Share VNC securely using noVNC

From PeerFreedom Wiki
Jump to navigation Jump to search


You will need VNC server (like x11vnc or tigervnc), novnc, websockify and netstat.

  • On Debian based distros:
apt-get install x11vnc novnc websockify net-tools

Unless you have a ssl certificate already, generate a new one:

openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/novnc.pem -out /etc/ssl/novnc.pem -days 365

Launch using util script

/usr/share/novnc/utils/ --cert /etc/ssl/novnc.pem

Start your VNC server, make sure it listens on localhost and port 5900.
Now you can point your clients to https://your.ip.address:6080/vnc.html . They should connect using noVNC IP and port (6080) and just enter the password you have set up for your VNC server.

Launch using Systemd Service

Create a simple new systemd service in /lib/systemd/system/novnc.service

Description=noVNC server

ExecStart=/usr/share/novnc/utils/ --cert /etc/ssl/novnc.pem


Start and enable service:

systemctl daemon-reload && systemctl start novnc && systemctl enable novnc

Nginx Proxy

If you would like to run noVNC on your normal webserver with standard ports and proper SSL certificate, add following configuration to your nginx:

server {
        listen 443 ssl;
        server_name vnc.your.webserver.domain;

        root /var/www/html;
        access_log  /var/log/nginx/vnc.your.webserver.domain.log;
        error_log  /var/log/nginx/vnc.your.webserver.domain_error.log;
        ssl_certificate "/etc/letsencrypt/live/vnc.your.webserver.domain/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/vnc.your.webserver.domain/privkey.pem";
        client_max_body_size 1G;

        location / { 
                proxy_set_header X-Real-IP         $remote_addr;
                proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
                proxy_set_header X-Forwarded-Host  $http_host;
                proxy_set_header Host              $http_host;
                proxy_max_temp_file_size           0;  
                proxy_pass         http://your.ip.address:6080/;
                proxy_redirect                     http:// https://;
        location /websockify { 
                proxy_pass         http://your.ip.address:6080/websockify;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;