 5904:scimitar.eng.cam.ac.uk:5904  abc123@gate.eng.cam.ac.uk
  

  (it's 5904 because the desktop is number 4)
• Now start Terminal Server Client and click the VNC option.

  

  If you fill in the display number correctly you should see a Desktop.

Using Chicken of the VNC

• From your home machine (assuming you're user abc123) type

    slogin abc123@gate.eng.cam.ac.uk
  

• From gate type

    slogin ts-access
  

• From ts-access type

    vncserver
  

  It will reply with something like

    New 'X' desktop is scimitar:4
  
    Starting applications specified in /users/s/abc123/.vnc/xstartup
    Log file is /users/s/abc123/.vnc/scimitar:4.log
  

  If you're doing for the first time you'll be asked to choose a VNC password.
• From your machine type

  ssh -N -f -L 5904:scimitar.eng.cam.ac.uk:5904  abc123@gate.eng.cam.ac.uk
  

  (it's 5904 because the desktop is number 4). You'll need to use your CUED password. It won't display a message if it succeeds.
• From your machine run Chicken of the VNC setting it up as follows, taking care to set the display correctly.

  

• Click on Connect to get a desktop running on ts-access.

Using Putty

The references in the Windows/Vista include general instructions.

Avoiding VNC

One alternative is to do the following - if you're running X windows on your machine (Xwin32/XMing on Windows, or X on MacOS) from your machine, and your ID is abc123 do

    slogin -X abc123@gate.eng.cam.ac.uk  

then from gate do

    slogin -X ts-access

On ts-access you can now type a program's name (e.g. xclock &) and have the display appearing on your machine. This is safe, but it won't be fast (try Matlab for an example). Also you won't be able to enjoy the full CUED desktop experience. But it's easy (especially from a Mac - you might not need to install anything) and might be all you want.