Ubuntu Remote Desktop From Windows: xrdp, VNC, SSH & NoMachine
Reaching the graphical desktop of an Ubuntu machine from a Windows PC is a common need — whether you are managing a workstation in another room, supporting a remote user, or occasionally need a GUI tool on a server. The good news is that Windows ships with everything you need to start, and Ubuntu offers several mature remote-access paths. The harder part is choosing the right method and not accidentally exposing your machine to the internet.
This guide walks through the four main approaches — xrdp (the most Windows-native option), VNC, SSH with X forwarding, and NoMachine — with working commands, a comparison table, and the security practices that matter most.
Key Takeaways
• Use xrdp for the smoothest experience from Windows: install it on Ubuntu, then connect with the built-in Remote Desktop Connection (`mstsc`) using the Ubuntu IP.
• VNC (TigerVNC / x11vnc) is cross-platform and flexible; SSH X forwarding is ideal for running a single graphical app rather than a full desktop.
• NoMachine is a fast, cross-platform option that handles audio and high-latency links well.
• Never expose RDP (port 3389) or VNC (5900+) directly to the internet — tunnel them over SSH or a VPN.
• On a headless server you rarely need a full desktop; SSH and the CLI handle most administration.
Which remote access method should you choose?
The right tool depends on whether you want a full desktop, a single application, or just a command line — and on the network between you and the Ubuntu host.
| Method | Protocol / Port | Best for | Windows client | Notes |
|---|---|---|---|---|
| xrdp (RDP) | RDP / TCP 3389 | Full desktop, Windows users | Remote Desktop Connection (`mstsc`) | Most native feel on Windows; one session per user |
| VNC (TigerVNC, x11vnc) | RFB / TCP 5900+ | Full desktop, cross-platform | TigerVNC / any VNC viewer | Flexible; can mirror an existing session with x11vnc |
| SSH + X forwarding | SSH / TCP 22 | A single graphical app | VcXsrv / Xming + PuTTY/OpenSSH | No desktop needed; encrypted by default |
| NoMachine | NX / TCP 4000 | Full desktop, slow links, audio | NoMachine client | Fast over high latency; cross-platform |
If you are unsure, start with xrdp — it requires no extra Windows software.
How do you set up xrdp on Ubuntu and connect from Windows?
xrdp is an open-source implementation of the Remote Desktop Protocol. Because Windows already includes an RDP client, this is usually the fastest route to a working Ubuntu desktop.
Install xrdp on Ubuntu
On the Ubuntu machine, install xrdp from the standard repositories:
```bash
sudo apt update
sudo apt install xrdp -y
```
After installation, the service should start automatically. Confirm it is running and enabled at boot:
```bash
sudo systemctl status xrdp
sudo systemctl enable xrdp
```
xrdp adds itself to the `ssl-cert` group so it can read the machine’s TLS certificate. If your session fails to render a desktop, make sure a desktop environment is installed (GNOME ships with Ubuntu Desktop; on a server you may need to add one, as described below).
Allow RDP through the firewall
If UFW (Uncomplicated Firewall) is active, open port 3389 — but scope it to your local network rather than the whole world:
```bash
sudo ufw allow from 192.168.1.0/24 to any port 3389
sudo ufw reload
```
Replace `192.168.1.0/24` with your actual LAN subnet. Opening 3389 to `any` is convenient but risky; we will return to that under security.
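To check an existing rule set for the risky form, the following added example (not part of the original guide) parses `ufw status` output and lists rules that allow a remote-desktop port from `Anywhere`. The function name and the sample rule table are constructed for illustration; the ports are the defaults listed in the comparison table above.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): list UFW rules that allow a
# remote-desktop port from any source instead of a scoped subnet.

# Reads `ufw status` output on stdin; prints "<to> <from>" per risky rule.
audit_ufw_rules() {
  awk '
    # Ports from the comparison table: xrdp, NoMachine, VNC displays.
    function is_rd_port(p) {
      return p == 3389 || p == 4000 || (p >= 5900 && p <= 5999)
    }
    {
      split($1, to, "/")            # "3389/tcp" -> "3389"
      split(to[1], range, ":")      # "5900:5910" is judged by its first port
      if (range[1] !~ /^[0-9]+$/ || !is_rd_port(range[1] + 0)) next
      i = 2                         # find the Action column past any "(v6)" tag
      while (i <= NF && $i != "ALLOW" && $i != "LIMIT") i++
      if (i > NF) next              # no ALLOW/LIMIT action: DENY or REJECT
      if ($(i + 1) == "IN") i++     # "ALLOW IN" appears in verbose output
      if ($(i + 1) == "Anywhere") print $1, $(i + 1)
    }
  '
}

# Constructed sample of `ufw status` output (not taken from a real host).
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3389                       ALLOW       192.168.1.0/24
5901/tcp                   ALLOW       Anywhere
4000/tcp                   DENY        Anywhere
3389/tcp (v6)              ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_UFW" | audit_ufw_rules
# On the Ubuntu host itself:  sudo ufw status | audit_ufw_rules
```

Any line it prints is a rule to replace with a subnet-scoped one like the `ufw allow from ...` command above.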
Connect with Remote Desktop Connection (mstsc)
On Windows, press Win + R, type `mstsc`, and press Enter. Enter the Ubuntu machine’s IP address (find it on Ubuntu with `ip a` or `hostname -I`), then sign in with your Ubuntu username and password at the xrdp login screen.
```text
Computer: 192.168.1.50
User name: yourubuntuuser
```
A frequent snag: if you are already logged into the Ubuntu desktop locally with the same user, the GNOME session may be “busy” and xrdp can fail to start a parallel session. Log out locally, or use a separate session manager, to avoid the conflict.
How do you use VNC to reach an Ubuntu desktop?
VNC (Virtual Network Computing) uses the RFB protocol and is genuinely cross-platform. Two common server choices exist on Ubuntu:
- TigerVNC — creates a new virtual desktop session, independent of any physical display.
- x11vnc — mirrors the *existing* physical/logged-in desktop, which is useful for remote support.
Install TigerVNC and start a session:
```bash
sudo apt install tigervnc-standalone-server -y
vncserver -localhost no :1
```
The `:1` creates a display on port 5901 (5900 + display number). You will be prompted to set a VNC password on first run. On Windows, install a VNC viewer such as TigerVNC Viewer and connect to `192.168.1.50:5901`.
Because classic VNC traffic is weakly encrypted or unencrypted, the safest pattern is to bind it to localhost (omit `-localhost no`) and reach it through an SSH tunnel, as shown in the security section below.
When should you use SSH with X forwarding instead?
If you only need one graphical application — say `gedit`, a database GUI, or `wireshark` — you do not need a whole desktop. SSH X forwarding streams a single app’s window over the encrypted SSH connection.
On Windows, install an X server such as VcXsrv or Xming and start it. Then connect with X forwarding enabled. With the built-in OpenSSH client:
```bash
ssh -X yourubuntuuser@192.168.1.50
```
Once connected, launch an app and its window appears on your Windows desktop:
```bash
gedit &
```
On trusted networks you can use `-Y` (trusted forwarding) for a slightly faster variant; it skips the X11 security-extension restrictions that `-X` places on the remote application, so reserve it for hosts you trust. Add `-C` to compress the stream. X forwarding is encrypted end-to-end and needs no open ports beyond SSH (22), which makes it the lightest-weight graphical option.
Is NoMachine a good alternative?
NoMachine uses the NX protocol and is known for strong performance over high-latency or low-bandwidth links, plus built-in audio forwarding. It is free for personal use and runs on both Ubuntu and Windows.
Install it on Ubuntu by downloading the `.deb` package from NoMachine and installing it:
```bash
sudo dpkg -i nomachine_*.deb
```
Then install the NoMachine client on Windows and connect to the Ubuntu host’s IP. Like RDP and VNC, its default port (4000) should not be exposed to the internet without a tunnel or VPN.
Do you actually need a remote desktop on a server?
Here is the part most tutorials skip: for a server, you rarely need a full graphical desktop at all. The overwhelming majority of Linux server administration — installing packages, editing configs, reading logs, managing services, deploying code — is faster and lighter over SSH and the command line than through a remote GUI.
A typical headless server ships *without* a desktop environment, which is by design: no GUI means a smaller attack surface, less RAM and CPU consumed, and fewer packages to patch. If you connect to such a server with xrdp, you will get a blank or broken session because there is nothing graphical to display.
So the pragmatic rule is:
- Default to SSH. Use “ and the CLI for almost everything.
- Install a desktop + xrdp/VNC only if you genuinely need a graphical tool — for example, a GUI-only database client, a browser for a captive portal, or design software.
- When you do add a GUI, prefer a lightweight desktop to keep resource use low:
  ```bash
  sudo apt install xfce4 xfce4-goodies -y
  echo "xfce4-session" > ~/.xsession
  sudo systemctl restart xrdp
  ```
- Never expose RDP or VNC directly to the internet. Tunnel it.
That last point deserves its own section.
How do you keep remote desktop access secure?
Remote desktop ports are a favorite target for automated scanners. Exposed RDP (3389) and VNC (5900+) endpoints attract relentless brute-force attempts. Treat them as services that should never face the open internet on their own.
Tunnel over SSH. Instead of opening the RDP or VNC port to the world, forward it through an SSH connection. From Windows (OpenSSH) for an RDP session bound to localhost on the server:
```bash
ssh -L 3389:localhost:3389 yourubuntuuser@server-public-ip
```
Then point `mstsc` at `localhost:3389`. The RDP traffic now travels inside the encrypted SSH tunnel, and only port 22 is exposed. The same pattern works for VNC:
```bash
ssh -L 5901:localhost:5901 yourubuntuuser@server-public-ip
```
Beyond tunneling, apply the usual hardening:
- Use strong, unique passwords and, where possible, SSH key authentication instead of passwords.
- Keep RDP/VNC bound to localhost or your LAN subnet in the firewall — never `0.0.0.0`.
- Prefer a VPN (such as WireGuard) for remote sites, so the desktop service is only reachable from inside the private network.
- Keep Ubuntu and xrdp patched with `sudo apt update && sudo apt upgrade`.
- Consider fail2ban to throttle repeated failed logins.
See “ for a fuller checklist.
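One way to verify the binding advice in the list above, as an added example that is not part of the original guide: it classifies every listener on the guide's default remote-desktop ports by the address it is bound to. The function name and the sample `ss -Htln` lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): classify remote-desktop
# listeners by bind address, using the default ports named in this guide.

# Reads `ss -Htln` output on stdin; prints "service port address verdict".
audit_rd_listeners() {
  awk '
    function service(p) {
      if (p == 3389) return "xrdp"
      if (p == 4000) return "nomachine"
      if (p >= 5900 && p <= 5999) return "vnc"
      return ""
    }
    function verdict(a) {
      if (a ~ /^127\./ || a == "[::1]") return "tunnel-only"
      if (a == "0.0.0.0" || a == "*" || a == "[::]") return "all-interfaces"
      return "single-interface"
    }
    $1 == "LISTEN" {
      n = split($4, part, ":")   # field 4 is local address:port
      svc = service(part[n] + 0)
      if (svc == "") next        # not a remote-desktop port
      addr = substr($4, 1, length($4) - length(part[n]) - 1)
      sub(/%.*$/, "", addr)      # drop an interface suffix such as %lo
      print svc, part[n], addr, verdict(addr)
    }
  '
}

# Constructed sample of `ss -Htln` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128   0.0.0.0:22        0.0.0.0:*
LISTEN 0 2     127.0.0.1:3389    0.0.0.0:*
LISTEN 0 5     0.0.0.0:5901      0.0.0.0:*
LISTEN 0 5     [::1]:5902        [::]:*
LISTEN 0 128   192.168.1.50:4000 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | audit_rd_listeners
# On the Ubuntu host itself:  ss -Htln | audit_rd_listeners
```

A `tunnel-only` listener is reachable only through `ssh -L` or from the host itself; `all-interfaces` means the firewall is the only thing keeping the port off the network, and `single-interface` should be confirmed as the LAN or VPN address.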
Reliable remote access starts with the right server
A smooth remote desktop experience depends on the foundation underneath it: root SSH access, a clean Ubuntu install, and a network that stays up.
DarazHost VPS and dedicated servers ship with full SSH root access, so you can administer everything from the command line by default — and install a desktop environment plus xrdp or VNC whenever you genuinely need a GUI. Our secure-by-default access, reliable network, and 24/7 support mean you can tunnel remote-desktop traffic safely and keep your sessions responsive. Whether you run a headless production server or a graphical workstation in the cloud, you get the access model that fits the workload. Explore “ to get started.
Frequently asked questions
Can I use the Windows built-in Remote Desktop to connect to Ubuntu?
Yes. Install xrdp on Ubuntu, allow port 3389 on your LAN, and connect using Remote Desktop Connection (`mstsc`) with the Ubuntu machine’s IP address. No extra Windows software is required.
Why do I get a black screen or login loop with xrdp?
This usually means no desktop environment is available to the xrdp session, or the same user is already logged in locally. Install a desktop (for example `xfce4`), set it as the session in `~/.xsession`, restart xrdp, and avoid logging into the same user both locally and remotely at once.
What port does Ubuntu remote desktop use?
xrdp uses TCP 3389 (RDP), VNC uses 5900 + display number (5901 for `:1`), SSH uses TCP 22, and NoMachine uses TCP 4000 by default.
Is it safe to open RDP to the internet so I can connect from anywhere?
No. Exposed RDP and VNC ports are heavily targeted by brute-force scanners. Instead, tunnel the connection over SSH or place the server behind a VPN, so only the SSH/VPN endpoint is reachable.
Do I need a GUI on my Ubuntu server at all?
Usually not. SSH and the CLI handle nearly all server administration efficiently. Install a desktop and xrdp/VNC only when a specific task truly requires a graphical tool.