Joe Harris
February 1 2021
Updated June 27 2025

How to Establish a Secure VNC Connection Over SSH Tunnel on CentOS 8, macOS, and Windows


We recently covered how to install TigerVNC server on CentOS 8. On its own, a VNC connection is insecure, so in this tutorial we show how to establish a VNC connection over an SSH tunnel on CentOS 8, which secures the connection and the transmitted data. Before following these steps, complete all of the setup from the first part.

SSH configuration

Previously, we created the user username. Now that user needs to be able to connect to the server via SSH, if that is not already possible. To test this, try connecting to the remote server via SSH as username.

If this works, you can proceed to the next step. If not, you need to either enable password authentication on the server or configure an SSH key for username. See the SSH configuration and SSH key configuration chapters in the Initial CentOS 8 Server Setup note.

TigerVNC configuration

Open the TigerVNC configuration file:

sudo nano /etc/tigervnc/vncserver-config-defaults

Uncomment the following line:

# localhost

Restart the TigerVNC service:

sudo systemctl restart vncserver@:2

Now it is no longer possible to connect to the server via VNC directly from a remote computer, only via an SSH tunnel.
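
To confirm that the setting took effect, the following check reads `ss -ltn` output and reports whether port 5902 (display :2) listens only on the loopback interface. It is an added example, not part of the original tutorial; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the VNC port is bound to loopback only.
# Function names and the sample listings below are constructed for illustration.

# vnc_bind_check PORT  (stdin: output of `ss -ltn`)
# exit 0 = loopback only, 1 = reachable from the network, 2 = no listener
vnc_bind_check() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr !~ /^127\./ && addr != "[::1]" && addr != "::1") exposed = 1
        }
        END {
            if (!found) exit 2
            if (exposed) exit 1
            exit 0
        }'
}

describe() {
    rc=0
    vnc_bind_check "$1" || rc=$?
    case $rc in
        0) echo "port $1: loopback only, reachable only through the SSH tunnel" ;;
        1) echo "port $1: reachable from the network, localhost option not in effect" ;;
        *) echo "port $1: no listener found, is vncserver@:2 running?" ;;
    esac
}

# Constructed listings: before and after uncommenting "localhost".
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5            0.0.0.0:5902      0.0.0.0:*
LISTEN 0      5               [::]:5902         [::]:*'
SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5          127.0.0.1:5902      0.0.0.0:*
LISTEN 0      5              [::1]:5902         [::]:*'

printf '%s\n' "$SAMPLE_BEFORE" | describe 5902
printf '%s\n' "$SAMPLE_AFTER"  | describe 5902
# On the server itself: ss -ltn | describe 5902
```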

Now let's move on to the client computer.

Creating an SSH tunnel on Linux or macOS

On any Unix-like operating system, just open a terminal and enter the following command:

ssh -L 62000:localhost:5902 -N username@TigerVNC_server_IP

Replace username with the login that was created in the first part of the tutorial, and TigerVNC_server_IP with your server address. As you can see, this is an ordinary ssh command. The -L flag forwards local port 62000 to port 5902 on the server's loopback interface, and -N tells ssh not to run a remote command, so the session only carries the tunnel.

Creating an SSH tunnel on Windows with PuTTY

In PuTTY, the setup differs only slightly from a regular SSH connection. Go to the Connection section, then SSH, and finally Tunnels. Enter 62000 in the Source port field and localhost:5902 in the Destination field.

Click Add and Apply.

Establishing a VNC connection over an SSH tunnel

After the tunnel is created, you can establish a secure VNC connection to the remote server. To do this, use any VNC client, as in the first part, but connect to a different address and port: localhost:62000.

Conclusion

By establishing a VNC connection over an SSH tunnel, you significantly improve the security of remote desktop access to your CentOS 8 server. VNC by itself does not encrypt traffic, making it vulnerable to eavesdropping and attacks. Tunneling the VNC session through SSH ensures that all data, including login credentials and screen content, is securely encrypted. In this tutorial, we showed how to configure both the TigerVNC server and SSH tunnel on CentOS 8, as well as how to create the tunnel from Linux/macOS and Windows using PuTTY. With these steps, your VNC sessions are now protected and safe for remote administration.

FAQ

  • Q1: Why should I use SSH tunneling with VNC?
    VNC transmits data in plain text by default. Using an SSH tunnel encrypts the connection, protecting it from network sniffing and man-in-the-middle attacks.
  • Q2: What port should I use when connecting to the VNC server through the tunnel?
    Connect to localhost:62000 instead of the real server IP and VNC port. The SSH tunnel forwards local port 62000 to the server’s VNC port 5902.
  • Q3: Can I use a different port instead of 62000?
    Yes, you can use any available local port. Just ensure it matches in both your tunnel command and VNC client configuration.
  • Q4: What if SSH login fails for my VNC user?
    Ensure the user has SSH access enabled. This may require configuring password authentication or setting up SSH keys.
  • Q5: Why can’t I connect to the VNC server directly anymore?
    The TigerVNC configuration was changed to bind only to localhost (localhost directive uncommented), which disables external direct VNC access for security.
  • Q6: Do I need to create a new tunnel every time I want to connect?
    Yes, the SSH tunnel must be re-established each time before starting a VNC session unless you configure an automated or persistent SSH connection.