17 February 2012

69. Reverse VNC using vncviewer and tightvnc

Reverse VNC is a good way of helping people remotely. It requires that your IP is remotely accessible, but it does NOT require that the client's IP is public.

This is based on http://ubuntuforums.org/showthread.php?t=299489 and https://caedesnotes.wordpress.com/2010/01/08/remote-administrationtech-support-with-reverse-vnc/ but with screenshots. If both of you are using linux but you for some reason prefer vnc over ssh, have a look at that link for how to do (i.e. using x11vnc on the client)

Like a lot of people I have parents. Like most of those people, my parents aren't too interested in augmenting their computer skills. Which is fine. But trying to explain over the phone where to click etc. gets old really fast -- VNC is an advantage here if they are running windows. Parents also tend to appreciate lots of screenshots -- so I've provided that. It's running on a French version of XP -- it's my way of indirectly learning and keeping my French alive.


The situation:
You're running linux. The client is running Windows. You are you, the person you're helping is The Client.
Set up your system before having the client follow the instructions here. I put the client instructions first so you can send them to this page.

The Client:
They are running Windows. They don't have a public IP. Here's what they should do:

1. Download tightvncviewer from here: http://www.tightvnc.com/download.php

2. Installation of tightvnc

a) Install both client and server or only server. It doesn't matter -- the server is important here.

b) During setup, make sure that you check all the boxes as shown below

You will not need to share your password with the person helping you. Make sure not to leave these blank.

c) Tightvnc requires the administrator password to be able to accept connections.

Right-click on the icon in the taskbar tray, and click on Configuration...

Change main server port to 5500. We're doing this to be consistent.
You may de-select 'Serve Java Viewer to Web clients)

The steps above you will only need to do once.

The following steps you will need to do each time you want to get help:
1. Right-click on the vnc icon in the taskbar tray. Select Attach Listening Viewer...

2. In Hostname or IP address of the viewer, type the IP address given to you by the person helping you. In this example it's, but it can be anything. Append ::5500 to the IP address. In our example, the input is

That's it. If something not described here is happening, make sure to tell the person helping you. Especially if messages about Blocked programmes or Firewalls come up.

You (linux person):
Your public IP is in the example above. Your port 5500 is open to the world.

sudo apt-get install vncviewer

Start your listening session by

vncviewer -compresslevel 9 -listen 0
vncviewer -listen: Listening on port 5500
vncviewer -listen: Command line errors are not reported until a connection comes in.

Once the connection is started by the client you get:
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "tantalum"
VNC server default format:
  16 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 31 green 63 blue 31, shift red 11 green 5 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
You can play around with the compresslevels which runs from 0 to 9. Make sure to keep an eye on your firewall log -- your client/parent may easily get frustrated if things aren't working -- and you really don't want to be the cause of it.

I tested this by running windows xp in virtualbox on one linux box,, and piped the vnc connection through to another linux box at The firewall settings I had to do were:


Open port 17500 to tcp traffic from to
sudo iptables -A INPUT -i eth1 -s -d -p tcp --dport 17500 -j ACCEPT

Open port 5500 to tcp traffic destined for
sudo iptables -A INPUT -d -p tcp --dport 5500 -j ACCEPT

No comments:

Post a Comment