configuring tigervnc-standalone-server to listen on LAN

Discussion:

(too old to reply)

Gary Dale

2024-08-19 22:20:01 UTC

I'm running Debian/Trixie on and AMD64 system. I have a need to be able
to connect remotely to this machine.

My network already is setup for ssh from the outside to go to my main
server. From there I would normally use -L port forwarding to connect to
a computer on the LAN. However, tigervnc-standalone-server's
configuration defaults to only listening on localhost, assuming that
anyone coming in is using an SSH tunnel already.

I could punch another hole in my router's firewall to take me directly
to my workstation, and set it up as an SSH server. But I trust my LAN
and would prefer to just go through my normal SSH tunnel.

tigervnc-server has a command line option to listen to the LAN but the
Debian systemd service configuration doesn't invoke the server program
directly, so I'm not sure how to get the option to the vnc server.

Any ideas?

This is the .service file:

[Unit]
Description=Remote desktop service (VNC)
After=network.target systemd-user-sessions.service

[Service]
Type=forking
ExecStart=/usr/libexec/tigervncsession-start %i
PIDFile=/run/tigervncsession-%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0

[Install]
WantedBy=multi-user.target

Max Nikulin

2024-08-20 02:30:01 UTC

Permalink

Post by Gary Dale
tigervnc-server has a command line option to listen to the LAN but the
Debian systemd service configuration doesn't invoke the server program
directly, so I'm not sure how to get the option to the vnc server.

[...]> This is the .service file:
[...]

Post by Gary Dale
ExecStart=/usr/libexec/tigervncsession-start %i

Try "systemctl cat" for the corresponding .socket file.

<https://0pointer.de/blog/projects/inetd.html>

Gary Dale

2024-08-20 19:10:02 UTC

Permalink

Post by Max Nikulin

Post by Gary Dale
tigervnc-server has a command line option to listen to the LAN but
the Debian systemd service configuration doesn't invoke the server
program directly, so I'm not sure how to get the option to the vnc
server.

[...]

Post by Gary Dale
ExecStart=/usr/libexec/tigervncsession-start %i

Try "systemctl cat" for the corresponding .socket file.
<https://0pointer.de/blog/projects/inetd.html>

Thanks, but I can't find a .socket file. While
find / -name *.service | grep vnc
locates the various .service files associated with vnc:
/etc/systemd/system/multi-user.target.wants/tigervncserver@:1.service
/etc/systemd/system/***@.service

The same search for *.socket comes up empty.

Greg Wooledge

2024-08-20 19:20:01 UTC

Permalink

Post by Gary Dale

Post by Max Nikulin

Post by Gary Dale
tigervnc-server has a command line option to listen to the LAN but
the Debian systemd service configuration doesn't invoke the server
program directly, so I'm not sure how to get the option to the vnc
server.

[...]

Post by Gary Dale
ExecStart=/usr/libexec/tigervncsession-start %i

Try "systemctl cat" for the corresponding .socket file.
<https://0pointer.de/blog/projects/inetd.html>

Thanks, but I can't find a .socket file. While
find / -name *.service | grep vnc
The same search for *.socket comes up empty.

If you know the package name, you can get a list of files which are part
of that package. If it's installed locally, you can use dpkg -L to get
the filenames. Otherwise, you can use Debian's web site:

https://packages.debian.org/bookworm/amd64/tigervnc-standalone-server/filelist

I'm guessing that's your package name.

File list of package tigervnc-standalone-server in bookworm of architecture amd64
/etc/X11/Xtigervnc-session
/etc/tigervnc/vncserver.users
/lib/systemd/system/***@.service
/usr/bin/Xtigervnc
/usr/bin/tigervncserver
/usr/libexec/tigervncsession-start
/usr/sbin/tigervncsession
/usr/share/doc/tigervnc-standalone-server/changelog.Debian.gz
/usr/share/doc/tigervnc-standalone-server/copyright
/usr/share/man/man1/Xtigervnc.1.gz
/usr/share/man/man1/tigervncserver.1.gz
/usr/share/man/man8/tigervncsession.8.gz

... oh wait, the package name is in the Subject. Gah, I hate it when
people hide details in the Subject header instead of the body.

Well, at least I guessed the right package name.

Gary Dale

2024-08-20 19:30:02 UTC

Permalink

Post by Greg Wooledge

Post by Gary Dale

Post by Max Nikulin

Post by Gary Dale
tigervnc-server has a command line option to listen to the LAN but
the Debian systemd service configuration doesn't invoke the server
program directly, so I'm not sure how to get the option to the vnc
server.

[...]

Post by Gary Dale
ExecStart=/usr/libexec/tigervncsession-start %i

Try "systemctl cat" for the corresponding .socket file.
<https://0pointer.de/blog/projects/inetd.html>

Thanks, but I can't find a .socket file. While
find / -name *.service | grep vnc
The same search for *.socket comes up empty.

If you know the package name, you can get a list of files which are part
of that package. If it's installed locally, you can use dpkg -L to get
https://packages.debian.org/bookworm/amd64/tigervnc-standalone-server/filelist
I'm guessing that's your package name.
File list of package tigervnc-standalone-server in bookworm of architecture amd64
/etc/X11/Xtigervnc-session
/etc/tigervnc/vncserver.users
/usr/bin/Xtigervnc
/usr/bin/tigervncserver
/usr/libexec/tigervncsession-start
/usr/sbin/tigervncsession
/usr/share/doc/tigervnc-standalone-server/changelog.Debian.gz
/usr/share/doc/tigervnc-standalone-server/copyright
/usr/share/man/man1/Xtigervnc.1.gz
/usr/share/man/man1/tigervncserver.1.gz
/usr/share/man/man8/tigervncsession.8.gz
... oh wait, the package name is in the Subject. Gah, I hate it when
people hide details in the Subject header instead of the body.
Well, at least I guessed the right package name.

Look, I know the executable is vncserver. The question is how do I get
the service to specify parameters when starting the service? I can start
is from the command line as "vncserver -localhost no" but then I'd have
to use cron to set it up to run on reboot, something the systemd service
already handles.

Greg Wooledge

2024-08-20 19:50:01 UTC

Permalink

Look, I know the executable is vncserver. The question is how do I get the
service to specify parameters when starting the service? I can start is from
the command line as "vncserver -localhost no" but then I'd have to use cron
to set it up to run on reboot, something the systemd service already
handles.

Are you sure you actually *want* to use systemd to start it? It doesn't
really seem like the best choice to me. For one thing, when you start
it from a user's crontab with @reboot, it runs as the correct user
automatically. I don't know how systemd knows which user to start the
VNC session as.

Maybe I just don't understand the concept of a "standalone (VNC) server".

I've got some workstations with tightvncserver installed, and I've got
two sessions running on each workstation, as two separate user accounts.
Each one is started from the user's crontab file, with a customized
resolution for each human user.

Gary Dale

2024-08-20 20:50:02 UTC

Permalink

Post by Greg Wooledge

Look, I know the executable is vncserver. The question is how do I get the
service to specify parameters when starting the service? I can start is from
the command line as "vncserver -localhost no" but then I'd have to use cron
to set it up to run on reboot, something the systemd service already
handles.

Are you sure you actually *want* to use systemd to start it? It doesn't
really seem like the best choice to me. For one thing, when you start
automatically. I don't know how systemd knows which user to start the
VNC session as.
Maybe I just don't understand the concept of a "standalone (VNC) server".
I've got some workstations with tightvncserver installed, and I've got
two sessions running on each workstation, as two separate user accounts.
Each one is started from the user's crontab file, with a customized
resolution for each human user.

That puts an interesting twist on it. I just rebooted and the service
doesn't actually appear to restart. It shows as dead.

$ systemctl status tigervncserver@:1.service
○ tigervncserver@:1.service - Remote desktop service (VNC)
     Loaded: loaded (/usr/lib/systemd/system/***@.service;
enabled; preset: enabled)
     Active: inactive (dead) since Tue 2024-08-20 15:52:31 EDT; 1min 4s ago
   Duration: 56ms
Invocation: d3a35f8b59284ff6b4bbf1e97ac13570
    Process: 1522 ExecStart=/usr/libexec/tigervncsession-start :1
(code=exited, status=0/SUCCESS)
   Main PID: 1539 (code=exited, status=0/SUCCESS)
   Mem peak: 2.8M
        CPU: 13ms

However I can run vncviewer localhost:5901 and connect as my user. I'm
seeing a black screen but that's a separate issue, I think.

Strangely, I am now getting a connection from my laptop. So now I just
have to resolve the black screen issue. Apparently the default
configuration requires a strong enough encryption to allow non-local
connections. I'm not sure why I wasn't connecting yesterday, but it's
working now.

As for the user under systemd, I think that is determined by the
connection. There is also a file (/etc/tigervnc/vncserver.users) that
links the connection to the user name. I only need to enable the actual
connection service for each user.

Gary Dale

2024-08-20 21:20:01 UTC

Permalink

Post by Gary Dale

Look, I know the executable is vncserver. The question is how do I get the
service to specify parameters when starting the service? I can start is from
the command line as "vncserver -localhost no" but then I'd have to use cron
to set it up to run on reboot, something the systemd service already
handles.

That puts an interesting twist on it. I just rebooted and the service
doesn't actually appear to restart. It shows as dead.
enabled; preset: enabled)
     Active: inactive (dead) since Tue 2024-08-20 15:52:31 EDT; 1min 4s ago
   Duration: 56ms
Invocation: d3a35f8b59284ff6b4bbf1e97ac13570
    Process: 1522 ExecStart=/usr/libexec/tigervncsession-start :1
(code=exited, status=0/SUCCESS)
   Main PID: 1539 (code=exited, status=0/SUCCESS)
   Mem peak: 2.8M
        CPU: 13ms
However I can run vncviewer localhost:5901 and connect as my user. I'm
seeing a black screen but that's a separate issue, I think.
Strangely, I am now getting a connection from my laptop. So now I just
have to resolve the black screen issue. Apparently the default
configuration requires a strong enough encryption to allow non-local
connections. I'm not sure why I wasn't connecting yesterday, but it's
working now.
As for the user under systemd, I think that is determined by the
connection. There is also a file (/etc/tigervnc/vncserver.users) that
links the connection to the user name. I only need to enable the
actual connection service for each user.

Ended up using krfb instead. Seems to work better and does what I want
simply and easily!

Max Nikulin

2024-08-21 03:20:02 UTC

Permalink

Post by Gary Dale
enabled; preset: enabled)
Active: inactive (dead) since Tue 2024-08-20 15:52:31 EDT; 1min 4s ago

[...]

Post by Gary Dale
However I can run vncviewer localhost:5901 and connect as my user.

I hope you have tried "systemctl status" after vncviewer to be sure that
systemd socket activation is not involved. I suspected that it is
systemd, not any tigervnc binary that accepts client connection.

I have no idea if "/usr/libexec/tigervncsession-start :1" allows to
create instance-specific configuration files.

You can override instance-specific systemd parameters in
/etc/systemd/system/tigervncserver@:1.service.d/*.conf files (I hope :1
does not need escaping).

It is better to query systemd runtime configuration than to rely on
"find" or "dpkg -L". The following commands might help to figure out
which way tigervnc is started

systemctl list-sockets '*vnc*'
systemctl list-units '*vnc*'
systemd-cgls
ps axuwf

and of course (as root)

journalctl -b

I am in doubts if some executable may explicitly call "systemctl start
tigervncserver@:1.service"

Nowadays I do not see advantages of crontab @reboot over a systemd unit.