Nowadays more and more people are using VM servers. Managing these VM servers becomes more and more important, and security concerns rise as well, because VNC doesn't encrypt the data sent over the connection.

Here I'll quickly describe how to set up the VNC configuration of a VM server, then discuss how to make the VNC connection more secure.

Config VNC connection to virtual machine

I'm using VMware's quick Knowledge Base document; it is clear and easy to follow. It is written for VMware GSX, but it also applies to other VMware products, with only slight differences in where the configuration lives. The three essential variables are the same: enable VNC, port, and password.

You can use a VNC (Virtual Network Computing) client to connect directly to a virtual machine running on a VMware GSX Server 3 host. You can use a client such as RealVNC on a Windows or Linux host or client system.

Note: VMware does not support running virtual machines with a VNC client.

Keep in mind that the virtual machine must already be running before you can connect to it with a VNC client, which means the virtual machine must have already been powered on in the VMware Management Interface or the VMware Virtual Machine Console. The virtual machine can have a console connected to it at the same time as a VNC client.

To use a VNC client, you need to manually modify the configuration of any virtual machine to which you want to connect. You also need to configure the VNC client. This article covers both procedures.

Configuring a virtual machine for access by a VNC Client

To connect to a virtual machine with a VNC client, you must modify the virtual machine's configuration file (.vmx) while the virtual machine is powered off.

Open the file in a text editor and add the following lines:

  • RemoteDisplay.vnc.enabled = TRUE

    Setting this option to TRUE enables standard VNC support. This setting is valid only while the virtual machine is running. If the virtual machine is powered off, you cannot connect to it with a VNC client.

  • RemoteDisplay.vnc.port =

    Specify the port the VNC client uses to connect to the virtual machine. 5900 is the default VNC port used for . If you want to connect to more than one virtual machine on the same host with a VNC client, you must specify a unique port number for each virtual machine. VMware suggests you use a port number in the range from 5900 to 5999. You can use any port number, but keep in mind that certain port numbers are used by other applications while others are privileged (meaning only the root or Administrator user can listen). For example, the VMware Management Interface uses ports 8333 and 8222; on Linux, only root can listen to ports up to port number 1024. Conflicts can occur if you specify a port in use by another application.

    If you add RemoteDisplay.vnc.enabled = TRUE to your configuration file without specifying the port number option, the virtual machine uses port 5900, the default VNC port number. Note that only one virtual machine can use a given port number at a time.

  • RemoteDisplay.vnc.password =

    GSX Server 3 supports VNC 3.3 authentication, which is an eight character password. Use this password when you are prompted for authentication as you use the VNC client to connect to the virtual machine.

Make these changes for each virtual machine to which you want to connect with a VNC client. Remember to specify a unique port number for each virtual machine if you intend to connect to more than one virtual machine on the host with a VNC client.

Configuring the VNC Client for best performance

There are two VNC client settings you should ensure are specified before you connect to a virtual machine. Make sure the client is set for hextile encoding and make sure the client is set to use all colors. These settings should avert any display issues.

Connecting to a virtual machine with a VNC Client

To connect to a virtual machine with a VNC client, start the VNC client application, then specify the host's IP address or name along with the virtual machine's VNC port number:
:

Note: VNC clients understand a shorthand form for the port number, in which only the last two numbers (0 to 99) are needed and the 59 is implied. For example, if the virtual machine is configured for port 5902, you can specify :2 instead of :5902.

After you connect to the virtual machine, you must log in. You do not specify a user name, only the password specified in the configuration file.

Known issues when using a VNC Client

The following issues are known to occur when you connect to virtual machines with a VNC client.

  • Only the 8-character password is encrypted with the standard VNC client. All VNC client traffic is sent unencrypted across the network. If security is a concern in your organization, VMware recommends using the VMware Virtual Machine console, which allows you to encrypt console traffic using SSL. Alternatively, you can tunnel your VNC connections over the SSH protocol. Refer to your SSH vendor documentation for more details.

  • You cannot take or revert to snapshots.

  • You cannot change the power state of the virtual machine; that is, you cannot power on, power off, suspend or resume. You can shut down the guest operating system, which may or may not power off the virtual machine (some operating systems do not power off their systems when shut down).

  • You cannot copy and paste text between the host and guest operating system.

  • You must install VMware Tools in the virtual machine before you connect with the VNC client. Otherwise, the mouse cannot work. (VNC clients do not support relative mice; VMware Tools contains an absolute mouse driver.)

  • You cannot configure the virtual machine with the virtual machine settings editor, nor can you upgrade VMware Tools.

  • You may experience screen drawing issues. For more information, see Applications running in a Windows guest experience screen drawing issues (1261).
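Since the KB's rules (unique port per VM, password required, 5900 as the implicit default, 5900-5999 suggested, privileged ports up to 1024, 8333/8222 taken by the Management Interface) are easy to get wrong across many .vmx files, here is an added audit script that checks them. It is not VMware's code or from the KB; the .vmx contents are constructed samples and the key names are the ones listed above.

```python
"""Audit VMware .vmx files for risky VNC settings (added example, not VMware's code)."""
import re
from typing import Dict, List

# Constructed sample .vmx contents keyed by file name (assumed layout, not real VMs).
SAMPLE_VMX = {
    "web01.vmx": 'RemoteDisplay.vnc.enabled = "TRUE"\nRemoteDisplay.vnc.port = "5901"\n'
                 'RemoteDisplay.vnc.password = "s3cret"\n',
    "db01.vmx": 'RemoteDisplay.vnc.enabled = "TRUE"\nRemoteDisplay.vnc.port = "5901"\n',
    "lab.vmx": 'RemoteDisplay.vnc.enabled = "TRUE"\nRemoteDisplay.vnc.port = "8333"\n'
               'RemoteDisplay.vnc.password = "x"\n',
    "off.vmx": 'RemoteDisplay.vnc.enabled = "FALSE"\n',
}
# Ports the KB says are already taken on a GSX host.
RESERVED = {8333: "VMware Management Interface", 8222: "VMware Management Interface"}
KEY_RE = re.compile(r'^\s*([\w.]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_vmx(text: str) -> Dict[str, str]:
    """Return key/value pairs; .vmx keys are case-insensitive, so lower-case them."""
    out = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            out[m.group(1).lower()] = m.group(2).strip()
    return out

def audit(files: Dict[str, str]) -> List[str]:
    """One finding per problem, applying the rules from the KB text above."""
    findings, ports_seen = [], {}
    for name, text in files.items():
        cfg = parse_vmx(text)
        if cfg.get("remotedisplay.vnc.enabled", "FALSE").upper() != "TRUE":
            continue  # VNC off: nothing listens for this VM
        if "remotedisplay.vnc.port" not in cfg:
            findings.append(f"{name}: no port set, defaults to 5900")
        port = int(cfg.get("remotedisplay.vnc.port", "5900"))
        if not cfg.get("remotedisplay.vnc.password"):
            findings.append(f"{name}: VNC enabled without a password")
        if port in ports_seen:
            findings.append(f"{name}: port {port} already used by {ports_seen[port]}")
        ports_seen.setdefault(port, name)
        if port in RESERVED:
            findings.append(f"{name}: port {port} conflicts with {RESERVED[port]}")
        if port <= 1024:
            findings.append(f"{name}: port {port} is privileged (root only)")
        elif not 5900 <= port <= 5999:
            findings.append(f"{name}: port {port} outside the suggested 5900-5999 range")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_VMX)))
```

Point it at the real .vmx files by reading each one into the dictionary; the sample set shows a duplicate port, a missing password and a port clash with the Management Interface.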
Security

So, basically, you access a VM server by running:

$ vncviewer <vm host ip>:<vm machine VNC port>

Right away, you can tell it's not a secured connection. There are some products on the market to make the VM server connection more secure; here is my way.

1. Limit VNC connections to a secure site

Regardless of which type of virtual machine you are running, you can secure the server within the server itself: for regular day-to-day work you don't need the VNC connection at all. So, harden the VM host server and use iptables to limit the range of machines that can reach the VM server via VNC, by IP range and port.

2. Use an SSH connection over the public network

In the above case, you still need to open the VNC port to the outside. When you need to access your virtual machine via VNC over the public network, it's safer to set up an account on the VM host, ssh to the VM host, then launch the VNC client from there.

$ ssh -Y <vncaccount>@<vm host>

then, on the VM host (the -Y option forwards the viewer's X11 window back to your local display):

$ vncviewer <vm host ip>:<vm machine VNC port>

3. Use vncviewer's embedded SSH tunneling over the public network

$ vncviewer -via <vm host ip> localhost:<vm machine VNC port>

The 'via' option automatically creates an encrypted TCP tunnel (an SSH tunnel) to the gateway machine before connecting, then connects to the host through that tunnel (TigerVNC-specific). The host address given after the gateway is resolved from the gateway's side of the tunnel, so the VM host itself is reached as localhost there.

4. Use an explicit SSH tunnel over the public network

This is similar to the above case, but sets up an explicit SSH tunnel rather than using the VNC client's built-in tunnel. This is especially useful when you don't have a command line environment, for example on a Windows machine.

So, use a terminal connection tool like PuTTY to create an SSH tunnel, then establish a VNC connection through the tunnel.

The equivalent command line is:

$ ssh -L <localport>:localhost:<VNC port> <vm host>
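A small launcher around the tunnel command above, as an added example that is not from the original post: it starts the ssh forwarder, waits until the local port really accepts connections, runs vncviewer against localhost (the local end of the tunnel, not the VM host), and tears the tunnel down afterwards. It assumes OpenSSH and a vncviewer binary on PATH; the script name and argument order are my own.

```python
"""Launcher for the post's ssh -L tunnel (added example, not from the original post)."""
import socket
import subprocess
import sys
import time
from typing import List

def tunnel_cmd(vm_host: str, vnc_port: int, local_port: int, user: str = "") -> List[str]:
    """argv for `ssh -L <localport>:localhost:<VNC port> <vm host>`; -N opens no shell."""
    target = f"{user}@{vm_host}" if user else vm_host
    return ["ssh", "-N", "-L", f"{local_port}:localhost:{vnc_port}", target]

def viewer_cmd(local_port: int) -> List[str]:
    """vncviewer must target the local end of the tunnel, not the VM host itself."""
    return ["vncviewer", f"localhost:{local_port}"]

def wait_for_port(port: int, timeout: float = 10.0, host: str = "127.0.0.1") -> bool:
    """Poll until something accepts connections on host:port, or give up."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with socket.socket() as s:
            s.settimeout(0.5)
            if s.connect_ex((host, port)) == 0:
                return True
        time.sleep(0.2)
    return False

def run(vm_host: str, vnc_port: int, local_port: int, user: str = "") -> int:
    """Start the tunnel, run the viewer through it, then always tear the tunnel down."""
    tunnel = subprocess.Popen(tunnel_cmd(vm_host, vnc_port, local_port, user))
    try:
        if not wait_for_port(local_port):
            print("tunnel did not come up; check the ssh output", file=sys.stderr)
            return 1
        return subprocess.call(viewer_cmd(local_port))
    finally:
        tunnel.terminate()
        tunnel.wait()

if __name__ == "__main__":
    # usage: vnc_tunnel.py <vm host> <VNC port> <local port> [user]  (assumed script name)
    host, vnc, local = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    sys.exit(run(host, vnc, local, sys.argv[4] if len(sys.argv) > 4 else ""))
```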

See more SSH tunneling setup examples in How to setup SSH tunnel