Using bVNC with tigervnc and vencrypt

679 views

Skip to first unread message

iior...@gmail.com

unread,

Nov 13, 2020, 2:30:17 PM11/13/20

to bVNC, aRDP, aSPICE, Opaque Remote Desktop Clients

A user posted a question about bVNC to an old issue in the TigerVNC issue tracker here:

https://github.com/TigerVNC/tigervnc/issues/507

Upon investigated the answer turned out to be valuable for me, so I am posting it here just in case. I hadn't used this tigervnc-scraping-server, but it piqued my interest so I figured out how to use it. It turns out it is a good drop-in replacement for Vino and x11vnc server that show your real X display remotely.

I like the responsiveness and security options, so thanks to michael-ts for pointing it out.. Also, it seems people are still reading that old tigervnc issue, so I'll post a complete solution here and link it there - hopefully it helps more people that way.

Basically any of the tigervnc SecurityTypes that start with "TLS" use AnonDH, and so can't be used with the current version of bVNC on Android past API 23. As a result, DO NOT use TLSNone, TLSVnc, or TLSPlain.

For VNC auth types (VncAuth and X509Vnc below) you want to set a VNC password with the vncpasswd utility first. If using X509Plain or X509None, this is not applicable.

1) If you do indeed want TLS encryption, here is generating a key and cert for use with tigervnc. I just accepted all defaults for all fields openssl asked for because I was just testing. The key is valid for 100 years with these options, you may or may not want to change that. You don't really need to runnel this over SSH, but you totally can if you want. I.e. both Plain VNC and VNC over SSH options work with this:

openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout x509.key -out x509_cert.pem

2) After installing the server, some options that appear to work nicely.

# 2a) OS Account authentication with VeNCrypt (Recommended since there is no 8 character limit on the password and requires a user name). Note that you should be using your own OS login user name in place of YOURUSERNAME:

/usr/bin/x0tigervncserver -SecurityTypes "X509Plain" -rfbport 5901 -X509Cert x509_cert.pem -X509Key x509_cert.pem -PlainUsers YOURUSERNAME

# 2b) VNC Authentication with VeNCrypt (not as good):

/usr/bin/x0tigervncserver -SecurityTypes "X509Vnc" -rfbport 5901 -rfbauth ~/.vnc/passwd -X509Cert x509_cert.pem -X509Key x509_cert.pem

# 2c) No authentication (NOT ADVISABLE, JUST FOR TESTING):

/usr/bin/x0tigervncserver -SecurityTypes "X509None" -rfbport 5901 -X509Cert x509_cert.pem -X509Key x509_cert.pem

3) If you are having trouble with X509, this works for plain VNC authentication, but with no encryption. I STRONGLY ADVISE you to use VNC over SSH if you decide to run tigervnc this way:

/usr/bin/x0tigervncserver -SecurityTypes "VncAuth" -rfbport 5901 -rfbauth ~/.vnc/passwd

Cheers!

iordan

Reply all

Reply to author

Forward

0 new messages