vnc is insecure by nature. Thus, use it through ssh tunneling:
ssh -L 999:localhost:5900 <—on local host port 999, listen for local connections, and “bind it to remote host’s localhost:5900 (remote host’s localhost = remote host).
Now, vnc to localhost port 999. It’ll go through ssh’s port 22.