VNC is open-source remote access software. It has been around for many years, and the protocol has been implemented in a number of different software packages. It supports Windows, Linux and Mac OS X. Programs include UltraVNC, TightVNC, TigerVNC, and RealVNC.

This article shows the ports used by VNC, and explains how to block or allow these ports on your computer network.

Network Ports used by VNC

The ports used by VNC are TCP 5900 and TCP 5800.

If you have multiple displays, then ports 5901 and upwards are used (each display uses the next consecutive port number).

Port 5800 is often used as a basic web server with a web-based VNC JavaScript application allowing easy remote access.

The ports can be user-configured on each server that runs VNC, and VNC can also be publicly exposed on a different port number, depending on your router configuration. Just because these ports are the defaults does not mean they are always used.

A word of caution: According to John Matherly’s Shodan Blog, there are at least 8,070 VNC Servers running without a password! Tools such as Shodan can find VNC running even on non-standard ports. Changing the port number isn’t a very good security measure.

How to Allow VNC Ports

To access VNC on a public network (e.g. the Internet), you must forward the appropriate ports through your router/firewall. The exact steps are based on your specific router model. Here’s a basic guide to port-forward VNC Ports:

  1. Find the local IP Address of your PC running VNC Server
  2. Log in to your router’s web interface (e.g. http://192.168.1.1)
  3. Find the “Port Forwarding” section of your router
  4. Create a new “Port Forwarding” rule
    1. Set the source and destination ports to TCP 5900
    2. Set the destination IP Address to the IP Address of your local PC (found in Step 1)
  5. Run the GRC ShieldsUP Port Scanner to see if the port is open and listening

How to Block VNC Port Remote Access On Your Network

If you want to block VNC on your network, there are a couple of simple ways to do this:

  1. Check all routers and firewalls for Port Forwarding rules to Port 5900 and 5800
  2. Run the GRC ShieldsUP port scanner to find any open VNC ports
  3. Restrict any VNC EXEs from running, via Group Policy
  4. Use deep packet inspection in your firewall
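
The deep packet inspection step, and the earlier caution that moving VNC to another port does not hide it, both rest on the same fact: a VNC server opens every connection with a 12-byte RFB greeting (RFC 6143). The following is an added example, not code from the original article; the function names, the 5900-5999 "default" range and the sample flows are assumptions constructed for illustration.

```python
import re
import socket

# RFB, the VNC wire protocol (RFC 6143), starts with a 12-byte server
# greeting such as b"RFB 003.008\n", whatever port the server listens on.
RFB_GREETING = re.compile(rb"RFB (\d{3})\.(\d{3})\n")

def rfb_version(first_bytes):
    """Return (major, minor) if the bytes start with an RFB greeting."""
    m = RFB_GREETING.match(first_bytes[:12])
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify_flow(port, first_bytes):
    """Label the first server bytes of a connection, as a DPI rule would."""
    version = rfb_version(first_bytes)
    if version is None:
        return "not-vnc"
    # Assumption: 5900-5999 counts as the default display range.
    where = "default" if 5900 <= port <= 5999 else "non-standard"
    return f"vnc {version[0]}.{version[1]} on {where} port {port}"

def probe(host, port, timeout=3.0):
    """Read the greeting from a host on your own network and classify it."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        try:
            while len(data) < 12:
                chunk = conn.recv(12 - len(data))
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # service waits for the client to speak first: not RFB
    return classify_flow(port, data)

# Constructed sample: (server port, first bytes sent by the server).
SAMPLE_FLOWS = [
    (5900, b"RFB 003.008\n"),
    (40022, b"RFB 003.003\n"),
    (5900, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (5901, b"220 mail.example ESMTP\r\n"),
]

def audit(flows):
    """Return the labels of every flow that carries VNC."""
    labels = [classify_flow(port, data) for port, data in flows]
    return [label for label in labels if label != "not-vnc"]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_FLOWS)))
```

The sample flags the server on port 40022 and ignores the SSH and SMTP services that happen to sit on ports 5900 and 5901, which is why filtering on content is more reliable than filtering on port number alone.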