Tuesday, October 1, 2019

Remote desktop via VNC from MacOS to EC2 Ubuntu 18

As a technical coach, I teach live online courses on various topics (TDD, ATDD, BDD, full stack Agile) and my tool of choice is EC2 instances.
A video I found pretty much tells the whole story and got me up and running, but I wanted a document to store my learnings for future reference. Below are the steps.

Create and Provision your EC2 Instance

Go into AWS and create an Ubuntu 18 instance (or newer). Older versions of Ubuntu are tricky to get working with a desktop manager (Ubuntu 14, at least, generated a lot of forum threads from people trying to get this to work).

GUI Software Stack

These are the parts we need: VNC, a window manager, and a desktop manager.

There's another piece called a Display Manager which handles user login, but as we aren't exporting X11 directly, we don't need it.  VNC will handle our password, which means the security is reduced somewhat: an attacker only needs to get one secret right (the VNC password) rather than two (username and password).  But for my purpose of creating temporary dev environments, it's good enough.

SSH into your instance (the -i option takes the private half of your key pair) and install the packages below:
$ ssh -i path_to_private_key ubuntu@
$ sudo apt-get install ubuntu-desktop
$ sudo apt-get install vnc4server
$ sudo apt-get install gnome-panel
To keep your Ubuntu desktop happy, create the following directory:
$ mkdir $HOME/Desktop

Next, let's get VNC ready to go.  Running the server for the first time prompts you to set the VNC password:
$ vncserver
Kill the server and adjust its configuration file:
$ vncserver -kill :1
$ vi $HOME/.vnc/xstartup
Modify xstartup as follows:

  • unset SESSION_MANAGER
  • after "# exec /etc/X11/xinit/xinitrc" add the following two lines (note the two ASCII hyphens in --session; a dash character pasted from a web page will not be recognised):
      gnome-session --session=gnome-classic &
      gnome-panel &
  • gnome-session is the GNOME desktop manager.  gnome-panel is the bar that contains buttons for selecting desktop applications.

xstartup must be executable.  If you made your own, you'll need to do this:
$ chmod 744 $HOME/.vnc/xstartup

Restart VNC:
$ vncserver
(If you reboot the system, your VNC server will stop.  If you want it always on, you'll need to set it up as a "service".)
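The xstartup edits above are easy to get subtly wrong (file not executable, or a non-ASCII dash in place of the two hyphens in --session), so here is an added example, not code from the original post, that writes the minimal xstartup described above and checks it before you restart vncserver.  The file contents are an assumption: only the three lines the post calls for are kept, and the rest of the stock vnc4server xstartup is left out.  The target path is a parameter so you can try it on a scratch file first.

```shell
#!/bin/sh
# Added example, not from the original post: generate the ~/.vnc/xstartup described
# above (SESSION_MANAGER unset, gnome-session and gnome-panel launched after the
# commented-out xinitrc line) and verify it before restarting vncserver.
# The target path is a parameter so the functions can be tried on a scratch file first.

# Write a minimal xstartup to "$1" and make it executable (chmod 744, as in the post).
# Assumption: the remaining lines of the stock vnc4server xstartup are not needed.
write_xstartup() {
    target="$1"
    mkdir -p "$(dirname "$target")"
    cat > "$target" <<'EOF'
#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
gnome-session --session=gnome-classic &
gnome-panel &
EOF
    chmod 744 "$target"
}

# Sanity-check an xstartup file: it must be executable and must launch
# gnome-session with a real double-hyphen "--session" flag. A Unicode en-dash
# (U+2013, bytes E2 80 93) pasted from a web page in place of "--" is a common
# way this file silently fails, so that byte sequence is rejected explicitly.
check_xstartup() {
    f="$1"
    if [ ! -x "$f" ]; then
        echo "check_xstartup: $f is not executable (run: chmod 744 $f)" >&2
        return 1
    fi
    if grep -qF "$(printf '\342\200\223')" "$f"; then
        echo "check_xstartup: $f contains an en-dash; replace it with --" >&2
        return 1
    fi
    if ! grep -qF -- '--session=gnome-classic' "$f"; then
        echo "check_xstartup: $f does not start gnome-session --session=gnome-classic" >&2
        return 1
    fi
    return 0
}

# Stand-alone use on the instance: sh this_script.sh --install
if [ "${1:-}" = "--install" ]; then
    write_xstartup "$HOME/.vnc/xstartup" && check_xstartup "$HOME/.vnc/xstartup" && echo "xstartup OK"
fi
```

Run it with --install on the instance after the first vncserver run has created $HOME/.vnc; check_xstartup returns non-zero (with a reason on stderr) when the file would not work, so the vncserver restart can be skipped until it passes.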

Connecting to your Instance

You can't yet connect directly to your instance: it sits behind a virtual private cloud (VPC) whose security group refuses all inbound connections by default.  There are two typical ways in.  The first is an SSH tunnel to the server, which is the right choice for EC2 instances you really don't want reachable from outside their VPC.  The second is to change the security group so the VPC allows inbound connections, so that you can connect frequently and conveniently with minimal fuss.
A big problem with X11 is that it doesn't communicate over a secure channel unless you use the SSH tunnel.  So bear in mind that unless you're using an SSH tunnel, everything you pass back and forth with your X client travels unencrypted.  It's not clear to me that VNC4Server makes things any more secure.

Using an SSH Tunnel

$ ssh -L 5902:localhost:5902 -i path_to_private_key ubuntu@

Then launch macOS's Screen Sharing app (open Spotlight and enter "screen sharing") and enter "localhost:5902", which is your end of the SSH tunnel.
You'll be prompted for the VNC password you set up on the server when you ran "vncserver" the first time.

Direct Connect after adjusting the Security Group

If you aren't operating with sensitive information and don't want to be hassled by creating an SSH tunnel every time you want to connect to this instance, then changing the VPC security group as follows will give you access to your EC2 instance.
Refer to your instance's meta-information to find its security group.
Then open the security group and add an inbound rule.
VNC servers typically need the range 5800 to 5899 or 5900 to 5999, depending on configuration.  The server will use port 5800 for internal reasons, and each new display is numbered upward from 5800 or 5900.  VNC4 uses 5900, so the first time I launched VNC and left it running it got display 1 (port 5901).  The next server I created for my SSH tunnel (if you did that) got display 2, or port 5902.  You can see which displays/ports are in use by inspecting your system with the "ps" command.

Remember: if you open the security group and plan to keep VNC running all the time, you're protected only by a password, not even a username and password.  You can tighten the inbound rule to accept connections only from a specific source IP rather than 0.0.0.0/0, which means any IP address on the internet.
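Two small checks for the two questions above (which display is on which port, and whether the inbound rule is wider than it should be), as an added example that is not code from the original post.  Both read from stdin, so they run here against constructed sample text and on the instance against real "ps -eo pid,args" output or the three columns copied from the security group's inbound tab.  The base port 5900 is the one stated above for vnc4server; the sample process lines and rule lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for the VNC-over-EC2 setup:
#   vnc_displays       - list "display port" pairs for running Xvnc4 servers
#   exposed_vnc_rules  - flag inbound rules that open a VNC port to the whole internet
# Both read from stdin so they work on constructed samples here and on real output
# on the instance. Base port 5900 (display :N listens on 5900+N) is as the post states.

# Constructed sample of "ps -eo pid,args" output (not captured from a real host).
SAMPLE_PS='  PID COMMAND
 1123 Xvnc4 :1 -desktop ip-10-0-0-5:1 (ubuntu) -geometry 1024x768 -rfbauth /home/ubuntu/.vnc/passwd -rfbport 5901
 1187 gnome-session --session=gnome-classic
 1402 Xvnc4 :2 -desktop ip-10-0-0-5:2 (ubuntu) -geometry 1024x768 -rfbauth /home/ubuntu/.vnc/passwd -rfbport 5902
 1510 sshd: ubuntu [priv]'

# Constructed inbound rules as "from_port to_port source_cidr" lines, mirroring the
# columns you would copy from the security group's inbound tab. 203.0.113.7 is a
# documentation address standing in for "my own IP".
SAMPLE_RULES='22 22 203.0.113.7/32
5901 5901 203.0.113.7/32
5900 5999 0.0.0.0/0'

# Print "display port" for every running Xvnc4 process in ps output on stdin.
# The second field is the program name, the third its ":N" display argument.
vnc_displays() {
    awk '$2 == "Xvnc4" && $3 ~ /^:[0-9]+$/ { n = substr($3, 2) + 0; print n, 5900 + n }'
}

# Print every inbound rule whose port range overlaps 5900-5999 and whose source is
# the whole internet (0.0.0.0/0 or ::/0). Exit status 1 when at least one is found,
# so the function can gate a script; 0 when every VNC rule is pinned to a source.
exposed_vnc_rules() {
    awk '($3 == "0.0.0.0/0" || $3 == "::/0") && $1 <= 5999 && $2 >= 5900 { print; found = 1 }
         END { exit (found ? 1 : 0) }'
}

# Stand-alone run: show the sample results.
echo "displays in use (display port):"
printf '%s\n' "$SAMPLE_PS" | vnc_displays
echo "rules exposing VNC to any address:"
printf '%s\n' "$SAMPLE_RULES" | exposed_vnc_rules \
    || echo "WARNING: restrict the source of these rules to your own IP/32" >&2
```

On the instance, "ps -eo pid,args | vnc_displays" tells you which port to put in the ssh -L tunnel or the inbound rule; feeding the rule list through exposed_vnc_rules before leaving a server running is a quick way to catch a 0.0.0.0/0 source that should have been a single /32.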


    1 comment:

    1. I will recommend anyone looking for Business loan to Le_Meridian they helped me with Four Million USD loan to startup my Quilting business and it's was fast When obtaining a loan from them it was surprising at how easy they were to work with. They can finance up to the amount of $500,000.000.00 (Five Hundred Million Dollars) in any region of the world as long as there 1.9% ROI can be guaranteed on the projects.The process was fast and secure. It was definitely a positive experience.Avoid scammers on here and contact Le_Meridian Funding Service On. lfdsloans@lemeridianfds.com / lfdsloans@outlook.com. WhatsApp...+ 19893943740. if you looking for business loan.

      ReplyDelete