Simple HowTo for a secured remote graphical HMI access on Kali 2 installed on Raspberry Pi 3. Probably also works for other Linux Distribution and hardware as well.
by Emeric Nasi
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
I wrote this how-to because I lastly decided to install and run Kali Linux from a Raspberry Pi. I wanted to install VNC and I found it quite complicated to get the information I needed to be able to do so in a secure and nice way.
First you need to have a running Kali or other Debian based Linux distribution installed on Raspberry PI. I personally installed Kali 2 on Raspberry Pi 3. For that look at instruction on the Kali Official Documentation
The device must be connected to the Internet to install the required packages and be network accessible to the PC or phone where you install the VNC client.
SSH server must be available and running on the Raspberry Pi. The Raspberry Pi will act as SSH and VNC server.
I used Xubuntu as the client OS but any other are possible provided they support SSH tunneling and you can install a VNC client.
Also you should use certificate authentication for SSH or at least change the default password (toor) for the Kali root user.
II. Install TightVNC
II.1 Required packages
Install TightVNC server package:
apt-get install tightvncserver
Install Autocutsel package to enable cut&paste between client and server:
apt-get install autocutsel
II.2 First run
We will make a first run of VncServer to generate configuration files and VNC password.
We started an X session on display port 1, note that by default vncserver will attempt to start on display 0 which is already taken by the started Kali session used for local access
The first time you run vncserver, it prompts for a password (8 char max). Thats when you realize VNC sessions are not linked to Linux user authentication but relies on a single password (one of VNC insecurity problems)! You can later change that password using the
We can check the VNCserver is running by issuing the
netstat -tupln command:
Port 5901 is VNC connection port, 6001 is X server for VNC.
II.3 Client access
On the client machine, first install a VNC client such as xtightvncviewer.
apt-get install xtightvncviewer
To connect to the server use the command:
You may notice that the remote HMI is not responsive and really slow. To remediate to that, you can use some options to optimize the connection:
xtightvncviewer <server_ip>:1 -compresslevel 9 -quality 4 -depth 8
We will configure VNC startup script to enable cut and paste. For that edit the file /.vnc/xstartup and add autocutsel line as below.
You can restart your VNC server and check it is working.
III. VNC over SSH
As mention on TightVNC man page, the problem about Xvnc is that it is not secure. As they write: “It’s recommended to restrict network access to Xvnc servers from untrusted network addresses. Probably, the best way to secure Xvnc server is to allow only loopback connections ... and to use SSH tunneling for remote access to the Xvnc server.”
III.1 Localhost only VNC server
We want all our traffic to go through an SSH tunnel. So we will ensure VNC related ports are not accessible on the network.
We have to start VNC server with next options:
vncserver :1 -geometry 1280x800 -depth 16 -localhost -nolisten tcp
The -locahost option will ensure VNC port 5901 is listening only on local interface, the -nolisten tcp option will disable the port 6001(X Server will not listen on the network).
Now our listening connections are:
III.2 SSH Tunnel
We will create an SSH tunnel by issuing the next command on client machine:
ssh -L 5901:localhost:5901 -N -f <distant_user>@<server_ip>
This command means SSH will listen on local port 5901 on client machine. Any connection to this port will be tunneled to port 5901 or the remote VNC server via SSH (port 22).
Now to connect to our raspberry pi VNC server we use the command:
xtightvncviewer localhost:1 -compresslevel 9 -quality 4 -depth 8
IV. Enable at boot
IV.1 Startup script
This startup script is an adaptation of the one proposed by raspberrypi.org to enable the SSH tunneling.
You can test this script by issuing
service vncboot start to start VNC server and
service vncboot stop to stop it.
IV.2 Enable at startup
To enable the script at machine boot:
Now enjoy your remote access, and have fun!