Why Do You Need VNC?

Picture this: you’re at home, at work, or on vacation

Your Raspberry Pi is running quietly at home — maybe downloading files, controlling your smart home, or recording video. Suddenly, you need to check something or make a quick change. Through SSH you only get a black text console, which isn’t ideal for working with graphical apps.

With VNC, you can open an app on your laptop and see your Raspberry Pi’s full desktop — as if you were right in front of it. You can click with your mouse, open files, and launch programs normally.

What You’ll Get After Setup:

See the Desktop

A full Raspberry Pi graphical interface right on your screen — complete with windows, icons, and menus. It feels just like using a regular computer.

Access From Anywhere

At home, in the office, in a café, or abroad — no matter where you are. As long as you have internet, you can connect to your Raspberry Pi in just a few clicks.

Secure Connection

All traffic is encrypted. Even if you connect via public Wi-Fi, no one can eavesdrop on what you’re doing.

No Router Hassle

No need to mess with router settings or open ports. Everything runs securely through the tunnel you already set up.

Requires a Working SSH Tunnel

This guide continues from the Reverse SSH Tunnel Setup for Raspberry Pi via EC2. If you haven’t created the tunnel yet, start there — VNC will work through it.

Terminology Explained in Simple Terms

Before we start, let’s clear up what all these technical terms mean. Don’t worry if you forget something — we’ll revisit each term as we go through the setup process.

VNC (Virtual Network Computing)

Think of it as streaming your Raspberry Pi’s screen to your laptop over the Internet. You see its desktop and control the mouse and keyboard as if you were sitting in front of it.

Analogy: Like mirroring your smartphone screen on your laptop — but for a full desktop computer.

VNC Viewer (Client)

An app on your computer (Windows, macOS, or Linux) that displays your Raspberry Pi’s desktop. Think of it as a “browser” for remote desktops instead of websites.

VNC Server

The program running on your Raspberry Pi that “shares” its desktop. It’s already installed and enabled by default on Raspberry Pi OS — nothing to install manually!

Port

Think of a port as an apartment number in a building. The IP address is like the street address (e.g. “5 Main Street”), while the port points to a specific program (e.g. apartment 101).

Port 5900: the “apartment” of the VNC server on Raspberry Pi

Port 5901: the “apartment” on EC2 that forwards to VNC through the tunnel

Port 2222: the “apartment” on EC2 that leads to SSH on Raspberry Pi

SSH Tunnel

A secure, encrypted “pipe” between your Raspberry Pi and the EC2 cloud server. All traffic (including VNC) travels through this tunnel — fully encrypted and unreadable to anyone else.

Important: The tunnel is initiated by the Raspberry Pi itself, so your home router doesn’t block it.

EC2 (Elastic Compute Cloud)

A virtual server in Amazon’s cloud (AWS). It’s like renting a computer that runs 24/7 in an Amazon data center with its own permanent public IP address.

Role: It acts as a middleman between you and your Raspberry Pi. It’s reachable from the Internet, while your Raspberry Pi isn’t.

Domain Name

A friendly name instead of a string of numbers. For example, instead of 3.120.94.8:5901 you can use my-raspberry.example.com:5901 — easier to remember and more professional.

Security Group

A virtual firewall in AWS that decides who can “knock” on which “apartments” (ports) of your EC2 server from the Internet.

Example: opening port 5901 = allowing VNC connections.

Systemd Service

A Linux service manager that keeps your programs running. If the tunnel goes down (e.g. Internet drop or crash), systemd automatically restarts it after 10 seconds.

Analogy: like a watchman making sure the “door” (tunnel) always stays open.

localhost (127.0.0.1)

A special name that means “this computer.” When you write localhost:5901 on EC2, it refers to port 5901 on that same EC2 server.

0.0.0.0 (All Interfaces)

A special address meaning “listen on every network interface of this machine.” If a port is bound to 0.0.0.0, it’s reachable from the Internet whenever the firewall (here, the Security Group) allows it.

Don’t Panic!

You don’t need to memorize everything right away. We’ll revisit these terms as we go along, each time in context. This section is simply a reference you can return to anytime.

How It Works: The Path from You to Raspberry Pi

Let’s break down how data travels between your computer and your Raspberry Pi. Understanding the flow will help you troubleshoot issues later.

Visual Diagram:

Your Computer (VNC Viewer) → EC2 Server (YOUR-EC2-IP:5901) → SSH Tunnel (encrypted) → Raspberry Pi (VNC Server :5900)

Step-by-Step Explanation:

1. You open VNC Viewer

Enter the address: YOUR-DOMAIN.example.com:5901 (or YOUR-EC2-IP:5901). VNC Viewer sends a connection request over the Internet to this address and port.

2. The request reaches the EC2 server

Your EC2 server (a virtual machine in Amazon’s cloud) receives the request on port 5901. The Security Group (AWS firewall) checks: “Is access to this port allowed?” If yes, it lets the traffic through.

3. Data travels through the SSH tunnel

EC2 forwards everything that arrives at port 5901 into the SSH tunnel. That tunnel connects to your Raspberry Pi at home. All data inside the tunnel is encrypted — even if intercepted, it’s unreadable.

4. Raspberry Pi responds

The request reaches the VNC server on the Raspberry Pi (port 5900). The VNC server verifies your password and sends back the desktop image along the same route: RPI → Tunnel → EC2 → Internet → Your Computer.

5. You see the desktop!

VNC Viewer receives the desktop image and displays it in a window. Every mouse click and keystroke you make travels back the same way and executes on the Raspberry Pi.

Why Is This Secure?

  • All traffic travels through an SSH tunnel — one of the most secure ways to transfer data
  • No router ports are opened at home — no exposure or vulnerabilities
  • The Raspberry Pi initiates the tunnel — no one from outside can reach it directly
  • Access is protected by a VNC password (and optionally SSH keys, as explained later)

What You’ll Need

Before we begin, make sure you have everything ready. If you’re missing something, take a moment to set it up first.

Required Items

  • A working SSH tunnel to Raspberry Pi

    You should have set this up following this guide. Test it: the command ssh rpi should connect to your Pi.

  • A Raspberry Pi running Raspberry Pi OS

    The VNC server is already installed and enabled by default on Raspberry Pi OS — no extra setup needed.

  • An EC2 instance on AWS

    With a static Elastic IP address. You already have one if you followed the SSH tunnel setup earlier.

  • Access to the AWS Console

    You’ll need it to open port 5901 in the Security Group (firewall).

  • VNC Viewer installed on your computer

    The free RealVNC Viewer app — we’ll install it during this setup.

Quick Reference: Values You’ll Need

Keep this info handy. In examples, we’ll use placeholders — replace them with your real values.

What It Is | In Examples | Your Value
EC2 IP address | YOUR-EC2-IP | Example: 18.185.123.45
Your domain name | YOUR-DOMAIN.example.com | Example: my-rpi.ddns.net
Raspberry Pi username | a528fe1 | Your actual username
SSH key for EC2 | ~/.ssh/rpi-tunnel-key.pem | Path to your private key

Step 1. Checking VNC on Raspberry Pi

VNC Server comes pre-installed on Raspberry Pi OS and usually starts automatically. Let’s make sure it’s running and see which port it’s listening on.

1.1 Connect to Your Raspberry Pi

Open a terminal on your computer and run:

ssh rpi

What’s happening here:

You’re connecting to your Raspberry Pi through the existing SSH tunnel. If this command fails, go back to the SSH tunnel setup guide and verify that the tunnel is active.

1.2 Check the VNC Port

On your Raspberry Pi, run this command:

sudo ss -tulpn | grep 590

Command breakdown:

  • ss — shows network connections
  • -tulpn — options to display TCP/UDP ports with program names
  • grep 590 — filters only lines containing “590” (VNC ports)

Expected output (example):

tcp   LISTEN   0   5   0.0.0.0:5900   0.0.0.0:*   users:(("vncserver-x11",pid=1234))

What this means:

  • VNC Server is running
  • Listening on port 5900
  • Accessible on all interfaces (0.0.0.0)
  • Process name: vncserver-x11

⚠ Remember the port number (5900) — you’ll need it in the next step.

If VNC is not running (no output appears):

Check the VNC service status:

sudo systemctl status vncserver-x11-serviced.service

If it’s inactive, start it manually:

sudo systemctl enable vncserver-x11-serviced.service
sudo systemctl start vncserver-x11-serviced.service

Then verify again:

sudo systemctl status vncserver-x11-serviced.service

It should say: active (running)

Perfect! VNC is running. Keep the terminal open — we’re moving to the next step.

Step 2. Adding VNC to the SSH Tunnel

Right now, your SSH tunnel only forwards SSH traffic (port 22). We’ll extend it to include VNC, so you can access your Raspberry Pi’s desktop remotely.

What We’re Doing:

We’ll tell SSH: “Everything arriving at port 5901 on EC2 should be forwarded to port 5900 on the Raspberry Pi (where VNC runs).” Port 5901 on EC2 will be the “entry,” and 5900 on the Pi — the “exit.”

2.1 Stop the Tunnel

On your Raspberry Pi (inside the SSH session), run:

sudo systemctl stop reverse-tunnel.service

Why stop it first:

To safely change tunnel settings. If you skip this, the old tunnel may conflict with the new configuration.

2.2 Edit the Tunnel Configuration

Open the service configuration file:

sudo vim /etc/systemd/system/reverse-tunnel.service

Quick vim refresher:

  • Move around: arrow keys
  • Start editing: press i (you’ll see -- INSERT -- at the bottom)
  • Edit as in a normal text editor
  • Save and exit: press Esc, type :wq, then press Enter
  • Exit without saving: Esc, then :q!

2.3 Find and Modify ExecStart Line

Locate the line starting with ExecStart=. It’s long — just append a new parameter at the end.

Before (old version):

ExecStart=/usr/bin/ssh -i /home/a528fe1/.ssh/id_tunnel ... -R 2222:localhost:22 tunnel@YOUR-EC2-IP

After (new version):

ExecStart=/usr/bin/ssh -i /home/a528fe1/.ssh/id_tunnel ... -R 2222:localhost:22 -R 5901:localhost:5900 tunnel@YOUR-EC2-IP

What we added:

-R 5901:localhost:5900 — this creates a reverse port forward:

  • 5901 — port on the EC2 server (public side)
  • localhost:5900 — port on the Raspberry Pi (where VNC runs)
  • So anyone connecting to EC2:5901 will be redirected to RPi:5900

2.4 Save the Changes

In vim:

  1. Press Esc
  2. Type :wq
  3. Press Enter

File saved successfully!

2.5 Reload and Start the Tunnel

Run these commands in order:

# Reload systemd configs
sudo systemctl daemon-reload

# Start the tunnel with new settings
sudo systemctl start reverse-tunnel.service

# Check status
sudo systemctl status reverse-tunnel.service

What to look for in the output:

Expected Result:

  • Status: active (running) in green
  • No red error lines
  • The process has been running for several seconds (check uptime)

2.6 Verify the Tunnel Includes VNC

Let’s confirm the SSH process is actually forwarding port 5901:

ps aux | grep ssh | grep tunnel

You should see a line like this:

a528fe1  12345  ... /usr/bin/ssh ... -R 2222:localhost:22 -R 5901:localhost:5900 tunnel@YOUR-EC2-IP

See -R 5901:localhost:5900?

Perfect — the tunnel is properly forwarding VNC. Time to check things on the EC2 server.

Don’t close the terminal, but you can safely exit Raspberry Pi:

exit

Step 3. Checking on the EC2 Server

Now let’s verify that the tunnel has reached the EC2 server and that port 5901 is open for connections.

3.1 Connect to Your EC2 Instance

In your computer’s terminal, run:

ssh -i ~/.ssh/rpi-tunnel-key.pem ubuntu@YOUR-EC2-IP

If you have an alias configured:

You can just type ssh ec2-tunnel (if you added it to your SSH config).

3.2 Check Tunnel Ports

On EC2, run:

sudo ss -tulpn | grep -E "2222|5901"

You should see one of these two cases:

Case 1 (local ports):

tcp   LISTEN   0   128   127.0.0.1:2222   0.0.0.0:*   users:(("sshd",pid=...))
tcp   LISTEN   0   128   127.0.0.1:5901   0.0.0.0:*   users:(("sshd",pid=...))

Case 2 (global ports, ideal):

tcp   LISTEN   0   128   0.0.0.0:2222   0.0.0.0:*   users:(("sshd",pid=...))
tcp   LISTEN   0   128   0.0.0.0:5901   0.0.0.0:*   users:(("sshd",pid=...))

Difference between the two:

  • 127.0.0.1 — port is only accessible locally (from EC2 itself)
  • 0.0.0.0 — port is accessible from anywhere (the Internet); this is what we need

If you see case 1 (127.0.0.1 only):

You need to enable GatewayPorts in the SSH configuration. Move on to the next step.

3.3 Enable GatewayPorts (if needed)

Check the current setting:

sudo grep -i gatewayports /etc/ssh/sshd_config

You should see:

GatewayPorts yes

If the line is commented out (#GatewayPorts) or missing entirely:

  1. Open the file: sudo vim /etc/ssh/sshd_config
  2. Find the GatewayPorts line or add it to the end
  3. Set it to: GatewayPorts yes
  4. Save with: Esc, :wq, Enter

What GatewayPorts does:

By default, the SSH server binds remotely forwarded ports to localhost (127.0.0.1) only. The GatewayPorts yes option binds them to all interfaces (0.0.0.0), making them accessible from the Internet.

Restart the SSH service:

sudo systemctl restart ssh

Don’t worry — this won’t disconnect your current SSH session.

3.4 Restart the Tunnel on Raspberry Pi

After making changes on EC2, restart the tunnel on your Raspberry Pi. Without closing the EC2 terminal, open a new terminal and run:

ssh rpi
sudo systemctl restart reverse-tunnel.service
exit

3.5 Check Ports Again on EC2

Back in your EC2 terminal, verify again:

sudo ss -tulpn | grep -E "2222|5901"

Now the ports should show as 0.0.0.0:

This means VNC is publicly reachable!
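
Added example, not part of the original guide: with GatewayPorts yes, sshd on EC2 binds the forwarded ports to every interface, so the Security Group is what decides who can reach them. The script below reports the GatewayPorts value sshd will actually use (sshd keeps the first value it reads, so a line appended at the end can be ignored) and which watched ports are bound to all interfaces. Function names and the SAMPLE_* inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how the reverse-tunnel ports are exposed on EC2.
# Function names are illustrative; SAMPLE_* inputs are constructed.

# Print the GatewayPorts value sshd will use, given sshd_config text on stdin.
# sshd keeps the FIRST value it reads for a keyword, so a line appended at the
# end loses to an earlier uncommented one. Only the global section (before any
# Match block) is read and Include files are not followed; on the server,
# `sudo sshd -T | grep -i gatewayports` prints the merged, effective value.
effective_gatewayports() {
    awk '
        /^[ \t]*#/ || NF == 0         { next }
                                      { sub(/=/, " ") }   # allow Keyword=value
        tolower($1) == "match"        { exit }
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }                    # OpenSSH default
    '
}

# Read `ss -tulpn` lines on stdin and print "<port> <scope>" for every watched
# TCP listener. $1 is a comma-separated list of ports, e.g. 2222,5901.
listener_scope() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "tcp" && $2 == "LISTEN" {
            port = $5; sub(/.*:/, "", port)        # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (!(port in watch)) next
            if (addr ~ /^127\./ || addr == "[::1]")
                scope = "loopback"
            else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
                scope = "all-interfaces"
            else
                scope = "address:" addr
            print port, scope
        }
    '
}

# Print the watched ports bound to all interfaces on one line. These are the
# ports that only the Security Group protects from the Internet.
public_listeners() {
    listener_scope "$1" | awk '$2 == "all-interfaces" { print $1 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sshd_config: the commented line is ignored, the first real
# GatewayPorts line wins, the one appended at the end has no effect.
SAMPLE_CONF='#GatewayPorts no
Include /etc/ssh/sshd_config.d/*.conf
GatewayPorts yes
PasswordAuthentication no
GatewayPorts no'

# Constructed `ss -tulpn` output in the layout shown in step 3.2.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*         users:(("sshd",pid=912,fd=9))
tcp   LISTEN 0      128    0.0.0.0:5901       0.0.0.0:*         users:(("sshd",pid=912,fd=11))
tcp   LISTEN 0      128    [::]:5901          [::]:*            users:(("sshd",pid=912,fd=12))'

printf 'effective GatewayPorts: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CONF" | effective_gatewayports)"
printf 'bound to all interfaces: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SS" | public_listeners 2222,5901)"
```

On the EC2 server, feed the functions live data with `sudo cat /etc/ssh/sshd_config | effective_gatewayports` and `sudo ss -tulpn | public_listeners 2222,5901`.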

3.6 Test Local Connection

Let’s check if port 5901 is responding locally on EC2:

nc -zv localhost 5901

What this command does:

  • nc (netcat) — a network utility
  • -z — checks availability without sending data
  • -v — verbose output

Expected output:

Connection to localhost 5901 port [tcp/*] succeeded!

Excellent! The port is open.

Locally on EC2, you can now connect to port 5901 — which forwards through the tunnel to your Raspberry Pi. The next step is to open this port in AWS Security Group.

Exit EC2:

exit

Step 4. Opening the Port in AWS Security Group

A Security Group is the virtual firewall for your EC2 instance. Right now, port 5901 is closed to the Internet. Let’s open it so you can connect to VNC from anywhere.

4.1 Open AWS Console

  1. Go to AWS Console
  2. Sign in to your account
  3. Select the region where your EC2 instance runs (for example Frankfurt — eu-central-1)
  4. Open Services → EC2

4.2 Find the Security Group

  1. In the left menu, click Instances
  2. Find and select your instance (for example rpi-tunnel-server)
  3. A details panel opens below
  4. Switch to the Security tab
  5. Click the Security Group name (for example sg-1234567890abcdef0)

4.3 Add a Rule for VNC

  1. Click Edit inbound rules
  2. Click Add rule
  3. Fill in the fields:
    • Type: Custom TCP
    • Port range: 5901
    • Source: choose one of:
      • 0.0.0.0/0 — access from anywhere (convenient but less secure)
      • My IP — access only from your current IP (more secure)
    • Description: VNC access to Raspberry Pi
  4. Click Save rules

Security recommendation:

If you always connect from the same place (home or office):

  • Use My IP — it’s safer
  • When your location changes, just update the rule in the Security Group

If you connect from different networks:

  • Use 0.0.0.0/0 for convenience
  • Make sure to use a strong VNC password (see the Alternative section)
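
Added example, not part of the original guide: the “My IP” recommendation expressed as AWS CLI calls, for when your location changes and the port 5901 rule has to follow. The function names are illustrative, 203.0.113.7 is a documentation address, and the script only prints the commands so you can review them before running.

```shell
#!/bin/sh
# Added example: pin the Security Group rule for a port to one IPv4 address.
# Function names are illustrative. Nothing here calls AWS; commands are printed.

# Validate a dotted-quad IPv4 address and print it as a single-host CIDR (/32).
to_host_cidr() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                      # split into octets (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s/32\n' "$ip"
}

# Print the AWS CLI calls that add a rule for NEW_IP and remove the old source.
# Usage: sg_pin_commands SG_ID PORT NEW_IP [OLD_CIDR]   (OLD_CIDR: 0.0.0.0/0)
sg_pin_commands() {
    sg=$1; port=$2; old=${4:-0.0.0.0/0}
    # Reject anything that is not a plain group id, port number or CIDR.
    case $sg in sg-|sg-*[!0-9a-f]*) return 1 ;; sg-*) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    case $old in ''|*[!0-9./]*) return 1 ;; esac
    cidr=$(to_host_cidr "$3") || { echo "not an IPv4 address: $3" >&2; return 1; }
    # Add the narrow rule first, then drop the wide (or outdated) one.
    printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port %s --cidr %s\n' \
        "$sg" "$port" "$cidr"
    printf 'aws ec2 revoke-security-group-ingress --group-id %s --protocol tcp --port %s --cidr %s\n' \
        "$sg" "$port" "$old"
}

# Demo with the guide's example group id and a documentation address.
# On your own machine the current address can come from:
#   curl -s https://checkip.amazonaws.com
sg_pin_commands sg-1234567890abcdef0 5901 203.0.113.7
```

After moving to a new network, pass the previous /32 as the fourth argument so the outdated rule is the one that gets revoked.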

4.4 Verify All Rules

In the Inbound rules list you should see at least the following entries:

Type | Port | Source | Purpose
SSH | 22 | My IP | Manage the EC2 server
Custom TCP | 2222 | 0.0.0.0/0 | SSH to Raspberry Pi
Custom TCP | 5901 | 0.0.0.0/0 or My IP | VNC to Raspberry Pi

Done! Port 5901 is now open for connections.

VNC Viewer can now connect to your EC2 instance on port 5901, and the traffic will be tunneled through to your Raspberry Pi.

Step 5. Verifying Your Domain

You can connect using your EC2 IP, but it’s easier to remember a domain name like my-rpi.ddns.net or home-pi.example.com. Let’s verify that your domain correctly points to your EC2 server.

5.1 Check DNS Record

You need an A record in your DNS zone pointing to your EC2 IP address.

Type | Name | Value | TTL
A | my-rpi | 18.185.123.45 | 3600

You can set this up in your DNS provider’s panel (Cloudflare, Namecheap, Route53, etc.). If you use Dynamic DNS (like DuckDNS or No-IP), the record is created automatically.

5.2 Test Domain Resolution

On your computer, check that the domain resolves to your EC2 IP:

nslookup my-rpi.ddns.net

Expected output:

Name:   my-rpi.ddns.net
Address: 18.185.123.45

Perfect — the domain points to your EC2 server.

You can now use my-rpi.ddns.net instead of the numeric IP in your connection settings.

If the IP doesn’t match:

  • Check if your EC2 Elastic IP has changed
  • Verify the DNS record in your provider’s control panel
  • Wait up to 5–10 minutes for DNS propagation

5.3 Optional: Verify Through Browser

Open your browser and visit http://my-rpi.ddns.net:5901. You’ll likely see a “Connection refused” or “Invalid response” message — that’s good!

Why that’s expected:

The VNC server doesn’t speak HTTP, so your browser can’t open it. But the fact that the connection attempt reaches the server confirms DNS and the port are working.

Great — your domain is now verified. Next, let’s install a VNC client and actually connect to your Raspberry Pi.

Step 6. Installing VNC Viewer

Now that the tunnel and domain are configured, it’s time to install the program you’ll use to access your Raspberry Pi’s desktop.

Recommended App:

RealVNC Viewer — the official, free client from the Raspberry Pi Foundation. It supports Windows, macOS, and Linux.

6.1 Download VNC Viewer

Go to https://www.realvnc.com/en/connect/download/viewer/ and choose the version for your system.

  • Windows: Installer (.exe)
  • macOS: Disk image (.dmg)
  • Linux: DEB / RPM package

6.2 Install the Application

Follow the on-screen installer instructions. No special configuration is required — the default options are fine.

Tip:

On macOS, if you see a “Security & Privacy” popup blocking the app, open System Settings → Privacy & Security → Open Anyway.

6.3 Launch VNC Viewer

After installation, open the app. You’ll see an empty window with an address bar at the top.

6.4 Enter Connection Address

In the address field, enter your EC2 public IP or domain name followed by :5901:

my-rpi.ddns.net:5901

Press Enter — a dialog will appear asking for your Raspberry Pi’s VNC password.

Default VNC Password:

If you’ve never changed it, use the same password you use to log into Raspberry Pi’s desktop. You can change or reset it via sudo raspi-config → Interface Options → VNC.

Connection Successful!

You should now see your Raspberry Pi’s desktop in the VNC Viewer window. You can use your mouse and keyboard as if you were sitting in front of it.

That’s it — your VNC connection through AWS EC2 is ready! In the next step, we’ll test and troubleshoot the setup.

Step 7. Connect via VNC! 🎉

Everything’s ready! You’re about to see your Raspberry Pi desktop remotely for the first time. It’ll only take a minute.

7.1 Launch VNC Viewer

Open the VNC Viewer application on your computer.

7.2 Enter the Connection Address

At the top of the VNC Viewer window you’ll see an address field.

If you have a domain, type:

YOUR-DOMAIN.example.com:5901

Or use your IP address directly:

YOUR-EC2-IP:5901

What “:5901” means:

The colon and number after the address represent the port number. You’re telling VNC Viewer: “Connect to this address, but use port 5901 instead of the default one.”

7.3 (Optional) Save the Connection

To avoid typing the address every time, you can save it:

  1. Click File → New connection
  2. In VNC Server, enter YOUR-DOMAIN.example.com:5901
  3. In Name, give it a friendly label like Raspberry Pi Home
  4. Leave all other fields at their default values
  5. Click OK

The connection is now saved — next time, simply double-click it to connect.

7.4 Connect

Press Enter or double-click the saved connection.

7.5 Security Warning (First Time Only)

You might see a warning window:

"The identity of this computer cannot be verified"

or

"The signature of the VNC Server could not be verified"

Why this appears:

The VNC Server on your Raspberry Pi doesn’t use a trusted SSL certificate (like websites with https://). For personal use, that’s perfectly fine and safe, because all traffic is already encrypted inside the SSH tunnel.

Click Continue or Connect.

7.6 Enter the VNC Password

An Authentication dialog will appear asking for your password.

Which password to use:

On Raspberry Pi OS, the VNC Server uses your user account password by default — the same one you use to log in to the system.

In our example: 0fa65eb3e31c (for user a528fe1)

Enter the password and click OK.

7.7 Success — You’re In! 🎉

Congratulations — It Works!

You should now see your Raspberry Pi desktop in the VNC Viewer window. From here you can:

  • Control the mouse
  • Type with your keyboard
  • Open applications
  • Work with files

Everything you do in VNC Viewer happens directly on your Raspberry Pi — it’s as if you were sitting in front of it with a monitor and keyboard, only now through the Internet!

Helpful Tips:

  • Fullscreen mode: Press F8 or the toolbar button in VNC → Full screen
  • Image quality: Right-click the connection → Properties → Options → Picture quality (choose Low / Medium / High)
  • Copy & paste: Works between your computer and the Pi through VNC’s shared clipboard

Extra Security Options

The setup you’ve built is already quite secure — traffic goes through an SSH tunnel and isn’t exposed to the public Internet. But if you want to tighten it even more, here are several additional layers you can add.

Use SSH Keys for Authentication

Disable password login for the Raspberry Pi and use SSH keys instead. This prevents brute-force attempts and strengthens your authentication.

# In the menu that opens, choose: Interface Options → SSH → Enable
sudo raspi-config
sudo nano /etc/ssh/sshd_config
# Set:
PasswordAuthentication no
# Apply the change:
sudo systemctl restart ssh

Restrict VNC Access by IP

In your AWS Security Group, limit inbound rules for port 5901 to only your current IP address. This prevents others from even attempting to connect.

Add Fail2Ban to EC2

Install fail2ban to automatically block IPs that repeatedly fail to log in via SSH. It adds a layer of active defense against scanning bots.

sudo apt update
sudo apt install fail2ban
sudo systemctl enable --now fail2ban

Use Cloudflare Tunnel (Alternative to SSH)

Cloudflare offers a free tunnel service (cloudflared) that lets you expose services like VNC or SSH securely — without needing to open any ports at all.

sudo apt install cloudflared
cloudflared tunnel login
cloudflared tunnel create rpi-vnc
cloudflared tunnel route dns rpi-vnc my-rpi.example.com

The tunnel connects from your Pi directly to Cloudflare’s global network — no need for EC2 or port forwarding.

Summary

  • Use SSH keys — disable password login
  • Restrict VNC access by IP in AWS
  • Protect EC2 with fail2ban
  • Consider Cloudflare Tunnel for zero-exposure access

These steps are optional but highly recommended if you plan to leave your Pi online permanently.

Troubleshooting

If something doesn’t work as expected, don’t worry. Here are the most common issues and how to fix them step by step.

“Connection refused” in VNC Viewer

This means EC2 is reachable, but the VNC port isn’t open or forwarding properly.

  • Check if the tunnel is active on Raspberry Pi:
    sudo systemctl status reverse-tunnel.service
  • If it’s inactive — restart it:
    sudo systemctl restart reverse-tunnel.service
  • Then on EC2, confirm port forwarding:
    sudo ss -tulpn | grep 5901

VNC freezes or lags

That’s usually due to limited bandwidth or CPU load on the Raspberry Pi.

  • Try lowering the VNC quality settings (in VNC Viewer → Properties → Options)
  • Close background processes on Raspberry Pi
  • Check your Internet upload speed at home

Tunnel stops working after reboot

The systemd service might not be enabled on boot.

sudo systemctl enable reverse-tunnel.service

Then restart your Raspberry Pi to test it:

sudo reboot

VNC connects, but screen is black

This happens when the VNC server doesn’t have an active desktop session.

  • Make sure your Raspberry Pi is running the desktop environment:
    sudo systemctl get-default

If it says multi-user.target, switch it to graphical mode:

sudo systemctl set-default graphical.target
sudo reboot

Can’t connect via EC2 IP but works via localhost

Check the GatewayPorts setting on EC2 — it must be set to yes in /etc/ssh/sshd_config.

Restart SSH on EC2 after changing it:

sudo systemctl restart ssh

General Diagnostics

Use these commands to inspect your connection and logs:

# Check if the tunnel is active
sudo systemctl status reverse-tunnel.service

# View system logs
journalctl -u reverse-tunnel.service -n 30

# Check network sockets
sudo ss -tulpn | grep ssh

# Test connection from EC2
nc -zv localhost 5901

Still stuck?

Double-check each layer: Raspberry Pi → Tunnel → EC2 → Security Group → VNC Viewer. The issue almost always lies in one of those hops. Once all are aligned, it works flawlessly.

Useful Commands

Here’s a quick reference of all the main commands used in this guide — organized by where you run them. Save this list for later.

On Raspberry Pi

# Check VNC port
sudo ss -tulpn | grep 590

# Restart VNC server
sudo systemctl restart vncserver-x11-serviced.service

# Check tunnel status
sudo systemctl status reverse-tunnel.service

# Restart tunnel
sudo systemctl restart reverse-tunnel.service

# Enable tunnel on boot
sudo systemctl enable reverse-tunnel.service

On EC2 Server

# Check listening ports
sudo ss -tulpn | grep -E "2222|5901"

# Restart SSH if GatewayPorts changed
sudo systemctl restart ssh

# Check VNC port locally
nc -zv localhost 5901

On Your Computer

# Test EC2 port from your machine
nc -zv YOUR-EC2-IP 5901

# Connect to Raspberry Pi via tunnel
ssh rpi

# Connect to EC2 server
ssh -i ~/.ssh/rpi-tunnel-key.pem ubuntu@YOUR-EC2-IP

Tip

Keep these commands in a separate cheat sheet or note — they’ll help you quickly check or restart your tunnel and services when something goes wrong.

That’s it — you’ve completed the full setup! Your Raspberry Pi is now accessible from anywhere via a secure and private VNC connection.

Final Overview: How Everything Works Together

1. Your Computer (anywhere in the world)

VNC Viewer connects to YOUR-DOMAIN.example.com:5901

2. EC2 Server (Amazon AWS Cloud)

IP: YOUR-EC2-IP, port 5901 is open in the Security Group

3. SSH Tunnel (encrypted channel)

Reverse tunnel created by Raspberry Pi: EC2:5901 → RPI:5900

4. Raspberry Pi (at home behind a router)

VNC Server running on port 5900, user a528fe1

Quick Access Credentials:

Domain / IP: YOUR-DOMAIN.example.com or YOUR-EC2-IP
VNC Address: YOUR-DOMAIN.example.com:5901
VNC Password: 0fa65eb3e31c (Raspberry Pi user password)
SSH to RPi: ssh rpi
SSH to EC2: ssh -i ~/.ssh/rpi-tunnel-key.pem ubuntu@YOUR-EC2-IP

Congratulations! 🎉

You now have full remote access to your Raspberry Pi from anywhere in the world:

  • SSH for the command line
  • VNC for the graphical desktop
  • Secure encrypted connection
  • Works behind any router with no setup required
  • Accessible through a custom domain

What’s Next?

Now that you have full remote access, your Raspberry Pi can serve as the foundation for countless creative and practical projects:

Home Server

Install Nextcloud for your own private cloud storage, Plex for a media server, or Pi-hole to block ads across your entire home network.


Smart Home

Set up Home Assistant to control all your smart devices from a single dashboard. Manage lights, temperature, and cameras from anywhere.


Monitoring & Automation

Use your Pi for server monitoring, metrics collection, or task automation. Install Grafana for beautiful dashboards, or Node-RED for workflow automation.


Learning & Experiments

Learn Linux, programming, networking, or databases. You now have your own personal 24/7 lab server, accessible from anywhere in the world.

