Enabling Qemu's VNC server

Choosing TCP port(s)

Then, choose a TCP port number on the system that will be running the VNC server. (The VNC server in this case is part of Qemu.)

Since this is for a VNC session, the TCP port number(s) (each one on each system) should each be at least 5900. (If a lower number was selected, pick again, choosing a higher number. Then, repeat again as necessary until a sufficiently high number was chosen.) This is because chances are that the the VNC server software and/or also the VNC client software, quite possibly both, will want to work with a TCP port number which is number 5900 more/higher than a VNC desktop number that gets specified. (However, there may be some exceptions, as noted in the section about VNC desktop numbers.) Unsurprisingly, the TCP port number selected should be unused on the system that is going to be listening to traffic on that TCP port. (If the chosen TCP port number isn't free, either cause the TCP port numbers to become free, or simply choose a different TCP port numbers which is both free, and numerically at least 5900.)

Also, while at it, if the VNC client is going to be run on another server, then using tunneling may be a great idea that will be covered in this guide. If that will be used (and this is recommended), then identify a TCP port number on the system that will be running the VNC client's end of a tunnel that will be used. There are no technical requirements forcing the TCP port number on the client to be the same number as the TCP port number used on the server, although it does make organizational sense for them to match. The technical requirement that does exist, when picking the TCP number, is that the TCP port number should be free on the client. Also, picking a number that is at least 5900 is recommended.

Command line options

These need to be suitably set, if they haven't been already. Details are in the section on Qemu's VNC command line option(s).

There may not be a real way to change these settings after the virtual machine software has started running, so making changes may require (quitting any existing virtual machine that uses the same disk images, and then) starting a new copy of the virtual machine software.

VNC Server Connection/Authentication Settings

The Qemu VNC software can be enabled from the command line, although the recommended method is to use the Qemu monitor. By using the “Qemu monitor”, Qemu's VNC server is not accepting connections way earlier than the time when the authorized VNC session is ready to start being made.

Use the “Qemu monitor” to issue a command that specifies what TCP port number the VNC server, which is part of Qemu, should listen on. An example is:

change vnc localhost:20,password

Note: customize only the correct part of that line. The phrase “,password” there is *literal text*. Do not try to customize that with a specific password that you intend to use. You're actually supposed to type the actual word “,password” at the end of that line. (However, the VNC desktop number, which is based on the desired TCP port number, may be customized.)

(The above may be a newer example based on newer documentation. If that does not work, try specifying instead of localhost. If your incoming VNC traffic is coming from a remote system, you can specify the IP address of the network interface that will be receiving the VNC traffic.)

This will cause VNC to listen to a TCP port which is 5900 plus the VNC desktop number that is specified after the colon, so using the example text it would use TCP port 5920. Password authentication will be used. However, the VNC connection might not work until a password is set. (The default might not be to use a blank password, but rather to refuse all passwords.) (There is no hurry to start allowing passwords until the connection is made, so the instructions for setting a password are after details about getting the client ready to connect.)

It should be noted that this isn't absolutely the most secure way to use VNC, but in many cases it may be secure enough since it is secured against remote attacks, since connections can only come in on the IPv4 address Whether is a trustworthy system is something that needs to be determined using instructions other than this guide: In multi-user systems, one should expect that another user could log in and connect to the port. (Connecting to the port could be done either by using a command on the system with Qemu, or by using port forwarding, possibly by forwarding the traffic through a tunnel.) (There needs to be some sort of protection to prevent another user from making this sort of connection.) (Further instructions on securing VNC are not available here; they should be. (In the meantime, Qemu documentation: Section 3.10: VNC security provides a picture of what is needed, discussing command line parameters for Qemu. The sub-section Qemu documentation: Section 3.10.8: Generating certificates for VNC provides details about generating certificates using a command called certtool which comes from the third party package collection called “The GNU TLS packages”.))

Preparing the VNC client, and routing

Next, if this hasn't yet been done, install the VNC viewer on whatever computer this VNC session is going to be getting viewed from. For a choice of VNC viewing software, see the section about “Remote framebuffer” and VNC programs. (For information about installing the software, see the software installation page (especially the software installation (package management section)).

The next thing that needs to be done is to make sure that the VNC client can communicate with the VNC server. The method which is recommended (because it implements a higher degree of security) is for the VNC server to only listening to a loopback address ( for IPv4, which may be the only protocol supported by Qemu's internal VNC server). In that case, the two common methods to have the VNC client be able to communicate to that VNC server are to run a VNC client on the server or to set up TCP port forwarding to allow that communication to work. For details on that latter method, review the guide for setting up a traffic tunnel.

Start allowing authenticated connections

After it seems like any port forwarding is set up, and the VNC client is installed, and knowledge regarding how to use the VNC client is available, then it is finally time to adjust the VNC server to allow the possibility of logging into the VNC server. Issue the following command into the Qemu monitor:

change vnc password

Type in a password in the Qemu monitor, and create the VNC connection with the client.

If all goes well, the VNC client will be displaying the display that is being transmitted from the VNC server, and interaction with the displayed environment will work. (If interaction is not working, check the server to see if some sort of read-only mode was used.)


If the VNC session shows a blank black window, that may just mean that emulation is paused. Expect that the VNC session is working, and re-secure the VNC server (at least for now) by disabling passwords again.

Once the VNC connection is established (including authenticating well enough that the VNC server's screen starts to become visible to the VNC client), use the “ change vnc none ” command (in the Qemu monitor).

That will prevent new connections, while likely still allowing existing connections. If not, adjust the instructions as needed, and be sure to put in a password. (Note that blanking out the password might actually cause there to be no password requirement, lowering security.

Then check the existing network connections to make sure that no other connections were created. (Existing, established, active connections are able to continue even after the server stops accepting passwords for new connections.) (If there was one unauthorized connection, or even more, refer to the information about dealing with an intruder.)

One may then run something like “ netstat -na | grep -i 5920 ” in Unix-like environments (or “ netstat -na | find /i "5920" ” in Windows). (These example command lines are assuming TCP port 5920 is what is being used.) Look for any connections involving the port number being used. If only one connection is desired, then hopefully there is only one pair of IP addresses and port numbers that shows as “ESTABLISHED” (although the pairing may show twice, with one showing having the local address and foreign address swapped from the other showing). There will also be a “LISTEN” line with a foreign address of * or *.*, which needs to remain as long as there are existing VNC sessions. (After that point, it may be removed by using the Qemu monitor command “change vnc none”, but doing that will also terminate any existing VNC session.)

Sometimes, at least with some versions of Qemu (and perhaps just some versions of VNC), the screen may not draw properly. If that occurs, tell the VNC client to refresh the display.