VNC

Installation

  1. Install TightVNC:
    $ sudo apt install tightvncserver
  2. Open the ports in your UFW Firewall:
    $ sudo ufw allow VNC
    $ sudo ufw allow 5902/tcp
  3. Set up a port forward for port 5902 in your client's SSH connection, and open an SSH connection to the server.
  4. Check the connection to the VNC server with a VNC viewer for Windows or, on a mobile client, VNC Viewer for Android. Connect to localhost:5902.
  5. Note that port 5902 opens a connection to (local) display :2. It's safer to use display :2 than :1, as :1 is sometimes used by an SSH connection.
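
Added example (not part of the original page): because the viewer in step 4 connects to localhost:5902 through the SSH forward, it is worth checking which addresses the VNC server actually listens on. The function names below are made up for this example, and the `ss -ltn` sample is constructed.

```shell
#!/bin/sh
# Added example: list VNC listeners that are reachable beyond loopback.
# Input: output of `ss -ltn` on stdin. VNC display :N listens on TCP 5900+N.

vnc_exposed_listeners() {
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue      # also skips the header line
        port=${laddr##*:}                        # text after the last colon
        host=${laddr%:*}                         # address part, e.g. 0.0.0.0 or [::]
        case $port in ''|*[!0-9]*) continue ;; esac
        if [ "$port" -lt 5900 ] || [ "$port" -gt 5999 ]; then continue; fi
        case $host in
            127.*|'[::1]') continue ;;           # loopback: only reachable via the SSH forward
        esac
        echo "display :$((port - 5900)) (tcp/$port) listens on $host"
    done
    return 0
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:5902        0.0.0.0:*
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*
LISTEN  0       5       [::1]:5903          [::]:*
LISTEN  0       5       [::]:5904           [::]:*
EOF
}

# On a live host: ss -ltn | vnc_exposed_listeners
sample_ss_output | vnc_exposed_listeners
```

Any line it prints is a display that other hosts can reach directly, subject to the firewall rules from step 2.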

Setup as service

  1. Next, we’ll set up the VNC server as a systemd service so we can start, stop, and restart it as needed, like any other service. This will also ensure that VNC starts up when your server reboots.
  2. First, create a new unit file called /etc/systemd/system/vncserver@.service using your favorite text editor:
    $ sudo vim /etc/systemd/system/vncserver@.service
  3. The @ symbol at the end of the name will let us pass in an argument we can use in the service configuration. We’ll use this to specify the VNC display port we want to use when we manage the service:
    [Unit]
    Description=Start TightVNC server at startup
    After=syslog.target network.target
    
    [Service]
    Type=forking
    User=<user>
    Group=<user>
    WorkingDirectory=/home/<user>
    
    PIDFile=/home/<user>/.vnc/%H:%i.pid
    # systemd does not interpret shell redirections, so run the command through sh -c
    ExecStartPre=-/bin/sh -c '/usr/bin/vncserver -kill :%i > /dev/null 2>&1'
    ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 -dpi 96 :%i
    ExecStop=/usr/bin/vncserver -kill :%i
    
    [Install]
    WantedBy=multi-user.target

    The ExecStartPre command stops VNC if it’s already running. Make sure the command is preceded by a “-”, which tells systemd to ignore a failure of that command (for example when no server is running). The ExecStart command starts VNC with 24-bit color depth, a resolution of 1280×800, and a dpi of 96, which ensures the fonts are large enough.

  4. Make the system aware of the new unit file:
    $ sudo systemctl daemon-reload
  5. Enable the unit file:
    $ sudo systemctl enable vncserver@1.service

    The 1 following the @ sign signifies which display number the service should appear over, in this case the default :1.

  6. Stop the current instance of the VNC server if it’s still running:
    $ vncserver -kill :1
  7. Check that the following files do not exist. If they do, delete them:
    /tmp/.X2-lock
    /tmp/.X11-unix/X2
  8. Then start it as you would start any other systemd service:
    $ sudo systemctl start vncserver@1
  9. Check the service is active with one of the following commands:
    $ sudo systemctl is-active vncserver@1
    $ sudo systemctl status vncserver@1
  • Your VNC server will now be available when you reboot the machine.

Delay starting the service

In my setup I attach the hard disks only after the encryption has been confirmed by password. This makes running the service at boot time not possible. In this case, you need to start the vncserver after the hard disk has been attached and the user folders are available.

  1. Disable the unit file:
    $ sudo systemctl disable vncserver@1.service
  2. Start the service from a script that runs at boot time, for example rc.local:
    $ sudo systemctl start vncserver@1.service

Snap

  1. If you need to access applications installed with snapd through your VNC connection, you need to tweak the permissions to access the X server.
  2. Run the following command before invoking such an application. Without a host name, xhost + turns access control off for the display, so every client that can reach it is allowed to connect:
    $ xhost +
  3. The initial access control list for display number n may be set by the file /etc/Xn.hosts, where n is the display number of the server. If this file exists and contains the following line, running xhost is not required:
    local: