Connect to a remote Xvfb server using VNC and an SSH tunnel

Xvfb is an in-memory display server commonly used to run programs that require a UI on a server that has no screen output. It is very convenient when your automated tests run on a remote server and are orchestrated by a Continuous Integration system.

While having a VNC server running in production instances is not always a great idea due to the potential security flaws, opening port 5900 on this server to allow external connections sounds even worse. This post will guide you through the steps required to access a remote VNC server via an SSH tunnel, without opening any additional ports.

Assuming that Xvfb is already running on your server and the display has been exported to :99, the next step is to install x11vnc:

sudo yum install -y x11vnc

IMPORTANT: Connections to remote x11vnc servers are not password protected by default, which leaves your server accessible to potential attackers. Make sure x11vnc is always started with the '-rfbauth' argument.

We will now establish the tunnel to access the x11vnc server through SSH. This needs to be done on your workstation:

ssh -i [SSH key] -l [username] -L 5900:localhost:5900 [server hostname] 'x11vnc -display :99 -localhost -rfbauth [VNC server password file]'

You are now ready to access your remote server screen by using a VNC client on your workstation and connecting to localhost:5900.

  • Pedro

    Great post! Love it! I will try this!

    But I think that the servername, domain or IP is missing in the ssh command, am I right?

    What if I need to manage several remote servers using this technique? Is it possible to use different vnc instances against different (localhost) ports to access different servers? One port per server?

    • tediroca

      You are completely right. The server hostname (plus other arguments) were missing from the command – it seems the WordPress editor didn’t like the surrounding ” on the body of the post.

      You can establish as many tunnels as you want. You just need to specify the ports that you want to use. For example, you could run 2 VNC services on different servers and route the traffic from the first server from port 5900 to port 5901 in your localhost, and route the traffic from the second server from port 5900 to port 5902 in your localhost.
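The one-port-per-server layout described in the reply above, together with a check that no VNC port is listening on a non-loopback address, as an added example that is not part of the original post or its comments. The function names, the hostnames, the default password file path and the 5900-5999 port range are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Hostnames, the password file default and function names are hypothetical.

# Print the ssh command for server number N: local 127.0.0.1:(5900+N) -> remote localhost:5900.
# The explicit 127.0.0.1 bind keeps the forwarded port off the workstation's other interfaces.
tunnel_cmd() {
    host=$1; n=$2
    printf "ssh -o ExitOnForwardFailure=yes -L 127.0.0.1:%d:localhost:5900 %s 'x11vnc -display :99 -localhost -rfbauth %s'\n" \
        "$((5900 + n))" "$host" "${VNC_PASSWD_FILE:-.vnc/passwd}"
}

# Read `ss -ltn` output on stdin and print every listener in the VNC port
# range (5900-5999, an assumed range) that is NOT bound to a loopback address.
# Empty output means nothing is reachable from the network.
exposed_vnc_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":")
        port = parts[n] + 0
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)
        if (port >= 5900 && port <= 5999 && addr !~ /^(127\.|\[::1\]$)/)
            print $4
    }'
}

# Constructed sample of `ss -ltn` output: two loopback VNC listeners,
# one wildcard VNC listener (the problem case) and sshd.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     127.0.0.1:5900     0.0.0.0:*
LISTEN 0      32     [::1]:5900         [::]:*
LISTEN 0      32     0.0.0.0:5901       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Two servers, two local ports (5901 and 5902).
tunnel_cmd ci-a.example 1
tunnel_cmd ci-b.example 2

# Flags only the wildcard listener from the sample.
printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners
```

On a real host, run `ss -ltn | exposed_vnc_listeners` on the server after x11vnc starts and on the workstation after the tunnels are up; any line printed is a VNC port reachable from outside loopback.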