VNC vino over SSH tunnel ONLY

Solution 1:

AFAIK the vino-preferences GUI does not include it, but I believe the parameter you are looking for is network-interface

gsettings get org.gnome.Vino network-interface

If unset (i.e. the above command returns the empty string, '') then vino-server listens on all available interfaces, whereas if set to lo

gsettings set org.gnome.Vino network-interface 'lo'

then it will listen only on the lo (localhost) interface.

You could also use the GUI dconf-editor, where the parameter is listed under the org -> gnome -> desktop -> remote-access item.

You can confirm that the server is listening on the desired interface using netstat e.g. the default is

$ sudo netstat -nlp | grep ':5900'
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      10927/vino-server
tcp6       0      0 :::5900                 :::*                    LISTEN      10927/vino-server

(listening on all available interfaces); then after

$ gsettings set org.gnome.Vino network-interface 'lo'

you should see that it is only listening on the localhost interface(s):

$ sudo netstat -nlp | grep ':5900'
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      10927/vino-server
tcp6       0      0 ::1:5900                :::*                    LISTEN      10927/vino-server

Alternatively (or additionally), you could use iptables or ufw to close the port - by default, it is port 5900 + display number.