Combination of server and client that can encrypt communication of soracom VNC and SORACOM service that is convenient to use

　This article is a re-edited version of "A combination of server and client that can encrypt VNC communication and a convenient SORACOM service" posted on the "SORACOM Official Blog" provided by SORACOM. .

Contents

Remote control and VNC What is VNC?　VNC evolution and encrypted communication Combining encrypted VNC communication 　How to encrypt communication with Raspberry Pi OS (RealVNC)?　How to encrypt communication with macOS (screen sharing)?　How to safely operate a Windows computer with VNC? Summary - Preparing for communication to use VNC

　Hello, this is Soracom Technology Evangelist Matsushita (nickname: Max).

　Here, we will explain the combination of encrypted communication for VNC (Virtual Network Computing), which is often used for remote control of personal computers. I think it will be useful for those who are doing remote control by VNC or are considering introducing it.

Remote operation and VNC

A common use of IoT is "remote operation", which uses communication to operate devices in distant locations.

　I think that computers are often used to control equipment in the field, but one of the ways to operate these computers remotely is the "remote desktop function". Remote desktop is a mechanism that allows you to display and operate the screen of a remote computer at hand, and it is one of the IoT utilization methods that we often inquire about at SORACOM.

Overview of remote desktop features

Displaying the screen of a remote Windows computer on a local Windows computer

　There are several types of software that realize remote desktops, but since VNC was introduced in 1999, many derived software (implementations) have been created against the background of its simple implementation, and it is used in various places. I'm here.

What is VNC?

If you search for VNC, you can find several names such as "~~ VNC". These are all “VNC”. What is “VNC” with so many implementations?

VNC is an abbreviation for Virtual Network Computing, and is a general term for software that uses a protocol called RFB (Remote Frame Buffer) to send and receive input and output such as screens and keyboards/mouse over the network. It becomes the individual product name. In this blog, we will use “VNC” as a general term for software.

　For an example of using VNC, you can get an idea of ​​how to use it by looking at "Secure remote desktop access from outside" in the SORACOM IoT DIY recipe, which introduces IoT system construction as a recipe. I think not.

VNC implementation that you can use right now

　Here, we will introduce a VNC implementation that you can use right now. See Wikipedia for a list of derived software.

・Real VNC

This is the successor to the "original VNC (VNC as software name)" that appeared in 1999.

　After becoming RealVNC, it is also sold as paid software. The operating environment supports Windows, macOS, Linux, etc. It is included as standard with the Raspberry Pi OS (GUI), and in this case it is a license that can be used free of charge for non-commercial use.

・TigerVNC

　TightVNC derived software derived from the original VNC (grandson from the original VNC point of view).

TightVNC has improved RFB, and TigerVNC has strengthened security such as encryption with TLS (Transport Layer Security). It works in environments such as Windows, macOS, Linux, etc., and is standard VNC in Fedora. The license is GPL-2.0.

・"Screen Sharing" on macOS

　The "screen sharing" function of macOS is realized with VNC.

VNC evolution and encrypted communication

VNC has been updated mainly in two directions. The first is the improvement of RFB, which improves response performance when changing screens and improves communication efficiency. The second is the improvement of security, and the main contents are authentication at the time of connection and encryption of communication contents.

　There are many versions of the protocol "RFB" used in VNC, and connectivity is prioritized and security is compromised. Specifically, communication is performed without encryption. I have a case.

　Therefore, in order to use VNC with peace of mind, we will explain whether or not there is encrypted communication by combination.

Combination for encrypted VNC communication

In conclusion, "Communication between the same VNC implementations (software products)" is a combination that is reliably encrypted. If RealVNC is running on the destination server, connect with RealVNC Viewer from the client.

　In addition, communication is possible between different VNC implementations, but in most cases it is not encrypted, so care must be taken when using it.

From here, we will explain each OS that waits for a VNC connection.

How to encrypt communication with Raspberry Pi OS (RealVNC)?

　Communication with RealVNC, which comes standard with the Raspberry Pi OS, is summarized for each VNC client.

Connection status with Raspberry Pi OS (RealVNC)

　RealVNC in the Raspberry Pi OS does not work immediately after installation. See here for how to enable RealVNC.

Impact of setting "Authentication = "VNC password"" for connecting from other VNC clients

　When connecting from a VNC client other than RealVNC Viewer, "No matching security types" is displayed and the connection fails will fail. If you set "Authentication to "VNC password"" on RealVNC on the Raspberry Pi OS side, you will be able to connect, but the communication will not be encrypted.

How to encrypt communication with macOS (screen sharing)?

　Communication with macOS screen sharing is summarized for each VNC client.

Connection status with macOS "Screen Sharing"

See here for how to enable "screen sharing" on macOS and how to connect from other macOS using the VNC client function.

1 in "Start a screen sharing session with another Mac" is the activation method, and 2 is the connection method.

Influence of the setting "Allow VNC users to operate the screen" when connecting from other VNC clients

When connecting from a macOS VNC client or a VNC client other than RealVNC Viewer It says “No matching security types” and fails to connect. If you enable "Allow VNC users to control the screen" on the macOS that accepts the connection, you will be able to connect, but the communication will not be encrypted. (There is also a description on Apple's page)

　In addition, RealVNC Viewer can be connected without setting "Allow VNC users to operate the screen", but please note that communication is not encrypted.

How can I safely operate my Windows computer with VNC?

　Windows does not have a VNC function as standard. Therefore, separate software is installed. TigerVNC is a good VNC implementation that can be used easily on Windows.

　The following is the result when TigerVNC is targeted.

Connection status with TigerVNC

　TigerVNC's default setting is "Authentication = "VNC password"" for RealVNC, so the connection will not fail, but it is not encrypted, so be careful.

If Windows is Pro or above, a remote desktop function separate from VNC using RDP (Remote Desktop Protocol) is available as standard. You can consider that too.

Summary ~ Preparing for communication to use VNC

　Explained whether or not encryption is used by combining VNC software. Once again, sharing the conclusion, "Communicating with the same VNC implementation (software product)" is a combination that can be reliably encrypted.

　By the way, when it comes to actual use, it is necessary not only to install VNC, but also to prepare a communication line.

　Combining "SORACOM Air", a data communication for IoT using LTE/5G used in smartphones, and "SORACOM Napter", which allows secure remote access to devices connected by SORACOM Air, and Wi- By linking SORACOM Napter with "SORACOM Arc", which can connect to SORACOM from IP networks such as Fi and wired communication, you can remotely control any PC placed at any site with VNC.

Configuration example of remote control by VNC combining IoT data communication service "SORACOM Air" and on-demand remote access service "SORACOM Napter" ― IoT DIY Recipe From "Safely access remote desktop from outside"

We hope that you will take a look at the IoT DIY recipe introduced at the beginning, "Safely accessing remote desktops from outside", etc., and use remote control conveniently and safely!

　The technical findings in this article have been separately summarized in a separate blog post on how to use caution when setting a "VNC password", as communication will be in plain text. Please also see this.