Guacamole Remote Desktop

Browser Based Remote Desktop Access

User/connection management considerations

It is possible to manage users/connections in a simple flat file (/etc/guacamole/user-mapping.xml), or to configure Guacamole to use an SQL database for configuration, but I want to centrally manage all users/connections in the LDAP directory of my FreeIPA server. Note that with the database solution all configuration options are available in the HTML5 interface, whereas this setup requires every setting to be made in LDAP, which is more of a hassle if you change the setup frequently.

From Template

Clone the centos7 template and set IP+hostname.

Install guacamole server packages and plugins/libs:

yum install -y guacd libguac-client-ssh libguac-client-vnc libguac-client-rdp dejavu-sans-mono-fonts wget tomcat freerdp-plugins

Create guacamole client app directory:

mkdir -p /etc/guacamole/extensions

Fetch the client WAR and the LDAP extension (and install the WAR as the ROOT Tomcat app - I know I'm cheating!). The closer.cgi URL redirects to a mirror over plain HTTP, so before deploying, verify the downloads against the .sha256 (or .asc) files that the Apache project publishes for every release rather than trusting the mirror.

wget 'http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war' -O /etc/guacamole/guacamole.war
wget 'http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-auth-ldap-1.0.0.tar.gz' -O /etc/guacamole/guacamole-auth-ldap-1.0.0.tar.gz 
tar xf /etc/guacamole/guacamole-auth-ldap-1.0.0.tar.gz -C /etc/guacamole/
cp /etc/guacamole/guacamole-auth-ldap-1.0.0/guacamole-auth-ldap-1.0.0.jar /etc/guacamole/extensions/
rm -rf /etc/guacamole/guacamole-auth-ldap-1.0.0/
cp /etc/guacamole/guacamole.war /var/lib/tomcat/webapps/ROOT.war

Create optional screen recording folder:

mkdir -p /etc/guacamole/rec/
chown guacd:guacd /etc/guacamole/rec

Edit/create /etc/guacamole/guacamole.properties to point to the LDAP server and configure the user base DN. As written below, the extension talks to FreeIPA on port 389 without encryption, so every Guacamole login sends the user's LDAP password in clear text across the network; set ldap-encryption-method to starttls (or to ssl together with ldap-port 636), and make sure the JVM trusts the FreeIPA CA so the TLS handshake succeeds. The auth-provider line dates from releases before the extension mechanism and is no longer used by 1.0.0, which discovers the LDAP extension from /etc/guacamole/extensions.

# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

# LDAP properties
ldap-hostname:           freeipa.lan.example.com
ldap-port:               389
ldap-user-base-dn:       cn=users,cn=accounts,dc=lan,dc=example,dc=com
ldap-config-base-dn:     cn=groups,cn=accounts,dc=lan,dc=example,dc=com
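For contrast, the same LDAP block with the bind protected by STARTTLS (added here as an example; it is not from the original page, and it assumes FreeIPA's LDAP service accepts STARTTLS on 389, which it does by default):

```properties
# Same LDAP block as above, but the user bind and the config search run over STARTTLS.
# ldap-encryption-method accepts none, ssl (LDAPS, pair with ldap-port 636) or starttls.
ldap-hostname:           freeipa.lan.example.com
ldap-port:               389
ldap-encryption-method:  starttls
ldap-user-base-dn:       cn=users,cn=accounts,dc=lan,dc=example,dc=com
ldap-config-base-dn:     cn=groups,cn=accounts,dc=lan,dc=example,dc=com
```

On CentOS 7 the JVM reads the system CA bundle, so dropping the FreeIPA CA certificate (assumed here to be available as /etc/ipa/ca.crt on an enrolled client) into /etc/pki/ca-trust/source/anchors/ and running update-ca-trust, followed by a Tomcat restart, is enough for Java to validate the FreeIPA certificate.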

Open the firewall to allow connections in on tcp/8080. Tomcat serves Guacamole over plain HTTP here, so once the WAF described below is in place, limit this rule to the address of the UTM instead of leaving 8080 open to the whole zone.

firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload

Enable and restart the services to pick up the changes.

systemctl enable guacd ; systemctl restart guacd 
systemctl enable tomcat ; systemctl restart tomcat 

Connection profile to be installed on FreeIPA server

This will only work after FreeIPA has been configured with the guacConfigGroup schema for Guacamole connections. As in the FreeIPA article, you can import .ldif files into FreeIPA from the command line. Save the following as win-connection.ldif, adjust the DNs to your domain and the target host to your needs, and make sure the gidNumber is unique. Two of the RDP parameters are deliberate trade-offs: ignore-cert=true means guacd does not validate the RDP server's certificate, so a host on the path between guacd and 10.0.5.90 could impersonate it, and disable-auth=true turns off network level authentication; drop both where the target supports NLA and presents a certificate guacd can validate.

#*********** create connection profile group  ********
dn: cn=guac-wingaming,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: add
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: guacConfigGroup
objectClass: ipaobject
objectClass: ipausergroup
guacConfigProtocol: rdp
guacConfigParameter: ignore-cert=true
guacConfigParameter: disable-auth=true
guacConfigParameter: security=tls
guacConfigParameter: hostname=10.0.5.90
guacConfigParameter: port=3389
guacConfigParameter: recording-path=/etc/guacamole/rec
guacConfigParameter: create-recording-path=true
guacConfigParameter: recording-name=guac-wingaming
cn: guac-wingaming
gidNumber: 1838600118

Also add an ssh profile for a management server that you'll have access to from outside - ssh-mgmt-connection.ldif:

#*********** create connection profile group  ********
dn: cn=guac-ssh-mgmt,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: add
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: guacConfigGroup
objectClass: ipaobject
objectClass: ipausergroup
guacConfigProtocol: ssh
guacConfigParameter: hostname=10.0.5.31
guacConfigParameter: port=22
#guacConfigParameter: recording-path=/etc/guacamole/rec
#guacConfigParameter: create-recording-path=true
#guacConfigParameter: recording-name=guac-ssh-mgmt
cn: guac-ssh-mgmt
gidNumber: 1838600121

Example of a VNC profile for an Ubuntu server (see the notes below if Ubuntu VNC is unstable). The VNC password is stored in clear text in the group entry, so anyone who can read that entry in the directory can recover it; use a dedicated VNC password here, never a user's account password.

#*********** create connection profile group  ********
dn: cn=guac-vnc-ubuntu,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: add
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: guacConfigGroup
objectClass: ipaobject
objectClass: ipausergroup
guacConfigProtocol: vnc
guacConfigParameter: hostname=10.0.5.39
guacConfigParameter: port=5900
guacConfigParameter: password=password-used
guacConfigParameter: recording-path=/etc/guacamole/rec
guacConfigParameter: create-recording-path=true
guacConfigParameter: recording-name=guac-vnc-ubuntu
cn: guac-vnc-ubuntu
gidNumber: 1838600119

Import it after adjusting realm and target machines

ldapadd -x -D "cn=Directory Manager" -W -f win-connection.ldif
ldapadd -x -D "cn=Directory Manager" -W -f ssh-mgmt-connection.ldif
ldapadd -x -D "cn=Directory Manager" -W -f vnc-ubuntu-connection.ldif

Now log on with a user that is a member of all three groups: guacamoleusers, guac-wingaming and guac-ssh-mgmt.

http://guacamole.lan.example.com:8080

Setup Web Application Firewall with Let's Encrypt HTTPS

The main idea with this guacamole setup is to use it for access from the outside.

Ldap modification templates

Update ldap attribute

#replace specific hostname attribute
dn: cn=guac-vnc-ubuntu,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: modify
delete: guacConfigParameter
guacConfigParameter: hostname=10.0.5.31
-
add: guacConfigParameter
# no leading whitespace here: in LDIF an indented line is a continuation of the line above it
guacConfigParameter: hostname=10.0.5.23

Add missing attribute

#Add missing guac password attribute
dn: cn=guac-vnc-ubuntu,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: modify
add: guacConfigParameter
guacConfigParameter: password=pass
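The connection profiles above and the modification templates share two pitfalls: a gidNumber reused across records makes ldapadd fail or, worse, produces overlapping POSIX groups, and an indented attribute line is folded into the line above it by every LDIF parser. The script below, an added example that is not code from the original page or from the Guacamole project, builds records in the page's layout and audits a batch before it is fed to ldapadd: it parses with RFC 2849 folding, reports duplicate gidNumbers across guacConfigGroup entries and flags parameters that deserve a second look (ignore-cert, disable-auth, clear-text password). It assumes the guacConfigGroup schema from the Guacamole LDAP extension and the group base DN used on this page; the sample records at the bottom are constructed for the demo.

```python
"""Build and audit guacConfigGroup LDIF records before importing them.

Added example, not from the original page or the Guacamole project. Assumes
the guacConfigGroup schema of the Guacamole LDAP extension and the FreeIPA
group tree used on the page. The sample records below are constructed.
"""
import re

# Assumption: same group base DN as the profiles on this page.
GROUP_BASE = "cn=groups,cn=accounts,dc=lan,dc=example,dc=com"

# Parameters worth a second look before they land in the directory.
RISKY_PARAMS = {
    "ignore-cert=true": "RDP server certificate is not validated by guacd",
    "disable-auth=true": "RDP network level authentication is switched off",
    "password=": "target password is stored in clear text in the group entry",
}


def connection_ldif(cn, protocol, params, gid):
    """Return one 'changetype: add' record in the layout used on this page."""
    lines = [
        f"dn: cn={cn},{GROUP_BASE}",
        "changetype: add",
        "objectClass: top",
        "objectClass: posixGroup",
        "objectClass: groupOfUniqueNames",
        "objectClass: guacConfigGroup",
        "objectClass: ipaobject",
        "objectClass: ipausergroup",
        f"guacConfigProtocol: {protocol}",
    ]
    lines += [f"guacConfigParameter: {p}" for p in params]
    lines += [f"cn: {cn}", f"gidNumber: {gid}"]
    return "\n".join(lines) + "\n"


def parse_ldif(text):
    """Split LDIF into records (dict attr -> [values]) plus a list of warnings.

    RFC 2849 folding applies: a line starting with a space continues the
    previous line, so an indented 'attr: value' corrupts the line above it
    instead of adding an attribute; such lines are reported.
    """
    records, warnings = [], []
    current, prev_attr = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):
            continue                      # comment line
        if raw.strip() == "":
            if current:
                records.append(current)
            current, prev_attr = {}, None
            continue
        if raw[0] in " \t":
            if prev_attr is not None:
                if re.match(r"\s+[A-Za-z][\w-]*:", raw):
                    warnings.append(f"line {lineno}: indented '{raw.strip()}' "
                                    f"folds into the previous '{prev_attr}' line")
                current[prev_attr][-1] += raw[1:]   # fold, dropping one space
            continue
        if raw == "-":
            prev_attr = None              # separator between modify operations
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        prev_attr = attr
    if current:
        records.append(current)
    return records, warnings


def audit(text):
    """Findings for a batch: parse warnings, duplicate gidNumbers, risky params."""
    records, findings = parse_ldif(text)
    gid_owner = {}
    for rec in records:
        if "guacConfigGroup" not in rec.get("objectClass", []):
            continue
        cn = rec.get("cn", ["?"])[0]
        for gid in rec.get("gidNumber", []):
            if gid in gid_owner:
                findings.append(f"{cn}: gidNumber {gid} already used by {gid_owner[gid]}")
            else:
                gid_owner[gid] = cn
        for param in rec.get("guacConfigParameter", []):
            for prefix, why in RISKY_PARAMS.items():
                if param.startswith(prefix):
                    findings.append(f"{cn}: {param.split('=', 1)[0]}: {why}")
    return findings


# Constructed sample: the page's three profiles, with a gidNumber clash and an
# indented attribute slipped in so the audit has something to report.
SAMPLE = (
    connection_ldif("guac-wingaming", "rdp",
                    ["ignore-cert=true", "disable-auth=true", "security=tls",
                     "hostname=10.0.5.90", "port=3389"], 1838600118) + "\n"
    + connection_ldif("guac-ssh-mgmt", "ssh",
                      ["hostname=10.0.5.31", "port=22"], 1838600121) + "\n"
    + connection_ldif("guac-vnc-ubuntu", "vnc",
                      ["hostname=10.0.5.39", "port=5900", "password=password-used"],
                      1838600118) + "\n"   # clashes with guac-wingaming
    + f"dn: cn=guac-vnc-ubuntu,{GROUP_BASE}\nchangetype: modify\n"
      "add: guacConfigParameter\n    guacConfigParameter: hostname=10.0.5.23\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it over your real .ldif files before ldapadd; an empty result from audit() means the batch has no gid clashes, no folded attribute lines and no clear-text or certificate-bypass parameters.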

Enable WAF:

Log on to Sophos UTM

Webserver Protection -> Certificate Management -> Advanced -> Allow Let's Encrypt certificates and enable.

Wait a minute or two.

Webserver Protection -> Certificate Management -> New Certificate

Select method: Let's Encrypt, interface: WAN and type in the subdomain you'll access guacamole from externally - e.g. guacamole.example.com Note that the lan subdomain is not included.

Wait a minute or two while the cert is issued from Let's Encrypt.

Webserver Protection -> Web Application Firewall -> Virtual Webservers -> New Virtual Webserver...

Name the webserver, select WAN interface, encrypted https, port 443 and the appropriate LE certificate that we just created.

Add a Real Webserver for the root path pointing at the guacamole host definition, plaintext HTTP on port 8080, and save. Tick the checkbox for the real webserver, select no firewall profile and press OK. The hop from the UTM to Tomcat stays unencrypted HTTP, which is why 8080 should only be reachable from the UTM. If the UTM does not pass WebSocket connections through, Guacamole silently falls back to its HTTP tunnel, which works but with higher latency.

Toggle the status to enabled.

CentOS 7.7 issue and workaround

CentOS 7.7 updated FreeRDP to version 2.0, which the RDP plugin of the current Guacamole release cannot work with. This shows up as a yum dependency error. A workaround is to install the old freerdp packages from the 7.6 repos and hold them back. The following instructions are from the comments on the bug tracker: https://issues.apache.org/jira/browse/GUACAMOLE-249

Note that the yum.conf exclusion must be removed as soon as a Guacamole build that works with FreeRDP 2 is available: while it is in place, FreeRDP stays pinned at a 1.0.2 build that receives no security patches, and a guacd update that depends on FreeRDP 2 cannot be installed either.

hatzfF Hatz added a comment - 20/Sep/19 18:01 - edited
@ Gogo: I found this solution:
Uninstall freerdp-devel and freerdp-libs
Activate the old base-repo of 7.6 (in '/etc/yum.repos.d/CentOS-Vault.repo')
Install the 'old' freerdp (yum install freerdp-devel-1.0.2-15.el7)
Deactivate the 7.6 base-repo
Add 'exclude=freerdp*' to /etc/yum.conf.
Afterwards freerdp will not be updated anymore and you can wait until a new version of guacamole including freerdp-2.0-support is ready.

Unstable VNC issue

In Ubuntu 18.04 and 19.04 I am experiencing frequent disconnects (at intervals of anywhere from 10 seconds to 5 minutes) when using Ubuntu's built-in Vino VNC server. Removing vino and replacing it with x11vnc solves this.