[HN Gopher] Apache Guacamole
___________________________________________________________________
Apache Guacamole
Author : WallyFunk
Score : 380 points
Date : 2021-12-04 17:50 UTC (5 hours ago)
(HTM) web link (guacamole.apache.org)
(TXT) w3m dump (guacamole.apache.org)
| fzumstein wrote:
| I found noVNC easier to use.
| rob_c wrote:
| Best used in combination with guac imo. Good way of getting
| past industry firewalls too
| CyberShadow wrote:
| The video on the main page is amazing. Rare that a product demo
| video is both entertaining and informative with a high
| information density!
| ww520 wrote:
| This is awesome. Sometimes I get lazy and don't want to go to
| another room to access the computers. This allows for easy remote
| desktop usage.
| djrogers wrote:
| Guacamole and tailscale make my life so much easier when I'm away
| from home. Serving up guac from a machine with tailscale / wire
| guard means I can get to it without exposing it to the internet,
| or worrying about a home IP changing.
| cowmix wrote:
| I personally use Chrome Remote Desktop for type of access. If you
| don't mind trusting Google for tunneling, it works great.
| arthurcolle wrote:
| yeah, Chrome Remote Desktop is a wonderful piece of
| engineering. Pretty much _just works_ and was trivial to
| install. Needed it to remote into a physical machine that
| sometimes would have no internet, so I'd use an old MacBook
| Pro running Chrome Remote Desktop to "kick off" the VM before
| figuring out a better way to accomplish this entire process
| altogether. I am fairly surprised that they haven't made it a
| paid feature of G Workspaces or whatever it's called now lol
| opless wrote:
| I've been using it for years, and it just works.
|
| Though every so often you need to reinstall the remote access
| software
| pkukkapalli wrote:
| I bought a PopOS Gazelle with an Nvidia GPU so I could play
| around with ML stuff. But, looking back on it, it might have been
| more efficient to just get a GPU instance on AWS or Google Cloud,
| and just use a remote desktop like this.
|
| Anybody tried that configuration? If so, how has your experience
| been?
| Rexxar wrote:
| Has someone already used guacamole to make a publicly available
| desktop software demo?
| rob_c wrote:
| Amazing project, used it to host 40 accounts on a server recently
| to host remote tutorials at a workshop :)
| jll29 wrote:
| That's the kind of scenario that I also have in mind. What
| server and network did you use to serve 40 clients?
| rob_c wrote:
| Dual Xeon gold with 56 cores. Ended up rolling a custom docker
| image and instance with vnc, all 40 managed by guac... Took
| some sleepless nights
| maximedupre wrote:
| That is kind of mind-blowing.
|
| The landing page and the video using Windows XP make it look
| unappealing though
|
| I'd still use 10/10
| mopsi wrote:
| > The landing page /-/ makes it look unappealing though
|
| Why, loads too fast?
| 5e92cb50239222b wrote:
| It's not XP. Looks like 7 with the last decent theme that
| ever came from them.
| pjmlp wrote:
| Nope, that is definitely XP; past Vista the Windows 2000-like
| theming was removed.
| alphabet9000 wrote:
| the windows version in the demo video is windows 7 ultimate
|
| https://i.jollo.org/CaCZBXbc.png
| mopsi wrote:
| It wasn't. Classic Theme was available on Windows 7 and
| Windows 8.
| https://www.google.com/search?q=windows+7+classic+theme
| ldoughty wrote:
| We use guacamole as a way to gatekeep access to servers which
| are explicitly made vulnerable for students to attack.
|
| We give students a Kali Linux box, and a server with dozens of
| vulnerabilities.. and we don't have to worry about those
| vulnerable targets being otherwise internet accessible. We've
| done over 200,000 VMs behind Guacamole over 4 years without
| incident, despite having machines with the username/password of
| "student", or being unpatched for 4 years (spinning up old
| Ubuntu 14 images)
| maximedupre wrote:
| Wow! Incredible.
| moontear wrote:
| Setting it up via Docker container is a lot easier than a custom
| setup.
|
| I really am not a fan of Guacamole. I love the idea and
| convenience of having everything running in the browser from the
| client side, but I much prefer a real RDP session (via VPN) than
| having it in the browser. Why? Keyboard shortcuts! I am soooo
| much slower because browsers (not guac's fault - but at the same
| time it is its fault since I would love a native client) can't
| catch all keys (e.g. Windows key). ALT-TAB? Yeah you just tabbed
| away from Guac. Or the new fancy WIN-TAB, no way that gets passed
| on to Guac. Also the file sharing experience is worse. RDP? Just
| drag and drop or Ctrl-C, Ctrl-V. That doesn't always work in
| Guac...
| reaperducer wrote:
| Couldn't Guacamole hijack the keyboard shortcuts?
|
| One of the reasons I hate Wrike is that it hijacks Command-
| Shift-N (New private window) in Safari.
| stjohnswarts wrote:
| Yeah I kinda just stick to ssh tunnel+ssh keys+VNC. Old school
| :)
| ldoughty wrote:
| Advantage to guacamole is you can have a corporate controlled
| middle man... You might set your server username to root/root,
| but that's not a problem if you can only get to it by
| guacamole.. I mean it's not great, but guacamole can face the
| world and be the castle to defend, not a dozen or hundred
| maybe-managed servers...
| stult wrote:
| IIRC you can install the guac site as a PWA in your browser and
| sometimes the browser then allows more keyboard events to
| bubble up from the OS to the javascript layer where guac lives.
| Doesn't fix everything, but it can help.
| punnerud wrote:
| The security is probably better if you enable HTTPS than RDP?
|
| When I use RDP it is always over SSH (port tunnel)
| stult wrote:
| Yes. And many corporate and government networks deny list all
| traffic on ports other than 80/443, so RDP just is not an
| option in many cases. VDI over HTTPS also means users don't
| need a separately installed RDP client and can just access
| the VDI via their browser.
| punnerud wrote:
| Can easily enable reverse SSH at home through 443 and 80.
| Log in with RDP just to enable the reverse-SSH and use that
| for RDP.
|
| The benefit is that you can access other things than RDP
| with this solution.
| moontear wrote:
| That's why I said via VPN, but yes of course it's more secure
| if you add another layer - I wouldn't say more secure than
| SSH or VPN.
| lunfard000 wrote:
| have you tried fullscreen mode? At least on vscode-server some
| shortcuts only work on that mode (probably using the browser
| Fullscreen API?)
| didibus wrote:
| How fast and responsive is it? My current favorite is ThinLinc by
| Cendio as I've found it the most reliable and performant.
| bigmattystyles wrote:
| We put an intermediary to them behind sso. Only the intermediary
| can get to the machine and forward guacamole traffic. Solves the
| no password / everyone in the company having access to test
| machines. We have a little script that registers endpoint
| machines with the intermediary and who can access the machine /
| when. We even log and do time block. The intermediary does
| password rotation with vault.
| iamkarlson wrote:
| I'm really looking forward to having all my working stuff in the
| cloud. however, it's so annoying sometimes that networking is not
| suitable yet to work from ANYWHERE. especially in public places
| where you can pull a laptop from the bag and start working, with
| remote it's mostly a challenge
| waynesonfire wrote:
| Setup wireguard
| pjmlp wrote:
| Ah the memories of going for a coffee break at the university,
| as $HOME failed to mount over NFS due to a bad terminator on
| the campus network.
| shepherdjerred wrote:
| I've found that having a dedicated WiFi hotspot mostly solves
| this issue, as long as you're somewhere with decent cell
| service.
|
| I haven't tried it with desktop streaming, but VS Code remote
| development is a dream, even with little bandwidth.
| iamkarlson wrote:
| it doesn't really work well. network coverage differs from
| place to place. also, whenever you sit in some shitty
| coworking, their wifi should give you a hard time getting this
| working
| brutal_chaos_ wrote:
| My local library has WiFi Hotspots to checkout for free. They
| are T-Mobile hotspots and Fast.com reports:
|
| 35Mbps down (steady)
|
| 3Mbps up (decays quickly suggesting shown upload is "boost" /
| "burst" speeds or possibly throttled heavily in some other
| manner)
| rogereur wrote:
| Could this work as an alternative to Mighty?
| sudosysgen wrote:
| We've been using Guacamole for around 5 years now. It is an
| absolute godsend, and it makes remote work so much easier. Highly
| recommend!
| jstrieb wrote:
| I have used Apache Guacamole to access running GitHub Actions
| workflows as remote desktops. It worked super well for testing
| GUI apps on other operating systems that I didn't want to deal
| with setting up.
|
| It's also nice if you want to run a GUI application in someone
| else's sandbox.
|
| https://github.com/jstrieb/ctf-collab/blob/9300c57364f71fe29...
| Art9681 wrote:
| Tried Guacamole and it was ok. For this type of stuff a simple
| WireGuard VPN is much better. However, if you must serve apps
| remotely via browser, I find KASM WorkSpaces a superior solution.
| a-dub wrote:
| how does performance compare with x2go/freenx?
| chjohnst wrote:
| Used the guac to host 100+ sessions for researchers and devs at
| my previous company. Performed well and using docker made it a
| breeze to deploy in the cloud and it also tied into my IPA
| infrastructure nicely for central authentication. I did not play
| with the screen recording feature though.
| fhd2 wrote:
| Love it!
|
| That said:
|
| "We call it clientless because no plugins or client software are
| required.
|
| Thanks to HTML5, once Guacamole is installed on a server, all you
| need to access your desktops is a web browser."
|
| So... the web browser is the client software. Why not just come
| out and say that instead of first calling it fairly misleadingly
| "clientless"?
| tjoff wrote:
| They do, immediately. I was confused for a second but since the
| next sentence clarified it I can't see the issue.
| robotresearcher wrote:
| "You don't need a hammer to bang our nail. Simply use a
| hammer."
|
| vs.
|
| "You don't need a special hammer to bang our nail. Simply use
| your existing hammer."
| [deleted]
| sbysb wrote:
| I actually disagree tbh - web browsers are so ubiquitous at
| this point that I would consider them a core part of the
| desktop at this point. If I can use just the "core tools" of my
| OS to access something I would consider that clientless for all
| intents and purposes
| kube-system wrote:
| It's hard to believe this was 20+ years ago:
| https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor....
| codezero wrote:
| Because every modern device has a modern browser included. I
| think most people understand this and that might be why you're
| getting downvoted.
|
| How would a clientless (aka no additional client software to
| install) solution work?
| fhd2 wrote:
| Well, networking always requires some sort of client
| software, calling it "clientless" because most systems most
| likely already have the required software rubbed me the wrong
| way.
|
| But I think I get it now, it's probably a tongue in cheek
| reference to "serverless" :P
| myownpetard wrote:
| I'm with you. I was confused by that term. Why not 'browser
| based remote desktop'? I've never heard anything happening
| in a browser called clientless before. In fact it is
| usually explicitly called a client, e.g. client side
| rendering.
| buybackoff wrote:
| Using it mainly because of the paranoia of just exposing RDP to
| the internet. Http(s) is very convenient to add more layers of
| security, in my case via NGINX (both as LXC containers in
| Proxmox). I'm using a wildcard domain *.myhome.tld pointed to my
| static IP. Guacamole is hosted at try_guess_me.myhome.tld, with
| NGINX basic auth same for all subdomains (further protected by
| fail2ban). So in total 3 tokens are required (subdomain and basic
| auth username and password) just to get to the Guacamole login
| page, where additional username/password + 2FA are required. I
| used to expose RDP directly for years, but after a chat with a
| colleague before vacations and a purchase of a NUC for a homelab
| server, I decided to strengthen the security slightly.
|
| RDP is still a much better user experience, so once, when I needed
| a longer session, I used Guacamole to access my router admin
| interface and temporarily expose RDP directly via a random port
| and a very strong password. I'm still not convinced that the
| latter combination is not enough, but it's better to be safe than
| sorry.
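An nginx configuration along the lines of the layered setup described above (TLS in front, HTTP basic auth as the outer layer, Guacamole's own login and 2FA behind it), as an added example that is not the commenter's actual config; the hostname, certificate paths, htpasswd file and the Tomcat address are placeholders, and the proxy directives follow the reverse-proxy settings in Guacamole's own documentation.

```nginx
# Added example, not from the original post. Placeholders: guac.example.home,
# the certificate paths, /etc/nginx/htpasswd and the Tomcat address 127.0.0.1:8080.

# Catch-all for any other subdomain under the wildcard: no certificate, no page,
# so the real subdomain does not leak via the default vhost (nginx >= 1.19.4).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 80;
    server_name guac.example.home;
    return 301 https://$host$request_uri;   # never serve the login page over plain HTTP
}

server {
    listen 443 ssl http2;
    server_name guac.example.home;

    ssl_certificate     /etc/letsencrypt/live/example.home/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.home/privkey.pem;    # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Outer layer: basic auth shared by all subdomains. Failed attempts are
    # written to the error log, which is what fail2ban's nginx-http-auth jail reads.
    auth_basic           "restricted";
    auth_basic_user_file /etc/nginx/htpasswd;   # created with: htpasswd -B -c /etc/nginx/htpasswd user
    error_log            /var/log/nginx/guac.error.log;
    access_log           /var/log/nginx/guac.access.log;

    # Inner layer: Guacamole's own login (plus its TOTP extension) behind the proxy.
    location / {
        proxy_pass         http://127.0.0.1:8080/guacamole/;
        proxy_buffering    off;
        proxy_http_version 1.1;                        # needed for the WebSocket tunnel
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection $http_connection;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cookie_path  /guacamole/ /;              # keep the session cookie valid at /
        proxy_set_header   Authorization "";           # do not pass the basic-auth header to Tomcat
    }
}
```

The basic-auth credentials are only ever sent over TLS here, so the outer layer adds a real secret rather than a guessable one, and the failed-login lines in the error log give fail2ban something concrete to act on.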
| xen2xen1 wrote:
| There is an IP ban / fail2ban app for windows and RDP, nice
| extra layer.
| ncrmro wrote:
| For a lot of my stuff, the device's domain is only resolvable on
| my Wireguard's dns and access is allowed only from Wireguard's
| subnet.
| buybackoff wrote:
| I wanted to avoid VPN both for my main working/dev machine
| and clients. What if VPN does not go up after hard reboot due
| to some weird loading order while I'm not logged in (e.g.
| electricity failure)? Both that machine and Guacamole/NGINX
| host are configured to autostart after powering off. This is
| the first thing I tested. For clients, I do not want to have
| VPN on each of them. And what if I need to use a random
| machine? Multi-layer opaque https endpoint seems safe enough.
| ncrmro wrote:
| Fair point, I have a pi 4 running pihole and wireguard so it
| starts up and runs everything on power. Also the boot disk is
| on zfs so it scrubs each week in case of microsd corruption.
|
| The Wireguard in Docker automatically generates new client
| configs from ENVS.
| edoceo wrote:
| Oh, I remember this thing, built some shit-hack auth for it like
| eight years ago. It's an awesome project and super easy to
| extend.
| guerby wrote:
| meshcentral is another nice free software for remote desktop and
| more:
|
| https://github.com/Ylianst/MeshCentral
|
| https://twitter.com/MeshCentral
|
| https://www.youtube.com/channel/UCJWz607A8EVlkilzcrb-GKg
|
| Disclaimer: we installed meshcentral for enabling student access
| to regular physical desktop machines during COVID19
| smbv wrote:
| I deployed Guacamole myself (for SSH), but I found SSHWifty[0] a
| lot easier to use and deploy.
|
| [0] https://github.com/nirui/sshwifty
| NovemberWhiskey wrote:
| We adopted Guacamole for access to some of our Windows server
| production environments; the great thing about it is you can put
| your corporate SSO / authorization model into a web app to
| control access and not have to disclose credentials to service
| accounts to developers. You can also tap off a feed from the
| guacd that represents a complete screen recording and save it for
| audit trail purposes.
|
| The only issue we've had is that FreeRDP (that underlies it for
| connectivity to Window servers) is a bit fussier than the native
| RDP environment, or at least we've had challenges getting
| equivalent compatibility across old/odd Windows configurations.
| mukundesh wrote:
| This is a life saver, have used it on different environments and
| it always worked...
| dmitrygr wrote:
| I use guacamole. It is awesome and super convenient. Nice
| insulation from various protocol bugs too. I don't care what
| exploitable bugs RDP server in windows has if I access it only
| over guac.
| BrandiATMuhkuh wrote:
| I don't see any Windows installation/compilation guide. Do you
| know about any precompiled Windows executables (client +
| server)?
| dmitrygr wrote:
| I run it on my home Linux server (a nook color tablet with an
| Ubuntu Linux chroot) to access my home windows server
| remotely.
| jacob019 wrote:
| next level recycling!
| dmitrygr wrote:
| It is all due to this. No r-pi or anything like it is
| ever this stable:
|
| root@localhost:~# uptime
| 22:21:32 up 3139 days, 19:42, 1 user, load average: 0.00, 0.01, 0.05
| root@localhost:~#
| easton wrote:
| It's Java and Tomcat, so should work fine on Windows. I'd
| highly suggest using Linux + Docker in a VM or something
| though, it'll be a way faster setup (configuring Guacamole
| manually is a pain in the rear, there's good Docker
| containers out there that do it for you).
| johncena33 wrote:
| Do you need a static ip address for it?
| FrostKiwi wrote:
| DynamicIP + DynDNS works just fine. Getting DynDNS can be
| accomplished via many routes.
|
| - Even old routers support at least noip.com and update the
| IP when it changes
|
| - major DynDNS providers have a custom tool you can install,
| running in the background sending the current IP every minute
| or so
|
| - every major registrar has a DNS API, which allows you to
| send IP updates with a simple curl command, and putting that
| command into crontab automates this as well.
| dmitrygr wrote:
| I use a dyndns thing I host on my VPS
| jeroenhd wrote:
| On what side?
|
| The server software can run on any address as long as you
| don't hardcode the listening IP, just like any other web
| server. You'd need a way to have the URL point to the right
| server, of course, so DDNS or similar is a necessity if your
| server doesn't have a static public IP.
|
| The desktop connections to the machines from Guacamole are
| tuples of { protocol configuration, hostname/IP,
| credentials}. If you specify the device Guacamole connects to
| by its IP and then that IP changes, the connection and
| configuration will break. You can probably work around that
| with some kind of dynamic DNS setting, or maybe local name
| resolution (LLMNR and friends) if the machines are on a flat
| network.
|
| TL;DR you don't need it, but it helps.
| matthewaveryusa wrote:
| just use tailscale. seriously it's what you want
| shepherdjerred wrote:
| You could always use an IPv6 address, or set up something like
| Tailscale.
| jeroenhd wrote:
| As silly and astonishing as it is, I've heard from some
| (mostly American) ISPs that a static IPv6 subnet is either
| not available for consumers or costs extra.
|
| Yes, that's right, some ISPs rotate IPv6 subnets, negating
| many things IPv6 was invented for in the first place.
|
| Tailscale, Nebula or any of the automagical VPN solutions
| you can run yourself (like Innernet,
| https://github.com/tonarino/innernet) will probably negate
| the issue as long as you can reach some server with a
| static IP.
| tinus_hn wrote:
| Of course, because if you can use it to offer services,
| it's a 'pro' connection!
| TheDudeMan wrote:
| That was a heck of a demo. I wonder how many takes that took.
| marcodiego wrote:
| > once Guacamole is installed on a server, all you need to access
| your desktops is a web browser.
|
| These days, where basically nobody has a real ip, this is not
| entirely true. Using tor, you can easily expose a server to the
| outside world, but the other end must support tor connections. Is
| there a way to freely expose anything to the outside world
| without needing special software on the client side?
| Ginden wrote:
| Even if so, configuring a forwarding-only VPS costs ~$3/month.
| djrogers wrote:
| If you want to do so securely, use tailscale or wireguard, or
| any of a number of p2p vpns.
| dmitrygr wrote:
| DynDns exists
| tssva wrote:
| > These days, where basically nobody has a real ip, this is not
| entirely true.
|
| This is a vast exaggeration. Although this is true for many and
| perhaps a majority (are there any publicly available stats
| regarding this?), there are still a large number of ISPs which
| provide real ip addresses and allow incoming connections. My
| ISP serves several million customers across several US states
| and provides real ip addresses and allows incoming connections.
| xz18r wrote:
| Awingu can do this. (https://www.awingu.com)
___________________________________________________________________
(page generated 2021-12-04 23:00 UTC)