Security

How to Secure a VNC Viewer Connection

Plain VNC isn't private by default. Learn how encryption plugins, strong passwords and tunnelling lock down your VNC Viewer sessions.

How to Secure a VNC Viewer Connection

VNC is a wonderfully open protocol, but 'open' cuts both ways: a basic VNC session is not strongly encrypted, and a weak password is an open door. The good news is that securing VNC Viewer is straightforward once you know the three layers that matter.

What you're protecting against

Two risks dominate: someone guessing or brute-forcing a weak password, and someone intercepting an unencrypted session on the network. Both are entirely preventable.

Layer 1: Strong, unique passwords

Set a long, unique server password — ideally a passphrase. Never reuse a password from another account. If your build supports it, set a separate view-only password for people who only need to watch.

Tip: Change the password immediately if a machine is ever shared or a team member leaves.

Layer 2: Encrypt the session

VNC Viewer supports DSM encryption plugins that scramble session data so it can't be read in transit. Install the plugin on both the server and viewer and enable it before you connect. Without this, treat the session as visible to anyone on the path.

Layer 3: Tunnel or VPN for the internet

The safest way to reach a machine from outside your network is not to expose VNC at all. Instead, connect to your network over a VPN, or wrap the session in an SSH tunnel, then connect to the host as if you were local. Our internet-access guide shows how.

If you only remember one rule: never port-forward a raw VNC port to the open internet. Tunnel it.

Extra hardening steps

  • Restrict which IP addresses may connect, where supported
  • Keep VNC Viewer and Windows fully patched
  • Disable the server when you don't need unattended access
  • Log and review connections on sensitive machines

Frequently asked questions

Basic VNC traffic is not strongly encrypted. Use an encryption plugin, a VPN or an SSH tunnel to protect the session.
Connect through a VPN or SSH tunnel so the VNC port is never directly exposed. Avoid raw port forwarding.
Use a long, unique passphrase you don't use anywhere else, and change it whenever access should be revoked.
Remember: always download VNC Viewer from the official project source, keep it updated, and never expose a raw VNC port to the internet without a VPN or SSH tunnel. When you're ready, head to the download section.