Securely Access VNC remote desktop with noVNC Encryption .

share on:
noVNC encryption tightvnc

noVNC is a browser based VNC client implemented using HTML5 Canvas and WebSockets. noVNC communicates with a remote VNC server via Web sockets. Furthermore, it runs well in any modern browser including mobile browsers (iOS and Android). We can also configure noVNC encryption for securely accessing remote servers.


noVNC Feature List

The following list shows full features offered by noVNC.

  • Supports all modern browsers including mobile (iOS, Android)
  • Supported VNC encodings: raw, copyrect, rre, hextile, tight, tightPNG
  • WebSocket SSL/TLS encryption (i.e. “wss://”) support
  • 24-bit true color and 8-bit color mapped
  • Supports desktop resize notification/pseudo-encoding
  • Local or remote cursor
  • Clipboard copy/paste
  • Clipping or scolling modes for large remote screens
  • Easy site integration and theming (3 example themes included)
  • Licensed under the MPL 2.0

Many projects and products have integrated noVNC including OpenStack, docker-selenium, OpenNebula, DigitalOcean and


We will use noVNC to access our remote server securely with an Encrypted session.

  • engy.debyum.local (Laptop or Desktop) is the system where we will install and setup NoVNC.
  • engy.debyum.remote is the system which we will access and is running a VNC server. IP address is 67.21x.x0x.xx6 (public IP, don’t own it)

I am using my Laptop as engy.debyum.local, where I will setup NoVNC.


About this guide. :


Step 1: Install and setup noVNC in engy.debyum.local.

engy@engy:~$ hostnamectl status
Static hostname: engy.debyum.local
Icon name: computer-laptop
Chassis: laptop
Machine ID: 70d18bffea7d42c3b97782ce222ac96c
Boot ID: f87f4788e77745079a90c1e8bae5c4c6
Operating System: Ubuntu 16.04.1 LTS
Kernel: Linux 4.4.0-57-generic
Architecture: x86-64


  • Download the latest master noVNC zipper file.


  • Unzip the downloaded file.
engy@engy:~$ unzip master


  • Go to noVNC directory.
engy@engy:~$ cd novnc-noVNC-3e08594\


  • Here’s the Directory view.
engy@engy:~$ ls -l
total 410732
drwxrwxr-x      2      engy engy    24          Dec 23 00:04 ATOM
drwxr-xr-x       4      engy engy    71          Dec 22 22:26 Desktop
drwxr-xr-x      18     engy engy    4096         Jan 3 22:46 Documents
drwxr-xr-x       8      engy engy    8192       Jan 14 14:46 Downloads
-rw-rw-r--        1      engy engy    675131    Jan 12 00:24 master
drwxr-xr-x       8      engy engy    24576      Oct 13 17:49 Music
drwxrwxr-x      8      engy engy    306         Jan 12 00:25 novnc-noVNC-3e08594



Create a self-signed certificate to use for Encryption in noVNC.

To set up noVNC encryption, we will create a Certificate to use with noVNC.

  • The important part is Encryption type and Bit size. (RSA2048).
  • Skip most parts and fill only Common name: (Hostname.)
engy@engy:~/novnc-noVNC-3e08594$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout engycert.pem -out engycert.pem
Generating a 2048 bit RSA private key
writing new private key to 'mycert.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:engy.debyum.local
Email Address []:



Step 2: Configure a VNC server on Remote Server vnc.debyum.remote.

For this step,  I have setup a minimal install ubuntu 16.04 server on DigitalOcean. I have also installed a Gnome desktop on it (for this tutorial).

I have configured this server with vnc4server and also created a user engy.

engy@vnc:~$ hostnamectl status
Static hostname: vnc.debyum.remote
Icon name: computer-vm
Chassis: vm
Machine ID: 9f9177449a5d40509fda099fef1473c7
Boot ID: 82ba07d724e849468fb02204a2099172
Virtualization: kvm
Operating System: Ubuntu 16.04.1 LTS
Kernel: Linux 4.4.0-57-generic
Architecture: x86-64


  • I will start the VNC4Server as user engy. We will later need to use ENGY user’s password to remotely access his account.
engy@vnc:~$ vnc4server -geometry 800x600

New 'vnc.debyum.remote:1 (engy)' desktop is vnc.debyum.remote:1

Starting applications specified in /home/engy/.vnc/xstartup
Log file is /home/engy/.vnc/vnc.debyum.remote:1.log


  • Check if  VNC4Server is working or not.
engy@vnc:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto    Recv-Q    Send-Q    Local Address    Foreign Address    State            PID/Program name
tcp       0               0    *                 LISTEN       2729/Xvnc4
tcp       0               0      *                 LISTEN       -
tcp6     0               0              :::5901                 :::*                          LISTEN       2729/Xvnc4
tcp6     0               0              :::22                     :::*                          LISTEN        -


  • Check if port 5901 is open.
engy@vnc:~$ telnet localhost 5901
Connected to localhost.
Escape character is '^]'.
RFB 003.008

telnet> quit
Connection closed.


  • Check IP address of this server.



Access remote server “vnc.debyum.remote” with noVNC.

Now go back to your local system with noVNC. Start the noVNC with remote server’s IP address and port number used in the arguments.

engy@engy:~/novnc-noVNC-3e08594$ ./utils/ --cert engycert.pem --vnc 67.21x.x0x.xx6:5901
Using local websockify at /home/engy/novnc-noVNC-3e08594/utils/websockify/run
Starting webserver and WebSockets proxy on port 6080
WebSocket server settings:
- Listen on :6080
- Flash security policy server
- Web server. Web root: /home/engy/novnc-noVNC-3e08594
- SSL/TLS support
- proxying from :6080 to 67.21x.x0x.xx6:5905 
Navigate to this URL: 


Press Ctrl-C to exit


Don’t close the window.

Now we have setup noVNC.

  • Next step is to open a browser and go to this address, as shown above.


We are already connected to the remote server with port 6080. We will just click Connect to start the connection.

  • We will start by testing an unencrypted noVNC connection.



  • Enter the password of Remote server’s user. Earlier we have run VNC server as user Engy. So we will enter user Engy’s password here.


  • Unencrypted noVNC Session established.


  • We can now access remote desktop via our noVNC.


  • Disconnect this session.


noVNC Encryption.

To create an encrypted session using noVNC we will follow these steps:

  • Edit the URL bar and add https:// in front of the existing URL. (Forced HTTPS). We are using self-generated SSL certificates here. Hit enter.



  • Add Exception for Self-generated SSL cert.



  • Confirm Security Exception.


  • Finally, we have setup noVNC encryption.


  • Verify the noVNC Encrypted session.


  • Create a Test directory “Testing” on the remote server or desktop.


Now we have created both encrypted and unencrypted sessions using noVNC.


Create Encrypted session between noVNC and TightVNC server.

Now we will use TightVNC Server on the remote server instead of VNC4Server. Then we will try to connect with it using noVNC encryption.

we will install Tightvnc server on Ubuntu 16.04 server.

Install Tightvnc server.

Search the correct package name.

engy@vnc:~$ sudo apt-cache search tightvnc
dmtcp - Checkpoint/Restart functionality for Linux processes
dmtcp-dbg - Debug package for dmtcp
ssvnc - Enhanced TightVNC viewer with SSL/SSH tunnel helper
tightvncserver - virtual network computing server software
x11vnc - VNC server to allow remote access to an existing X session
xtightvncviewer - virtual network computing client software for X
tightvnc-java - TightVNC java applet and command line program


Install Tight VNC server.

engy@vnc:~$ sudo apt-get install tightvncserver -y


Start the TightVnc server on display port 5, Means port 5905.

engy@vnc:~$ vncserver -geometry 1260x730 :5

You will require a password to access your desktops.

Would you like to enter a view-only password (y/n)? y

New 'X' desktop is x11vnc:1

Creating default startup script /root/.vnc/xstartup
Starting applications specified in /home/engy/.vnc/xstartup
Log file is /home/engy/.vnc/vnc.debyum.remote:5.log


Verify the working of TightVNC server.


Now we have started the XtightVNC server on Ubuntu 16.04.

Now again start noVNC on the local server with slightly different settings. Don’t forget to include the correct remote IP address and port.



Again open your browser and visit the URL shown in the example above. Press Connect and you should see the noVNC encryption enabled for this session.



Now we can securely access our remote server with the help of noVNC encryption.


Thanks for visiting this page. Have a great day.  🙂


share on:


Hello there, My name is Rishi Guleria and I work as a Linux system administrator. I have created this blog to share what I have learned so far and to learn new things. Don't forget to leave the feedback. Have a great day. :)

Leave a Response

share on: