[HN Gopher] Apache Guacamole
___________________________________________________________________
Apache Guacamole
Author : WallyFunk
Score  : 380 points
Date   : 2021-12-04 17:50 UTC (5 hours ago)
web link: guacamole.apache.org

fzumstein wrote:
I found noVNC easier to use.

rob_c wrote:
Best used in combination with guac imo. Good way of getting past industry firewalls too

CyberShadow wrote:
The video on the main page is amazing. Rare that a product demo video is both entertaining and informative with a high information density!

ww520 wrote:
This is awesome. Sometimes I get lazy and don't want to go to another room to access the computers. This allows for easy remote desktop usage.

djrogers wrote:
Guacamole and tailscale make my life so much easier when I'm away from home. Serving up guac from a machine with tailscale / wireguard means I can get to it without exposing it to the internet, or worrying about a home IP changing.

cowmix wrote:
I personally use Chrome Remote Desktop for this type of access. If you don't mind trusting Google for tunneling, it works great.

arthurcolle wrote:
yeah, Chrome Remote Desktop is a wonderful piece of engineering. Pretty much _just works_ and was trivial to install. Needed it to remote into a physical machine that sometimes would have no internet, so I'd use an old MacBook Pro running Chrome Remote Desktop to "kick off" the VM before figuring out a better way to accomplish this entire process altogether. I am fairly surprised that they haven't made it a paid feature of G Workspaces or whatever it's called now lol

opless wrote:
I've been using it for years, and it just works.

Though every so often you need to reinstall the remote access software

pkukkapalli wrote:
I bought a PopOS Gazelle with an Nvidia GPU so I could play around with ML stuff.
But, looking back on it, it might have been more efficient to just get a GPU instance on AWS or Google Cloud, and just use a remote desktop like this.

Anybody tried that configuration? If so, how has your experience been?

Rexxar wrote:
Has someone already used guacamole to make a publicly available desktop software demo?

rob_c wrote:
Amazing project, used it to host 40 accounts on a server recently to host remote tutorials at a workshop recently :)

jll29 wrote:
That's the kind of scenario that I also have in mind. What server and network did you use to serve 40 clients?

rob_c wrote:
Dual Xeon Gold with 56 cores. Ended up rolling a custom docker image and instance with vnc, all 40 managed by guac... Took some sleepless nights

maximedupre wrote:
That is kind of mind-blowing.

The landing page and the video using Windows XP make it look unappealing though

I'd still use 10/10

mopsi wrote:
> The landing page /-/ makes it look unappealing though

Why, loads too fast?

5e92cb50239222b wrote:
It's not XP. Looks like 7 with the last decent theme that ever came from them.

pjmlp wrote:
Nope, that is definitely XP, past Vista the Windows 2000 like theming was removed.

alphabet9000 wrote:
the windows version in the demo video is windows 7 ultimate

https://i.jollo.org/CaCZBXbc.png

mopsi wrote:
It wasn't. Classic Theme was available on Windows 7 and Windows 8.
https://www.google.com/search?q=windows+7+classic+theme

ldoughty wrote:
We use guacamole as a way to gatekeep access to servers which are explicitly made vulnerable for students to attack.

We give students a Kali Linux box, and a server with dozens of vulnerabilities... and we don't have to worry about those vulnerable targets being otherwise internet accessible.
We've done over 200,000 VMs behind Guacamole over 4 years without incident, despite having machines with the username/password of "student", or being unpatched for 4 years (spinning up old Ubuntu 14 images)

maximedupre wrote:
Wow! Incredible.

moontear wrote:
Setting it up via Docker container is a lot easier than a custom setup.

I really am not a fan of Guacamole. I love the idea and convenience of having everything running in the browser from the client side, but I much prefer a real RDP session (via VPN) to having it in the browser. Why? Keyboard shortcuts! I am soooo much slower because browsers (not guac's fault - but at the same time it is its fault since I would love a native client) can't catch all keys (e.g. Windows key). ALT-TAB? Yeah you just tabbed away from Guac. Or the new fancy WIN-TAB, no way that gets passed on to Guac. Also the file sharing experience is worse. RDP? Just drag and drop or Ctrl-C, Ctrl-V. That doesn't always work in Guac...

reaperducer wrote:
Couldn't Guacamole hijack the keyboard shortcuts?

One of the reasons I hate Wrike is that it hijacks Command-Shift-N (New private window) in Safari.

stjohnswarts wrote:
Yeah I kinda just stick to ssh tunnel+ssh keys+VNC. Old school :)

ldoughty wrote:
Advantage to guacamole is you can have a corporate controlled middle man... You might set your server username to root/root, but that's not a problem if you can only get to it by guacamole.. I mean it's not great, but guacamole can face the world and be the castle to defend, not a dozen or hundred maybe-managed servers...

stult wrote:
IIRC you can install the guac site as a PWA in your browser and sometimes the browser then allows more keyboard events to bubble up from the OS to the javascript layer where guac lives. Doesn't fix everything, but it can help.

punnerud wrote:
The security is probably better if you enable HTTPS than RDP?
When I use RDP it is always over SSH (port tunnel)

stult wrote:
Yes. And many corporate and government networks deny list all traffic on ports other than 80/443, so RDP just is not an option in many cases. VDI over HTTPS also means users don't need a separately installed RDP client and can just access the VDI via their browser.

punnerud wrote:
Can easily enable reverse SSH at home through 443 and 80. Log in with RDP just to enable the reverse-SSH and use that for RDP.

The benefit is that you can access other things than RDP with this solution.

moontear wrote:
That's why I said via VPN, but yes of course it's more secure if you add another layer - I wouldn't say more secure than SSH or VPN.

lunfard000 wrote:
have you tried fullscreen mode? At least on vscode-server some shortcuts only work in that mode (probably using the browser Fullscreen API?)

didibus wrote:
How fast and responsive is it? My current favorite is ThinLinc by Cendio as I've found it the most reliable and performant.

bigmattystyles wrote:
We put an intermediary to them behind sso. Only the intermediary can get to the machine and forward guacamole traffic. Solves the no password / everyone in the company having access to test machines. We have a little script that registers endpoint machines with the intermediary and who can access the machine / when. We even log and do time block. The intermediary does password rotation with vault.

iamkarlson wrote:
I'm really looking forward to having all my working stuff in the cloud. however, it's so annoying sometimes that networking is not suitable yet to work from ANYWHERE.
especially in public places where you can pull a laptop from the bag and start working, with remote it's mostly a challenge

waynesonfire wrote:
Setup wireguard

pjmlp wrote:
Ah the memories of going for a coffee break at the university, as $HOME failed to mount over NFS due to a bad terminator on the campus network.

shepherdjerred wrote:
I've found that having a dedicated WiFi hotspot mostly solves this issue, as long as you're somewhere with decent cell service.

I haven't tried it with desktop streaming, but VS Code remote development is a dream, even with little bandwidth.

iamkarlson wrote:
it doesn't really work well. network coverage differs from place to place. also, whenever you sit in some shitty coworking, their wifi should give you a hard time getting this working

brutal_chaos_ wrote:
My local library has WiFi Hotspots to checkout for free. They are T-Mobile hotspots and Fast.com reports:

35Mbps down (steady)

3Mbps up (decays quickly suggesting shown upload is "boost" / "burst" speeds or possibly throttled heavily in some other manner)

rogereur wrote:
Could this work as an alternative to Mighty?

sudosysgen wrote:
We've been using Guacamole for around 5 years now. It is an absolute godsend, and it makes remote work so much easier. Highly recommend!

jstrieb wrote:
I have used Apache Guacamole to access running GitHub Actions workflows as remote desktops. It worked super well for testing GUI apps on other operating systems that I didn't want to deal with setting up.

It's also nice if you want to run a GUI application in someone else's sandbox.

https://github.com/jstrieb/ctf-collab/blob/9300c57364f71fe29...

Art9681 wrote:
Tried Guacamole and it was ok. For this type of stuff a simple WireGuard VPN is much better. However, if you must serve apps remotely via browser, I find KASM WorkSpaces a superior solution.
a-dub wrote:
how does performance compare with x2go/freenx?

chjohnst wrote:
Used the guac to host 100+ sessions for researchers and devs at my previous company. Performed well and using docker made it a breeze to deploy in the cloud and it also tied into my IPA infrastructure nicely for central authentication. I did not play with the screen recording feature though.

fhd2 wrote:
Love it!

That said:

"We call it clientless because no plugins or client software are required.

Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser."

So... the web browser is the client software. Why not just come out and say that instead of first calling it fairly misleadingly "clientless"?

tjoff wrote:
They do, immediately. I was confused for a second but since the next sentence clarified it I can't see the issue.

robotresearcher wrote:
"You don't need a hammer to bang our nail. Simply use a hammer."

vs.

"You don't need a special hammer to bang our nail. Simply use your existing hammer."

[deleted]

sbysb wrote:
I actually disagree tbh - web browsers are so ubiquitous at this point that I would consider them a core part of the desktop at this point. If I can use just the "core tools" of my OS to access something I would consider that clientless for all intents and purposes

kube-system wrote:
It's hard to believe this was 20+ years ago: https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor....

codezero wrote:
Because every modern device has a modern browser included. I think most people understand this and that might be why you're getting downvoted.

How would a clientless (aka no additional client software to install) version work?

fhd2 wrote:
Well, networking always requires some sort of client software, calling it "clientless" because most systems most likely already have the required software rubbed me the wrong way.
But I think I get it now, it's probably a tongue in cheek reference to "serverless" :P

myownpetard wrote:
I'm with you. I was confused by that term. Why not 'browser based remote desktop'? I've never heard anything happening in a browser called clientless before. In fact it is usually explicitly called a client, e.g. client side rendering.

buybackoff wrote:
Using it mainly because of the paranoia of just exposing RDP to the internet. Http(s) is very convenient to add more layers of security, in my case via NGINX (both as LXC containers in Proxmox). I'm using a wildcard domain *.myhome.tld pointed to my static IP. Guacamole is hosted at try_guess_me.myhome.tld, with NGINX basic auth the same for all subdomains (further protected by fail2ban). So in total 3 tokens are required (subdomain and basic auth username and password) just to get to the Guacamole login page, where an additional username/password + 2FA are required. I used to expose RDP directly for years, but after a chat with a colleague before vacations and a purchase of a NUC for a homelab server I decided to strengthen the security slightly.

RDP is still a much better user experience, so once when I needed a longer session I used Guacamole to access my router admin interface and temporarily expose RDP directly via a random port and a very strong password. I'm still not convinced that the latter combination is not enough, but it's better to be safe than sorry.

xen2xen1 wrote:
There is an IP ban / fail2ban app for windows and RDP, nice extra layer.

ncrmro wrote:
For a lot of my stuff, the devices' domain is only resolvable on my Wireguard's dns and access allowed only from Wireguard's subnet.

buybackoff wrote:
I wanted to avoid VPN both for my main working/dev machine and clients. What if VPN does not go up after hard reboot due to some weird loading order while I'm not logged in (e.g. electricity failure)?
Both that machine and the Guacamole/NGINX host are configured to autostart after powering off. This is the first thing I tested. For clients, I do not want to have VPN on each of them. And what if I need to use a random machine? Multi-layer opaque https endpoint seems safe enough.

ncrmro wrote:
Fair point, I have a pi 4 running pihole and wireguard so it starts up and runs everything on power. Also boot disk is on zfs so it scrubs each week in case of microsd corruption.

The Wireguard in Docker automatically generates new client configs from ENVS.

edoceo wrote:
Oh, I remember this thing, built some shit-hack auth for it like eight years ago. It's an awesome project and super easy to extend.

guerby wrote:
meshcentral is another nice free software for remote desktop and more:

https://github.com/Ylianst/MeshCentral

https://twitter.com/MeshCentral

https://www.youtube.com/channel/UCJWz607A8EVlkilzcrb-GKg

Disclaimer: we installed meshcentral for enabling student access to regular physical desktop machines during COVID19

smbv wrote:
I deployed Guacamole myself (for SSH), but I found SSHWifty[0] a lot easier to use and deploy.

[0] https://github.com/nirui/sshwifty

NovemberWhiskey wrote:
We adopted Guacamole for access to some of our Windows server production environments; the great thing about it is you can put your corporate SSO / authorization model into a web app to control access and not have to disclose credentials to service accounts to developers. You can also tap off a feed from the guacd that represents a complete screen recording and save it for audit trail purposes.

The only issue we've had is that FreeRDP (that underlies it for connectivity to Windows servers) is a bit fussier than the native RDP environment, or at least we've had challenges getting equivalent compatibility across old/odd Windows configurations.
mukundesh wrote:
This is a life saver, have used it on different environments and it always worked...

dmitrygr wrote:
I use guacamole. It is awesome and super convenient. Nice insulation from various protocol bugs too. I don't care what exploitable bugs the RDP server in windows has if I access it only over guac.

BrandiATMuhkuh wrote:
I don't see any windows installation/compilation guide. Do you know about any pre compiled windows executables (client + server)?

dmitrygr wrote:
I run it on my home Linux server (a nook color tablet with an Ubuntu Linux chroot) to access my home windows server remotely.

jacob019 wrote:
next level recycling!

dmitrygr wrote:
It is all due to this. No r-pi or anything like it is ever this stable:

    root@localhost:~# uptime
     22:21:32 up 3139 days, 19:42,  1 user,  load average: 0.00, 0.01, 0.05
    root@localhost:~#

easton wrote:
It's Java and Tomcat, so should work fine on Windows. I'd highly suggest using Linux + Docker in a VM or something though, it'll be a way faster setup (configuring Guacamole manually is a pain in the rear, there are good Docker containers out there that do it for you).

johncena33 wrote:
Do you need a static ip address for it?

FrostKiwi wrote:
DynamicIP + DynDNS works just as fine. Getting DynDNS can be accomplished via many routes.

- Even old routers support at least noip.com and update the IP when it changes

- major DynDNS providers have a custom tool you can install, running in the background sending the current IP every minute or so

- every major registrar has a DNS API, which allows you to send IP updates in a simple CURL command, and putting that command into crontab automates this as well.

dmitrygr wrote:
I use a dyndns thing I host on my VPS

jeroenhd wrote:
On what side?

The server software can run on any address as long as you don't hardcode the listening IP, just like any other web server.
You'd need a way to have the URL point to the right server, of course, so DDNS or similar is a necessity if your server doesn't have a static public IP.

The desktop connections to the machines from Guacamole are tuples of { protocol configuration, hostname/IP, credentials }. If you specify the device Guacamole connects to by its IP and then that IP changes, the connection and configuration will break. You can probably work around that with some kind of dynamic DNS setting, or maybe local name resolution (LLMNR and friends) if the machines are on a flat network.

TL;DR you don't need it, but it helps.

matthewaveryusa wrote:
just use tailscale. seriously it's what you want

shepherdjerred wrote:
You could always use an IPv6 address, or setup something like Tailscale.

jeroenhd wrote:
As silly and astonishing as it is, I've heard from some (mostly American) ISPs that a static IPv6 subnet is either not available for consumers or costs extra.

Yes, that's right, some ISPs rotate IPv6 subnets, negating many things IPv6 was invented for in the first place.

Tailscale, Nebula or any of the automagical VPN solutions you can run yourself (like Innernet, https://github.com/tonarino/innernet) will probably negate the issue as long as you can reach some server with a static IP.

tinus_hn wrote:
Of course, because if you can use it to offer services, it's a 'pro' connection!

TheDudeMan wrote:
That was a heck of a demo. I wonder how many takes that took.

marcodiego wrote:
> once Guacamole is installed on a server, all you need to access your desktops is a web browser.

These days, where basically nobody has a real ip, this is not entirely true. Using tor, you can easily expose a server to the outside world, but the other point must support tor connections. Is there a way to freely expose anything to the outside world without needing special software on the client side?
Ginden wrote:
Even if so, configuring a forwarding-only VPS costs ~3$/month.

djrogers wrote:
If you want to do so securely, use tailscale or wireguard, or any of a number of p2p vpns.

dmitrygr wrote:
DynDns exists

tssva wrote:
> These days, where basically nobody has a real ip, this is not entirely true.

This is a vast exaggeration. Although this is true for many and perhaps a majority (are there any publicly available stats regarding this?), there are still a large number of ISPs which provide real ip addresses and allow incoming connections. My ISP serves several million customers across several US states and provides real ip addresses and allows incoming connections.

xz18r wrote:
Awingu can do this. (https://www.awingu.com)

___________________________________________________________________
(page generated 2021-12-04 23:00 UTC)