Note: this article assumes having net/tigervnc installed as a Xvnc binary provider
For my Rpi3, I wrote a vncserver rc(8) service script which starts a standard Xvnc server for a single, dedicated (with restricted class capabilities set in login.conf), unprivileged user upon boot:
#!/bin/sh
# PROVIDE: vncserver
# REQUIRE: NETWORKING SERVERS DAEMON LOGIN
# KEYWORD: shutdown
$_rc_subr_loaded . /etc/rc.subr
name=vncserver
rcvar=$name
VNCSERVER=/usr/pkg/bin/vncserver
load_rc_config $name
vncdir="/home/vnc/.vnc"
required_files="${vncdir}/passwd ${vncdir}/xstartup"
start_cmd="vncserver_start"
stop_cmd="vncserver_stop"
: ${vncserver_user="vnc"}
: ${vncserver_display="1"}
: ${vncserver_depth="24"}
: ${vncserver_geometry="1024x768"}
vncserver_start()
{
CMD="$VNCSERVER -depth ${vncserver_depth} -geometry ${vncserver_geometry} :${vncserver_display}"
su -l ${vncserver_user} -c "${CMD}"
}
vncserver_stop()
{
CMD="$VNCSERVER -kill :${vncserver_display}"
su -l ${vncserver_user} -c "${CMD}"
}
run_rc_command "$1"
Put it in /etc/rc.d, change its permissions to 555 and have it started:
$ echo vncserver=YES >> /etc/rc.conf
$ service vncserver start
Make sure a suitable TERM definition is set system-wide in /etc/profile, otherwise tset shall prompt you to interactively provide one. Also, the service requires ~/.vnc/passwd and ~/.vnc/xstartup to be present and readable; my ~/.vnc/xstartup:
PATH=/bin:/usr/bin:/usr/X11R7/bin:/usr/pkg/sbin:/usr/local/bin
unset SESSION_MANAGER.
unset DBUS_SESSION_BUS_ADDRESS
LC_LANG="en_US.UTF-8"; export LC_LANG
LC_CTYPE="en_US.UTF-8"; export LC_CTYPE
setxkpmap it
xsetroot -grey
xset m 55/20 4
xset r rate 250 40
xset +fp /usr/pkg/share/fonts/X11/artwiz-aleczapka/
xset +fp /usr/pkg/share/fonts/X11/Dina/
xrdb ${HOME}/.Xresources
xmodmap ${HOME}/.xmodmap
xclock &
xload &
ctwm -W &
For LAN session, you may want to additionally configure a npf(7) firewall to allow incoming VNC connections on local network only and reject everything else.
$NIC = ifaddrs(<your network interface here>)
$LAN = { 192.168.1.1/24 }
alg "icmp"
group default {
pass final on lo0 all
pass stateful out final all
pass stateful in final proto tcp from $LAN to $NIC port 5901
block return in final all
}