Apache Guacamole (apache.org)
503 points by WallyFunk on Dec 4, 2021 | 116 comments



I have used Apache Guacamole to access running GitHub Actions workflows as remote desktops. It worked super well for testing GUI apps on other operating systems that I didn't want to deal with setting up.

It's also nice if you want to run a GUI application in someone else's sandbox.

https://github.com/jstrieb/ctf-collab/blob/9300c57364f71fe29...


It's also really good if you're standing up old VMs (e.g. testing older OSs/setups from images).

I think Microsoft, for a time, offered VMs for such testing... Or maybe it was a third party... Guacamole would be a very good gatekeeper in this situation so the end users don't need virtualization themselves.

If the network is otherwise set up correctly, you can reasonably safely run Windows XP behind Guacamole. Of course, I don't recommend that, but it proves that you can write software and then see how any OS or setup runs your code/website/software... without worrying that your VM might be compromised in 60 seconds.

As an aside, the siting of virtualization is also helpful for schools... A Chromebook can access Guacamole to get to a VM... But a Chromebook can't run a VM itself.


We adopted Guacamole for access to some of our Windows server production environments; the great thing about it is you can put your corporate SSO / authorization model into a web app to control access and not have to disclose credentials to service accounts to developers. You can also tap off a feed from the guacd that represents a complete screen recording and save it for audit trail purposes.

The only issue we've had is that FreeRDP (that underlies it for connectivity to Window servers) is a bit fussier than the native RDP environment, or at least we've had challenges getting equivalent compatibility across old/odd Windows configurations.


Out of interest, we have SAML and OpenID Connect. How do you manage passing the SSO to Windows after displaying the web portal? I couldn't see anything in the Guacamole pages, but Citrix manages this, where you sign in to the web portal, click a desktop, and don't have to log in. Do you get a Kerberos ticket, do you have something running on the Windows host, or how?


The users don't log in with their own identities - we don't have developer accounts on production hosts. They log into service accounts: credentials are retrieved from a vault once the user has been authorized, after which the web application dynamically configures the RDP host/account/credential.


From his comment it seems like they use a service account and thus hardcoded username + password on the Guacamole side rather than doing what Citrix does


I have a question. I could "never" understand Guacamole. I mean I currently use ZeroTier for clients/server and rdpwrap to get a bulletproof setup.

Is there some sort of FOSS "server" implementation of RDP so as to avoid using rdpwrap? I know VNC but I need multiple users connected at the same time...


Setting it up via Docker container is a lot easier than a custom setup.

I really am not a fan of Guacamole. I love the idea and convenience of having everything running in the browser from the client side, but I much prefer a real RDP session (via VPN) to having it in the browser. Why? Keyboard shortcuts! I am soooo much slower because browsers (not guac's fault - but at the same time it is its fault since I would love a native client) can't catch all keys (e.g. Windows key). ALT-TAB? Yeah you just tabbed away from Guac. Or the new fancy WIN-TAB, no way that gets passed on to Guac. Also the file sharing experience is worse. RDP? Just drag and drop or Ctrl-C, Ctrl-V. That doesn't always work in Guac…


IIRC you can install the guac site as a PWA in your browser and sometimes the browser then allows more keyboard events to bubble up from the OS to the javascript layer where guac lives. Doesn't fix everything, but it can help.


Advantage to guacamole is you can have a corporate controlled middle man... You might set your server username to root/root, but that's not a problem if you can only get to it by guacamole.. I mean it's not great, but guacamole can face the world and be the castle to defend, not a dozen or hundred maybe-managed servers...


The security is probably better if you enable HTTPS than RDP?

When I use RDP it is always over SSH (port tunnel)


Yes. And many corporate and government networks deny list all traffic on ports other than 80/443, so RDP just is not an option in many cases. VDI over HTTPS also means users don't need a separately installed RDP client and can just access the VDI via their browser.


Can easily enable reverse SSH at home through 443 and 80. Log in with RDP just to enable the reverse-SSH and use that for RDP.

The benefit is that you can access other things than RDP with this solution.


That’s why I said via VPN, but yes of course it’s more secure if you add another layer - I wouldn’t say more secure than SSH or VPN.


Yeah I kinda just stick to ssh tunnel+ssh keys+VNC. Old school :)


Real VNC or other client / server ?


Couldn't Guacamole hijack the keyboard shortcuts?

One of the reasons I hate Wrike is that it hijacks Command-Shift-N (New private window) in Safari.


have you tried fullscreen mode? At least on vscode-server some shortcuts only work on that mode (probably using the browser Fullscreen API?)


Using it mainly because of the paranoia of just exposing RDP to the internet. Http(s) is very convenient to add more layers of security, in my case via NGINX (both as LXC containers in Proxmox). I'm using a wildcard domain *.myhome.tld pointed to my static IP. Guacamole is hosted at try_guess_me.myhome.tld, with NGINX basic auth same for all subdomains (further protected by fail2ban). So in total 3 tokens are required (subdomain and basic auth username and password) just to get to the Guacamole login page, where additional username/password + 2FA are required. I used to expose RDP directly for years, but after a chat with a colleague before vacations and a purchase of a NUC for a homelab server decided to strengthen the security slightly.

RDP is still much better user experience, so once when I needed a longer session I used Guacamole to access my router admin interface and temporarily expose RDP directly via a random port and a very strong password. I'm still not convinced that the latter combination is not enough, but it's better to be safe than sorry.
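The comment above chains NGINX basic auth and fail2ban in front of the Guacamole login page. The snippet below is an added example, not code from the commenter or from the Guacamole or fail2ban projects: it runs fail2ban-style detection over constructed nginx "combined" access log lines. The practitioner detail it shows is that a 401 with `$remote_user` equal to "-" is just the challenge nginx sends on a browser's first request and must not count as a failure, while a 401 that carried a username is a real wrong-password attempt. IP addresses and usernames in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format. $remote_user is "-" when the request carried no
# Authorization header; otherwise it is the username the client sent, whether
# or not the password matched. Only the prefix up to the response size is needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?:\d+|-)'
)

# Constructed sample: one legitimate user (challenge, then success), one
# password-guesser hitting five usernames in five seconds, one IPv6 user
# who typoed a password once, and the legitimate user starting a new session.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Dec/2021:22:00:01 +0000] "GET / HTTP/1.1" 401 195 "-" "Mozilla/5.0"',
    '198.51.100.7 - alice [04/Dec/2021:22:00:02 +0000] "GET / HTTP/1.1" 200 1032 "-" "Mozilla/5.0"',
    '203.0.113.9 - admin [04/Dec/2021:22:01:10 +0000] "GET / HTTP/1.1" 401 195 "-" "python-requests/2.26"',
    '203.0.113.9 - root [04/Dec/2021:22:01:11 +0000] "GET / HTTP/1.1" 401 195 "-" "python-requests/2.26"',
    '203.0.113.9 - alice [04/Dec/2021:22:01:12 +0000] "GET / HTTP/1.1" 401 195 "-" "python-requests/2.26"',
    '203.0.113.9 - guest [04/Dec/2021:22:01:13 +0000] "GET / HTTP/1.1" 401 195 "-" "python-requests/2.26"',
    '203.0.113.9 - test [04/Dec/2021:22:01:14 +0000] "GET / HTTP/1.1" 401 195 "-" "python-requests/2.26"',
    '2001:db8::1 - alice [04/Dec/2021:22:05:00 +0000] "GET / HTTP/1.1" 401 195 "-" "Mozilla/5.0"',
    '2001:db8::1 - alice [04/Dec/2021:22:05:04 +0000] "GET / HTTP/1.1" 200 1032 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Dec/2021:23:10:00 +0000] "GET / HTTP/1.1" 401 195 "-" "Mozilla/5.0"',
]


def parse(line):
    """Return (ip, remote_user, timestamp, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["user"], ts, int(m["status"])


def failed_auths(lines):
    """401 responses to requests that actually carried credentials.

    A 401 with remote_user '-' is the initial challenge, not an attempt:
    counting those would ban every legitimate user on their first visit.
    """
    events = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, user, ts, status = rec
        if status == 401 and user != "-":
            events.append((ip, ts, user))
    return events


def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """IPs whose failed attempts reach `threshold` inside any sliding `window`.

    Returns {ip: peak_failures_in_window} for the IPs that should be banned.
    """
    by_ip = defaultdict(list)
    for ip, ts, _ in failed_auths(lines):
        by_ip[ip].append(ts)

    result = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # slide the window start forward until it is within `window` of t
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result[ip] = peak
    return result


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {n} failed basic-auth attempts")
```

With the sample, only 203.0.113.9 crosses the default threshold; the two "-" challenges from 198.51.100.7 and the single typo from the IPv6 client do not. For clients on a mobile network with a changing IPv6 address (as mentioned later in the thread), banning the whole /64 rather than a single address is the usual adjustment, and the threshold should stay comfortably above the one or two failures a human produces.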


You might also consider an IP whitelist. The firewall is still probably the best place to stop any unwanted connection attempt. Also gives you good protection against zero days. Have a central location for what IPs are allowed to connect (like aws s3) and the server downloading it every 5min, and applying it to the firewall if it changed.
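The comment above describes a cron job that pulls a central allowlist every few minutes and updates the firewall only when it changed. The code below is an added example, not code from the commenter or the Guacamole project: it does the parse, change-detect and render steps in Python and emits an nftables script that replaces the set contents in one transaction. The fetch itself (for instance `aws s3 cp` to a local file) is left outside the example, and the table and set names `inet filter`, `guac_allow4` and `guac_allow6` are hypothetical; the allowlist text is constructed. The points worth seeing are the ones that keep you from locking yourself out or opening the port to everyone: a malformed line, an empty list, or a `0.0.0.0/0` entry abort the run instead of being applied.

```python
import hashlib
import ipaddress

# Constructed sample allowlist in the format the script accepts:
# one IP or CIDR per line, '#' comments, duplicates tolerated.
SAMPLE_ALLOWLIST = """\
# office egress
198.51.100.7
# home
203.0.113.0/24    # whole /24 from the ISP
2001:db8:1234::/48
198.51.100.7      # duplicate on purpose
"""


def parse_allowlist(text):
    """Parse the central allowlist into a sorted, de-duplicated list of networks.

    Invalid lines raise instead of being skipped: applying a partial list can
    lock the admin out, and a typo like '0.0.0.0/0' or '::/0' would open the
    port to the whole internet, so both are refused. An empty list is refused
    for the same reason (a failed or truncated download must not flush the sets).
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as e:
            raise ValueError(f"line {lineno}: {line!r}: {e}") from None
        if net.prefixlen == 0:
            raise ValueError(f"line {lineno}: {line!r} would allow everyone")
        nets.append(net)
    if not nets:
        raise ValueError("allowlist is empty; refusing to lock everyone out")
    # sort by address family first so v4 and v6 networks are never compared
    return sorted(set(nets), key=lambda n: (n.version, n))


def render_nft(nets, table="inet filter", set4="guac_allow4", set6="guac_allow6"):
    """Render an nft script that atomically replaces both set contents.

    Hypothetical ruleset assumed to exist already, e.g.
        set guac_allow4 { type ipv4_addr; flags interval; }
        tcp dport 443 ip saddr @guac_allow4 accept
    `nft -f` applies the whole script as one transaction, so there is no
    window in which the sets are empty.
    """
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    lines = [f"flush set {table} {set4}", f"flush set {table} {set6}"]
    if v4:
        lines.append(f"add element {table} {set4} {{ {', '.join(v4)} }}")
    if v6:
        lines.append(f"add element {table} {set6} {{ {', '.join(v6)} }}")
    return "\n".join(lines) + "\n"


def sync(fetched_text, last_digest):
    """One cron run: return (nft_script, new_digest) if the list changed,
    else (None, last_digest). The digest is what you would persist in a
    state file between the 5-minute runs."""
    digest = hashlib.sha256(fetched_text.encode()).hexdigest()
    if digest == last_digest:
        return None, last_digest
    nets = parse_allowlist(fetched_text)
    return render_nft(nets), digest


if __name__ == "__main__":
    script, digest = sync(SAMPLE_ALLOWLIST, None)
    print(script, end="")          # feed this to `nft -f -`
    print(sync(SAMPLE_ALLOWLIST, digest))  # (None, digest): nothing to do
```

In a real cron job you would fetch to a temporary file, call `sync` with the previous digest, pipe the returned script to `nft -f -`, and only then write the new digest, so a failed apply is retried on the next run. The firewall is a good place for this, as the comment says, but note the five-minute lag before a newly added client IP is accepted.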


In most cases I use it via my smartphone with dynamic IPv6. A whitelist for a train trip is impossible.


But don't you keep the same IP as you roam by train? All you need is a way to whitelist your new IP easily (I created a website that has just a button for that), and wait less than 5 minutes for the server to pick up the new list.


I've just checked before replying above, IP changes on every reconnect while being in the same room. It would be really bad usability with a whitelist. In my setup only 2FA cannot be saved in a browser, and login session is valid for a long time, so I do not have to re-login on every reconnect.


There is an IP ban / fail2ban app for windows and RDP, nice extra layer.


For a lot of my stuff, the devices' domain is only resolvable on my WireGuard DNS and access is allowed only from WireGuard's subnet.


I wanted to avoid VPN both for my main working/dev machine and clients. What if VPN does not go up after hard reboot due to some weird loading order while I'm not logged in (e.g. electricity failure)? Both that machine and Guacamole/NGINX host are configured to autostart after powering off. This is the first thing I tested. For clients, I do not want to have VPN on each of them. And what if I need to use a random machine? Multi-layer opaque https endpoint seems safe enough.


Fair point, I have a Pi 4 running Pi-hole and WireGuard so it starts up and runs everything on power. Also the boot disk is on ZFS so it scrubs each week in case of microSD corruption.

The Wireguard in Docker automatically generates new client configs from ENVS.


I'm about to leave a system running on a Pi 4 for a few months. Any details on your advice? Based on cursory googling [1] your setup looks non-trivial.

[1]: https://forums.raspberrypi.com/viewtopic.php?t=284991


It was actually pretty easy, I’ve used these guides for zfs on most of my Linux infra.

https://openzfs.github.io/openzfs-docs/Getting%20Started/Ubu...


Guacamole and tailscale make my life so much easier when I’m away from home. Serving up guac from a machine with tailscale / wire guard means I can get to it without exposing it to the internet, or worrying about a home IP changing.


So is the domain you end up going to a tailscale subdomain or something? And that allows you to hit your home computer that's running the Guacamole server?


I'm really looking forward to having all my working stuff in the cloud. However, it's so annoying sometimes that networking is not suitable yet to work from ANYWHERE. Especially in public places where you can pull a laptop from the bag and start working, with remote it's mostly a challenge.


I've found that having a dedicated WiFi hotspot mostly solves this issue, as long as you're somewhere with decent cell service.

I haven't tried it with desktop streaming, but VS Code remote development is a dream, even with little bandwidth.


My local library has WiFi Hotspots to checkout for free. They are T-Mobile hotspots and Fast.com reports:

35Mbps down (steady)

3Mbps up (decays quickly suggesting shown upload is "boost" / "burst" speeds or possibly throttled heavily in some other manner)


It doesn't really work well. Network coverage differs from place to place. Also, whenever you sit in some shitty coworking, their wifi should give you a hard time getting this working.


Ah the memories of going for a coffee break at the university, as $HOME failed to mount over NFS due to a bad terminator on the campus network.


Setup wireguard


Past related threads:

Apache Guacamole 1.1.0 - https://news.ycombinator.com/item?id=22190251 - Jan 2020 (50 comments)

Apache Guacamole – Clientless remote desktop gateway - https://news.ycombinator.com/item?id=21660925 - Nov 2019 (40 comments)

Apache Guacamole – A clientless remote desktop gateway - https://news.ycombinator.com/item?id=15778902 - Nov 2017 (41 comments)

Guacamole – A clientless remote desktop gateway - https://news.ycombinator.com/item?id=15389727 - Oct 2017 (216 comments)

Apache Guacamole - https://news.ycombinator.com/item?id=11744430 - May 2016 (57 comments)

Also:

Fixing critical vulnerabilities in Apache's remote desktop - https://news.ycombinator.com/item?id=23715212 - July 2020 (8 comments)


The video on the main page is amazing. Rare that a product demo video is both entertaining and informative with a high information density!


Love it!

That said:

"We call it clientless because no plugins or client software are required.

Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser."

So... the web browser is the client software. Why not just come out and say that instead of first calling it fairly misleadingly "clientless"?


I actually disagree tbh - web browsers are so ubiquitous at this point that I would consider them a core part of the desktop at this point. If I can use just the "core tools" of my OS to access something I would consider that clientless for all intents and purposes


Moreover, something like VNC has so many variants that one server might only support one client vs another. So even with a standardized "client", you can still have issues. I don't think this is much of an issue with RDP, but by using HTML5, this just avoids that entire issue.


It's hard to believe this was 20+ years ago: https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor....


They do, immediately. I was confused for a second but since the next sentence clarified it I can't see the issue.


"You don't need a hammer to bang our nail. Simply use a hammer."

vs.

"You don't need a special hammer to bang our nail. Simply use your existing hammer."


More like "You don't need any tools for this, just use your thumb."

The idea being that every computer you own and happen to come across has a browser already. You will not need to install a client so it doesn't matter that you don't have rights to do so or don't want to pollute someone else's computer.

It is pretty straight forward.


I hate this description too, because client software is needed, it's just that special or dedicated client software is not needed. It's just misleading to add flavor to the description.


Because every modern device has a modern browser included. I think most people understand this and that might be why you’re getting downvoted.

What would a clientless (aka no additional client software to install) might work?


Well, networking always requires some sort of client software, calling it "clientless" because most systems most likely already have the required software rubbed me the wrong way.

But I think I get it now, it's probably a tongue in cheek reference to "serverless" :P


I'm with you. I was confused by that term. Why not 'browser based remote desktop'? I've never heard anything happening in a browser called clientless before. In fact it is usually explicitly called a client, e.g. client side rendering.


That’s a good point. Avoiding calling it browser based and using a euphemism like client-less probably should have annoyed me more.


Used the guac to host 100+ sessions for researchers and devs at my previous company. Performed well and using docker made it a breeze to deploy in the cloud and it also tied into my IPA infrastructure nicely for central authentication. I did not play with the screen recording feature though.


I use guacamole. It is awesome and super convenient. Nice insulation from various protocol bugs too. I don’t care what exploitable bugs RDP server in windows has if I access it only over guac.


I don't see any window installation/compilation guide. Do you know about any pre compiled windows executables (client + server)?


I run it on my home Linux server (a nook color tablet with an Ubuntu Linux chroot) to access my home windows server remotely.


next level recycling!


It is all due to this. No r-pi or anything like it is ever this stable:

   root@localhost:~# uptime
    22:21:32 up 3139 days, 19:42,  1 user,  load average: 0.00, 0.01, 0.05
   root@localhost:~#


It’s Java and Tomcat, so should work fine on Windows. I’d highly suggest using Linux + Docker in a VM or something though, it’ll be a way faster setup (configuring Guacamole manually is a pain in the rear, there’s good Docker containers out there that do it for you).


Do you need a static ip address for it?


You could always use an IPv6 address, or setup something like Tailscale.


As silly and astonishing as it is, I've heard from some (mostly American) ISPs that a static IPv6 subnet is either not available for consumers or costs extra.

Yes, that's right, some ISPs rotate IPv6 subnets, negating many things IPv6 was invented for in the first place.

Tailscale, Nebula or any of the automagical VPN solutions you can run yourself (like Innernet, https://github.com/tonarino/innernet) will probably negate the issue as long as you can reach some server with a static IP.


Of course, because if you can use it to offer services, it’s a ‘pro’ connection!


Do other people use dynamic DNS services offered by domain registrars? I've use one for years and never have had an issue.


I've never needed to. I don't think I've ever been with a non-mobile consumer ISP that rotated IPs enough for it to matter. Maybe if I took the modem offline for more than a week or if I moved, but those are the only times I've ever had to update the necessary IP addresses.

It's still not a great fix, of course, because DDNS still causes outages while intermediate servers wait for their TTLs to expire and caches to clear, which means your record could point to the wrong IP for at least one minute per switch. That's fine for a mail server, but not great for other applications that don't handle servers dropping from the network so well.


Dynamic IP + DynDNS works just fine. Getting DynDNS can be accomplished via many routes.

- Even old routers support at least noip.com and update the IP when it changes

- major DynDNS providers have a custom tool you can install, running in the background sending the current IP every minute or so

- every major registrar has a DNS API, which allows you to send IP updates in a simple curl command, and putting that command into crontab automates this as well.


On what side?

The server software can run on any address as long as you don't hardcode the listening IP, just like any other web server. You'd need a way to have the URL point to the right server, of course, so DDNS or similar is a necessity if your server doesn't have a static public IP.

The desktop connections to the machines from Guacamole are tuples of { protocol configuration, hostname/IP, credentials }. If you specify the device Guacamole connects to by its IP and then that IP changes, the connection and configuration will break. You can probably work around that with some kind of dynamic DNS setting, or maybe local name resolution (LLMNR and friends) if the machines are on a flat network.

TL;DR you don't need it, but it helps.


just use tailscale. seriously it’s what you want


I use a dyndns thing I host on my VPS


We put an intermediary to them behind sso. Only the intermediary can get to the machine and forward guacamole traffic. Solves the no password / everyone in the company having access to test machines. We have a little script that registers endpoint machines with the intermediary and who can access the machine / when. We even log and do time block. The intermediary does password rotation with vault.


I'd almost used Guacamole at my previous company, GKN Driveline. My boss wanted to set up something to let people xvnc into servers effortlessly. We were dealing with mechanical engineers who weren't great with Linux tools. I never stayed long enough to implement it and my replacement had his hands full with other projects, but I really was excited about Guacamole and want to try it out some day. It seems like a great project, and might not get the same appreciation in tech spaces as it would in non-software companies which deal with something like Beowulf clusters or their like.


meshcentral is another nice free software for remote desktop and more:

https://github.com/Ylianst/MeshCentral

https://twitter.com/MeshCentral

https://www.youtube.com/channel/UCJWz607A8EVlkilzcrb-GKg

Disclaimer: we installed MeshCentral to enable student access to regular physical desktop machines during COVID-19.


Tried Guacamole and it was ok. For this type of stuff a simple WireGuard VPN is much better. However, if you must serve apps remotely via browser, I find KASM WorkSpaces a superior solution.


That was a heck of a demo. I wonder how many takes that took.


The nice thing about Guacamole is that you can wrap just about anything on it and get at it from most browsers (although it can be a pain to use from an iOS client).

Only the other day I wrapped an old version of a mind mapping desktop app so I could open my old files on it without installing it: https://github.com/rcarmo/docker-xmind


We have a customer that was using ports directly exposed to the Internet to get to embedded VNC servers in some plant monitoring gear. I set them up a Guacamole VM from Bitnami or Turnkey on their environment and turned them loose on it. Since self-hosting and 100% control is exactly what they want, they loved it and we don't have to worry about hundreds of Internet-exposed VNC servers with the same single password.


I personally use Chrome Remote Desktop for type of access. If you don't mind trusting Google for tunneling, it works great.


yeah, Chrome Remote Desktop is a wonderful piece of engineering. Pretty much just works and was trivial to install. Needed it to remote into a physical machine that sometimes would have no internet, so I'd use an old MacBook Pro running Chrome Remote Desktop to "kick off" the VM before figuring out a better way to accomplish this entire process altogether. I am fairly surprised that they haven't made it a paid feature of G Workspaces or whatever its called now lol


I've been using it for years, and it just works.

Though every so often you need to reinstall the remote access software


A popular docker image for calibre uses Guacamole:

https://github.com/linuxserver/docker-calibre

It’s not as smooth as a web application but it works well. Might be useful as a reference if you want to setup your own instance too.


Amazing project. Used it to host 40 accounts on a server recently for remote tutorials at a workshop :)


That's the kind of scenario that I also have in mind. What server and network did you use to serve 40 clients?


Dual Xeon Gold with 56 cores. Ended up rolling a custom Docker image and instance with VNC, all 40 managed by guac... Took some sleepless nights.


I bought a PopOS Gazelle with an Nvidia GPU so I could play around with ML stuff. But, looking back on it, it might have been more efficient to just get a GPU instance on AWS or Google Cloud, and just using a remote desktop like this.

Anybody tried that configuration? If so, how has your experience been?


That is kind of mind-blowing.

The landing page and the video using Windows XP makes it look unappealing though

I'd still use 10/10


We use guacamole as a way to gatekeep access to servers which are explicitly made vulnerable for students to attack.

We give students a Kali Linux box, and a server with dozens of vulnerabilities.. and we don't have to worry about those vulnerable targets being otherwise internet accessible. We've done over 200,000 VMs behind Guacamole over 4 years without incident, despite having machines with the username/password of "student", or being unpatched for 4 years (spinning up old Ubuntu 14 images)


Wow! Incredible.


It's not XP. Looks like 7 with the last decent theme that ever came from them.


Nope, that is definitely XP, past Vista the Windows 2000 like theming was removed.


It wasn't. Classic Theme was available on Windows 7 and Windows 8. https://www.google.com/search?q=windows+7+classic+theme


The Windows version in the demo video is Windows 7 Ultimate:

https://i.jollo.org/CaCZBXbc.png


> The landing page /-/ makes it look unappealing though

Why, loads too fast?


how does performance compare with x2go/freenx?


This is a life saver, have used it on different environments and it always worked...


I deployed Guacamole myself (for SSH), but I found SSHWifty[0] a lot easier to use and deploy.

[0] https://github.com/nirui/sshwifty


Is this something that would allow me to demo my electron app to visitors on my website? Or take it a step further and sell instances to users?

If someone has consulting chops to help me with this I’d love to chat.


This is not easy to deploy, even with docker. Had to setup tomcat. Great project, but hoping for more features and integration as well as simpler setup and config.


>We call it clientless because no plugins or client software are required.

>all you need to access your desktops is a web browser.

So which is it? Not having a client is nonsense.


This is awesome. Sometimes I got lazy and don’t want to go to another room to access the computers. This allows for easy remote desktop usage.


We've been using Guacamole for around 5 years now. It is an absolute godsend, and it makes remote work so much easier. Highly recommend!


Oh, I remember this thing, built some shit-hack auth for it like eight years ago. It's an awesome project and super easy to extend.


How fast and responsive is it? My current favorite is ThinLinc by Cendio as I've found it the most reliable and performant.


Does anyone have a reference to an example configuration for setting up a cloud instance that pipes Guacamole over SSH?


> once Guacamole is installed on a server, all you need to access your desktops is a web browser.

These days, where basically nobody has a real ip, this is not entirely true. Using tor, you can easily expose a server to the outside world, the other point must support tor connections. Is there a way to freely expose anything to the outside world without needing special software on the client side?


> These days, where basically nobody has a real ip, this is not entirely true.

This is a vast exaggeration. Although this is true for many, and perhaps a majority (are there any publicly available stats regarding this?), there are still a large number of ISPs which provide real IP addresses and allow incoming connections. My ISP serves several million customers across several US states and provides real IP addresses and allows incoming connections.


If you want to do so securely, use tailscale or wireguard, or any of a number of p2p vpns.


Awingu can do this. (https://www.awingu.com)


A Cloudflare Argo Tunnel, perhaps the free one for short-term use.


Even if so, configuring forwarding-only VPS costs ~3$/month.


DynDns exists


Has someone already used Guacamole to make a publicly available desktop software demo?


That’s really great. Do I understand correctly that it doesn’t understand SPICE?


The ridiculous installation procedure should be improved for non-docker users.


I found noVNC easier to use.


Best used in combination with guac imo. Good way of getting past industry firewalls too


Can I run MacOS on a super powerful cloud instance with this?


Could this work as an alternative to Mighty?



