Install Guacamole RDP and add OpenID Connect Authentication to it.

  • Published 5 Jun 2024
  • === Links ===
    Show Notes
    wiki.opensourceisawesome.com/...
    Guacamole Docker Project used in this video
    hub.docker.com/r/jwetzell/gua...
    Apache Guacamole Home Page
    guacamole.apache.org/
    Authentik Home Page
    goauthentik.io/
    Get the AwesomeOpenSource Merchandise
    awesomeopensource.creator-spr...
    Support my Channel and ongoing efforts through Patreon:
    / awesomeopensource
    Buy Me a Coffee or Beer
    paypal.me/BrianMcGonagill?cou...
    === Timestamps ===
    00:00 Beginning
    00:09 Introduction
    02:34 Thank you to my Patrons at Patreon, and my subscribers on YouTube
    03:10 Installation
    06:55 Check our Install by IP
    10:55 Create a new Admin user
    12:45 Login with new Admin and delete default admin user
    13:35 Setup an RDP Connection
    18:00 Setup a Reverse Proxy with an FQDN
    22:15 Setup OIDC (OpenID Connect) for Guacamole Access
    30:30 Setup an Admin user with OIDC access
    === Contact ===
    Twitter: @mickintx
    Telegram: @MickInTx
    Mastodon: @MickInTx@fosstodon.org
    Try out SSDNodes VPS Services! Amazing Specs for incredibly low costs. I'm running a 32 GB RAM / $ CPU Server for only $9 a month! Seriously. For long term server usage, this is the way to go!
    www.ssdnodes.com/manage/aff.p...
    Get a $50.00 credit for Digital Ocean by signing up with this link:
    m.do.co/c/a6a61ae55242
    Use Hover as your Domain Name Registrar to get some great control over your domains / sub-domains:
    hover.com/SHPaiirr
    What does the money go to?
    To Pay for Digital Ocean droplets, donations to open source projects I feature, any hardware I may need to purchase for future episodes (which I will then give to a subscriber in a drawing or contest).
  • Science & Technology

COMMENTS • 60

  • @danieldewindt3919 6 months ago +3

    You have an awesome timing, do you know!
    I reached the point where my homelab is taking shape and I was just finding out Auth solutions like Authelia, etc.
    Thanks for shining some light 🕯️ inside of this black box 🎁

  • @KenPryor 6 months ago +5

    I've been using Guacamole for quite a while now and it's great. I had to set up a Cloudflare tunnel first because I'm behind CG NAT. Guacamole sure makes it easy to get into my machines from elsewhere.

    • @bxperts 6 months ago +1

      Having Guacamole with ActiveDirectory authentication and utilizing Cloudflare tunnel and authentication condition with AzureAD has been working great for me.

    • @AwesomeOpenSource 6 months ago

      That's awesome!

  • @jim7smith 6 months ago +1

    Excellent video, Brian...thanks...

  • @mehdighazanfari5871 6 months ago +1

    Very useful, thanks.
    Question: how come there is not an opensource Remote Desktop Services (terminal service) out there?

    • @AwesomeOpenSource 6 months ago

      I mean, there kind of is. Ubuntu has a multi-session setup that can be used, and I think it could be set up on any Linux system really. It's just that most people think of Windows when they think Terminal Services, which is expensive to license of course.

  • @ahmetbarja1584 2 months ago +1

    Hi, thank you for working so hard to keep people interested in open source, which in my humble opinion should be the way to go. I'd also like to ask you if you could do a video on using TOTP with Guacamole.

    • @AwesomeOpenSource 2 months ago

      Do you mean the TOTP plugin stand-alone? You can set up TOTP MFA with Authentik, as I show here.

    • @ahmetbarja1584 2 months ago

      Yes, I mean the stand-alone without Authentik.

  • @nns353 2 months ago +1

    Thank you for providing excellent, easy to follow tutorials, I greatly appreciate it. Might sound like a dumb question, but I noticed you are not using the official image from Guacamole. What happens when JWetzell cannot maintain it anymore, do we have to reinstall everything again? Not sure how this works. Thanks

    • @AwesomeOpenSource 2 months ago

      I have looked at JWetzell's work, it's really solid. I continue to get updates, but it's a risk if he decides to stop maintaining his version. I think the official method is fine, but JWetzell included some nice ways that, for me, were easy to understand on getting things like OIDC working.

    • @nns353 2 months ago +1

      @AwesomeOpenSource Thank you, I trust your advice and installed it successfully. Next step is Authentik.

    • @AwesomeOpenSource 1 month ago

      Awesome!

  • @loganworsham3318 4 months ago +1

    Hi Brian. This video is great but I'm having issues and I'm very much a newbie here. I just did a fresh install of the newest LTS Ubuntu Server. I think I have updated docker and Ubuntu entirely with update commands. I'm on Docker version 20.10.24 and Docker Compose version v2.17.2. I copy, pasted, and triple checked the docker-compose.yml file from your site and saved it. I get the error: "yaml: line 7: could not find expected ':'". Is this due to me having the wrong version of Docker Compose? I did a lot of researching here and couldn't find the solution. I even tried typing out the file manually and deleting it to retry.
    Do you happen to have an idea of the issue here?

    • @AwesomeOpenSource 4 months ago

      No, sometimes there is a hidden character that I can't seem to get rid of. You can usually fix it by just retyping that line, and the few lines above and below it.
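
An added example, not part of the original comments or of the video's project files: one way to locate the kind of hidden character described in this thread instead of retyping lines. The sample compose text and its image name are constructed; pass your own file path as the first argument to scan a real file.

```python
import sys
import unicodedata

# Constructed sample: line 7 has a NO-BREAK SPACE (U+00A0) after the colon,
# which looks like a normal space in an editor but is not one to a YAML parser.
SAMPLE = (
    "services:\n"
    "  guacamole:\n"
    "    image: example/image:latest\n"
    "    ports:\n"
    "      - 8080:8080\n"
    "      - 8443:8443\n"
    "    restart:\u00a0unless-stopped\n"
)


def find_hidden_chars(text):
    """Return (line, column, description) for invisible or look-alike characters."""
    findings = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        line = raw.rstrip("\r")  # tolerate CRLF line endings
        indent_len = len(line) - len(line.lstrip(" \t"))
        for col, ch in enumerate(line, start=1):
            if ch == " ":
                continue
            if ch == "\t":
                if col <= indent_len:  # YAML forbids tabs as indentation
                    findings.append((lineno, col, "TAB in indentation"))
            elif unicodedata.category(ch) in ("Cc", "Cf", "Zs"):
                # control, invisible "format", and non-ASCII space characters
                name = unicodedata.name(ch, f"U+{ord(ch):04X}")
                findings.append((lineno, col, name))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for lineno, col, what in find_hidden_chars(text):
        print(f"line {lineno}, column {col}: {what}")
```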

  • @yourpcmd 6 months ago +2

    You don't use Unifi do you? I can't access anything from outside my network, even though I have my domain name pointed to my IP and have port forwarding set up. If I go to my domain, it goes straight to the Unifi controller, even though I add the port after it, and Nginx can't ever get Let's Encrypt to issue a cert.

    • @SurfSailKayak 6 months ago +2

      Strange one, but definitely fixable. Does it work if you just use your ip:port and no domain name?

    • @yourpcmd 6 months ago +1

      @SurfSailKayak yeah, local works fine.

    • @AwesomeOpenSource 6 months ago

      I don't use Unifi. I use OpenWRT and VLANs to OpenWRT APs. I know with some systems, there's a flag in the UI that will tell the Firewall / Router not to load the GUI for non-local connections.

  • @jim7smith 6 months ago +1

    Question: I have a friend that lives about half a mile from me, and he needs help on his win10 desktop frequently. Can I set up this system on his computer and access from my office?

    • @AwesomeOpenSource 6 months ago

      You could set up Guacamole on his network, and his machine, then access it over https from anywhere technically.

    • @jim7smith 6 months ago

      @AwesomeOpenSource He has no other computers on his network, only his Windows desktop and a television running Hulu. Would I need to add a Linux machine to his network, and use that for Guacamole?

    • @AwesomeOpenSource 6 months ago

      @jim7smith in that case I would try something more like RustDesk. You could use docker on Windows to run Guacamole on his machine.

  • @ducsue751 1 month ago +1

    Hi. Are you able to change the logo and title name in the login page of Guacamole?

    • @AwesomeOpenSource 1 month ago

      I don't know. I've never tried. If you use the Authentik setup that I show here, then you can customize your Authentik page.

  • @empleyfire 6 months ago +1

    What about Rustdesk? It's easy to use and opensource.

    • @AwesomeOpenSource 6 months ago

      I've covered Rustdesk a couple of times. And it's great. It, for me, is a much better Remote Support tool, whereas Guacamole is a remote access tool to machines I have constant access to. Rustdesk can be used in that way with the password saved, but for me Guacamole has an advantage as I can access it from any browser, whereas if I was on someone else's machine who didn't have Rustdesk, I'd have to install it, then set it to my server and key.

  • @ahmetbarja1584 2 months ago +1

    Hi, I decided to follow this video. I installed Authentik and Guacamole; I already had Nginx installed, but I'm having an issue with it: when I type the FQDN of the Guacamole instance it flashes the Authentik login page but goes right into the Guacamole login page. Can you help me pleaseeeee...

    • @AwesomeOpenSource 2 months ago

      Hmmmm. I would have to see your setup to help. I don't know why you might see that, but it shouldn't be taking you back to the guacamole login page unless there's some error happening. Would be good to look at the Guacamole logs, as well as those for Authentik when you try this. I would guess it's on the guacamole side though. If you need more help jump over to discuss.opensourceisawesome.com and post in the #help-me-please channel.

  • @aceito8317 6 months ago +1

    Do a video doing the same for Bookstack

    • @AwesomeOpenSource 6 months ago

      Let me see what I can do. Bookstack wasn't hard, but matching my existing user made me have to make edits in the Bookstack database.

  • @chriskirec4661 6 months ago +1

    Anyone have any idea what terminal app he is using?

  • @alaasamak5229 6 months ago +1

    Tried OpenID Connect for SSO but stuck with the same error, ID token not valid, in the docker compose logs, and stuck in a redirect loop for trying to connect every 5 minutes (300)

    • @AwesomeOpenSource 6 months ago +1

      Sorry man. I did have to use a different browser for Guacamole the first time I logged in, but after restarting FF it worked fine with SSO for me.

    • @alaasamak5229 6 months ago +1

      @AwesomeOpenSource Sorry, my mistake. After reviewing the Guacamole docs: token maximum accepted is 300 minutes; it wasn't the case on Authentik. After update it works fine now. The issue is: is there any way that logging out from the Guacamole session will log out the Authentik SSO session? As Guacamole is clientless, is there any way to pass a logout URL?
      Many thanks for your concern and response

    • @AwesomeOpenSource 5 months ago

      Super glad you got it worked out.
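
An added example, not part of the original comments and not Guacamole's or Authentik's own code: a diagnostic that reads an ID token's `exp` claim and reports whether its lifetime exceeds the 300-minute maximum mentioned in this thread. It assumes the limit applies to how far in the future `exp` lies; the sample token, issuer and audience are constructed, and the signature is deliberately not verified, so this is for troubleshooting only.

```python
import base64
import json
import time

# Assumption: 300 minutes, the maximum the commenter reports from the docs.
MAX_VALIDITY_MIN = 300


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(id_token):
    """Return payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(b64url_decode(parts[1]))


def lifetime_problems(claims, now, max_minutes=MAX_VALIDITY_MIN):
    """List lifetime reasons a relying party with this limit would reject the token."""
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return ["missing or non-numeric 'exp' claim"]
    problems = []
    if exp <= now:
        problems.append("token already expired")
    remaining_min = (exp - now) / 60
    if remaining_min > max_minutes:
        problems.append(
            f"expires {remaining_min:.0f} min from now, limit is {max_minutes} min")
    return problems


def make_sample_token(iat, lifetime_min):
    """Build a constructed, unsigned sample token (hypothetical issuer/audience)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    payload = enc({"iss": "https://idp.example.invalid/", "aud": "guacamole",
                   "iat": iat, "exp": iat + lifetime_min * 60})
    return f"{header}.{payload}.constructed"


if __name__ == "__main__":
    now = int(time.time())
    for minutes in (30, 300, 43200):  # 43200 min = a 30-day token lifetime
        claims = read_claims(make_sample_token(now, minutes))
        print(minutes, lifetime_problems(claims, now) or "ok")
```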

  • @DimonWek 2 months ago +1

    Good afternoon, I did everything the same as in the video. But when I log in, I get a redirect loop. In guacomole-log this error: INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT processing failed. Additional details: [[17] Unable to process JOSE object. What am I doing wrong?

    • @AwesomeOpenSource 2 months ago

      If you're on Firefox, try a different browser. The first time, I got that too, but it's a caching issue in Firefox I think.

    • @DimonWek 2 months ago +1

      @AwesomeOpenSource I've tried IE and Chrome, and Chrome incognito.

    • @AwesomeOpenSource 1 month ago

      Definitely would never use IE for anything these days. Chrome should work, but did the issue ever resolve for you?

  • @renroderick 6 months ago +2

    Does this work with IPv6?

  • @nahakuu 2 months ago +1

    Why I thought Guacamole will allow me to create RDP access to my Linux system when Xorg does not work :{ It seems not so useful.

  • @bryanroth9993 6 months ago +1

    How do you have dark mode on that?

    • @AwesomeOpenSource 6 months ago

      Not sure which item you're referring to, but guessing it's the dark-reader add on in the browser if the application doesn't have a built in dark mode.

    • @bryanroth9993 6 months ago +1

      That's it, thanks.

  • @lewchishelltaya5745 1 month ago +1

    I have yet to find a video that doesn't expect you to already know and understand several other things, like Rancher, Nginx, Portainer, Cloudflare and more. You do a good job explaining what certain things mean, but you breeze right over "I'm just gonna go ahead and copy this file right here." Uhhhh? I've got docker desktop, I've downloaded the official guacd, and the official guacamole, and all three of the suggested SQL databases (I know I only need one). I have yet to find a video that goes through the suggested installation methods. The official documentation is so convoluted and spread out that you have to read all of it several times to start to understand what to do. I can't seem to find a step-by-step guide that makes any sense.

    • @AwesomeOpenSource 1 month ago

      I have a previous video on Guacamole setup without the Authentik part. Maybe it will give you more basics. I also have other videos on the basics of docker, reverse proxy, etc. that are meant to help you get that down first. It's hard to cover all of that in every video as it's very repetitive after 200+ videos.

    • @lewchishelltaya5745 1 month ago

      Thanks, you're doing great. I've just been trying too long to get this working. I'm close though. Sorry for venting.

  • @pepeshopping 6 months ago +1

    NO!
    You do not set up your RDP, or any remote access so ANYBODY, including bad actors, can access it from anywhere!
    You either go for convenience or security. Pick one.

    • @Darkk6969 6 months ago +3

      This one is different as it's using RDP protocol on the backend to access the RDP session so it's never exposed to the internet. Guacamole is the frontend using HTTPS only.
      Plus you can restrict the RDP servers to only accept connections from Guacamole via internal IPs if you're paranoid.

    • @AwesomeOpenSource 6 months ago +1

      100% what @Dank6969 said. This is really the only way I'd ever run RDP over the internet outside of a VPN connection.