Meet Guacamole, Your Remote Access Gateway

Reddit Comments

Hi! In this tutorial we:

  • Discuss use cases for Guacamole
  • Install using Docker or Rancher/Kubernetes
  • Connect to Windows/Linux via RDP/SSH/VNC protocols
  • Set up 2FA (multifactor authentication / TOTP) using Authy / Google Authenticator
  • Discuss options for VPN and SSL

Hope you enjoy it! As always, feedback welcome!

👍︎︎ 17 👤︎︎ u/Techno-Tim 📅︎︎ Sep 26 2020 🗫︎ replies

I built an Apache Guacamole server this week at work. Put it behind CloudFlare Pro, and configured on-prem firewall to only accept traffic from CloudFlare servers. So far so good!

👍︎︎ 5 👤︎︎ u/DumpsterFyre 📅︎︎ Sep 26 2020 🗫︎ replies

I recently just set up a guacamole server with duo 2FA, and it's made my life so much simpler!

No more random ports in my firewall for the couple of machines I need to rdp to. Just one extra server block in nginx config and it's golden!

👍︎︎ 3 👤︎︎ u/Connochio 📅︎︎ Sep 26 2020 🗫︎ replies

Does Guac support OAuth or OpenID connect yet?

👍︎︎ 2 👤︎︎ u/angryundead 📅︎︎ Sep 26 2020 🗫︎ replies

In my homelab I use the configuration by SmartHomeBeginner with a lot of success: https://www.smarthomebeginner.com/install-guacamole-on-docker/. There's a massive trove of information in their GitHub as well: https://github.com/htpcBeginner/docker-traefik

👍︎︎ 1 👤︎︎ u/Nighteyez07 📅︎︎ Sep 26 2020 🗫︎ replies

Hi u/Techno-Tim! Firstly, wanna say thanks for the content. Very nicely done vids. I wanted to ask about Rancher. I've been trying for a few days now to get Rancher set up on a single-node HA cluster, as opposed to the Docker version you did a vid about. I've been having nonstop issues trying to get it up and running, even following the Rancher official docs to the letter, so I may throw in the towel and go for the Docker install of Rancher from one of your other videos.

Are you running the docker version in your production set up, and have you had any issues with it?

👍︎︎ 1 👤︎︎ u/[deleted] 📅︎︎ Sep 26 2020 🗫︎ replies

Guacamole is awesome. I use it with pfSense, HAProxy and acme to access from work. I have it in my lab environment and train my team on cyber security from time to time, especially now being remote. Running in a Docker container was the easiest setup, tho installing from source isn't that bad.

👍︎︎ 1 👤︎︎ u/hijinko 📅︎︎ Sep 27 2020 🗫︎ replies

Looks like I’ve got a new project to do this weekend...

👍︎︎ 1 👤︎︎ u/firestar547 📅︎︎ Sep 27 2020 🗫︎ replies

Hi Techno-Tim, thanks for the tutorial. I am looking for a tutorial to deploy the Guacamole docker images in Azure AKS, with guideline to build yaml manifests. Could you please help me to find this information? Thanks for the great content!

👍︎︎ 1 👤︎︎ u/Guacamoleaks 📅︎︎ Jan 13 2021 🗫︎ replies
Captions
So you've been building out your home lab and you have a lot of virtual machines. Some of them are running Windows, some are running Linux, and some have a UI and some don't, and you find yourself remoting into those virtual machines quite a bit. That means using a collection of tools like RDP, SSH, VNC, and it can be a challenge to manage all of those tools across all of your devices. But what if you had one place you can go to to manage all those connections, something that didn't require anything but a browser and didn't require any plugins, and you can do it all securely? Well, setting up a self-hosted remote access gateway is what we're going to talk about today.

Hey, welcome back. So I'm Techno Tim, and today we're going to talk about Apache Guacamole, a clientless remote access gateway for all of your virtual machines. As a quick reminder, I stream every Tuesday, Thursday and Saturday, so if you want to continue the conversation about Guacamole there, we can.

So let's talk about Apache Guacamole. So you've spun up a lot of virtual machines. Some of them are Windows servers or Windows desktops and some of them are Linux servers or Linux desktops, and because these are all virtual machines they're all running headless, which means there's no physical monitor attached to them. So the way that you access these is by remote access. It's up to you to remember, track and use the appropriate tool for that virtual machine, and you figured out a system. On your main machine you probably have a VNC client installed, an SSH client and a remote desktop client, and that all works great until you move to another machine, and now you have to set up and configure those three things again. And if that next machine is a mobile device, now you have to figure out less familiar tools to set this up with, and you have to do this again and again for every new device you set up or every new platform you adopt. Well, that's where something like Apache Guacamole comes in.

So Apache Guacamole is a clientless remote desktop gateway. It's clientless because it uses standard protocols like RDP, VNC and SSH, and those protocols are already supported by operating systems that you're using, so you aren't required to install any additional software, and it works within any browser without any additional plugins. It also gives you an easy way to manage all of these connections, and on top of that there are a lot of authentication options. It even supports things like one-time passwords or two-factor auth, and that's exactly what we're gonna talk about today.

So today in this video we're gonna set up Guacamole, and we're not gonna set up Guacamole in the traditional way. We're going to set up Guacamole using Docker, and after Docker we'll move on to something called Rancher. So if you aren't familiar with Rancher, Rancher is an easy way to spin up Kubernetes, which then gives you Docker, and if you need help setting that up I've got a tutorial that'll help you set up Docker, Rancher and Kubernetes in just a couple of minutes. But if you're using something else like Portainer, OpenMediaVault, QNAP, Synology or just plain old Docker, we'll cover that too. Then you'll have a self-hosted version of Guacamole in just a couple of minutes. So with that out of the way, let's get started.

The first thing you want to do is go out to oznu docker-guacamole on GitHub. Now if you're subscribed to the channel you know that I typically recommend linuxserver.io images, however the one that's on linuxserver only supports the backend piece and we want the front end as well. I'm choosing this Docker image because it supports setting up the front end, the back end as well as the database, which makes this much easier to implement. So let's scroll down and take a look at the Docker commands, and we can see here in the usage there's very few things to configure. So if we're running plain old Docker we can run docker run, then we're going to choose our ports that we expose it on or publish, then we're going to mount a volume, which is a path to our config on the local machine to the image's config, and after that we're going to specify the Docker image.

But we can see here under parameters it also supports an environment variable. This environment variable is called EXTENSIONS, and when we use this EXTENSIONS environment variable we can turn on different authentication methods. We can see it supports LDAP, Duo, header, CAS, OpenID, two-factor auth and quick connect, and you can see in their example if you wanted to support LDAP plus Duo you would just add them like this: extensions equal auth-ldap comma auth-duo. And if we wanted to spin this up with plain old Docker we could run this docker command, and this would spin up Apache Guacamole on port 8080, pointing to our config, with a couple of extensions for authentication, and within a couple of minutes we'd have it running.

But we're going to move on to Rancher. Now keep in mind, if you're not using Rancher and you're using something like Portainer, QNAP, Synology or OpenMediaVault, they have very similar UIs and following this process will work as well. But in Rancher we're going to go to cluster, default cluster, and here we're going to deploy a new workload. Let's name this workload guacamole, then we'll set the image to oznu/guacamole. We can keep our namespace as default, and for port mapping I'm going to choose HostPort, and what this will do is publish the container port 80 to the host port of 80. 8080 is a common port, so if you need to change this you can, so I'm going to change mine to 9600, but any port you have free will work.

Now I did mention that it supports environment variables and we'll set one up for two-factor authentication, however we want to make sure that this works first before we turn on two-factor auth, so we'll come back to that. And now we'll jump down to volume, so let's add a volume here. I'm going to use bind mount a directory from a node, but if you have your storage set up another way feel free to choose that here. I'm going to name my volume guacamole, and here we'll need to specify the path on our node. Now we haven't set up this folder yet, so let's do that. So you want to remote into your server and actually create a folder for it, so you want to create a folder on your node and then copy that path to your clipboard. Mine is slash home slash techno tim guacamole, and we'll paste that in there, and then the mount point is just /config.

The next thing we'll need to do is change our scaling and upgrade policy. Now if you're using host port, typically I use kill all pods, then start new. Then we can launch our container, and here we should see it spinning up, and it's already running.

Okay, let's take a look at the UI, and we can see our UI's running. So the default username and password is guacadmin, so let's sign in. Once we sign in we'll see all connections. Now this is brand new so we don't have any, but before we do that let's change our password. So we'll go to this menu and go to settings, then we'll go to preferences. Here you should probably set your language and time zone, then we'll update our password.

Another thing we'll do is create a new account and then disable the guacadmin account. So the simplest way to do this is to clone this user, so let's go into guacadmin, scroll down, let's click clone, and then let's change our username and give it a password. In here we can configure more profile information. Here we can also set up account restrictions. This is handy if you want to give someone else access to Guacamole. Now these restrictions only apply to the Guacamole dashboard and not to the remote connections we'll set up here in a little bit, but if you wanted to create a user that can access your Guacamole dashboard outside of yourself you could do that here. But anyways, let's finish cloning this user, click save. Okay, so we have a new account. Let's actually sign in with our new account, so let's sign out and we'll sign in with our new one, and then let's go back into users and actually delete that guacadmin account: users, guacadmin, and delete.

Okay, so we have our admin user, that's ourselves. Now let's create a connection, so we'll go into connection, and here we can set up a new connection or a new group. If we wanted to create a new group we would obviously just click new group, and here we could give it a group name. Now this is up to you on how you want to organize your connections. You could do it by role, by operating system or anything else you can think of, but I'm just going to call this one Windows. Then we'll save, and now let's create a new connection. Click new connection.

Okay, so this is our new connection form. The very first thing you want to do is change our protocol. Don't fill out any of this until you change your protocol, so we can change it here. So on Windows we're going to use RDP for the protocol, and here you can set up some of the same restrictions that we had within the group, like concurrency limits, load balancing and other parameters, but let's just get connected to this Windows machine first. So we'll scroll down to network and go to hostname. Here you can put in the hostname of the device or the IP address. I'm going to use IP address. Next we'll want to choose the port. The default port for RDP is 3389.

Next we'll want to fill out authentication, so this is going to be the Windows user on that machine that can actually sign in remotely. Next you'll fill out a password, then you'll fill out the domain. If you don't have a domain you don't need to fill this out. And our security mode is going to be NLA, or network level authentication, and next we'll need to ignore server certificate errors, and this is a recommendation from Guacamole. Now we won't need to fill out anything for a remote desktop gateway and we don't need to do anything for basic settings either.

In the display section you can tweak a few things here. The two things I typically change are the color depth, I usually set it to 32-bit. Now this is gonna use more bandwidth and you can lower it if you'd like, but 32-bit looks really crisp and clean. And next is the resize method. I typically choose display update virtual channel something, but what this means is it'll dynamically update the resolution as you rescale your browser, so choose display update virtual channel RDP 8.1 plus. It's a mouthful.

And next we'll see some parameters that we see on the typical RDP client. We can choose whether or not we want to disable the clipboard, we can choose audio, printing, drive mapping, file upload and download, and you name it, and these are all things you typically see in your RDP client. Next are some performance options, and these will really be up to you, but you can choose whether or not to enable wallpaper, theming, ClearType fonts, which I typically turn on, so full window drag, that's the preview as you're dragging the window, desktop composition, so this is glass or Aero effects, menu animations, bitmap caching, off-screen caching and glyph caching. Now you'll want to tweak this based on your preferences, but I typically only turn on ClearType font.

Next we can configure some options for RemoteApp, then some Hyper-V options, load balancing, and then screen recording. So this is really cool, you can actually record this screen as you're remoting into it. Now I don't do this, but I can definitely understand the use case for this, especially if you have other people using this system, so choose that if you like. Then you have secure FTP and you can configure this if you like, and then last but not least we have Wake-on-LAN. So if your device supports Wake-on-LAN or your hypervisor supports sending a Wake-on-LAN packet to a virtual machine, you could actually keep this virtual machine off all the time and then send the Wake-on-LAN packet to wake it up and then remote into it. So if you're using this for a desktop in the cloud you can actually keep that desktop off until you want it on and you remote in through Guacamole, but you'll want to be sure that the physical device or the virtual machine supports Wake-on-LAN packets. But a very cool option.

Okay, let's save this. Oh yeah, we forgot to name the connection. Okay, so we're gonna name this connection. I'm gonna name this Windows 10 VM, real creative I know, and then we can choose our location, so let's group this in the Windows group we created, and now let's save it. Save. Okay, so now in connections we can actually see our group, and within our group we can see our new virtual machine. So let's try to remote into our virtual machine. So keep in mind we're in the connection management screen, so we'll need to actually go back here and go to home, and now we can see our connections, and here's our Windows group and here's our Windows 10 VM. So let's click on it. Here we go, and we're remoted in, and this is all done over HTML. We can open folders, browse the web with Edge if you want, open up PowerShell for remote administration, so all the things you can normally do through RDP. Now I'm in full screen mode so we can restore this down, and you can see here I'm going through a web browser, and this should be responsive, so as we resize this the client desktop resizes as well. [Music] So this is really awesome, we're able to remote into our machine over a web page.

So really quick, something I didn't mention is that RDP should be turned on. If you're having troubles RDPing into your Windows machine, you want to go into settings. Here I typically just type remote desktop settings and then choose that option. You'll want to make sure that remote desktop is turned on, and then you'll want to select users and make sure that your user account has remote access. And that's how simple it is to RDP into a Windows machine.

Okay, so next up is a Linux machine. Now I should just say that this should be any machine that has SSH and not just Linux. So let's configure an SSH connection, so we'll go into settings and we'll go into connections, and let's create a new group since we have one for Windows. I'm going to call this Linux and it'll be in the root location, and we'll hit save. Okay, so now let's add a new connection, so this is called Ubuntu server, and we're going to put it in the Linux group, and let's change the protocol to SSH. As soon as we change that we see some options open up down here. So the host name needs to be something it can resolve, but I'm going to use an IP address. Next, the port for SSH is 22. If you use something else, change it here. If you have a public host key you'll need to fill this in here. Then we'll fill out the authentication section, so if you only use username and password you can fill that out, but if you supply a private key and a passphrase you can fill that out too.

So now a remote connection is going to be a terminal, and we have some terminal options. We can choose our color scheme, we can choose black on white, gray on black, green on black, white on black or a custom theme. Then you can configure fonts, your font size, maximum scroll back size, and make it read-only, which is handy if you want someone to only be able to see the output. And so I'm not going to configure any of this, but feel free to tweak it if you'd like, and then we have all of the same options we saw when we configured a Windows device. So let's save this, and now we have our new connection. We can see under Linux we have our Ubuntu server connection, and so let's remote into this. So let's go back home, on our connections dashboard we now see this, so let's remote in, and here we go, we're SSH'd into our server through a web browser. We can do all of the normal stuff we would do in a terminal, and you can see here that this is in a web browser, however I have it in full screen mode, and you can see that this is kind of a little responsive too. So it doesn't dynamically resize what's already there, but it does set the max width after it's there, which is good enough for me.

Okay, so let's log out of here, go back home. Next let's configure a Linux desktop. Now we have a lot of options for a Linux desktop remote connection. Our Linux desktop supports lots of protocols. You can actually use RDP if you like, SSH or even VNC. So let's turn on remote access in our Linux desktop. So I'm using Ubuntu here but you can use any version of Linux you like. So once we're in Ubuntu let's go into settings, then we'll go into sharing, then we'll toggle sharing on, then let's turn on screen sharing. We'll want to require a password here, and then we'll turn it on for the network we're connected to. Okay, let's close out of here, and so this is going to turn on the VNC connection to this Ubuntu desktop.

Now let's configure that connection inside of Guacamole, so we'll go into settings, connections, and let's create a new connection. Let's name this Ubuntu desktop, let's put the location within our Linux, let's choose the Linux folder, and we'll keep the protocol as VNC. For our host name we'll just put in the IP address, and the default VNC port is 5900. Then we'll fill in our username and password and then we'll save. Then we'll go back to home and we should see our desktop under here, and so let's connect, and here we go, we're connected to our Linux desktop, and you can see it's within a browser, and this scales pretty good too, and we can do all the normal things we would from a remote client.

Okay, so so far we've set up Guacamole, we created a new admin account, we deleted the default admin account, we set up an RDP connection to a Windows machine, we set up an SSH connection to a Linux server, we set up a VNC connection to a Linux desktop, but now let's configure two-factor auth for this. So I purposely didn't set up two-factor auth yet because I wanted to make sure all of this worked and I didn't want to confuse the matter with two-factor auth in the very beginning, but it's really easy to add. So we'll need to add one more environment variable, so let's go into our guacamole workload and let's click edit, expand environment variables, and let's add a variable here. We'll want to add the environment variable EXTENSIONS and then the value of auth-totp, and this is for the two-factor auth extension. Okay, so let's save that. It's going to redeploy this workload and it should come back online.

Okay, so let's go back to Guacamole now, so let's sign in using that admin account. Okay, so immediately upon logging in we get a two-factor auth prompt. So this is really awesome, we can use something like Authy or Google Authenticator to scan this barcode and retrieve our code, so let's do that. Okay, let's add an account, let's scan this QR code, [Music] save our account. Okay, so let's type in our code. So this is awesome, now we have two-factor authentication with Guacamole, and if we sign out and sign back in, now we're required to provide this authentication code, and now we can sign in securely.

And so now that we can sign in securely there's one more thing we should talk about, and that's actually hosting this securely. So as you can see, Guacamole itself doesn't come with a certificate. That means that our communication is not encrypted, which also means you shouldn't host this publicly unless you have a certificate. If you're going to access this you should access it with a certificate, and if you're going to access this from the outside you should definitely use a VPN connection. That will ensure that you have a secure tunnel between you on the go and your server infrastructure, but even then you should still use a certificate. And if you'd like to host this securely over SSL within your Rancher cluster, I have a tutorial on how to set this up using Rancher. This tutorial walks you through getting an SSL certificate using Let's Encrypt, and then it uses Traefik as your load balancer to route that traffic internally. That will help you get a certificate and host this securely. Then you can access this from anywhere in the world using any device over SSL with two-factor auth, which seems like a pretty robust solution to me.

So what do you think of Guacamole? What do you think of setting up a remote access gateway? What are some of the systems that you need remote access to where this would help? I'd love to hear your answers in the comments section below, and while you're down there don't forget to give this video a like and consider subscribing if you haven't already. And if you have more questions you can always join my live stream. I stream every Tuesday, Thursday and Saturday, so if you have a question about this video or any of my other videos, hop in my stream and I'd love to have you. So thanks so much for watching, and until next time, stream on my friends.

storage solution with lots of options, and I think those options now, instead of jails on BSD, will be Docker containers. I could even see them going as far as, I have all these ideas and I want to say like remind me in six months to see if I was right. I'm gonna make some big bets. Here's my big bets on TrueNAS Scale: obviously Linux, Docker support. I think it's gonna have first-class Kubernetes support. I think they're just to say yep, you can spin up a Kubernetes cluster right on this thing. I think they're going to make it easy, right? They see things like Portainer, they see things like Rancher, and then they see stuff like a Proxmox, right, and they look at the solutions that people are choosing because they give them a lot of options. So I do think we're going to see a combination of Proxmox plus TrueNAS. It's going to be like Proxmox, TrueNAS and Rancher all had a baby. That's my guess.
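What the authenticator app and the server each compute once the QR code from the two-factor step in the captions has been scanned, as an added example that is not from the video or from the Guacamole project. It assumes the common RFC 6238 parameters (HMAC-SHA1, 30-second step, 6 digits); the function names and the demo secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # assumed time step (RFC 6238 default)
DIGITS = 6         # assumed code length shown by the authenticator app


def decode_secret(b32: str) -> bytes:
    """The QR code carries the shared secret base32-encoded, often unpadded."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, int(at) // STEP_SECONDS, digits)


def verify(key: bytes, submitted: str, at: float,
           last_used_step: int = -1, window: int = 1):
    """Server-side check. Returns the matching time step, or None.

    window=1 accepts the previous and next step to tolerate clock drift.
    last_used_step is the step of the last accepted code for this user;
    any step at or before it is skipped so a captured code cannot be replayed.
    """
    now_step = int(at) // STEP_SECONDS
    for step in range(now_step - window, now_step + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step).encode(), submitted.encode()):
            return step
    return None


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key in base32), not a real one.
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = time.time()
    code = totp(key, now)
    step = verify(key, code, now)
    print("current code:", code, "accepted at step:", step)
    print("replay accepted:", verify(key, code, now, last_used_step=step))
```

The value returned by `verify` is what the server should store per user as `last_used_step`, so the same code is refused on a second login attempt inside its validity window.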
Info
Channel: Techno Tim
Views: 76,888
Rating: 4.9722543 out of 5
Keywords: homelab, home lab, self hosted, selfhost, guacamole, apache guacamole, remote access, remote access gateway, rdp, ssh, vnc, telnet, totp, 2fa, authy, ssl, virtual machine, ubuntu, server, guacamole setup, overview, turotial, diy, selfhosted, docker, rancher, kubernetes, k8s, k3s, container, vm, apache, portal, techno tim, vpn, dashboard, homelab ideas, 3389, 5900, 22, ports, 21, remote desktop, cloud desktop, virtualization, docker-guacamole, docker guacamole tutorial, openmediavault, qnap, synology, portainer, linux, oznu
Id: LWdxhZyHT_8
Length: 19min 39sec (1179 seconds)
Published: Sat Sep 26 2020