Archived view for dioskouroi.xyz › thread › 29442643, captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content.
Past related threads:
_Apache Guacamole 1.1.0_ -
https://news.ycombinator.com/item?id=22190251
- Jan 2020 (50 comments)
_Apache Guacamole – Clientless remote desktop gateway_ -
https://news.ycombinator.com/item?id=21660925
- Nov 2019 (40 comments)
_Apache Guacamole – A clientless remote desktop gateway_ -
https://news.ycombinator.com/item?id=15778902
- Nov 2017 (41 comments)
_Guacamole – A clientless remote desktop gateway_ -
https://news.ycombinator.com/item?id=15389727
- Oct 2017 (216 comments)
_Apache Guacamole_ -
https://news.ycombinator.com/item?id=11744430
- May 2016 (57 comments)
Also:
_Fixing critical vulnerabilities in Apache's remote desktop_ -
https://news.ycombinator.com/item?id=23715212
- July 2020 (8 comments)
I have used Apache Guacamole to access running GitHub Actions workflows as remote desktops. It worked super well for testing GUI apps on other operating systems that I didn't want to deal with setting up.
It's also nice if you want to run a GUI application in someone else's sandbox.
https://github.com/jstrieb/ctf-collab/blob/9300c57364f71fe29...
Using it mainly because of the paranoia of just exposing RDP to the internet. Http(s) is very convenient to add more layers of security, in my case via NGINX (both as LXC containers in Proxmox). I'm using a wildcard domain *.myhome.tld pointed to my static IP. Guacamole is hosted at try_guess_me.myhome.tld, with NGINX basic auth same for all subdomains (further protected by fail2ban). So in total 3 tokens are required (subdomain and basic auth username and password) just to get to the Guacamole login page, where additional username/password + 2FA are required. I used to expose RDP directly for years, but after a chat with a colleague before vacations and a purchase of a NUC for a homelab server decided to strengthen the security slightly.
RDP is still much better user experience, so once when I needed a longer session I used Guacamole to access my router admin interface and temporarily expose RDP directly via a random port and a very strong password. I'm still not convinced that the latter combination is not enough, but it's better to be safe than sorry.
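The fail2ban layer in the setup above keys on nginx's error log, not on the 401 responses in the access log (a browser's very first request also gets a 401 as the Basic-auth challenge, so access-log counting would penalise legitimate users). The following is an added example, not code from the thread or from the Guacamole or fail2ban projects: it reproduces the decision that fail2ban's stock nginx-http-auth filter makes, parsing the "password mismatch" / "was not found" lines that ngx_http_auth_basic_module writes and banning a client that reaches maxretry failures inside a findtime window. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One nginx error.log entry per failed Basic-auth attempt, as written by
# ngx_http_auth_basic_module (the line fail2ban's stock nginx-http-auth
# filter keys on).  Both variants are covered:
#   user "x": password mismatch
#   user "x" was not found in "<htpasswd file>"
AUTH_FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "(?P<user>[^"]*)":? (?:password mismatch|was not found in "[^"]*"), '
    r'client: (?P<ip>[0-9a-fA-F.:]+), server: (?P<server>\S*), '
    r'request: "(?P<req>[^"]*)", host: "(?P<host>[^"]*)"'
)
TS_FMT = "%Y/%m/%d %H:%M:%S"


def parse_auth_failure(line):
    """Return a dict for a failed-login line, or None for anything else."""
    m = AUTH_FAIL_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_offenders(lines, maxretry=5, findtime=600):
    """Sliding-window count of failures per client IP (chronological input).

    Returns {ip: time_of_ban} for every IP that reached `maxretry` failures
    within any window of `findtime` seconds, i.e. fail2ban's maxretry/findtime
    semantics.  An IP that is already banned is not counted again.
    """
    window_len = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        rec = parse_auth_failure(line)
        if rec is None or rec["ip"] in banned:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > window_len:   # evict failures outside the window
            window.popleft()
        if len(window) >= maxretry:
            banned[rec["ip"]] = rec["ts"]
    return banned


# Constructed sample log: one client hammering the login, one client with two
# failures 14 minutes apart, and an unrelated notice line that must be ignored.
SAMPLE_LOG = """\
2021/12/04 18:00:01 [error] 1234#1234: *7 user "admin": password mismatch, client: 203.0.113.7, server: try_guess_me.myhome.tld, request: "GET / HTTP/1.1", host: "try_guess_me.myhome.tld"
2021/12/04 18:00:03 [error] 1234#1234: *8 user "admin": password mismatch, client: 203.0.113.7, server: try_guess_me.myhome.tld, request: "GET / HTTP/1.1", host: "try_guess_me.myhome.tld"
2021/12/04 18:00:05 [error] 1234#1234: *9 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.7, server: try_guess_me.myhome.tld, request: "GET / HTTP/1.1", host: "try_guess_me.myhome.tld"
2021/12/04 18:00:07 [error] 1234#1234: *10 user "admin": password mismatch, client: 203.0.113.7, server: try_guess_me.myhome.tld, request: "GET / HTTP/1.1", host: "try_guess_me.myhome.tld"
2021/12/04 18:00:09 [error] 1234#1234: *11 user "admin": password mismatch, client: 203.0.113.7, server: try_guess_me.myhome.tld, request: "GET / HTTP/1.1", host: "try_guess_me.myhome.tld"
2021/12/04 18:01:00 [error] 1234#1234: *12 user "guest" was not found in "/etc/nginx/.htpasswd", client: 198.51.100.9, server: try_guess_me.myhome.tld, request: "GET / HTTP/1.1", host: "try_guess_me.myhome.tld"
2021/12/04 18:01:30 [notice] 1234#1234: signal process started
2021/12/04 18:15:00 [error] 1234#1234: *20 user "guest": password mismatch, client: 198.51.100.9, server: try_guess_me.myhome.tld, request: "GET / HTTP/1.1", host: "try_guess_me.myhome.tld"
2021/12/04 18:15:05 [error] 1234#1234: *21 user "admin": password mismatch, client: 203.0.113.7, server: try_guess_me.myhome.tld, request: "GET / HTTP/1.1", host: "try_guess_me.myhome.tld"
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when})")
```

With the defaults (maxretry 5, findtime 600 s) only 203.0.113.7 is banned, at the fifth failure; 198.51.100.9's two failures are 14 minutes apart and never share a window unless findtime is raised to 20 minutes. Note that the regex only sees the connecting address, so if another proxy sits in front of nginx the `client:` field will be that proxy and every user would be banned together.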
There is an IP ban / fail2ban app for windows and RDP, nice extra layer.
For a lot of my stuff, the devices domain is only resolvable on my Wireguard's DNS and access allowed only from Wireguard's subnet.
I wanted to avoid VPN both for my main working/dev machine and clients. What if VPN does not go up after hard reboot due to some weird loading order while I'm not logged in (e.g. electricity failure)? Both that machine and Guacamole/NGINX host are configured to autostart after powering off. This is the first thing I tested. For clients, I do not want to have VPN on each of them. And what if I need to use a random machine? Multi-layer opaque https endpoint seems safe enough.
Fair point, I have a pi 4 running pihole and wireguard so starts up and runs everything on power.
Also boot disk is on zfs so scrubs each week incase of microsd corruption.
The Wireguard in Docker automatically generates new client configs from ENVS.
We adopted Guacamole for access to some of our Windows server production environments; the great thing about it is you can put your corporate SSO / authorization model into a web app to control access and not have to disclose credentials to service accounts to developers. You can also tap off a feed from the guacd that represents a complete screen recording and save it for audit trail purposes.
The only issue we've had is that FreeRDP (that underlies it for connectivity to Window servers) is a bit fussier than the native RDP environment, or at least we've had challenges getting equivalent compatibility across old/odd Windows configurations.
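The audit-trail feed mentioned above is the Guacamole protocol stream itself: a session recording is a sequence of instructions in the form `<length>.<value>,<length>.<value>;`, where the length counts Unicode characters of the value (so values may contain commas and semicolons). The parser below is an added example, not the project's code: it decodes that wire format and pulls out the things an auditor usually wants first, the screen sizes, the session duration derived from `sync` timestamps (milliseconds), and any `key` events, which are only present if the recording was configured to include them. The sample stream is constructed for the example.

```python
from collections import Counter


def parse_instructions(stream):
    """Yield (opcode, args) tuples from a Guacamole protocol text stream.

    Wire format: each element is '<length>.<value>'; elements of one
    instruction are joined with ',' and the instruction ends with ';'.
    The length is a count of Unicode characters, which is what lets a
    value safely contain ',' or ';'.  Malformed input raises ValueError
    rather than being silently resynchronised.
    """
    i, n = 0, len(stream)
    while i < n:
        elems = []
        while True:
            dot = stream.find(".", i)
            if dot == -1 or not stream[i:dot].isdecimal():
                raise ValueError(f"bad length prefix at offset {i}")
            start = dot + 1
            end = start + int(stream[i:dot])
            if end >= n:                        # value or its terminator is missing
                raise ValueError(f"truncated element at offset {i}")
            elems.append(stream[start:end])
            term, i = stream[end], end + 1
            if term == ";":
                break
            if term != ",":
                raise ValueError(f"expected ',' or ';' at offset {end}, got {term!r}")
        yield elems[0], elems[1:]


def summarize(stream):
    """Audit summary: opcode tally, root-layer screen sizes, pressed keysyms
    and wall-clock duration from the first and last 'sync' timestamps (ms)."""
    counts, sizes, keys, syncs = Counter(), [], [], []
    for op, args in parse_instructions(stream):
        counts[op] += 1
        if op == "size" and args[0] == "0":     # args: layer, width, height; layer 0 is the root layer
            sizes.append((int(args[1]), int(args[2])))
        elif op == "sync":                      # args: server timestamp in milliseconds
            syncs.append(int(args[0]))
        elif op == "key" and args[1] == "1":    # args: X11 keysym, pressed (1) / released (0)
            keys.append(int(args[0]))
    return {
        "counts": dict(counts),
        "sizes": sizes,
        "key_presses": keys,
        "duration_ms": (max(syncs) - min(syncs)) if syncs else 0,
    }


# Constructed sample: a short session with a resize, one Return key press and
# a clipboard transfer.  The 'name' value deliberately contains ';' and ','.
SAMPLE_RECORDING = (
    "4.size,1.0,4.1024,3.768;"
    "4.name,13.audit;one,two;"
    "4.sync,13.1638640000000;"
    "3.key,5.65293,1.1;"
    "3.key,5.65293,1.0;"
    "4.size,1.0,4.1280,3.720;"
    "9.clipboard,1.2,10.text/plain;"
    "4.blob,1.2,8.aGk7YWJj;"
    "3.end,1.2;"
    "4.sync,13.1638640005000;"
)

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDING))
```

For a real recording, read the file as UTF-8 text and feed it to `summarize`; the same parser handles the live stream between the web application and guacd, which is how a session-monitoring hook would tap it.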
Setting it up via Docker container is a lot easier than a custom setup.
I really am not a fan of Guacamole. I love the idea and convenience of having everything running in the browser from the client side, but I much prefer a real RDP session (via VPN) than having it in the browser. Why? Keyboard shortcuts! I am soooo much slower because browsers (not guac's fault - but at the same time it is its fault since I would love a native client) can't catch all keys (e.g. Windows key). ALT-TAB? Yeah you just tabbed away from Guac. Or the new fancy WIN-TAB, no way that gets passed on to Guac. Also the file sharing experience is worse. RDP? Just drag and drop or Ctrl-C, Ctrl-V. That doesn't always work in Guac…
Advantage to guacamole is you can have a corporate controlled middle man... You might set your server username to root/root, but that's not a problem if you can only get to it by guacamole.. I mean it's not great, but guacamole can face the world and be the castle to defend, not a dozen or hundred maybe-managed servers...
IIRC you can install the guac site as a PWA in your browser and sometimes the browser then allows more keyboard events to bubble up from the OS to the javascript layer where guac lives. Doesn't fix everything, but it can help.
have you tried fullscreen mode? At least on vscode-server some shortcuts only work on that mode (probably using the browser Fullscreen API?)
The security is probably better if you enable HTTPS than RDP?
When I use RDP it is always over SSH (port tunnel)
Yes. And many corporate and government networks deny list all traffic on ports other than 80/443, so RDP just is not an option in many cases. VDI over HTTPS also means users don't need a separately installed RDP client and can just access the VDI via their browser.
Can easily enable reverse SSH at home through 443 and 80.
Log in with RDP just to enable the reverse-SSH and use that for RDP.
The benefit is that you can access other things than RDP with this solution.
That's why I said via VPN, but yes of course it's more secure if you add another layer - I wouldn't say more secure than SSH or VPN.
Yeah I kinda just stick to ssh tunnel+ssh keys+VNC. Old school :)
Couldn't Guacamole hijack the keyboard shortcuts?
One of the reasons I hate Wrike is that it hijacks Command-Shift-N (New private window) in Safari.
Guacamole and tailscale make my life so much easier when I'm away from home. Serving up guac from a machine with tailscale / wire guard means I can get to it without exposing it to the internet, or worrying about a home IP changing.
I'm really looking forward to having all my working stuff in the cloud. however, it's so annoying sometimes that networking is not suitable yet to work from ANYWHERE. especially in public places where you can pull a laptop from the bag and start working, with remote it's mostly a challenge
I've found that having a dedicated WiFi hotspot mostly solves this issue, as long as you're somewhere with decent cell service.
I haven't tried it with desktop streaming, but VS Code remote development is a dream, even with little bandwidth.
My local library has WiFi Hotspots to checkout for free. They are T-Mobile hotspots and Fast.com reports:
35Mbps down (steady)
3Mbps up (decays quickly suggesting shown upload is "boost" / "burst" speeds or possibly throttled heavily in some other manner)
it doesn't really work well. network coverage differ from place to place. also, whenever you sit in some shitty coworking, their wifi should give you hard time getting this working
Ah the memories of going for a coffee break at the university, as $HOME failed to mount over NFS due to a bad terminator on the campus network.
Setup wireguard
Used the guac to host 100+ sessions for researchers and devs at my previous company. Performed well and using docker made it a breeze to deploy in the cloud and it also tied into my IPA infrastructure nicely for central authentication. I did not play with the screen recording feature though.
The video on the main page is amazing. Rare that a product demo video is both entertaining and informative with a high information density!
I bought a PopOS Gazelle with an Nvidia GPU so I could play around with ML stuff. But, looking back on it, it might have been more efficient to just get a GPU instance on AWS or Google Cloud, and just using a remote desktop like this.
Anybody tried that configuration? If so, how has your experience been?
meshcentral is another nice free software for remote desktop and more:
https://github.com/Ylianst/MeshCentral
https://twitter.com/MeshCentral
https://www.youtube.com/channel/UCJWz607A8EVlkilzcrb-GKg
Disclaimer: we installed meshcentral for enabling student access to regular physical desktops machine during COVID19
Love it!
That said:
"We call it clientless because no plugins or client software are required.
Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser."
So... the web browser is the client software. Why not just come out and say that instead of first calling it fairly misleadingly "clientless"?
They do, immediately. I was confused for a second but since the next sentence clarified it I can't see the issue.
"You don't need a hammer to bang our nail. Simply use a hammer."
vs.
"You don't need a special hammer to bang our nail. Simply use your existing hammer."
I actually disagree tbh - web browsers are so ubiquitous at this point that I would consider them a core part of the desktop at this point. If I can use just the "core tools" of my OS to access something I would consider that clientless for all intents and purposes
It's hard to believe this was 20+ years ago:
https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor...
Because every modern device has a modern browser included. I think most people understand this and that might be why you're getting downvoted.
What would a clientless (aka no additional client software to install) might work?
Well, networking always requires some sort of client software, calling it "clientless" because most systems most likely already have the required software rubbed me the wrong way.
But I think I get it now, it's probably a tongue in cheek reference to "serverless" :P
I'm with you. I was confused by that term. Why not 'browser based remote desktop'? I've never heard anything happening in a browser called clientless before. In fact it is usually explicitly called a client, e.g. client side rendering.
We put an intermediary to them behind sso. Only the intermediary can get to the machine and forward guacamole traffic. Solves the no password / everyone in the company having access to test machines. We have a little script that registers endpoint machines with the intermediary and who can access the machine / when. We even log and do time block. The intermediary does password rotation with vault.
Tried Guacamole and it was ok. For this type of stuff a simple WireGuard VPN is much better. However, if you must serve apps remotely via browser, I find KASM WorkSpaces a superior solution.
That was a heck of a demo. I wonder how many takes that took.
I personally use Chrome Remote Desktop for type of access. If you don't mind trusting Google for tunneling, it works great.
yeah, Chrome Remote Desktop is a wonderful piece of engineering. Pretty much _just works_ and was trivial to install. Needed it to remote into a physical machine that sometimes would have no internet, so I'd use an old MacBook Pro running Chrome Remote Desktop to "kick off" the VM before figuring out a better way to accomplish this entire process altogether. I am fairly surprised that they haven't made it a paid feature of G Workspaces or whatever its called now lol
I've been using it for years, and it just works.
Though every so often you need to reinstall the remote access software
Oh, I remember this thing, built some shit-hack auth for it like eight years ago. It's an awesome project and super easy to extend.
That is kind of mind-blowing.
The landing page and the video using Windows XP makes it look unappealing though
I'd still use 10/10
We use guacamole as a way to gatekeep access to servers which are explicitly made vulnerable for students to attack.
We give students a Kali Linux box, and a server with dozens of vulnerabilities.. and we don't have to worry about those vulnerable targets being otherwise internet accessible. We've done over 200,000 VMs behind Guacamole over 4 years without incident, despite having machines with the username/password of "student", or being unpatched for 4 years (spinning up old Ubuntu 14 images)
Wow! Incredible.
It's not XP. Looks like 7 with the last decent theme that's ever came from them.
Nope, that is definitely XP, past Vista the Windows 2000 like theming was removed.
It wasn't. Classic Theme was available on Windows 7 and Windows 8.
https://www.google.com/search?q=windows+7+classic+theme
the windows version in the demo video is windows 7 ultimate
https://i.jollo.org/CaCZBXbc.png
> The landing page /-/ makes it look unappealing though
Why, loads too fast?
I deployed Guacamole myself (for SSH), but I found SSHWifty[0] a lot easier to use and deploy.
[0] https://github.com/nirui/sshwifty
How fast and responsive is it? My current favorite is ThinLinc by Cendio as I've found it the most reliable and performant.
how does performance compare with x2go/freenx?
This is a life saver, have used it on different environments and it always worked...
We've been using Guacamole for around 5 years now. It is an absolute godsend, and it makes remote work so much easier. Highly recommend!
Has someone already use guacamole to make a publicly available desktop software demo ?
This is awesome. Sometimes I got lazy and don't want to go to another room to access the computers. This allows for easy remote desktop usage.
once Guacamole is installed on a server, all you need to access your desktops is a web browser.
These days, where basically nobody has a real ip, this is not entirely true. Using tor, you can easily expose a server to the outside world, the other point must support tor connections. Is there a way to freely expose anything to the outside world without needing special software on the client side?
> These days, where basically nobody has a real ip, this is not entirely true.
This is a vast exaggeration. Although this is true for many and perhaps a majority, are there any publicly available stats regarding this, there are still a large number of ISPs which provide real IP addresses and allow incoming connections. My ISP serves several million customers across several US states and provides real IP addresses and allows incoming connections.
If you want to do so securely, use tailscale or wireguard, or any of a number of p2p vpns.
Awingu can do this. (
)
Even if so, configuring forwarding-only VPS costs ~3$/month.
DynDns exists
I found noVNC easier to use.
Best used in combination with guac imo. Good way of getting past industry firewalls too
I use guacamole. It is awesome and super convenient. Nice insulation from various protocol bugs too. I donât care what exploitable bugs RDP server in windows has if I access it only over guac.
I don't see any window installation/compilation guide. Do you know about any pre compiled windows executables (client + server)?
It's Java and Tomcat, so should work fine on Windows. I'd highly suggest using Linux + Docker in a VM or something though, it'll be a way faster setup (configuring Guacamole manually is a pain in the rear, there's good Docker containers out there that do it for you).
I run it on my home Linux server (a nook color tablet with an Ubuntu Linux chroot) to access my home windows server remotely.
next level recycling!
It is all due to this. No r-pi or anything like it is ever this stable:
root@localhost:~# uptime
 22:21:32 up 3139 days, 19:42, 1 user, load average: 0.00, 0.01, 0.05
root@localhost:~#
Do you need a static ip address for it?
You could always use an IPv6 address, or setup something like Tailscale.
As silly and astonishing as it is, I've heard from some (mostly American) ISPs that a static IPv6 subnet is either not available for consumers or costs extra.
Yes, that's right, some ISPs rotate IPv6 subnets, negating many things IPv6 was invented for in the first place.
Tailscale, Nebula or any of the automagical VPN solutions you can run yourself (like Innernet, https://github.com/tonarino/innernet) will probably negate the issue as long as you can reach some server with a static IP.
Of course, because if you can use it to offer services, it's a 'pro' connection!
DynamicIP + DynDNS works just as fine.
Getting DynDNS can be accomplished via many routes.
- Even old routers support at least noip.com and update the IP when it changes
- major DynDNS providers have a custom tool you can install, running in the background sending the current IP every minute or so
- every major registrar has a DNS API, which allows you to send IP updates in a simple CURL command and putting that command into crontab automates this as well.
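The cron-plus-API route above has two failure modes worth guarding against before the update command fires: the address the box detects may not be a real public one (a CGNAT address from 100.64.0.0/10, or a LAN address if the detection method is wrong), and an unconditional update every minute hammers the registrar's API and its rate limits. The following is an added example, not code from the thread: one cron tick that validates the detected address with the standard library's `ipaddress` module and only calls the (injected, hypothetical) `update_record` callable when a usable address has actually changed. The address-detection and API calls are assumptions passed in as callables, so the logic runs offline; 8.8.8.8 and 1.1.1.1 below are only used as well-known public addresses for the demonstration.

```python
import ipaddress

# 100.64.0.0/10 is the carrier-grade NAT range (RFC 6598).  Python's ipaddress
# treats it as neither private nor global, so it needs its own case.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_ip(text):
    """'global' for a usable public address; otherwise the reason it is not."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return "invalid"
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if not ip.is_global:          # RFC 1918, loopback, link-local, documentation ranges, ...
        return "non-global"
    return "global"


def run_update(detect_ip, last_ip, update_record):
    """One cron tick of a dynamic-DNS updater.

    detect_ip()        -> text of the address the outside world currently sees
    update_record(ip)  -> pushes the address to the DNS provider; a hypothetical
                          callable standing in for the registrar's API call
    last_ip            -> address pushed on the previous tick (None on first run)

    Returns (action, ip_to_remember).  The record is written only when the
    detected address is a real public one and differs from the last one pushed,
    so a bogus or unchanged address never reaches public DNS.
    """
    text = detect_ip()
    kind = classify_ip(text)
    if kind != "global":
        return ("skip:" + kind, last_ip)
    ip = str(ipaddress.ip_address(text.strip()))   # normalised text form
    if ip == last_ip:
        return ("unchanged", ip)
    update_record(ip)
    return ("updated", ip)


if __name__ == "__main__":
    # Constructed sequence of ticks with a fake detector and a recording updater.
    pushed = []
    last = None
    for seen in ["8.8.8.8\n", "8.8.8.8", "100.64.1.2", "1.1.1.1", "192.168.1.5"]:
        action, last = run_update(lambda: seen, last, pushed.append)
        print(f"{seen.strip():>12} -> {action} (remembered {last})")
    print("pushed to DNS:", pushed)
```

In a real deployment `detect_ip` would query an external "what is my IP" endpoint or the router, `update_record` would be the registrar's API call, and `last_ip` would be persisted to a small state file between cron runs.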
On what side?
The server software can run on any address as long as you don't hardcode the listening IP, just like any other web server. You'd need a way to have the URL point to the right server, of course, so DDNS or similar is a necessity if your server doesn't have a static public IP.
The desktop connections to the machines from Guacamole are tuples of { protocol configuration, hostname/IP, credentials }. If you specify the device Guacamole connects to by its IP and then that IP changes, the connection and configuration will break. You can probably work around that with some kind of dynamic DNS setting, or maybe local name resolution (LLMNR and friends) if the machines are on a flat network.
TL;DR you don't need it, but it helps.
just use tailscale. seriously it's what you want
I use a dyndns thing I host on my VPS
Could this work as an alternative to Mighty?
Amazing project used it to host 40 accounts on a server recently to host remote tutorials at a workshop recently :)
That's the kind of scenario that I also have in mind. What server and network did you use to serve 40 clients?
Dual Xeon gold with 56 core. Ended up rolling a custom docker image and instance with vnc all 40 managed by guac... Took some sleepless nights