Use Qemu VNC

Use VNC built in Qemu

Related info

This page shows one method of using VNC. (Some additional guides have also been written, and are referenced at the end of this section.)

This guide describes what to do if you have specified “-vnc none” as the display method. This approach lets you see the output window of the system.

Have VNC client software installed

Have VNC client software installed. This does not necessarily mean that the VNC client software needs to be installed on the same machine that runs the Qemu virtual machines, although that can be a fine option if that machine has an easily usable graphical display. It is perfectly possible to have Qemu run on an operating system like OpenBSD or a Linux-based operating system, but to have the VNC client run on Microsoft Windows or Apple OSX. That can be done using the magic of SSH port forwarding, which will momentarily be discussed in this guide.

Note: This guide doesn't go into a whole lot of detail about how to use VNC software. The software installation section has information about installing software. The section Remote access software: RFB/VNC may provide some details about software. As some quick notes: TurboVNC works well with IPv6. SSVNC (see: SSVNC) may be a good option, or TightVNC or UltraVNC.

If there are problems with using the VNC software to connect to Qemu, then it may make good sense to test that VNC software by connecting to another VNC server. (The generally recommended process for that is to have the “VNC server” software run on a different machine than the “VNC client” software. In fact, software might even enforce such a recommendation, unless an option is specified.)

Accessing the monitor

First, you need to access the Qemu monitor. The process to do this may be a simple keyboard combination, or may be a bit more elaborate. See: using the Qemu monitor.

One assumption here is that the Qemu software has initialized the “VNC server” code, even if that code is not being very active. This can be done by specifying “-vnc none” on the command line.

Okay, so by now, it is presumed that the previous directions (including following this hyperlinked guide to using the Qemu monitor) allow a person to view the Qemu monitor. The prompt may look like this:

QEMU #.#.# monitor - type 'help' for more information

If multiple virtual machines are running, and if you are not completely certain which machine you are connected to, you can perform a quick check. Just type “info name” (and press Enter).

QEMU #.#.# monitor - type 'help' for more information
(qemu) info name

(That ought to be informative if each virtual machine has been given a unique and useful name that easily identifies the system.)

The next step will be to enable the “VNC server” software that is built into Qemu. (Older versions of Qemu did not have this option. With such software, VNC was still a viable option by having Qemu output to a graphical display, and using separate software as a “VNC server”. However, this guide shows how to use Qemu's internal “VNC server” functionality, since that may typically be more convenient than installing additional “VNC server” software.)

There are two parts to do here.

(This is also documented at: starting Qemu VNC server.)

Assign desktop number and require password

At the monitor, type something like this:

change vnc optionalSystemName:vncDesktopNumber,password

e.g., the monitor line may look something like this:

(qemu) change vnc localhost:20,password

Note: The only part of that which is recommended to customize is that VNC desktop number. Customize only the correct part of that line. Specifically, the phrase “,password” there is *literal text*. Do not try to customize that with a specific password that you intend to use. You're actually supposed to type the actual word “,password” at the end of that line. (However, the VNC desktop number, which is based on the desired TCP port number, may be customized.)

If SSH port forwarding proves to be too difficult, then security can be lowered by not specifying localhost as the network address (which is a name, and not a numeric address, in this example). However, the recommended process is to limit the connections to localhost. A potential attacker who cannot pass the system's authorization requirements may be unable to communicate over the loopback interface, so this security measure is recommended.

Test for listening

If it works, the server should show up with “netstat -na”, and using Qemu monitor's “info vnc” command should show the desired info.

(qemu) info vnc
     address: ::1:5920
        auth: vnc
Client: none

Of course, another way to verify that the server is listening is to use the VNC client, but that won't do much good until the password is sufficiently set up.

The optional host name

If you don't specify the optional host name, it appears that Qemu listens to all possible IPv4 addresses (on the specified VNC desktop number).

If you do specify the host name to be localhost, it appears that Qemu will first try to find an IPv4 name for the specified DNS name. The result is that Qemu will be listening on IPv4, and will not be listening on IPv6. Running info vnc will just show the IPv4 address (not the DNS name). At the time of this writing, there is no currently-known way to get Qemu to listen to both IPv6 and IPv4 at the same time. If you want to listen to IPv6, you may need to specify the IPv6 address (or a hostname which resolves only to an IPv6 address).

IPv6 notes

If, as the optionalSystemName, a literal IPv6 address is desired, then surround it with square brackets:

(qemu) change vnc [::1]:20,password

Some older documentation noted an alternative: surrounding the address with quotation marks. Whether or not that is an official procedure described by any official documentation, that technique was found to work. However, it did not seem to work with newer versions of the software, so it is not recommended. If you're using older software and are having troubles, consider using newer software, or consider using this (perhaps older) technique:

(qemu) change vnc "::1":20,password

Specify the password

change vnc password

Once again, do not try to customize the password in the above line. Just type the literal word “password” at the appropriate location.

The system will then ask for a password. The input will then be echoed back as asterisks. e.g.:

(qemu) change vnc password
Password: ********
(qemu)

Warning: Do not be fooled into thinking that a password longer than eight characters is more secure. The VNC protocol only allows passwords of up to eight characters, so the VNC client will only be sending the first eight characters. The VNC server will only be paying attention to the first eight characters. (This is noted in the section about RFB/VNC limited password strength.)
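The truncation described in the warning above can be seen in how the authentication key is formed. This is an added illustration, not code from Qemu or from any VNC project; it covers only the key derivation (the DES step itself is omitted), the per-byte bit mirroring is behavior of common VNC implementations rather than something this guide states, and the sample passwords are constructed.

```python
def vnc_auth_key(password: str) -> bytes:
    """Derive the 8-byte DES key that classic VNC authentication uses."""
    # Only the first 8 bytes are kept; shorter passwords are padded with NULs.
    raw = password.encode("utf-8")[:8].ljust(8, b"\x00")
    # Widely used VNC implementations mirror the bit order of each key byte
    # before handing the key to DES.
    return bytes(int(f"{byte:08b}"[::-1], 2) for byte in raw)


def ignored_bytes(password: str) -> int:
    """Number of trailing password bytes that never influence the key."""
    return max(0, len(password.encode("utf-8")) - 8)


def same_credential(a: str, b: str) -> bool:
    """True when the server cannot tell the two passwords apart."""
    return vnc_auth_key(a) == vnc_auth_key(b)


if __name__ == "__main__":
    long_pw, short_pw = "correct-horse-battery", "correct-"  # constructed samples
    print("same key:", same_credential(long_pw, short_pw))
    print("bytes ignored in the long password:", ignored_bytes(long_pw))
```
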

At this point, the Qemu software should be running a VNC server that is capable of receiving network traffic. You may either run VNC client software on the machine that is running Qemu, or you can use SSH port forwarding (which will be discussed next).

Alternative options

Note: There may be other options, like allowing the VNC server to listen to more than just the local network. This is not recommended, as VNC is not generally viewed as a very secure protocol. (Not only is the initial password sent unencrypted, but so is all of the data. That is basically as insecure as some other options, like Telnet or FTP. VNC is discussed further by the section on RFB/VNC.) The fact that some VNC software will provide a user interface that seems to accept passwords longer than 8 characters, but then simply ignores the characters beyond the first 8, is rather misleading, making such software even less secure than the likes of Telnet. Therefore, the recommended way to secure the network traffic is to use a tunnel that encrypts traffic with the SSH protocol, not to rely on VNC's passwords.

The Qemu software supports some additional VNC-related security. One option is data encryption by using TLS encryption, which is accomplished via a VNC extension called “VeNCrypt”. Another option is data encryption using SASL. User authentication can be accomplished using x509 certificates, as well as passwords. This guide does not provide a whole lot of details about many of these options, in part because they may be a bit complex to set up (requiring installation of additional software that might not be pre-installed), and in part because data encryption and user authentication are being performed when the VNC traffic is being sent through an SSH tunnel that provides these features. SSH software is also very likely to be pre-installed on many Unix operating systems, which makes that a convenient choice. Regarding the other options, details are currently available from the Qemu documentation: “VNC security” section (which is section 3.11 of the documentation). After discussing the options in Qemu, the documentation provides command lines that can be used with some other software to perform functionality that may be needed for some of these other options.

SSH port forwarding
Determining needed info

First, choose a TCP port number. To make things easiest with the interfaces used by some VNC software, it is recommended to make the TCP port number be at least 5900, and choosing something less than 6000 will probably be most convenient.

It is generally recommended, for simplicity, to choose the same TCP port number as what the VNC server is listening to. This is not strictly required, but simplifies things. In fact, this documentation will intentionally choose different numbers, so that this documentation can easily demonstrate which number needs to go in each location (if the numbers are different). However, when doing this yourself, you're less likely to accidentally put the wrong number in a location if the numbers are not different. So, keep them the same.

You'll also need to know the IP address that the VNC server is running on. This can be the “loopback” address of the SSH server.

The third piece of information that you'll need to know is which TCP port the VNC server is listening to.

Example info

In these examples, we will use 5920 as the local TCP port that is being used on the machine running the SSH client.

For the destination server, we will assume that the VNC server is running on the same machine as the SSH server. Therefore, from the SSH server's perspective, the VNC server is located at the loopback address.

For the destination port number, we will assume that the VNC server is listening to VNC desktop number :30, and that the VNC server is listening on the standard TCP port for that VNC desktop number. That means that the VNC server is listening on TCP port 5930.

Entering the info
Entering the info in PuTTY

In a nutshell, make the options look like the pictures seen in SSH Tunnel Loopback.

In case that isn't clear enough, details about creating the SSH tunnel may be found in Configuring with the PuTTY GUI interface.

In the VNC client, the VNC software standard is that the number after a colon is a VNC desktop number, not the more general standard for TCP applications which specifies that the number after a colon is a TCP port number. A newer VNC standard specifies that TCP port numbers can be specified by using two colons after the network address.

The VNC client should be connected to the TCP port number that is by the letter “L” in the SSH tunnel software (as seen in the example).
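For readers using OpenSSH rather than PuTTY, the following added example (not part of the original guide, and not Qemu's code) turns `info vnc` output into the matching `ssh -L` forward and into the two address forms a VNC client accepts, using the example numbers above. The SSH target `user@qemu-host` is a placeholder, the sample monitor output is constructed in the layout shown earlier, and the local port is assumed to be in the recommended 5900 to 5999 range.

```python
import ipaddress

VNC_BASE_PORT = 5900  # VNC desktop N corresponds to TCP port 5900 + N

# Constructed sample in the layout of the `info vnc` output shown earlier,
# with the SSH example's numbers (server on desktop :30, so TCP port 5930).
SAMPLE_INFO_VNC = """\
     address: ::1:5930
        auth: vnc
Client: none
"""

def parse_info_vnc(text):
    """Return (ip, port, auth) from `info vnc` output in the layout above."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    # The port follows the LAST colon, which keeps an IPv6 host such as ::1 intact.
    host, _, port = fields["address"].rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port), fields.get("auth", "none")

def tunnel_plan(info_text, local_port, ssh_target="user@qemu-host"):
    """Build the OpenSSH forward and VNC client addresses for one listener.

    ssh_target is a placeholder, not a value from the guide.
    """
    ip, port, auth = parse_info_vnc(info_text)
    findings = []
    if not ip.is_loopback:
        findings.append("listener is reachable on non-loopback addresses")
    if auth == "none":  # assumption: Qemu reports 'none' when no password is required
        findings.append("no VNC authentication configured")
    if ip.is_unspecified:  # wildcard bind: forward to loopback of the same family
        ip = ipaddress.ip_address("127.0.0.1" if ip.version == 4 else "::1")
    # Forward to the literal address Qemu reported: per the guide it listens on one
    # address family only, and 'localhost' on the server may resolve to the other.
    dest = f"[{ip}]" if ip.version == 6 else str(ip)
    return {
        "ssh": ["ssh", "-N", "-L", f"127.0.0.1:{local_port}:{dest}:{port}", ssh_target],
        "viewer_display": f"127.0.0.1:{local_port - VNC_BASE_PORT}",  # desktop-number form
        "viewer_port": f"127.0.0.1::{local_port}",                    # double-colon port form
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in tunnel_plan(SAMPLE_INFO_VNC, local_port=5920).items():
        print(f"{key}: {value}")
```

An empty `findings` list means the listener is bound to loopback and requires a password, which is the configuration this guide recommends before tunnelling.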

Entering the info into the VNC client

Specify the VNC desktop number that relates to the TCP port number that the SSH client is listening on.

As an example, the following worked with TurboVNC:

"C:\Program Files (x86)\TurboVNC\vncviewer.exe" /?
type C:\DirName\password.txt | "C:\Program Files (x86)\TurboVNC\vncviewer.exe" /autopass /8bit /nojpeg [::1]:30

Even if the virtual machine is in a paused state, the VNC client will be able to show a blank screen. (Modern VNC clients generally support the VNC server resizing the screen resolution. That works fine with Qemu's VNC server.)

If you see a black box, that probably means that the system hasn't output any video yet (which would happen if the system is paused). This is actually tremendous progress, as it implies that the SSH port forwarding worked (since the password prompt was shown), and the password was accepted (since VNC is showing the virtual machine's output, instead of a dialog box about a password being unaccepted).

Related info

Here are some additional resources/guides:

Related info: Seeing Qemu using a standard graphical user interface which is part of Accessing the local display(s) of virtual machine(s)

One piece of information there is Interacting with the virtual machine's output/display: section on “Enabling Qemu's VNC server” which refers to another page Enabling Qemu's VNC server