Accessing a Remote GUI Over the Web
Managing remote desktops from anywhere can be essential, especially when physical access is impossible. Many people immediately think of TeamViewer or AnyDesk for such tasks. However, if you’re privacy-conscious or just prefer an open-source, self-hosted solution, you can build your own alternative using a Virtual Machine or standalone PC, a graphical environment, and noVNC accessed through a reverse proxy like Nginx or Caddy.
In this article, we’ll explore how to expose a graphical environment over the web - securely and conveniently - without relying on proprietary software. 🛡️
🧠 Understanding the Concepts Behind This Setup
Before diving in, let’s clarify the core components and their roles:
💾 Virtual Machine or Standalone PC
This is the host system running a graphical desktop environment (e.g., XFCE, GNOME, KDE, macOS). This can be:
- A VM on Proxmox, VirtualBox, VMware, or KVM
- A physical machine in your network
🎨 GUI (Graphical User Interface)
You’ll need a GUI installed on your system to interact visually. For Linux, lightweight environments like XFCE or LXQt are ideal when performance matters.
📡 VNC Server
A VNC (Virtual Network Computing) server renders the GUI over a network. Popular options include:
- x11vnc – attaches to an existing X session
- tigervnc – creates new virtual sessions
- tightvnc – lightweight and fast
When using a macOS system (like a Mac Mini) or a VM in Proxmox, you get a VNC server out of the box - otherwise you need to install a VNC server for the desktop environment you use.
You’ll typically configure a password and display port (e.g., :1 maps to TCP 5901).
🌐 noVNC
noVNC is a web-based VNC client that runs directly in the browser using HTML5 and WebSockets - no software installation needed on the client side.
🔁 Reverse Proxy
This acts as a secure and friendly front-end for your service. It enables HTTPS, domain-based access, and hides backend ports from the outside world. Common choices:
- Nginx (I personally use the Nginx Proxy Manager)
- Caddy (automatic HTTPS, zero-config for many cases)
- Apache
⚙️ Step-by-Step: Building the Setup
A typical setup using these components could look like this:
---
config:
look: handDrawn
---
flowchart LR
subgraph INTERNET["Internet"]
direction LR
n5["Client"]
end
subgraph LAN["Local Network"]
direction LR
n3("Router / Firewall")
proxy["Reverse Proxy"]
novnc["noVNC"]
host["GUI host"]
end
n5 --> n3
n3 --> proxy
proxy --> novnc
novnc --> host
Here’s how to get it all working together:
Set Up Your VM or PC
- Ensure the system is always on or has Wake-on-LAN enabled.
- Install your preferred Linux distro with a GUI.
- Set up the VNC server on your host.
Set Up noVNC
The Docker image from https://hub.docker.com/r/bonigarcia/novnc gives you a ready-to-run noVNC server. You just need to start the Docker container that runs it:
docker run --rm --name novnc -p 6080:6080 --net grid -e AUTOCONNECT=true -e VNC_PASSWORD=secret -e VNC_SERVER=172.17.0.1:5900 bonigarcia/novnc:1.2.0
Secure with a Reverse Proxy and HTTPS
Having a reverse proxy to handle all public services is always a good start. The reverse proxy offers the noVNC service via HTTPS to the public while hiding any internal setup. You may take a look at my setup with the Nginx Proxy Manager.
🔐 Securing Your Setup
You’re now publicly exposing a graphical interface on the internet - that means security is non-negotiable. Here’s how to stay safe:
- 🔒 Always use HTTPS
- 🔑 Secure VNC with strong passwords and optionally SSH tunneling
- 🔐 Use basic auth or IP whitelisting on your reverse proxy
- 🔄 Keep your software up-to-date
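One way to combine the HTTPS, basic auth and IP allowlist points above in plain Nginx. This is an added example, not the author's Nginx Proxy Manager setup; the hostname, certificate paths, htpasswd file and allowed network are placeholders, and it assumes noVNC is reachable from the proxy at 127.0.0.1:6080.

```nginx
# Added example: placeholder names throughout (vnc.example.com, certificate
# paths, /etc/nginx/novnc.htpasswd, 203.0.113.0/24). Assumes noVNC listens
# on 127.0.0.1:6080 as seen from the proxy. Include this file in the http {} context.

# noVNC reaches the VNC server through a WebSocket, so the proxy has to
# pass the Upgrade handshake through to the backend.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    server_name vnc.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name vnc.example.com;

    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Require BOTH an allowed source address and a valid login.
        satisfy all;
        allow 203.0.113.0/24;
        deny  all;
        auth_basic           "Remote desktop";
        auth_basic_user_file /etc/nginx/novnc.htpasswd;

        proxy_pass http://127.0.0.1:6080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;

        # The default read timeout is 60s; raise it so an idle desktop
        # session is not dropped mid-work.
        proxy_read_timeout 1h;
    }
}
```

If the proxy and the noVNC container share a host, publishing the container port as `-p 127.0.0.1:6080:6080` keeps port 6080 reachable only through the proxy.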
✅ Pros and Cons vs. TeamViewer
👍 Pros
- 🚀 No proprietary software
- 🔐 More control over security and updates
- 🧩 Highly customizable
- 💸 No subscription fees
👎 Cons
- 🧠 Requires initial setup and maintenance
- 🧰 Limited support compared to commercial tools
- 🌐 Requires a public IP or port-forwarding (unless using Tailscale, Cloudflare Tunnel, etc.)
🧠 Final Thoughts
If you’ve ever wanted a self-hosted TeamViewer alternative, combining a VNC server, noVNC, and a reverse proxy gives you an efficient and transparent setup with full control. It’s ideal for developers, sysadmins, or privacy-minded users who want access to their graphical desktops without relying on third-party services.
Just remember: the more exposed a service is, the more carefully it needs to be secured. With HTTPS, authentication, and smart firewalling, this setup can be just as safe as - and significantly more flexible than - many commercial solutions.
Happy remote hacking!