Cloudflare Docs
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Render a VNC client in browser

Cloudflare can render a Virtual Network Computer (VNC) terminal in your browser without any client software or configuration required.

Administrators can use Cloudflare Tunnel to connect a VNC host to Cloudflare’s network. Using Cloudflare Access, you can apply Zero Trust policies to determine who can access your VNC server. Cloudflare’s network will then enforce the Zero Trust policies and, when a user is allowed, render the client in the browser.

🗺️ This walkthrough covers how to:

  • Install and run a Cloudflare Tunnel on a Linux virtual machine
  • Install and configure VNC on a Linux virtual machine
  • Build a Zero Trust policy to determine who can reach the host
  • Render the VNC server in your browser

⏲️ Time to complete:

10 minutes

Before you start

  1. Add a website to Cloudflare
  2. Enable Cloudflare Zero Trust on your account
  3. Connect your identity provider to Cloudflare Zero Trust

Configure VNC on your virtual machine

This section covers how to install a VNC server with TightVNC and the Gnome User Interface. If you already have a VNC server installed, you can skip this step.

  1. Open a terminal window for your VM.

  2. Run the following commands to install the VNC software.

    $ sudo apt-get update
    $ sudo apt-get install gnome-core
    $ sudo apt install tightvncserver
    $ sudo apt-get install gnome-panel
    $ sudo apt-get install ubuntu-gnome-desktop
  3. Once installed, you can create the VNC server instance with the following command:

    $ sudo tightvncserver

    VNC password

  4. Select a password for the VNC server. This password will be used during login for your browser VNC server.

  5. Run the following command, which will take you to your VNC server configuration directory.

    $ cd .vnc
  6. Open your xstartup file.

    $ vim xstartup
  7. Update the file to the following configuration (this is for demonstration purposes, browser based VNC will work with most configurations):

    xsetroot -solid grey
    x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
    #x-window-manager &
    # Fix to make GNOME work
    #gnome-session &
    gnome-panel &
    nautilus &

    VNC xstartup file

  8. Run the following command to create your VNC server:

    $ vncserver

At this point, you have a VNC server ready to test with browser-based VNC. We recommend performing a brief test with an existing VNC browser to verify any missing packages or configuration changes that might need to be made before continuing. Once your VNC server appears as desired, continue with your setup.

Configure Cloudflare Tunnel on your machine

  1. Follow these instructions to install cloudflared

  2. Authenticate cloudflared with the command:

    $ cloudflared tunnel login
  3. Create a Tunnel with the command:

    $ cloudflared tunnel create <NAME>
  4. Create a Tunnel configuration file with the command:

    $ vim config.yml
  5. Add the following configuration to your configuration file.

    tunnel: <NAME>
    - hostname:
    service: tcp://localhost:5901
    - service: http_status:404

    As you do that, replace the hostname value with the domain you wish to use to expose your VNC server in the browser. Also, replace 5901 with the port your VNC server is running on. To get a list of ports, run sudo ss -lnpt and look for VNC to get the value that should be specified in your configuration file.

  6. Route your Tunnel to your website.

  7. Run your Tunnel:

    $ cloudflared tunnel --config path/config.yaml run <NAME>

    Run Tunnel

  8. Follow this guide to open outbound connections for Cloudflare Tunnel if you have a firewall enabled.

At this point you have a running VNC server and a Cloudflare Tunnel on your machine ready to accept inbound VNC requests.

Create a Zero Trust VNC application

The last step is to create a Zero Trust application to run your VNC server in the Browser.

  1. Open your Zero Trust Dashboard and go to the Access > Applications tab.

  2. Click Add an application.

  3. Select Self-hosted.

  4. Name the application and set the domain to which you would like to expose the VNC server:

    Name application

  5. Add a Zero Trust policy. In this example we are only allowing users with emails ending in

    Create policy

  6. In cloudflared settings, set Application Type to be VNC.

And now you are ready to use the VNC terminal directly in the browser. Users will first see a login screen with your configured identity providers:

VNC login screen

After successful authentication, they may be prompted to enter the VNC server’s password:

VNC password prompt

Then your user will be directed into your VNC server:

VNC server

You’ve now successfully deployed a Zero Trust VNC server in the browser. You can define granular access controls across each individual VNC instance.