TigerVNC is a high-performance, open-source VNC (Virtual Network Computing) implementation that gives you graphical remote desktop access to Linux servers. It runs a dedicated VNC session per user – independent from the physical console – making it ideal for headless servers or remote administration where you need a full desktop environment over the network.
This guide walks through a complete TigerVNC server setup on RHEL 10 and Rocky Linux 10. We cover installing a desktop environment, configuring VNC users and sessions, firewall rules, SSH tunnel security, and auto-start on boot.
Prerequisites
- A server running RHEL 10 or Rocky Linux 10
- Root or sudo access
- At least 2 GB RAM (4 GB recommended for GNOME desktop)
- A VNC client on your local machine (RealVNC Viewer, Remmina, or TigerVNC viewer)
- Ports 5901+ open on the firewall (or SSH access for tunneling)
Step 1: Install a Desktop Environment
TigerVNC needs a desktop environment to display. If your server is a minimal install, you need to add one first. GNOME is the default for RHEL/Rocky, but XFCE is lighter and works well for remote sessions.
Option A: Install GNOME Desktop
Install the full GNOME desktop group package. This pulls in all the standard desktop components.
sudo dnf groupinstall "Server with GUI" -y
Option B: Install XFCE Desktop (Lightweight)
XFCE uses significantly less memory and CPU than GNOME, making it a better choice for remote VNC sessions – especially on servers with limited resources. XFCE is available from the EPEL repository.
sudo dnf install epel-release -y
sudo dnf groupinstall "Xfce" -y
Either option works. Pick GNOME if you want the full desktop experience, or XFCE for a leaner setup. The rest of this guide works with both.
Step 2: Install TigerVNC Server on RHEL 10 / Rocky Linux 10
Install the TigerVNC server package from the default AppStream repository. No extra repos needed.
sudo dnf install tigervnc-server -y
Confirm the installed version after the install completes.
rpm -q tigervnc-server
You should see the package version in the output, confirming a successful install:
tigervnc-server-1.15.0-6.el10.x86_64
Step 3: Configure VNC Password
Each user who will connect via VNC needs their own VNC password. Switch to the user account (or run as the user) and set the password with vncpasswd.
vncpasswd
You will be prompted to enter and confirm the password. When asked about a view-only password, choose based on your needs – a view-only password lets someone watch the session but not interact with it:
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
This creates the ~/.vnc directory and stores the encrypted password in ~/.vnc/passwd.
Step 4: Configure VNC User Mappings
TigerVNC on RHEL 10 uses /etc/tigervnc/vncserver.users to map display numbers to system users. Each display number corresponds to a port – display :1 uses port 5901, display :2 uses port 5902, and so on.
Open the configuration file.
sudo vi /etc/tigervnc/vncserver.users
Add your user mapping. Replace jmutai with the actual username on your system:
# TigerVNC user mapping
# Format: :display_number=username
:1=jmutai
:2=devops
In this example, user jmutai gets display :1 (port 5901) and user devops gets display :2 (port 5902). Add as many users as you need.
Step 5: Configure Desktop Session
Each VNC user needs a configuration file that tells TigerVNC which desktop environment to launch and the session resolution. Create or edit ~/.vnc/config for each user.
vi ~/.vnc/config
For a GNOME session, add the following configuration:
session=gnome
geometry=1920x1080
alwaysshared
For XFCE, use this instead:
session=xfce
geometry=1920x1080
alwaysshared
The geometry setting controls the VNC session resolution. Adjust to match your monitor – common values are 1920×1080, 1680×1050, or 1280×1024. The alwaysshared option allows multiple clients to view the same session simultaneously.
Step 6: Start the TigerVNC Service
TigerVNC uses a systemd template service. Start the service for display :1 (which maps to the user you assigned in Step 4).
sudo systemctl start vncserver@:1
Check that the service is running. If your desktop environment is installed and the VNC password is set, the service should start without errors.
sudo systemctl status vncserver@:1
The output should show the service as active (running) with the Xvnc process started:
● vncserver@:1.service - Remote desktop service (VNC)
Loaded: loaded (/usr/lib/systemd/system/vncserver@.service; disabled; preset: disabled)
Active: active (running) since Sun 2026-03-22 20:50:00 EAT; 5s ago
Main PID: 12345 (vncserver)
Tasks: 0 (limit: 23456)
Memory: 1.2M
CPU: 50ms
CGroup: /system.slice/system-vncserver.slice/vncserver@:1.service
Verify the VNC server is listening on the expected port with ss.
ss -tlnp | grep 590
You should see port 5901 in the listening state:
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:* users:(("Xvnc",pid=12346,fd=0))
Step 7: Configure Firewall for VNC Access
Open the VNC port in firewalld. Port 5901/tcp corresponds to display :1. If you configured additional displays, open those ports too (5902 for :2, 5903 for :3, etc.).
sudo firewall-cmd --permanent --add-port=5901/tcp
sudo firewall-cmd --reload
Confirm the port is open by listing the active firewall rules.
sudo firewall-cmd --list-ports
The output should include 5901/tcp:
5901/tcp
For multiple users, open a range of ports instead of adding them one by one. This opens ports 5901 through 5905 to support displays :1 through :5:
sudo firewall-cmd --permanent --add-port=5901-5905/tcp
sudo firewall-cmd --reload
If you are running firewalld with a non-default zone, make sure to specify the correct zone with the --zone flag.
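When the ports must be reachable directly, they can be limited to a known source range instead of opened to every address. The helper below is an added example, not part of the original guide: it reads the Step 4 mapping file and prints one firewalld rich rule per display; the name `vnc_rich_rules` and the 203.0.113.0/24 range are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): print firewalld rich rules that
# open each mapped VNC display to one source range only. vnc_rich_rules is a
# hypothetical helper; it prints commands for review and runs nothing itself.
# Usage: vnc_rich_rules <vncserver.users file> <allowed IPv4 CIDR>
vnc_rich_rules() {
    users_file=$1
    cidr=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                       # blank line or comment
            :*=?*) ;;                                  # expected :N=user form
            *) echo "skipping malformed entry: $line" >&2; continue ;;
        esac
        num=${line%%=*}; num=${num#:}                  # ":1=jmutai" -> "1"
        user=${line#*=}
        case $num in
            ''|*[!0-9]*|0?*) echo "skipping bad display: $line" >&2; continue ;;
        esac
        port=$((5900 + num))                           # display :N listens on 5900+N
        printf '%s\n' "# display :$num ($user) -> $port/tcp"
        printf '%s %s\n' "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\"" \
            "source address=\"$cidr\" port port=\"$port\" protocol=\"tcp\" accept'"
    done < "$users_file"
    echo "firewall-cmd --reload"
}

# Constructed sample mirroring the Step 4 mapping; 203.0.113.0/24 is a
# documentation range standing in for the real admin network.
sample=$(mktemp)
printf '%s\n' '# TigerVNC user mapping' ':1=jmutai' ':2=devops' > "$sample"
vnc_rich_rules "$sample" 203.0.113.0/24
rm -f "$sample"
```

The rich rules narrow access only if the plain 5901/tcp port entry is not also present in the zone, because that entry accepts every source.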
Step 8: Connect with a VNC Client
From your local machine, open your VNC client and connect to the server IP on port 5901. The connection address format is:
server-ip:5901
Or using the display number syntax that some clients support:
server-ip:1
Enter the VNC password you set in Step 3 when prompted. You should see the GNOME or XFCE desktop load in the VNC viewer window.
Popular VNC clients include RealVNC Viewer (Windows/macOS/Linux), Remmina (Linux), and the TigerVNC viewer itself. On Linux, you can install the TigerVNC client and connect from the command line.
sudo dnf install tigervnc -y
vncviewer server-ip:5901
Step 9: Secure VNC with SSH Tunnel
VNC traffic is unencrypted by default. For production use or connections over the internet, always tunnel VNC through SSH. This encrypts the entire session and eliminates the need to open VNC ports on the firewall.
From your local machine, create an SSH tunnel that forwards a local port to the VNC port on the server:
ssh -L 5901:127.0.0.1:5901 -N -f user@server-ip
This command forwards local port 5901 to port 5901 on the remote server through the SSH connection. The -N flag tells SSH not to execute a remote command, and -f sends the process to the background.
Now connect your VNC client to localhost:5901 instead of the server IP directly. All traffic goes through the encrypted SSH tunnel.
vncviewer localhost:5901
When using SSH tunnels, you can remove the VNC port from firewalld since the connection goes through SSH (port 22) instead:
sudo firewall-cmd --permanent --remove-port=5901/tcp
sudo firewall-cmd --reload
On Windows, use PuTTY to create the SSH tunnel. Go to Connection > SSH > Tunnels, set the source port to 5901, destination to 127.0.0.1:5901, and click Add before connecting.
Step 10: Enable TigerVNC Auto-Start on Boot
Enable the VNC service so it starts automatically after a server reboot. Use the same template unit with the display number.
sudo systemctl enable vncserver@:1
Verify the service is enabled by checking its status.
systemctl is-enabled vncserver@:1
The output should confirm the service is enabled:
enabled
If you configured multiple displays, enable each one separately:
sudo systemctl enable vncserver@:2
sudo systemctl enable vncserver@:3
To restart a VNC session (for example, after changing ~/.vnc/config), use systemctl restart:
sudo systemctl restart vncserver@:1
Conclusion
You now have a working TigerVNC server on RHEL 10 or Rocky Linux 10, with user mappings, desktop sessions, and firewall rules configured. The SSH tunnel setup keeps your VNC traffic encrypted for remote access over untrusted networks.
For production servers, consider restricting VNC access to specific IP ranges in firewalld, using SELinux policies to limit VNC processes, and setting up Apache Guacamole as a web-based gateway if you need browser-based remote access without dedicated VNC clients.
Thank you brother. This has to be at least the fifth tutorial I’ve tried. Works beautifully.