Tigervnc Trials on Arch and Debian

I’ve found it useful to run a vnc server on my server, but I did it reluctantly. I didn’t need it for a while, but I was messing around with a bittorrent server, and I found a gui to be useful for that. The server runs Arch Linux, and at some point I went through the Arch wiki about tigervnc, set it up, and it just works, but when I went to set it up on my Debian boxes, I could not get it to work. I’m talking no matter what I tried, it just wouldn’t work. I’d spend something like an hour here and there just working on it, I’m talking about over the course of a year whenever I’d think to get back to it, and I’d get frustrated every single time.

For Debian, the documentation out there is sparse, and for tigervnc in general it is sparse. The best documentation I’ve found is the Arch Wiki, which is often the case, but it is somewhat outdated. For instance, you can set up the system to prefer a default desktop, and the vnc server will just use it, but there’s many, many confusing configuration write-ups that specify how to set up desktops, with confusing and unexplained configuration options. Then there’s getting the server to start at startup using systemd. In Arch, the service is called vncserver@.service, but in Debian it is called tigervncserver@.service. It is unclear why it is different between the two, but no big deal; it’s just that the arch documentation is the only game in town, and you have to figure out these differences on your own.

So, I had the server running on my Arch box no problem. It just works, but somehow I set it up to work without the ssh tunnel, which is what I actually want in my local network. I’m not going to be accessing these machines from outside of my local network, so the ssh security tunnel isn’t necessary. On my Debian boxes, I have yet to figure out how to make this happen, and on the Arch box, I have no idea what I did to make that one just work. I’ve been retracing my steps, and I can’t figure it out. I can use the ssh tunnel to connect to the debian boxes, but nothing I’ve tried removes that security layer that is set up by default, yet it just works in Arch (I have no idea why)

I went back and looked at my first write-up about this, TigerVNC Server Install, and half of it is just wrong. I remember when I wrote it I was reconstructing what I had done, poorly.

All of the following is what I’ve learned about making it work on Debian.

First of all, install the programs:

apt install tigervnc-standalone-server tigervnc-xorg-extension tigervnc-viewer

Interesting here, one thing about Debian is that usually the Ubuntu documentation works interchageably, and I found that list of programs on a one-off write up about this, but most don’t mention the existence of the xorg-extension at all. I don’t know if it is even necessary.

From there, you set the password for the vnc server logged in as the user you want to use for it. It will ask you for a password, and then to confirm it, and then it will as you if you want a read-only password, yes or no, and I’ve always selected no.

vncpasswd

Then, you can launch the server, which all the documentation I’ve seen says to do first, and then to kill it, I suppose to auto-generate all the configuration files it needs.

vncserver

But, here’s where I figured out that by default it wants the SSH tunnel. By default, the above command makes it accessible only to the localhost. To make it accessible and open to any machine on the local network, you run:

vncserver -localhost no :1

And with that running, it just works, and it will default to the systems default desktop, which you can select with the following command:

update-alternatives --config x-session-manager

In almost every other write-up I’ve read, nothing mentions that the vnc server will serve the default desktop. All of them give you various configuration files to set up to use xfce, and if you want to use plasma, it’s just about impossible to find configuration ideas pertinent to that. Moving on.

Now, kill the instance like this:

vncserver -kill :1

The tigervnc packages comes with a pre-configured systemd service file. Like I specified above, you can activate it like this:

systemctl start tigervncserver@:1.service

Here’s where I run into a brick wall for the configuration I want, which is exposed to the local network with no requirement to use the ssh tunnel. The above command activates the server, which you can see with the following command:

vncserver -list

But it is only exposed on the localhost, and you can’t get to it without the ssh tunnel. To create the ssh tunnel, obviously you will need an ssh server running on that machine. Then, you log into it like this:

ssh (hostname or IP address) -L 9901:localhost:5901

You must leave that window running, then open another window and do:

vncviewer localhost:9901

That just works, at least in my testing. I’m able to log into the remote machine using KDE plasma, or whatever default desktop you selected.

From here, the Arch wiki page becomes useless, but the Ubuntu man page has some good information. It says that the server will read from the default configuration file first, found at /etc/tigervnc/vncserver-config-defaults. Then, it will read any user configuration files that are located at $HOME/.vnc/tigervnc.conf. This is different from the arch wiki, which specifies the user configuration file in the same locations, but named merely config. The options specified in this file will override the default configuration. I’ve tried specifying in the default configuration file to use no localhost, which looks like this:

$localhost = "no";

But that didn’t work, and that’s where I am as of this writing, trying to figure out the configuration files and how they relate to each other. Even if I have no configuration file in my user directory, the above still doesn’t work, but it seems to me like it should.

UPDATE Feb. 26, 2025

Just a few new notes about this. First of all, the file $HOME/.vnc/tigervnc.conf I can verify is read. I copy and pasted the configuration that was in the old config file, which is how it is set up in Arch, just a file called config in the same directory. Systemctl terminated the service because the syntax was wrong, so another big difference between how this works in Arch and Debian. The syntax that is in the configuration files in /etc/tigervnc works, though. I’ve specified the above:

$localhost = "no";

And that seems to work because I am able to access the server without the ssh tunnel now; however, specifying the geometry in that file, or in any other, doesn’t seem to work at all. No idea what’s going on there.