HowTo: Tunneling VNC Connections Over SSH

Virtual Network Computing (VNC) is a desktop sharing system which uses the RFB (Remote FrameBuffer) protocol to remotely control another computer. It transmits the keyboard presses and mouse clicks from one computer to another relaying the screen updates back in the other direction, over a network.

Step by step procedure

You can easily tunnel VNC connections over ssh so that entire traffic get encrypted. Type the following command to tunnel VNC connections over SSH (you need to type command on your desktop computer running UNIX or Linux):
$ ssh -L 5901:localhost:5901 -N -f -l rocky
$ ssh -L 5901: -N -f -l rocky


  • -L 5901:localhost:5901 : Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. Here you are using port 5901 on the localhost to be forward to on the 5901 port.
  • -N : Do not execute a remote command i.e. just forward ports.
  • -f : Requests ssh to go to background just before command execution. Requests ssh to go to background just before command execution. Once password supplied it will go to background and you can use prompt for type commands on local system.
  • -l rocky : rocky is the user to log in as on the remote machine (
  • ( Remote system with VNC server

In your localhost VNC client use for connection. Make sure you use appropriate port i.e. 5901 (VNC server running on display 1). This tunnel will provide nice enhanced security.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 15 comments so far... add one
CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
15 comments… add one
  • weyasey Feb 2, 2009 @ 12:42

    Great tutorial, it was clear and the explanation of the switches made it all understandable.
    Thanks very much it helped me a great deal.

  • Anonymous Apr 17, 2010 @ 3:54

    Thank you, very good and clear. Indeed simpler than that from vnc client on windows

    • TT Jan 30, 2011 @ 21:02

      Do you know if I need the SSH protocol over a network and behind a firewall in Window platform using tight VNC?

  • baba Feb 8, 2011 @ 19:02

    great reference on a great site! however, following the scenario i am prompted with a password in my vnc client (vinagre) and none of the ones i provide work. any ideas?

  • baba Feb 8, 2011 @ 21:02

    sorry, my bad, it was the vnc password

  • YBR Feb 11, 2011 @ 15:17

    Thanks for this Ho-To. One additional note – you don’t have to specify “localhost” in the ssh -L command….I used this to tunnel from work into my home Linux box, and pointed it at the VNC server running on a laptop on my home network. Now I can nannycam! Here is what I did: ssh -L 5600:
    (note, IP numbers/names have been changed to keep honest people honest 🙂

  • Allen May 26, 2011 @ 21:03

    Is there a way to force all users to tunnel to use vnc?

  • Dhairya Aug 9, 2011 @ 12:08

    I followed these steps and could easily connect to remote machine. But now the problem is my localhost is not working as nginx server is unable to listen to any solution?

  • Michael Oct 25, 2012 @ 14:38

    For windows, to connect to a remote ssh session just download the free putty program and configure “tunnels” under the “SSH” category. You set the Source port to the local computers port that is connecting (i was connecting to a vnc session) like port 5900 and the destination port to localhost:5900 then when you open your favorit vnc program you can simply connect to the remote computer by typing “localhost” as long as your remote computer is setup to connect on port 5900. Thats my two cents for windows users.

  • Basu Mar 22, 2013 @ 21:03

    Very clear n concise information.


  • dllehr Feb 24, 2014 @ 19:33

    Thanks for the writeup! I was mistaking the -L hostname to be the one I was connecting to, not localhost. Cleared my issue up. Thanks!

  • waregle82 Jun 21, 2014 @ 5:20

    ssh -L 5902: -N -f -l pi
    pi@‘s password:
    channel_setup_fwd_listener: cannot listen to port: 5902
    Could not request local forwarding.


    • John Jan 13, 2015 @ 15:50

      Are you sure that 5902 is the port that vnc are using, looks like you are running Raspberry Pi with tightvncserver perhaps, in that case the default port is 5901

  • Eric Mar 14, 2016 @ 20:38

    Great that you use 5901 for both the localhost and the remote port, makes it very clear that the first 5901 is for the one and the second 5901 for the other (or is the other way around).

  • Gustavo Jul 21, 2016 @ 16:44

    Excellent! thanks for the quick tutorial and nice explanation.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum