x11vnc and TigerVNC SSH Access
I’m documenting my setup for secure remote desktop access from my MacBook to a Linux server in the cloud. This guide covers x11vnc (a VNC server for X11 displays) and TigerVNC Viewer for reliable, SSH-key-authenticated connections.
x11vnc lets you share an X11 display remotely over the VNC protocol. When combined with SSH tunneling and TigerVNC Viewer, you get:
- Encrypted connections (via SSH tunnel)
- SSH key-based authentication (no PINs)
- Lightweight remote desktop experience
- Cross-platform compatibility
This is a solid alternative to Chrome Remote Desktop if you prefer SSH key management.
On your Mac:
- macOS (Monterey or later)
- SSH access to your Linux server
- SSH key pair (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub)
On your Linux server:
- SSH server with key-based authentication enabled
- (Optional) Desktop environment like XFCE for a GUI
Step 1: Install x11vnc on Linux
SSH into your remote server and install x11vnc:
ssh your-server
sudo apt-get update
sudo apt-get install -y x11vnc
Verify installation:
which x11vnc
x11vnc --version
Step 2: Set Up x11vnc as a systemd Service
First, install Xvfb (virtual X server) for headless systems:
sudo apt-get install -y xvfb
Create a systemd service for Xvfb (virtual X display):
sudo tee /etc/systemd/system/xvfb.service > /dev/null << 'EOF'
[Unit]
Description=Xvfb Virtual X Display Server
After=network.target
[Service]
Type=simple
User=root
ExecStart=/usr/bin/Xvfb :99 -screen 0 1920x1080x24 -nolisten tcp
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
Create a systemd service for x11vnc (depends on Xvfb):
sudo tee /etc/systemd/system/x11vnc.service > /dev/null << 'EOF'
[Unit]
Description=x11vnc Remote Desktop Server
After=xvfb.service
Wants=xvfb.service
[Service]
Type=simple
User=root
Environment="DISPLAY=:99"
ExecStart=/usr/bin/x11vnc -display :99 -forever -nopw -xkb -auth /dev/null -listen localhost
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
x11vnc flags:
- -forever — Keep running after client disconnects
- -nopw — No VNC password required
- -xkb — Enable X keyboard support
- -auth /dev/null — Disable X11 authentication (safe since SSH provides security)
- -listen localhost — Only listen on localhost (SSH tunnel handles forwarding)
Create a systemd service for XFCE (depends on Xvfb):
sudo tee /etc/systemd/system/xfce-vnc.service > /dev/null << 'EOF'
[Unit]
Description=XFCE Desktop Environment for VNC
After=xvfb.service
Wants=xvfb.service
[Service]
Type=simple
User=root
Environment="DISPLAY=:99"
ExecStart=/usr/bin/startxfce4
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
Enable and start all three services:
sudo systemctl daemon-reload
sudo systemctl enable xvfb x11vnc xfce-vnc
sudo systemctl start xvfb xfce-vnc x11vnc
sudo systemctl status xvfb
sudo systemctl status x11vnc
sudo systemctl status xfce-vnc
Verify all are running:
sudo netstat -tlnp | grep 5900
pgrep -f "Xvfb :99"
pgrep -f x11vnc
pgrep -f xfce4-session
Step 3: Install Desktop Environment (Optional)
XFCE runs as a separate systemd service, so you can restart x11vnc without affecting XFCE. Just install XFCE:
sudo apt-get install -y xfce4 xfce4-goodies
Then enable and start the XFCE service:
sudo systemctl enable xfce-vnc.service
sudo systemctl start xfce-vnc.service
When you connect via VNC, you’ll see the XFCE desktop.
Advantages of a separate service:
- Restarting x11vnc doesn’t restart XFCE
- XFCE persists across x11vnc crashes/restarts
- Can stop/start XFCE independently
To stop XFCE:
sudo systemctl stop xfce-vnc.service
Without a Desktop Environment:
If you prefer just a blank X server (for running specific applications), skip XFCE. You can still run individual applications on demand:
DISPLAY=:99 xterm &
DISPLAY=:99 firefox &
Step 4: Set Up SSH Tunnel on macOS
Open two Terminal windows on your Mac.
Terminal 1: Create SSH tunnel
ssh -L 5900:localhost:5900 your-server
This forwards port 5900 (VNC default) on your Mac to the remote server’s VNC port through the SSH tunnel.
Keep this terminal open — the tunnel stays active while it’s running.
Step 5: Install TigerVNC Viewer on macOS
Install TigerVNC Viewer via Homebrew:
brew install tigervnc-viewer
TigerVNC handles VNC authentication properly with our headless x11vnc setup.
Step 6: Connect via TigerVNC
Terminal 1: Keep the SSH tunnel running:
ssh -L 5900:localhost:5900 your-server
Terminal 2: Connect with TigerVNC:
/opt/homebrew/bin/vncviewer localhost:5900
You should now see the XFCE desktop (or blank screen if you skipped Step 3)!
Best Practices for Reliable Connection
1. Use SSH Key Authentication
Ensure your SSH key is properly configured:
# Check your SSH config
cat ~/.ssh/config
# Example config for your server:
Host your-server
    HostName 5.78.110.65
    User root
    Port 22
    IdentityFile ~/.ssh/id_rsa
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes
Key options:
- ServerAliveInterval 60 — Send keepalive every 60 seconds
- ServerAliveCountMax 3 — Disconnect if no response after 3 attempts
- TCPKeepAlive yes — Enable TCP-level keepalive at OS level
These prevent the SSH tunnel from dropping due to idle timeout.
2. Add SSH Key to Agent (Optional but Recommended)
# Add your key to SSH agent
ssh-add ~/.ssh/id_rsa
# List loaded keys
ssh-add -l
This avoids re-entering the passphrase for multiple SSH connections.
3. Monitor Connection Health
On the server, check x11vnc status:
ps aux | grep x11vnc
netstat -tlnp | grep 5900
On your Mac, monitor SSH tunnel:
# In Terminal 1, you'll see connection logs
# If tunnel dies, reconnect immediately:
ssh -L 5900:localhost:5900 your-server
Security
This setup is secure because:
- SSH tunnel encrypts all VNC traffic
- SSH keys authenticate the connection (no passwords)
- x11vnc only listens on localhost (not exposed to the network)
- VNC port 5900 is blocked by default (only accessible through SSH tunnel)
For maximum security, ensure your SSH directory and key files have proper permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
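Because the service runs with -nopw, the -listen localhost binding is the only thing that keeps the desktop off the network, so it is worth checking rather than assuming. The helper below is an added example, not part of the original setup: vnc_listener_check is a hypothetical name, it assumes ss from iproute2 is available (the guide itself uses netstat), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). Reads `ss -H -tln` output on
# stdin and prints every non-loopback address listening on the given port.
# Exit status: 0 = loopback only, 1 = exposed, 2 = nothing listening.
vnc_listener_check() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)      # final ":PORT" of Local Address:Port
            if (!n || substr($4, n + 1) != port) next
            host = substr($4, 1, n - 1)
            seen = 1
            # 127.0.0.0/8 and ::1 are loopback; any other bind address is
            # reachable from the network unless a firewall blocks it.
            if (host !~ /^127\./ && host != "[::1]") { print host; bad = 1 }
        }
        END { exit (bad ? 1 : (seen ? 0 : 2)) }
    '
}

# Constructed sample: port 5900 bound to loopback only.
SAMPLE_SAFE='LISTEN 0 32 127.0.0.1:5900 0.0.0.0:*
LISTEN 0 32 [::1]:5900 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: port 5900 bound to all interfaces.
SAMPLE_EXPOSED='LISTEN 0 32 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 32 [::]:5900 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SAFE" | vnc_listener_check 5900 && echo "5900: loopback only"
printf '%s\n' "$SAMPLE_EXPOSED" | vnc_listener_check 5900 || echo "5900: exposed (status $?)"

# On the server itself: ss -H -tln | vnc_listener_check 5900
```

Running the last commented line after every edit to the x11vnc ExecStart line catches a dropped -listen localhost before the port is reachable from outside.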
Troubleshooting
“Connection refused” when launching VNC viewer
# Check SSH tunnel is running
ps aux | grep "ssh -L"
# Verify x11vnc is listening
ssh your-server "netstat -tlnp | grep x11vnc"
# Restart tunnel
ssh -L 5900:localhost:5900 your-server
x11vnc not found on server
which x11vnc # Should return /usr/bin/x11vnc
which Xvfb # Should return /usr/bin/Xvfb if using virtual display
# If missing, install:
sudo apt-get install -y x11vnc xvfb
SSH tunnel keeps disconnecting
Add keepalive to SSH config:
cat >> ~/.ssh/config << 'EOF'
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
TCPKeepAlive yes
EOF
Performance Tips
Reduce Bandwidth
To use lower color depth or compression, update the systemd service:
sudo vim /etc/systemd/system/x11vnc.service
Modify the ExecStart line to add performance flags:
ExecStart=/usr/bin/x11vnc -display :99 -forever -nopw -listen localhost -depth 8 -compress 9
Then restart:
sudo systemctl restart x11vnc
Flags:
- -depth 8 — Use 8-bit color instead of 24-bit (reduces bandwidth)
- -compress 9 — Maximum compression (trades CPU for bandwidth)
When to use x11vnc:
- You prefer SSH key management
- Want lightweight setup
- Need cross-platform compatibility
- Running Linux on both ends