Continuing on this foolish path to manage some virtual machines on a remote host with TLS and peer authentication, here I'm going to configure VNC.

The trick here is we're really configuring qemu not libvirtd as qemu itself provides the VNC server. On my Debian system the default configuration file is /etc/libvirt/qemu.conf. By default, TLS for VNC is not enabled.

To listen on all interfaces, use TLS and do peer authentication the following options need to be set.

vnc_listen = ""
vnc_tls = 1
vnc_tls_x509_verify = 1

The default certificates directories are either the default qemu certificate directory.


Or the qemu VNC certificate directory.


I chose to copy them to the latter.

VNC ports are allocated by qemu starting a port 5900 by default. I'm going to assume these are reused when either a domain is destroyed or deleted and allowed the port range 5900:5910 through the firewall.

I could only find limited documentation about where virt-manager or virt-viewer expects the certificates to be installed for making VNC connections. I ended up using strace to see where it was trying to read them from.

I was a bit surprised to find they actually expect the client certificates in different paths. Here is where virt-manager reads certificates.


And virt-viewer here, which partially overlaps where libvirt reads its certificates.


After copying the missing certificates we should be ready to go.

To create a new virtual machines with a graphical installer, which is what I wanted to do, I still need to download the installer ISO disk image on the server.

$ wget -P /var/kvm/installers/

It's now possible to create a new virtual machine with virt-manager and then use a graphical installer to install an operating system through a VNC display. 1 2 3 4 5 6

I can also script the virtual machine creation with virt-install which will launch the virt-viewer VNC client. A list of possible --os-variant values can be found run running virt-install --osinfo list.

$ virt-install \
  --connect 'qemu+tls://' \
  --name demo \
  --memory 2048 \
  --vcpus 2 \
  --disk size=20 \
  --cdrom /var/kvm/installers/latest-nixos-gnome-x86_64-linux.iso \
  --boot cdrom,hd \
  --os-variant nixos-22.05 \
  --graphics vnc

Starting install...
Allocating 'demo.qcow2'                                                                                                    | 3.1 MB  00:00:03 ...
Creating domain...                                                                                                         |    0 B  00:00:00
Running graphical console command: virt-viewer --connect qemu+tls:// --wait demo

Bam! A virt-viewer window appears displying the install media boot screen.

This is pretty great, I can now quickly and easily create new virtual machines on the server and immediately connect to their display and input devices using VPN client.

I'm still not fully satisfied, when I create virtual machines on my laptop I always prefer SPICE over VPN. The main reason is that SPICE has a feature "Redirect USB device" which works really well for many of my workflows that rely on my USB security key. The reason I didn't setup SPICE initially is that it doesn't support TLS peer authentication (!). I have an idea how I could make this work which I'd like to try, but I'll leave that for another time.