TigerVNC is a high-performance, open-source VNC (Virtual Network Computing) implementation that gives you graphical remote desktop access to Linux servers. It runs a dedicated VNC session per user, independent from the physical console, making it ideal for headless servers or remote administration where you need a full desktop environment over the network.
This guide walks through a complete TigerVNC server setup on RHEL 10 and Rocky Linux 10. We cover installing a desktop environment, configuring VNC users and sessions, firewall rules, SSH tunnel security, and auto-start on boot.
Prerequisites
- A server running RHEL 10 or Rocky Linux 10
- Root or sudo access
- At least 2 GB RAM (4 GB recommended for GNOME desktop)
- A VNC client on your local machine (RealVNC Viewer, Remmina, or TigerVNC viewer)
- Ports 5901+ open on the firewall (or SSH access for tunneling)
Step 1: Install a Desktop Environment
TigerVNC needs a desktop environment to display. If your server is a minimal install, you need to add one first. GNOME is the default for RHEL/Rocky, but XFCE is lighter and works well for remote sessions.
Option A: Install GNOME Desktop
Install the full GNOME desktop group package. This pulls in all the standard desktop components.
sudo dnf groupinstall "Server with GUI" -yOption B: Install XFCE Desktop (Lightweight)
XFCE uses significantly less memory and CPU than GNOME, making it a better choice for remote VNC sessions, especially on servers with limited resources. XFCE is available from the EPEL repository.
sudo dnf install epel-release -y
sudo dnf groupinstall "Xfce" -yEither option works. Pick GNOME if you want the full desktop experience, or XFCE for a leaner setup. The rest of this guide works with both.
Step 2: Install TigerVNC Server on RHEL 10 / Rocky Linux 10
Important: as of Rocky Linux 10.1 / RHEL 10.1, the tigervnc-server package is NOT in BaseOS, AppStream, CRB, EPEL, or Extras. Verified on a fresh Rocky 10.1 install in May 2026. The dnf one-liner that worked on RHEL 9 fails on RHEL 10. Three working paths today, in order of effort:
Option A: wayvnc from EPEL (recommended)
RHEL 10 defaults to Wayland, and wayvnc is a Wayland-native VNC server packaged in EPEL. It is the cleanest fit for the new desktop stack and the path to use unless you have a hard requirement on the TigerVNC binary specifically.
sudo dnf install -y epel-release
sudo dnf install -y wayvncConfirm the install:
rpm -q wayvnc
wayvnc --versionThe Step 3 onward password and systemd flow described below is TigerVNC-specific. For wayvnc the workflow is different (no ~/.vnc/passwd, no :1 displays). See the wayvnc upstream docs for the per-user systemd unit and the recommended Wayland session glue.
Option B: Build TigerVNC from source
If you specifically need the TigerVNC binary (existing tooling, scripts, or muscle memory), build the latest 1.15.x from source. Pull build deps from CRB plus the X11 dev headers:
sudo dnf config-manager --set-enabled crb
sudo dnf install -y gcc gcc-c++ cmake make git \
libX11-devel libXext-devel libXdamage-devel libXrandr-devel libXtst-devel \
libxkbfile-devel libjpeg-turbo-devel pixman-devel zlib-devel gnutls-devel \
pam-devel libdrm-devel xorg-x11-server-devel xorg-x11-server-source openssl-develClone, build, and install. The TigerVNC build wraps the system Xorg server source, so the xorg-x11-server-source package above is required, not optional:
git clone https://github.com/TigerVNC/tigervnc.git
cd tigervnc
mkdir build && cd build
cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release ..
make -j"$(nproc)"
sudo make installConfirm the binary landed:
which Xvnc
Xvnc -version 2>&1 | head -2Option C: Stay on Rocky Linux 9 / RHEL 9
If the goal is a packaged TigerVNC experience without source builds and without switching VNC servers, Rocky Linux 9 / RHEL 9 / AlmaLinux 9 still ship tigervnc-server in AppStream. See the Debian TigerVNC guide for the equivalent Debian/Ubuntu setup, or use the RHEL 9 article for the original packaged path.
The remaining steps in this article describe the Option B (TigerVNC from source) flow, since the Step 3 onward commands (vncpasswd, vncserver, the [email protected] unit) all assume the TigerVNC userspace. If you picked Option A (wayvnc), follow the upstream wayvnc docs from here.
Step 3: Configure VNC Password
Each user who will connect via VNC needs their own VNC password. Switch to the user account (or run as the user) and set the password with vncpasswd.
vncpasswdYou will be prompted to enter and confirm the password. When asked about a view-only password, choose based on your needs. A view-only password lets someone watch the session but not interact with it:
Password:
Verify:
Would you like to enter a view-only password (y/n)? nThis creates the ~/.vnc directory and stores the encrypted password in ~/.vnc/passwd.
Step 4: Configure VNC User Mappings
TigerVNC on RHEL 10 uses /etc/tigervnc/vncserver.users to map display numbers to system users. Each display number corresponds to a port: display :1 uses port 5901, display :2 uses port 5902, and so on.
Open the configuration file.
sudo vi /etc/tigervnc/vncserver.usersAdd your user mapping. Replace jmutai with the actual username on your system:
# TigerVNC user mapping
# Format: :display_number=username
:1=jmutai
:2=devopsIn this example, user jmutai gets display :1 (port 5901) and user devops gets display :2 (port 5902). Add as many users as you need.
Step 5: Configure Desktop Session
Each VNC user needs a configuration file that tells TigerVNC which desktop environment to launch and the session resolution. Create or edit ~/.vnc/config for each user.
vi ~/.vnc/configFor a GNOME session, add the following configuration:
session=gnome
geometry=1920x1080
alwayssharedFor XFCE, use this instead:
session=xfce
geometry=1920x1080
alwayssharedThe geometry setting controls the VNC session resolution. Adjust to match your monitor. Common values are 1920×1080, 1680×1050, or 1280×1024. The alwaysshared option allows multiple clients to view the same session simultaneously.
Step 6: Start the TigerVNC Service
TigerVNC uses a systemd template service. Start the service for display :1 (which maps to the user you assigned in Step 4).
sudo systemctl start vncserver@:1Check that the service is running. If your desktop environment is installed and the VNC password is set, the service should start without errors.
sudo systemctl status vncserver@:1The output should show the service as active (running) with the Xvnc process started:
● vncserver@:1.service - Remote desktop service (VNC)
Loaded: loaded (/usr/lib/systemd/system/[email protected]; disabled; preset: disabled)
Active: active (running) since Sun 2026-03-22 20:50:00 EAT; 5s ago
Main PID: 12345 (vncserver)
Tasks: 0 (limit: 23456)
Memory: 1.2M
CPU: 50ms
CGroup: /system.slice/system-vncserver.slice/vncserver@:1.serviceVerify the VNC server is listening on the expected port with ss.
ss -tlnp | grep 590You should see port 5901 in the listening state:
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:* users:(("Xvnc",pid=12346,fd=0))Step 7: Configure Firewall for VNC Access
Open the VNC port in firewalld. Port 5901/tcp corresponds to display :1. If you configured additional displays, open those ports too (5902 for :2, 5903 for :3, etc.).
sudo firewall-cmd --permanent --add-port=5901/tcp
sudo firewall-cmd --reloadConfirm the port is open by listing the active firewall rules.
sudo firewall-cmd --list-portsThe output should include 5901/tcp:
5901/tcpFor multiple users, open a range of ports instead of adding them one by one. This opens ports 5901 through 5905 to support displays :1 through :5:
sudo firewall-cmd --permanent --add-port=5901-5905/tcp
sudo firewall-cmd --reloadIf you are running firewalld with a non-default zone, make sure to specify the correct zone with the --zone flag.
Step 8: Connect with a VNC Client
From your local machine, open your VNC client and connect to the server IP on port 5901. The connection address format is:
server-ip:5901Or using the display number syntax that some clients support:
server-ip:1Enter the VNC password you set in Step 3 when prompted. You should see the GNOME or XFCE desktop load in the VNC viewer window.
Popular VNC clients include RealVNC Viewer (Windows/macOS/Linux), Remmina (Linux), and the TigerVNC viewer itself. On Linux, you can install the TigerVNC client and connect from the command line.
sudo dnf install tigervnc -y
vncviewer server-ip:5901Step 9: Secure VNC with SSH Tunnel
VNC traffic is unencrypted by default. For production use or connections over the internet, always tunnel VNC through SSH. This encrypts the entire session and eliminates the need to open VNC ports on the firewall.
From your local machine, create an SSH tunnel that forwards a local port to the VNC port on the server:
ssh -L 5901:127.0.0.1:5901 -N -f user@server-ipThis command forwards local port 5901 to port 5901 on the remote server through the SSH connection. The -N flag tells SSH not to execute a remote command, and -f sends the process to the background.
Now connect your VNC client to localhost:5901 instead of the server IP directly. All traffic goes through the encrypted SSH tunnel.
vncviewer localhost:5901When using SSH tunnels, you can remove the VNC port from firewalld since the connection goes through SSH (port 22) instead:
sudo firewall-cmd --permanent --remove-port=5901/tcp
sudo firewall-cmd --reloadOn Windows, use PuTTY to create the SSH tunnel. Go to Connection > SSH > Tunnels, set the source port to 5901, destination to 127.0.0.1:5901, and click Add before connecting.
Step 10: Enable TigerVNC Auto-Start on Boot
Enable the VNC service so it starts automatically after a server reboot. Use the same template unit with the display number.
sudo systemctl enable vncserver@:1Verify the service is enabled by checking its status.
systemctl is-enabled vncserver@:1The output should confirm the service is enabled:
enabledIf you configured multiple displays, enable each one separately:
sudo systemctl enable vncserver@:2
sudo systemctl enable vncserver@:3To restart a VNC session (for example, after changing ~/.vnc/config), use systemctl restart:
sudo systemctl restart vncserver@:1Conclusion
You now have a working TigerVNC server on RHEL 10 or Rocky Linux 10, with user mappings, desktop sessions, and firewall rules configured. The SSH tunnel setup keeps your VNC traffic encrypted for remote access over untrusted networks.
For production servers, consider restricting VNC access to specific IP ranges in firewalld, using SELinux policies to limit VNC processes, and setting up Apache Guacamole as a web-based gateway if you need browser-based remote access without dedicated VNC clients.
Thank you brother. This has to be the at least the fifth tutorial I’ve tried. Works beautifully.
kyle, how’d you review this “RHEL 10” article back in 2021!?
Hi Bob, good catch. The article was originally published back in 2021 covering CentOS 7. Since CentOS 7 reached end of life, the guide was rewritten for RHEL 10 based systems (Rocky Linux 10, AlmaLinux 10, RHEL 10). Kyle reviewed the original CentOS 7 version in 2021, the comment just carried over through the rewrite.
I recently installed Rhel 10. No tigervnc* in repositories. dnf install fails. i run it on rhel 9 & rhel 8, and I have run it on centos ( 7 & 8), and alma 8. rpmfind does not have any for rhel systems, just rhel clones, but not for 10 (8.10, 9, etc). tigervnc website points to git repositories.
You’re right, I retested on a fresh Rocky Linux 10.1 box and tigervnc-server is NOT in BaseOS, AppStream, CRB, or EPEL. The article was incorrect for RHEL 10 and is being updated.
For RHEL 10 / Rocky 10 / AlmaLinux 10 there are three working paths today:
1. wayvnc from EPEL (Wayland-native, the cleanest option since RHEL 10 defaults to Wayland):
sudo dnf install -y epel-release
sudo dnf install -y wayvnc
2. Build TigerVNC 1.15 from source against the existing Xorg/Xvnc libs.
3. Use a Rocky 9 / RHEL 9 system if you specifically need the packaged tigervnc-server experience.
Adding a notice to the top of the article and a wayvnc section. Thanks for flagging this.