April 12, 2017 at 02:30Configure Windows Remote Access with noVNC
- Tutorial
This guide is about how to configure noVNC to remotely access Windows computers.
- Windows has a "native" tool for remote access - Remote Desktop Connection. But it is not available in all versions of Windows - for example, not in the Home edition.
- There are also many VNC servers and clients for any version of Windows. But to use them, you need to install the VNC client. And there are times when you can’t put anything (restriction of rights), or it is undesirable not to leave traces on someone else’s computer.
- There is also Chrome Remote Desktop, which on the client side only needs an extension in the browser. But I had a case when the Chrome protocol was blocked by the organization (everything was blocked there), and noVNC uses normal HTTP and therefore worked.
As far as I know, noVNC - the only tool that allows you to connect to a remote computer without installing any client - only a browser is used.
There is still SPICE , but for him I did not find a server under Windows.
As a result of this guide, we can simply open the link in the browser, enter the password and use the remote system.
A prerequisite is port forwarding, or the white IP of the remote computer. You can also use the VNC repeater. But that is already beyond the scope of this article.
First, we put a regular VNC server on port 5900.
Then we put noVNC and WebSockify on port 5901.
WebSockify is a kind of proxy that can talk to VNC on the one hand, which we have on port 5900, and can transmit it to the browser on the other. through the web socket, which we will have on port 5901.
noVNC is just an html application, or as it is called a Single Page Application today, which will work in a client browser and “talk” to WebSockify on the server.
Actually, in nature, there are VNC servers that can connect immediately via web sockets:
- MobileVNC , but it is paid (10 Euro per device)
- There is a library LibVNCServer, which supports web sockets, and theoretically works under Windows, but I did not find any ready-made server for Windows with this library.
In this case, WebSockify will no longer be needed.
The VNC protocol itself is standardized, so theoretically you can use any VNC server.
At first I tried to install TightVNC, but noVNC had some authentication problems with it. I think it was possible to figure it out, but I installed UltraVNC (carefully, they have tons of ads there, real links are at the bottom of the page) and it worked.
Most likely, most VNC servers that support Windows will work .
I put the VNC server on port 5900. Do not forget to set the password on the VNC connection. UltraVNC will not let you connect until you set a password.
Verify that the VNC server is working by connecting to it using the VNC client from another computer or smartphone.
Create a folder in a convenient place for ourselves, and load it there:
- unpack the zip archive noVNC
- unpack the zip archive WebSockify
The goal is to get something like this:
Now run the command prompt with administrator rights:
Launch WebSockify:
The first parameter above is the port on which noVNC will listen: 5901 . This port must be made available to customers.
The second parameter is the IP and port where the VNC server is located: 127.0.0.1:5900
The third parameter --web instructs noVNC to send the contents of the c: \ noVNC \ noVNC-master directory via HTTP (s). By default, noVNC only gives a VNC web socket, but this parameter allows you to have an HTTP server on the same port.
In the c: \ noVNC \ noVNC-master directory, rename the vnc.html file to index.html so that it is returned by default.
Now the noVNC client should be available on port 5901:
Try also opening the noVNC page from another computer / smartphone to make sure it is accessible from the outside. If not, then check:
- that your Windows Firewall does not block external connections to this port,
- that your router correctly redirects requests to this port to the correct computer; if necessary google "port forwarding".
We connect (Connect), enter the VNC password and see the desktop of the remote computer!
If something went wrong, then the errors should appear in our console.
You can stop the noVNC server by pressing Ctrl-C in the console. The configuration described above works over HTTP (and over WS).
Adding SSL is optional. You can create a self-signed certificate like this:
For Windows openssl can be taken here .
As a result, we get the self.pem file, which must be pointed out at the start of noVNC:
Now we have HTTPS and WSS (WebSocket Secure). For WSS, you need to specify Encrypt in the Settings. Interestingly, noVNC uses the same port for HTTP and HTTPS - it "knows" to distinguish between requests and respond correctly.
Since the certificate is self-signed, you will need to accept this certificate in the browser.
I have no instructions on how to configure the system so that Let's Encrypt automatically generates a certificate specifically for our system. This would require that noVNC work on port 80, which of course is possible, but it can be inconvenient, and find a way to integrate certbot so that these files are published in the correct directory. I think it’s possible, but I didn’t. If you finish, share in the comments.
In my case, I already have a home server with NGINX and DDNS name, which is configured to automatically receive a certificate from Lets Encrypt.
You can run something similar on your own. There are instructions on setting up Let's Encrypt for Linux and Windows.
So for noVNC, I just use existing pemfiles generated for nginx .
Let's Encrypt creates the following files:
On Ubuntu, you can find them along this path: / etc / letsencrypt / live / your_domain_name
You need to copy (combine) fullchain.pem and privkey.pem into one file, for example, call it encrypt.pem , and we will use this file for noVNC .
Of course, this will work only if the nginx server and noVNC are on the same domain. Ports may be different.
And we must not forget that the certificates are valid for only a few months, and then you need to copy the updated files.
We load the zip archive and unpack the files from there so that they lie in the same folder as the websockify.exe file , that is, in our case in c: \ noVNC \ websockify .
At startup, the service will use the parameters from the file noVNCConfig.ini . Here is an example of my config:
In the console launched with administrator privileges, create a new service:
If you need to remove the service, then like this:
Open the services (Control Panel → Administrative Tools → Services) and run the noVNC Websocket Server. Here you can also configure the service to start every time with Windows:
I found that the Russian keyboard layout works in a rather unusual way:
If the client has Russian, then keypresses are not transmitted to the remote computer at all.
Therefore, in order to print in Russian on a remote computer:
- the English layout must be selected on the client
- the Russian layout must be selected on the remote system
The clipboard (clipboard) works through a button in the browser (in the screenshot above), that is, you can put something there and pick it up on a remote system, or vice versa. And it (for me) does not know how to work with Russian letters.
Why noVNC?
- Windows has a "native" tool for remote access - Remote Desktop Connection. But it is not available in all versions of Windows - for example, not in the Home edition.
- There are also many VNC servers and clients for any version of Windows. But to use them, you need to install the VNC client. And there are times when you can’t put anything (restriction of rights), or it is undesirable not to leave traces on someone else’s computer.
- There is also Chrome Remote Desktop, which on the client side only needs an extension in the browser. But I had a case when the Chrome protocol was blocked by the organization (everything was blocked there), and noVNC uses normal HTTP and therefore worked.
As far as I know, noVNC - the only tool that allows you to connect to a remote computer without installing any client - only a browser is used.
There is still SPICE , but for him I did not find a server under Windows.
As a result of this guide, we can simply open the link in the browser, enter the password and use the remote system.
A prerequisite is port forwarding, or the white IP of the remote computer. You can also use the VNC repeater. But that is already beyond the scope of this article.
General scheme
First, we put a regular VNC server on port 5900.
Then we put noVNC and WebSockify on port 5901.
WebSockify is a kind of proxy that can talk to VNC on the one hand, which we have on port 5900, and can transmit it to the browser on the other. through the web socket, which we will have on port 5901.
noVNC is just an html application, or as it is called a Single Page Application today, which will work in a client browser and “talk” to WebSockify on the server.
Actually, in nature, there are VNC servers that can connect immediately via web sockets:
- MobileVNC , but it is paid (10 Euro per device)
- There is a library LibVNCServer, which supports web sockets, and theoretically works under Windows, but I did not find any ready-made server for Windows with this library.
In this case, WebSockify will no longer be needed.
We put VNC
The VNC protocol itself is standardized, so theoretically you can use any VNC server.
At first I tried to install TightVNC, but noVNC had some authentication problems with it. I think it was possible to figure it out, but I installed UltraVNC (carefully, they have tons of ads there, real links are at the bottom of the page) and it worked.
Most likely, most VNC servers that support Windows will work .
I put the VNC server on port 5900. Do not forget to set the password on the VNC connection. UltraVNC will not let you connect until you set a password.
Verify that the VNC server is working by connecting to it using the VNC client from another computer or smartphone.
noVNC and WebSockify
Create a folder in a convenient place for ourselves, and load it there:
- unpack the zip archive noVNC
- unpack the zip archive WebSockify
The goal is to get something like this:
Now run the command prompt with administrator rights:
Launch WebSockify:
c:\> cd c:\noVNC\websockify
c:\noVNC\websockify> websockify.exe 5901 127.0.0.1:5900 --web c:\noVNC\noVNC-master
WARNING: no 'resource' module, daemonizing support disabled
WebSocket server settings:
- Listen on :5901
- Flash security policy server
- Web server. Web root: c:\noVNC\noVNC-master
- No SSL/TLS support (no cert file)
- proxying from :5901 to 127.0.0.1:5900
The first parameter above is the port on which noVNC will listen: 5901 . This port must be made available to customers.
The second parameter is the IP and port where the VNC server is located: 127.0.0.1:5900
The third parameter --web instructs noVNC to send the contents of the c: \ noVNC \ noVNC-master directory via HTTP (s). By default, noVNC only gives a VNC web socket, but this parameter allows you to have an HTTP server on the same port.
In the c: \ noVNC \ noVNC-master directory, rename the vnc.html file to index.html so that it is returned by default.
Now the noVNC client should be available on port 5901:
Try also opening the noVNC page from another computer / smartphone to make sure it is accessible from the outside. If not, then check:
- that your Windows Firewall does not block external connections to this port,
- that your router correctly redirects requests to this port to the correct computer; if necessary google "port forwarding".
We connect (Connect), enter the VNC password and see the desktop of the remote computer!
If something went wrong, then the errors should appear in our console.
You can stop the noVNC server by pressing Ctrl-C in the console. The configuration described above works over HTTP (and over WS).
Add SSL with a self-signed certificate
Adding SSL is optional. You can create a self-signed certificate like this:
openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pemFor Windows openssl can be taken here .
As a result, we get the self.pem file, which must be pointed out at the start of noVNC:
c:\noVNC\websockify> websockify.exe 5901 127.0.0.1:5900 --web c:\noVNC\noVNC-master --cert=c:\noVNC\self.pemNow we have HTTPS and WSS (WebSocket Secure). For WSS, you need to specify Encrypt in the Settings. Interestingly, noVNC uses the same port for HTTP and HTTPS - it "knows" to distinguish between requests and respond correctly.
Since the certificate is self-signed, you will need to accept this certificate in the browser.
Let's encrypt
I have no instructions on how to configure the system so that Let's Encrypt automatically generates a certificate specifically for our system. This would require that noVNC work on port 80, which of course is possible, but it can be inconvenient, and find a way to integrate certbot so that these files are published in the correct directory. I think it’s possible, but I didn’t. If you finish, share in the comments.
In my case, I already have a home server with NGINX and DDNS name, which is configured to automatically receive a certificate from Lets Encrypt.
You can run something similar on your own. There are instructions on setting up Let's Encrypt for Linux and Windows.
So for noVNC, I just use existing pemfiles generated for nginx .
Let's Encrypt creates the following files:
cert.pem: Your domain's certificate
chain.pem: The Let's Encrypt chain certificate
fullchain.pem: cert.pem and chain.pem combined
privkey.pem: Your certificate's private keyOn Ubuntu, you can find them along this path: / etc / letsencrypt / live / your_domain_name
You need to copy (combine) fullchain.pem and privkey.pem into one file, for example, call it encrypt.pem , and we will use this file for noVNC .
Of course, this will work only if the nginx server and noVNC are on the same domain. Ports may be different.
And we must not forget that the certificates are valid for only a few months, and then you need to copy the updated files.
Add noVNC as a Windows service
We load the zip archive and unpack the files from there so that they lie in the same folder as the websockify.exe file , that is, in our case in c: \ noVNC \ websockify .
At startup, the service will use the parameters from the file noVNCConfig.ini . Here is an example of my config:
5901 127.0.0.1:5900 --web C:\noVNC\noVNC-master --cert=c:\noVNC\encrypt.pemIn the console launched with administrator privileges, create a new service:
sc create "noVNC Websocket Server" binPath= "c:\noVNC\websockify\noVNC Websocket Service.exe" DisplayName= "noVNC Websocket Server"If you need to remove the service, then like this:
sc delete "noVNC Websocket Server"Open the services (Control Panel → Administrative Tools → Services) and run the noVNC Websocket Server. Here you can also configure the service to start every time with Windows:
Known issues
Keyboard layout
I found that the Russian keyboard layout works in a rather unusual way:
If the client has Russian, then keypresses are not transmitted to the remote computer at all.
Therefore, in order to print in Russian on a remote computer:
- the English layout must be selected on the client
- the Russian layout must be selected on the remote system
Clipboard
The clipboard (clipboard) works through a button in the browser (in the screenshot above), that is, you can put something there and pick it up on a remote system, or vice versa. And it (for me) does not know how to work with Russian letters.