diff --git a/start-vnc b/start-vnc
index 4c7010ec7410e62f4461476d5b21493a4630558a..9fe1bdeaab8b32ec5e7583116d8ddfa248c10bde 100755
--- a/start-vnc
+++ b/start-vnc
@@ -288,13 +288,18 @@ main () {
     echo "Vncserver started on node ${vnc_host}.dkrz.de display \
 :${vnc_display}."
 
-    local vnc_port=$((5900+${vnc_display}))
-    ssh -o ForwardX11=no \
-        -o StrictHostKeyChecking=accept-new \
-        -L "${vnc_port}:localhost:${vnc_port}" \
-        -Nf \
-        "${SVNC_USERNAME}@${vnc_host}.dkrz.de";
-
+    local vnc_port_local=$((5900 + RANDOM % 100))
+    # WSL doesn't seem to detect used ports so randomize
+    # local port to reduce risk of masking.
+    local vnc_port_remote=$(( 5900 + vnc_display ))
+    while ! ssh -o ForwardX11=no \
+            -o StrictHostKeyChecking=accept-new \
+            -L "${vnc_port_local}:localhost:${vnc_port_remote}" \
+            -Nf \
+            "${SVNC_USERNAME}@${vnc_host}.dkrz.de"; do
+        vnc_port_local=$((5900 + RANDOM % 100))
+        echo "Trying local port ${vnc_port_local}."
+    done
     local client_options
     client_options="${SVNC_CLIENT_OPTIONS:-}"
     if [[ ${SVNC_PASSWORD} = "true" ]]; then
@@ -303,7 +308,7 @@ main () {
         client_options+=" -passwd vnc_passwd"
     fi
     echo "Connecting vncviewer to ${vnc_host}.dkrz.de"
-    "${SVNC_CLIENT}" ${client_options} :${vnc_display}
+    "${SVNC_CLIENT}" ${client_options} :$(( vnc_port_local - 5900 ))
 }
 
 main "$@"