NavigationContentFooter
Jump toSuggest an edit

I cannot connect to my Mac mini through a remote VNC connection

Reviewed on 12 June 2024Published on 07 April 2023

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • A Mac mini

VNC (Virtual Network Computing) is a system that lets users remotely access and control another computer’s desktop.

For those using Scaleway’s rented Mac mini, VNC can be activated by turning on either the “Screen Sharing” or “Remote Management” options in the system preferences. Once set up, you can connect to the Mac mini from another device using its IP address or hostname through VNC clients like RealVNC, TightVNC, and others.

However, some users who have updated their macOS have faced issues with this feature, receiving error messages like Connection failed to <Mac_mini_address> and Make sure Screen Sharing or Remote Management is enabled on the remote computer under the Sharing section of System Preferences.

Upon further analysis, we found a design flaw in macOS, where brute-force attacks performed by malicious actors could result in the service halting. Find out more about this issue on our blog.

As a precaution, every Mac mini comes with a preinstalled fail2ban service (a tool that parses logs, notices authentication failures, and configures the firewall. Refer to our fail2ban tutorial for further information). For added security and to ensure VNC service reliability, you can restrict access to macOS Screen Sharing to certain static IPs. This can be done by tweaking your network settings and using macOS’s inbuilt firewall, pf (Packet Filter), to manage incoming connections.

Note

This is a known issue that multiple Apple users have reported over time. Unfortunately, Apple’s support team has not effectively addressed it yet.

Enable and configure pf (Packet Filter)

You have to create a custom rule set for pf to only allow incoming Screen Sharing connections from your static IP.

Tip

We strongly advise using SSH for this procedure to prevent any risk of losing connection to your machine in the event of a malicious configuration.

  1. Run the following command to connect to your Mac mini:
    ssh@<your_mac_mini_ip>
  2. Backup the original pf.conf file by copying it to a different location.
    sudo cp /etc/pf.conf /etc/pf.conf.backup
  3. Edit the pf.conf file with a command like sudo nano /etc/pf.conf.
  4. Add the following lines to write rules that block all incoming connections on the Screen Sharing port, except for the desired IP.
    [...]
    ## Add these lines to block connections to port 5900 except from your static IP
    block in on en0 proto tcp from any to any port 5900
    pass in on en0 proto tcp from <static IP> to any port 5900
    In the example above, en0 should be replaced with the network interface you are using (you may discover the name of your network interface using the ifconfig command), and <static IP> should be the static IP address you are allowing. Port 5900 is typically used for VNC/screen sharing services.
  5. Save and close the file (if you are using nano: type Y to confirm your changes, Enter to save, and Control-X to close).
  6. Run sudo pfctl -f /etc/pf.conf to load the new pf configuration.
  7. Initiate a Screen Sharing session from the approved IP address and ensure it connects. Also, test from a different IP address to confirm it does not allow the connection.
Note
  • Any changes in your network configuration or the external static IP might require updates to this configuration. Keep this in mind, and adjust as necessary.
  • Remember that this setup can cause issues if the static IP changes for some reason. You can access your Mac mini using SSH to update the configuration.

Restarting screen sharing via SSH

If your Mac’s screen-sharing service stops responding, you can restart it from SSH.

  1. Run the following command to connect to your Mac mini:

    ssh@<your_mac_mini_ip>
  2. Execute the command below to force termination of the Screen Sharing daemon:

    sudo killall screensharingd

    The screensharingd service will automatically restart upon the next incoming connection.

Troubleshooting connection issues

Verify your latest upgrade has not reset your system preferences

Even though it is uncommon for system preferences to be reset during an upgrade, double-checking is always best practice. Make sure there was no reset due to compatibility issues or significant changes between the old and new versions of the OS.

Verify whether Screen sharing or Remote management is enabled

Make sure that either “Screen sharing” or “Remote management” are enabled on your Mac mini. Go to System Settings > General, then verify that Sharing is ticked.

Verify that incoming VNC connections are not blocked by the firewall

Make sure that your Mac mini firewall allows incoming connections for your VNC client. Go to System Settings and then, depending on the OS version, Firewall will be located in either Network or Security & Privacy.

Docs APIScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCarreer
© 2023-2024 – Scaleway