Friday, August 17, 2018

Configuring OpenVPN on AWS EC2 (Update: Aug 2018)

Update Aug 2018

When we configured OpenVPN on AWS a few months back, OpenVPN was still in the Amazon repo. However, if we start a new instance now, we will not be able to install OpenVPN from it. Therefore, we need to configure epel as an additional repo and install OpenVPN from CentOS. Using the epel repo, we managed to install the latest version of OpenVPN (2.4.6). Please note that the configuration is quite different. The new OpenVPN uses systemd instead of chkconfig.

If you are still using an old AWS image or an old version of OpenVPN, this post is not for you. Please check out our older post, Configuring OpenVPN on AWS EC2.

This post is for those who are using the latest AWS AMI image and OpenVPN version 2.4.x.

Creating and Starting AWS Instance

We will not be going through the process of starting the instance. Please check out our previous post, Configuring OpenVPN on AWS EC2. Alternatively, you can also check out the Amazon AWS tutorial Launch a Linux Virtual Machine.

Connecting to Instance

In this section, we will be connecting to the server via ssh. First, we copy the key file to the .ssh folder:

cp ~/Downloads/myServerKey.pem ~/.ssh/

If there is no .ssh folder, use the home folder first. 

cp ~/Downloads/myServerKey.pem ~

Next, we need to change the permission of the key file:

chmod 400 ~/.ssh/myServerKey.pem

We connect to ssh with:

ssh -i ~/.ssh/myServerKey.pem
# (xxx refers to ip address from our instance summary)

Once the connection is successful, we have the following screen

Next, we would like to prepare the server for openvpn.

Installing OpenVPN and Preparation

Before we start installing openvpn, we need to update the system as follows:

# EC2 maintenance
sudo yum update -y

Next, try to install OpenVPN using the command below. 

# Try to install openvpn
sudo yum install openvpn -y
sudo yum install easy-rsa -y --enablerepo=epel

If it works, please skip the next section on configuring the epel repo. Otherwise, please continue to configure the epel repo.

To configure the latest epel repo, use the following command:

# If we cannot install openvpn, configure epel for centos 7
# we believe the AMI is based on centos 7
sudo yum install

Next, we would like to update the system first before installing openvpn and easy-rsa:

# After install epel perform system update and install openvpn
sudo yum update -y
sudo yum install openvpn -y
sudo yum install easy-rsa -y

Next, we would like to create a directory for easy-rsa under /etc/openvpn. This way any configuration will not be lost when there is an update. It is not advisable to store the configuration under /usr/share folder.

# make a directory for easy-rsa
sudo mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo cp -rv /usr/share/easy-rsa/3.0.3/* ./

Setup OpenVPN and Generate Keys

This section of setting up keys remains the same. To setup openvpn, first we initialize PKI and build the certificate authority:

# Build PKI and CA
sudo ./easyrsa init-pki
sudo ./easyrsa build-ca

Please note that we will be asked to create the password for the CA. It is advisable to create a good and long password.

Next, we will generate the Diffie-Hellman parameters (dh.pem). This is to provide forward secrecy.

sudo ./easyrsa gen-dh

Next we generate the vpn server certificate. Please create a good password for the server certificate. Please note that for the second command, it will prompt a signing password. We need to use CA PASSWORD FOR SIGNING.

# Generate the server certificate request and sign it
# Create a good server password
sudo ./easyrsa gen-req server
# When prompted, use the CA password for signing
sudo ./easyrsa sign-req server server

Next, we generate the client certificate. Similarly, create a good password for the client certificate. If we are generating the client certificate for family or friends, we may need to ask them to enter the passphrase. Again, use the CA password for signing the certificate.

# Generate client
sudo ./easyrsa gen-req client
sudo ./easyrsa sign-req client client

We can create as many client certificates as we need.

Finally, for added security we add TLS security by generating a ta.key. This feature is to prevent DDoS attacks.

# add TLS security
cd /etc/openvpn
sudo openvpn --genkey --secret ta.key

Copy Keys

We need to copy the generated keys to the client for connection. For that, we prefer to create a separate folder and park the necessary keys in that folder.

Please note that while preparing the key files, it is easier if we operate as root.

# *********************************************
# Below is the step to copy key files to a folder for scp

sudo su
cd /etc/openvpn
mkdir keys
cp ta.key keys
cp /etc/openvpn/easy-rsa/pki/dh.pem keys
cp /etc/openvpn/easy-rsa/pki/ca.crt keys
cp /etc/openvpn/easy-rsa/pki/private/ca.key keys
cp /etc/openvpn/easy-rsa/pki/private/client.key keys
cp /etc/openvpn/easy-rsa/pki/issued/client.crt keys
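cd keys
# 777 lets the login user read the files for scp, but it also exposes the
# private keys to every local user until the chmod 600 further down
chmod 777 *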

# ls to confirm
# exit from root
# ************************************************

Please note that all the keys and certificates are necessary for the client to use except one key. The key that is not required is ca.key. We copy this key for safekeeping offline since it is not necessary for the server to use this key.

Just a reminder, .crt files are public keys and .key files are private keys. If we are working with multiple clients, we give each of them only their own client private key. Clients can have all the crt files. ta.key is for extra security, similar to dh.pem.

# Below is instruction for local machine
# Copy from local machine
scp -i ~/.ssh/myServerKey.pem* ~/localpath/

Finally, we clean up the ca.key and change the permission to the more restrictive one.

# Must only do after ca.key is copied to local machine
sudo rm /etc/openvpn/easy-rsa/pki/private/ca.key
sudo rm /etc/openvpn/keys/ca.key
cd /etc/openvpn/keys
sudo chmod 600 *

In summary, we only provide the client with the following:
  • ta.key
  • dh.pem
  • ca.crt
  • client.crt - must be the same certificate created for the user.
  • client.key - must be the same key created for the user.

On the client side, please also make sure that the key files are secured with permission 400 or 600. Please also remember to keep ca.key safe.
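
The permission and ca.key rules above can be checked with a short script. This is an added example, not part of the original post; the function name audit_key_dir and the finding labels are made up here, and the demo folder is constructed with empty files standing in for the real keys.

```shell
#!/usr/bin/env bash
# Added example: audit a folder of OpenVPN key material against the rules in
# this post (files readable by the owner only, ca.key kept offline).

# audit_key_dir DIR
# Prints one finding per line; returns 0 when the folder is clean, 1 otherwise.
audit_key_dir() {
    local dir=$1
    local status=0
    local f perms name
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # First 10 characters of `ls -ld`, e.g. "-rwxrwxrwx" or "-rw-------".
        perms=$(ls -ld -- "$f" | cut -c1-10)
        # Characters 5-10 are the group and other bits; 400/600 leave them empty.
        case "$perms" in
            ????------) ;;
            *) echo "LOOSE_PERMS $name $perms"; status=1 ;;
        esac
        # The CA private key signs new certificates; it belongs offline only.
        if [ "$name" = "ca.key" ]; then
            echo "CA_KEY_PRESENT $name"
            status=1
        fi
    done
    return "$status"
}

# Demo on a constructed folder that mimics /etc/openvpn/keys (empty files).
demo_dir=$(mktemp -d)
for name in ta.key dh.pem ca.crt ca.key client.key client.crt; do
    : > "$demo_dir/$name"
done
chmod 777 "$demo_dir"/*            # state right after the staging step
echo "Before clean-up:"
audit_key_dir "$demo_dir" || true

rm "$demo_dir/ca.key"              # ca.key now lives offline only
chmod 600 "$demo_dir"/*            # the final permission used in this post
echo "After clean-up:"
audit_key_dir "$demo_dir" && echo "clean"
rm -rf "$demo_dir"
```

On the server it would be run as root, for example: audit_key_dir /etc/openvpn/keys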

Setup OpenVPN Server Configuration

We can get a sample server configuration from the openvpn site. It is easier to copy the config file from the server.

IMPORTANT CHANGE: Please note that we no longer place the config file server.conf in /etc/openvpn. Instead, we keep it under the folder /etc/openvpn/server.

Use the following command to copy the sample:

cd /usr/share/doc/openvpn-2.4.6/sample/sample-config-files
sudo cp server.conf /etc/openvpn/server/

To configure the server file, use the command:

#### Configure server file
sudo nano /etc/openvpn/server/server.conf

Listed below is the configuration we use:

IMPORTANT CHANGE: Please note that tls-auth no longer works. Please use tls-crypt instead.

We add 2 lines as shown below


The following are the changes we made or the settings we uncommented:

# We set the protocol to TCP as some firewall block UDP.
proto tcp

# SSL/TLS root certificate (ca), certificate (cert), and private key (key)
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key

# Diffie hellman parameters.
dh /etc/openvpn/easy-rsa/pki/dh.pem

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS"
push "dhcp-option DNS"

# tls-auth no longer worked
# Please also provide the full path of the ta key
# (tls-crypt takes no key-direction argument, unlike tls-auth)
tls-crypt /etc/openvpn/ta.key # This file is secret

# Enable compression on the VPN link and push the
# option to the client
compress lz4-v2
push "compress lz4-v2"

# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# We need to comment out the following
# This is for udp, to use tcp, this must be disabled.
#explicit-exit-notify 1

The following are the defaults we use:

port 1194
dev tun
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
status openvpn-status.log
verb 3
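
The settings changed in this section can be linted before the service is started. This is an added example, not from the original post or the OpenVPN project; check_server_conf and its finding labels are made-up names, and both sample configs are constructed.

```shell
#!/usr/bin/env bash
# Added example: lint an OpenVPN 2.4 server.conf for the settings this post
# changes. The finding labels are invented for this example.

# check_server_conf FILE
# Prints one finding per line; returns 0 when nothing is flagged, 1 otherwise.
check_server_conf() {
    awk '
        # Drop comments (the sample file uses both "#" and ";") and blank lines.
        { sub(/[#;].*/, "") }
        NF == 0 { next }
        { seen[$1] = 1 }
        $1 == "proto" { proto = $2 }
        # The post asks for full paths to the key material.
        $1 ~ /^(ca|cert|key|dh|tls-crypt)$/ && $2 !~ /^\// {
            print "RELATIVE_PATH " $1; bad = 1
        }
        END {
            # explicit-exit-notify is UDP-only and must be disabled for TCP.
            if (proto ~ /^tcp/ && seen["explicit-exit-notify"]) {
                print "EXIT_NOTIFY_WITH_TCP"; bad = 1
            }
            if (!seen["tls-crypt"]) { print "NO_TLS_CRYPT"; bad = 1 }
            # Without user/group the daemon keeps root after start-up.
            if (!(seen["user"] && seen["group"])) { print "NO_PRIV_DROP"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample 1: a sample-style file where only "proto tcp" was changed.
untouched=$(mktemp)
cat > "$untouched" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
tls-auth ta.key 0 # This file is secret
;user nobody
;group nobody
explicit-exit-notify 1
EOF

# Constructed sample 2: the settings listed in this post.
edited=$(mktemp)
cat > "$edited" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
tls-crypt /etc/openvpn/ta.key
user nobody
group nobody
#explicit-exit-notify 1
EOF

echo "Sample file with only proto changed:"
check_server_conf "$untouched" || true
echo "Config from this post:"
check_server_conf "$edited" && echo "no findings"
rm -f "$untouched" "$edited"
```

On the server: check_server_conf /etc/openvpn/server/server.conf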

Start OpenVPN Server

IMPORTANT CHANGE: Please note that the OpenVPN server now uses systemd for services.

To start openvpn use the command:

# Use the following command to start server
sudo systemctl start openvpn-server@server.service
# server.service: server is the name of the .conf file
# If foo.conf is the config file command will be
# sudo systemctl start openvpn-server@foo.service

To check if the server is running use the command:

# Use the following command to check server status
sudo systemctl status -l openvpn-server@server.service

To start the server on boot, use the command:

# Use the following command to enable server on boot
sudo systemctl enable openvpn-server@server.service

If an error occurs, use the following command to check for errors:

# If error occurs use the following command to check for error
journalctl -xe

We can also check the error log at /var/log/messages

Configure IP Routing 

We also need to configure ip routing. Create a shell script file with the following commands:

# Copy the section below on the script
# chkconfig: 345 99 10
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Once the shell script is done, we need to change the permission of the file using the command below:

sudo chmod +x

Once the shell script is done, we can test the script using the command below:

sudo ./

To make the script run on every reboot, we need to create a service. Use the steps as follows:

Step 1: Create a service file using the command:

sudo nano /etc/systemd/system/iproute.service

Step 2: Copy the following section to the service file:

# Enter the following section on the file



Step 3: Use the following command to start and enable the service:

sudo systemctl start iproute.service
sudo systemctl status -l iproute.service
sudo systemctl enable iproute.service

Configuring Client

Before we start connecting the vpn session, we need to configure the client file. Copy the sample file from openvpn site.

We add the following line:


We need to make changes to the following:

# The hostname/IP and port of the server.
remote ip-address-my-server-1 1194

# Use tcp for vpn
proto tcp

# tls-auth no longer work
# tls-auth ta.key 1
# (tls-crypt takes no key-direction argument)
tls-crypt ta.key

#Need to change if keys are in different location
ca ca.crt
cert client.crt
key client.key

The following are default:

dev tun
resolv-retry infinite
remote-cert-tls server
cipher AES-256-CBC
verb 3

For Mac OS X users, we recommend Tunnelblick. We can get the software from the Tunnelblick site. Please follow the site tutorial on how to use Tunnelblick, though it is quite intuitive.

For Ubuntu (Debian class) or Red Hat class users, we can install openvpn using apt-get or yum. After that, we can launch the session from the command line:

# To connect openvpn via command line
sudo openvpn --config '/pathToClientConfigFile'

Enter the client password when asked.

Alternatively, we can also use network manager.

Connecting From Client and Troubleshooting

Now, we can start the session. To test the connection, please run a ping test. If the ping test is successful, then we are good to go.

If the client fails to make a connection, first check the server log to see if openvpn is running. The most common error is the location of the keys.

If the server is running well with no error, disable tls-auth by commenting it out. Please note that tls-auth is deprecated, use tls-crypt instead.

If the server is running well with no error and the client still fails to make a connection, perhaps we should try to make the connection from a public wifi. Try connecting from a different location to see if the problem lies with the firewall.

If the connection is successful but we cannot use the browser, then we need to check the DNS settings. Please remember to check the server configuration file.


Wednesday, August 15, 2018

Syntax Highlighting with Prism.JS on

To enable syntax highlighting using Prism.JS, insert the following code at the end of the header of your Blogger theme.

<link href='' rel='stylesheet'/>

<script src='' type='text/javascript'/>

To include code in the blog, switch to html and insert the following code:

<pre class="lang-bash"><code>

#This is programming code for shell script

</code></pre>

For other languages, we replace bash with c, cpp, csharp, docker, javascript, swift, objectivec or python.

For more language codes, please refer to the end of the main page of Prism.JS.


Sunday, August 5, 2018

Install Fedora 28 on Mac Mini (late 2009)

This is a basic guide to installing Fedora 28 on a Mac Mini (late 2009). This version is quite unstable, as we received a message that our boot image had crashed. Despite the error message, we managed to get Fedora to work.

Preparing to Install Fedora 28

To prepare a Fedora USB drive, we can download the Fedora Media Writer app. Using this app, we can download Fedora and write it to the USB drive directly.

Installing Fedora 28

Boot up from USB using the option (Alt) key. Then select Try Fedora 28. Once the live image is booted, we can use the disk app to remove any partition that we want to get rid of. Alternatively, we can do that during installation.

Click and run the app to install Fedora. The welcome screen is as follows:


Select the appropriate language, click Continue. You will be presented something similar to the following screen, except that the disk was not defined.

We can change the time zone and keyboard if we think the automated selection is wrong. Under System, click on Installation Destination to configure the drive.

Select the disk if you have more than one disk. Then select if you would want the system to configure the drive automatically for you. 

We select custom and click Done.

Due to the way the Mac Mini was designed, we need a few more partitions. We need the following partitions:

Partition  File System  Drive Space         Mount Point / Flag
sda1       FAT16        200MB               Flag: boot, esp
sda4       linux swap   8GB                 /swap
sda5       ext4         rest of free space  /

If you find defining partitions a hassle, you can allow the system to configure them for you automatically. If you have not removed any unwanted partition, you will be asked to reclaim disk space. Click Done.

We will go back to this screen. Please note that as long as there are red warning words, we cannot proceed with the installation. Once we are ready, click Begin Installation.

The installation will proceed as shown above. Once it is completed, we can click Quit as shown below.

Reboot the system when ready.

Post Installation Configuration

During the first boot, we are given the chance to create a user ID and even make connections to external storage services. We usually just create the user ID. We can start using Fedora once we have created the ID.

Update Fedora

Once we login to the system, the first thing is to update the system. Run the following command to update the system from a terminal:

sudo dnf update

Once the update is completed, reboot the system.

Enable Additional Repository 

We can enable additional repositories from the Software app. Open the app as shown below.

Notice that there is a blue banner for us to enable additional repositories. We can enable that.

Next, we select Software Repositories from the drop-down menu. We can enable or disable each repository.

Although the RPM Fusion repository is included, only the Nvidia driver and Steam are available. We need to add the complete RPM Fusion repositories using the command line. Run the following command:

sudo dnf install$(rpm -E %fedora).noarch.rpm$(rpm -E %fedora).noarch.rpm

Install Additional Software

Most of the software can be installed via the Software app. We need to download Chrome separately from the Google site. Please note that Chromium and Chrome are different products. Chromium is the open source web browser; Google Chrome is Google's web browser, which is tightly integrated with Google services.

Download the package that indicates 64bit Fedora.

Click Accept and Install. Once the software is downloaded, click Install as shown below.

We also install additional software via command line as below:

sudo dnf install -y vlc
sudo dnf install -y fuse-exfat exfat-utils

Final Note

Please note that we had no luck in installing any Broadcom wifi drivers. If wifi is a must, please get another wifi adapter.


Saturday, August 4, 2018

Installing and Configuring Raspbian for Raspberry Pi

This is a simple guide on installing and configuring Raspbian for Raspberry Pi. Although Noobs is recommended for beginners, we find that downloading and transferring the image to the SD card is much faster.

Installing Raspbian

First download the latest version of Raspbian from the Raspberry Pi website. To transfer the image to the SD card, we need to unzip the file first. We also need to prepare an SD card with an adapter for a card reader or USB drive.

Next we install and launch Etcher. This is a free and open source tool to make a bootable drive from Debian/Ubuntu based Linux. Select the image and drive and begin the transfer.

Once it is done, insert the SD card into the Pi and boot the system. During first boot we have additional configuration such as setting the password. Once the setup is completed, please run the update as follows:

sudo apt-get update

Once the update is complete we are good to go. 

Configuring Raspbian

Raspbian is similar to other Linux distributions. In addition, we can configure essential services such as the ssh server and vnc server using the Raspberry Pi Configuration app. The app is located at Preference > Raspberry Pi Configuration as shown below:

Once the GUI interface is launched, select Interface. We can enable camera, ssh or vnc.

Raspberry Pi has RealVNC installed; once we enable VNC, we are good to go. For further configuration please refer to our post under server configuration.

There are times when we need to reset the Pi password or perform audio configuration. We can do that by launching the following from the command line:

sudo raspi-config

A text based configuration box will appear as follows:

Forget Pi Password or Pi Password Not Accepted

To reset the password, select the first option, and you will be prompted to set a new password.

Reclaim Empty Space in SD Card

The Raspbian image only uses less than 2GB of data. We can expand the OS so that it can reclaim and use the remaining empty space on the SD card. To do that, under Advanced Options, select the first option: Expand Filesystem.

Set Raspberry Pi Audio

If you have HDMI attached to the monitor, the audio will pass through HDMI by default. However, we can direct the audio to the headphone jack using Advanced Options > A4: Audio.

Configuration that is specific to Raspberry Pi is either in the GUI interface or in the command line tool raspi-config.


Thursday, August 2, 2018

Install Linux Mint 19 on Mac Mini (late 2009)

This post is part of a series of installation guides for installing Linux on the Mac Mini (late 2009). For other Linux distributions, please refer to the list at the bottom of this post.

Video and Wifi Driver

As we have mentioned in the main post, the video and wifi drivers will be our main stumbling block. Based on our experience testing with various distributions, the same driver can behave differently in different distributions. For Linux Mint, we find that third party drivers cause us more problems. The recommended Broadcom BCM4321 wifi driver does not work at all. We need to install another driver. If we install the Nvidia display driver, the windows will not launch if we boot the system with monitor attached. The best solution is to use the default nouveau video driver.

Preparing USB Boot Drive

Preparing the USB boot drive is quite straightforward. Please be aware that for Linux Mint 19, there is a problem with the original installation image (linuxmint-19-cinnamon-64bit). The installer will crash unless we disable the network connection. The developers did not remove the original image; instead they introduced another version (linuxmint-19-cinnamon-64bit-v2). Please download version 2 of Linux Mint 19 instead of the original one. Preparing the USB drive is the same as for Ubuntu: download Etcher and write the image to the USB drive using this tool.

Booting Up Linux Mint from USB

To boot up the Mac from USB, press the option key (Alt for Windows keyboards) when the Mac chimes during startup. The boot menu will show the various boot drives. Select the USB drive.

Please note that if the OS hangs during boot up, we might need to clear the SMC or reset the PRAM. Please search the web for the shortcut or check out our main post here. If the SMC and PRAM have been reset and you still encounter problems, you might need to check the package or change the USB drive.

Once the live image is loaded, we can proceed to install Linux Mint.

Installing Linux Mint 19

The first screen of the installation app is shown as below:

Select your language and click Continue.

Select the keyboard layout and click Continue.

Make sure third party software is checked so that we can install other software such as vlc, since the repository has been added. Click Continue.

Select Erase data and install Linux Mint and click Install Now. The system will present to us how it will partition the drive. Basically Linux Mint needs 2 partitions. The first partition is about 500MB formatted with FAT32. It is mounted at /boot/efi with the flags boot, esp. The rest of the disk space is used to mount the root system.

Click Continue. Next a map will appear.

The location map is used to set your time zone. Select your appropriate time zone and click Continue.

Enter user name and password. Click Continue. The system will proceed to install the software.

At the end, we should have the choice of continuing to test the OS or rebooting the system.

Once Linux Mint is booted, you will be presented with a startup screen.

There are various options. The most important is to install updates. Launch Update Manager.

Make sure updates are installed. Reboot the system if required.

Install Wifi Driver

As mentioned earlier, the driver recommended for us in Driver Manager is not good. Please make sure we do not install this driver.

The alternative driver works better in Linux Mint. Use the following command:

sudo apt-get install firmware-b43-installer b43-fwcutter

Once installation is completed, edit the file using the command:

sudo nano /etc/modprobe.d/blacklist.conf

Remove or comment out the line: blacklist bcm43xx

Reboot the system. Now we are good to go.

For additional software installation, please use the app Software Manager.

Since third party repositories are included, we can install gparted or vlc from the app.


Wednesday, August 1, 2018

Install and Configure RealVNC in Linux Ubuntu 18.04 LTS

RealVNC is a commercial company that sells VNC licenses for the enterprise market. However, the company allows home users to set up a VNC server for personal use. The limitation is that you are only allowed 5 connections. Users must register an ID with the company. The configuration of your VNC will be stored on the company's server.

Since RealVNC is professionally produced, it is much better compared to the open source products in Linux. The main advantage is easy configuration, although there are steps to install and start the server, especially on the Linux platform. We do not need to worry about ip address and port number. What the server and client require is the RealVNC ID which we have created. Unlike the default Vino server that comes with Ubuntu, RealVNC will start without user login. The system is created with security in mind. Encryption is done transparently without any intervention from the user.

We will be showing a simple guide on how to install and Configure RealVNC Connect (server) in Ubuntu 18.04 LTS.

Setting up RealVNC Account

Go to the RealVNC site, watch the video and create an account, starting with entering your email address. You need to verify your email address before everything is ready.

Download RealVNC Connect Server

Go to this site and choose Linux as the platform. Select DEB x64 and click to download.

The download folder should have the deb file as shown below:

Wayland Compatibility Issue

Unfortunately, RealVNC Connect (Service mode) is not supported in Ubuntu 18.04 LTS with Wayland enabled. We can still install RealVNC Connect in Ubuntu 18.04; however, we need to disable Wayland.

Before we disable Wayland, we need to switch to the open source Linux video driver instead of the Nvidia third party driver. We can switch the driver by going to the Software & Update app, selecting Additional Drivers and changing the driver. Perform a reboot before we continue.

After reboot, open a terminal and edit the file

sudo nano /etc/gdm3/custom.conf

Uncomment WaylandEnable=false. Save the file and reboot Ubuntu.

Install RealVNC Connect Server in Ubuntu 18.04

To install RealVNC Connect, double click on the downloaded file in the download folder. Ubuntu Software will take over the file, click Install to proceed with the installation.

Once installation is completed, we should have the screen below.

Start VNC Server

To start RealVNC server, use the command below:

sudo systemctl start vncserver-x11-serviced.service

Setting Server Start on Boot

Next, we need to set the server such that the service will start on reboot. Use the following command:

sudo systemctl enable vncserver-x11-serviced.service

We should have the following response:

Created symlink /etc/systemd/system/ → /usr/lib/systemd/system/vncserver-x11-serviced.service.

Server Configuration

Once the server is started, a VNC icon will appear near the top right corner. Click on the icon and the following screen will appear.

The screen shows that it has not been configured. Click on the red X and the following screen will pop up.

Click Resolve on the lower right corner to resolve the license issue. The following screen appears.

Since we are using the home use license, we just need to sign in to the RealVNC account. Click Next.

Enter the email address and the password. Once the email and password fields are populated, we should be able to sign in. Click Sign In.

Once the sign in is successful, we need to set the VNC password for every client to log in. Please note that this is not the password of the RealVNC account. This password is required when any other workstation needs to connect to this VNC server. Set and confirm the password. Click Next.

This box will present the server information including your RealVNC account information. Click Apply. Once it is completed, click Done.

The server message will disappear.

On the main server page, there will be a green tick sign showing configuration is done.

Launching VNC Client

To launch VNC Client, we need to download RealVNC Viewer. RealVNC Viewer is available in Windows, Mac and Linux. Once we install the viewer, there will be no configuration required.

We just need to log in to our RealVNC account and the viewer will automatically populate the remote station.

We just need to launch the pre-configured remote station and enter the VNC server password we have set.

Removing RealVNC

To uninstall the server, we need to use the following command:

sudo apt-get purge realvnc-vnc-server

Please note that to completely remove any related data, please follow the advice in the following post.

We also need to remove the computer information on the RealVNC account. To do that, please login to RealVNC using your account. Under your login name, select Computer. In the computer page, it will contain the VNC server information which we previously setup. We can remove any remote workstation we want.

Installing RealVNC with Linux Mint

Installing RealVNC with Linux Mint is much easier. Please note that we only tested Linux Mint on Cinnamon, so we do not need to disable Wayland. However, if you install Linux Mint with Gnome, you might also need to disable Wayland.

Using Linux Mint with Cinnamon, the installation process is straightforward. Configuration is also the same as above. The only caveat is that the Nvidia driver is not recommended when used with RealVNC. This is because, during boot up, if no monitors are detected, the system will not start X window. The RealVNC server will be running but it cannot show the desktop since no window was started.

We would recommend using the default nouveau driver. The system can boot up without a monitor attached.

Installing RealVNC with Fedora

Please note that Fedora is also not compatible with RealVNC server. We need to disable Wayland. The location of the file is at /etc/gdm/custom.conf.

In addition, we need to remove tigervnc using the command below:

sudo dnf remove tigervnc-server-minimal

Download the rpm package such as VNC-Server-6.3.1-Linux-x64.rpm

Install the package as shown below:

Refer to the note on top to start and launch the services. Please also note that Fedora needs to be run with a monitor attached. RealVNC will not work well if Fedora was booted headless (without a monitor connected).


Unable to Set License

If for some reason, you are not able to login your RealVNC account and configure the license, you can activate the license wizard using the command below:

sudo vnclicensewiz

You can also use the above command when you have difficulties in completing the wizard due to insufficient privilege. Once we login with our RealVNC ID and the wizard completed its configuration, the VNC service will be available.


For any further questions, please refer to the following post:

Tuesday, July 31, 2018

Secure Screen Sharing with Linux Ubuntu 18.04 LTS

To share the screen from an Ubuntu workstation securely, we need to configure the pre-installed VNC server Vino, and we also need to install the ssh server if we have not already done so.

Server side configuration is as follows:
  1. Configure Vino server
  2. Install and configure ssh server 

We have 2 methods of launching VNC client. They are as follows:

Method 1
  1. Establish an ssh tunnel to the VNC port
  2. Launch VNC client over ssh tunnel

Method 2
  1. Use a VNC client that can perform both at the same time.

Server Side Configuration

Configure Vino Server

Install and Configure SSH Server

Please refer to this post
Install and Configure SSH Server on Linux

Client Side Connection

Method 1A: Launching VNC from Linux/Mac OS X

Establish SSH Tunnel from Client
At this point we assume that we have installed and tested the ssh server. To establish a secure ssh tunnel to the VNC port, we must have the ip address of the VNC server and the port number it is using.

We can use the following command to establish the connection:

ssh -f -L 5999:localhost:5900 ipAddress -l username sleep 60

We obtained the above command from the man page. The details are as follows:
  • -f asks ssh to fork a separate process. This way the terminal is freed up. We can use ps -A | grep ssh to see if the process is still alive.
  • -L 5999:localhost:5900 This is the most important option. It tells ssh to use port 5999 as the local port on our local host and to forward the data from that local port to port 5900 on the remote host. Local port 5999 can be any unused port number. 5900 is the port used by the VNC server. If your VNC server uses a different port, please change accordingly.
  • ipAddress is the ip of the VNC server
  • -l username is for us to log in with username
  • sleep 60 tells ssh to keep the connection alive for 60 seconds if there is no network activity. This way we do not need to kill the process when we are done.

We have also tested the following command:

ssh -L 5999:localhost:5900 -N -f -l username ipAddress

We obtained this command via web search. It is pretty much the same. The option -N asks ssh not to execute a remote command as the connection is for port forwarding only. Therefore the sleep command cannot be used with -N. The ssh connection will be there until we kill it.

We would recommend using the first command, unless you prefer to establish a permanent connection.

Launch VNC Client
To use the VNC client over ssh, we need to use localhost and the local port number established earlier. Simply, we can use the following command:


Whatever VNC client we use, we must configure it such that the VNC server is localhost. The port number will be 5999 or whichever local port number you have configured using ssh.

Method 1B: Launching VNC from Windows

We need to download and install PuTTY. PuTTY is a remote connection tool. The setting is similar; if in doubt, please search the web for information. Then you need to launch your VNC client using localhost and the local port number you have configured in PuTTY.

Method 2: Launching VNC with SSH from VNC Client

We can perform both functions using certain VNC clients. Currently we can only confirm that the app Remmina supports this function. Remmina is only available on the Linux platform. Open the app and create a new connection.

Enter the name of connection, server with port number, username and password. Then click on the third tab named SSH:

Over here we can configure the SSH settings.

Once the settings are done, we can click save and connect to establish the VNC connection. If you are on the Linux platform, we would recommend Remmina.


Sunday, July 29, 2018

Simple Screen Sharing on Linux Ubuntu 18.04 LTS

Ubuntu already has a VNC server Vino pre-installed. So no additional VNC server installation is required.

Configuring VNC Server

To share screen from Ubuntu, we need to perform a few steps:

To share screen go to Settings > Sharing

Turn ON the OFF button on the top right corner

Click on Screen Sharing. Turn ON the OFF button on the top left corner and set a password.

Resulting screen is as follows:

Once it is completed, we need an additional command line setting so that it works. Apparently, the default encryption does not work well with any VNC client. To get VNC to accept incoming connections, open a terminal and execute the following command:

gsettings set org.gnome.Vino require-encryption false

Once this setting is done, we have one more step to do before we are good to go.  We need to enable auto-login so that screen sharing can work. Go to Settings > Details > Users

On the top right corner, click Unlock and enter your password. Then turn ON auto-login as shown below:

Now we are good to go. Before we move on, please obtain the IP address either from the GUI or command ifconfig.

Note: I could not get Ubuntu to launch screen sharing without user login. If you happen to have the solution, please let us know in the comment.

Working with VNC Client

VNC Client on Windows

If you are connecting from Windows, we would recommend that you download RealVNC viewer. It is free. Just type the ip address followed by the port number in the VNC viewer. By default Vino uses port 5900.

VNC Client on Mac OS

If you are connecting from Mac, we can use the built-in VNC viewer. Under Finder, select Go > Connect to Server and then type in the following vnc://ipaddress:5900

Alternatively, you can still download RealVNC viewer for Mac. The connecting process is the same.

VNC Client on Linux

For Linux, we have Remmina, which comes pre-installed in Ubuntu. Please search the web for other VNC clients.


Please note that the VNC connection is Not Secure. As shown earlier, we have to disable encryption to get Vino to work. However, there are other possible options. The most common approach is to use ssh to secure the VNC connection. Alternatively, we can explore other VNC servers.
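
Because Vino now runs without encryption, it is worth checking on the server whether port 5900 is reachable directly or only through an ssh tunnel. This is an added example, not from the original post; the function names, the 5900-5999 port range and the sample ss output are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: list VNC listeners that are reachable from the network.

# exposed_vnc_listeners
# Reads `ss -ltn` output on stdin and prints "address port" for every listener
# on a VNC display port (5900-5999) that is not bound to a loopback address.
exposed_vnc_listeners() {
    awk '
        $1 != "LISTEN" { next }
        {
            # Local Address:Port is field 4; the port follows the last colon,
            # which also copes with IPv6 forms such as [::]:5900.
            n = split($4, part, ":")
            port = part[n] + 0
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
        }
        port < 5900 || port > 5999 { next }
        # Loopback listeners (for example the local end of an ssh -L tunnel)
        # are only reachable from the machine itself.
        addr ~ /^127\./ || addr == "[::1]" { next }
        { print addr, port }
    '
}

# Constructed sample of `ss -ltn` output: sshd, Vino on all interfaces
# (IPv4 and IPv6), and the local end of an ssh tunnel on 127.0.0.1:5999.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:5900        0.0.0.0:*
LISTEN  0       5       [::]:5900           [::]:*
LISTEN  0       128     127.0.0.1:5999      0.0.0.0:*
EOF
}

echo "Network-reachable VNC listeners in the sample:"
sample_ss_output | exposed_vnc_listeners
```

On a real host the input comes from ss itself: ss -ltn | exposed_vnc_listeners. Any line it prints is a VNC port that clients can reach without going through ssh, so a firewall rule is still needed for the tunnel to be the only way in.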

Please refer to the following post if you need to establish a secure connection over VNC.

Please refer to the following guide for configuring various VNC server in Linux