DEV Community: Chairat Onyaem (Par) The latest articles on DEV Community by Chairat Onyaem (Par) (@pacroy). https://dev.to/pacroy https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F265891%2F6d275fd1-09cc-41e3-bcf4-bfcd7ff9f3da.jpg DEV Community: Chairat Onyaem (Par) https://dev.to/pacroy en Create Your Own Azure Bastion with Guacamole and Save $100+ a month Chairat Onyaem (Par) Fri, 30 Apr 2021 15:18:40 +0000 https://dev.to/pacroy/create-your-own-azure-bastion-with-guacamole-and-save-100-a-month-3fld https://dev.to/pacroy/create-your-own-azure-bastion-with-guacamole-and-save-100-a-month-3fld <p>Microsoft Azure provides <a href="https://azure.microsoft.com/en-us/services/azure-bastion" rel="noopener noreferrer">Azure Bastion</a> service which is a jump server so you can securely access your virtual machines via its Azure Portal web interface without exposing SSH or RDP port. Here is its architecture:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv15wy165uheqdm4ljb6w.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv15wy165uheqdm4ljb6w.jpg" alt="Azure Bastion Architecture"></a></p> <p>This service is great except <a href="https://azure.microsoft.com/en-us/pricing/details/azure-bastion/" rel="noopener noreferrer">it costs $0.19 per hour</a>. Combining with other components then this may costs you almost $150 a month. Bad news is you can't stop it unless you delete it.</p> <p>This post, I will show you how I create my own jump server on Ubuntu VM to replace Azure Bastion using <a href="https://guacamole.apache.org/" rel="noopener noreferrer">Apache Guacamole</a> which is an open source tool which provide similar functionalities (I wonder that Azure Bastion may be even built on top of it). The VM can be a small one that may costs only a few tens bucks per month.</p> <h1> Apache Guacamole </h1> <p>From <a href="(https://guacamole.apache.org/)">its website</a>, Apache Guacamole is a clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH. Clientless means your clients don't need to install anything but just use a web browser to remotely access your fleet of VMs.</p> <p><iframe src="https://player.vimeo.com/video/116207678" width="710" height="399"> </iframe> </p> <p>The Guacamole comprises of two main components:</p> <ul> <li>Guacamole Server which provides <code>guacd</code> which is like a proxy server for the client to connect to the remote server.</li> <li>Guacamole Client which is a servelet container that user will log in and via web browser.</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftdmwjtttqn8va262s79b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftdmwjtttqn8va262s79b.png" alt="Guacamole Architecture"></a></p> <p>For more information about Guacamole, visit its <a href="https://guacamole.apache.org/doc/gug/guacamole-architecture.html" rel="noopener noreferrer">architecture page</a>.</p> <p>As my disclaimer, installation is not simple as there are several components you need to install and configure before it is <em>good enough</em> to use. There may be simpler ways to deploy e.g. using <a href="https://guacamole.apache.org/doc/gug/guacamole-docker.html" rel="noopener noreferrer">Docker image</a> or using <a href="https://github.com/prabhatsharma/apache-guacamole-helm-chart/blob/master/values.yaml" rel="noopener noreferrer">this Helm chart</a> but I haven't tried them yet. Because of cost is my concern so I'd like to deploy on a small VM that may not run a Kubernetes cluster (and may be I just prefer to learn it in hard way :P).</p> <h1> Network Topology </h1> <p>You use Azure Bastion or a jump server because you want to secure your VMs behind so having the right network design is needed. Here it mine:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ve1uz4kmxg65ox3gikj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ve1uz4kmxg65ox3gikj.png" alt="Network Topology"></a></p> <p>In my virtual network (VNet), I split into two subnets:</p> <ol> <li> <code>snet-gateway</code> where I will deploy Guacamole on a Ubuntu VM which has a public IP so its web interface can be reached from the Internet.</li> <li> <code>snet-default</code> where I will deploy my backend pool of VM and enable remote access via Guacamole only.</li> </ol> <p>For the sake of security, you should configure Network Security Group (NSG) of your <code>snet-gateway</code> to limit inbound and outbound connections to/from Ubuntu VM in the same way as you do for <a href="https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg#apply" rel="noopener noreferrer">AzureBastionSubnet</a>. But in this example, I just associate NSG to the VM directly.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9jmik21jh988vk99jwo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9jmik21jh988vk99jwo.png" alt="NSG Inbound Rules"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgkncp6amdvvjar3ita6q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgkncp6amdvvjar3ita6q.png" alt="NSG Outbound Rules"></a></p> <p>Once you setup your network then create the VMs. In this example, I create the following two VMs:</p> <ol> <li> <code>vm-win10</code> in the <code>snet-default</code> which is the machine I will remote access to.</li> <li> <code>vm-ubuntu1804</code> in the <code>snet-gateway</code> where I will install Guacamole and use it as a jump server. I choose <code>B2s</code> size which cost around $39 per month but, of course, you can change its size later.</li> </ol> <h1> Install Guacamole Server </h1> <p>Once your Ubuntu Server 18.04 is created then log in via SSH. You may need to expose SSH port publicly for now. You can change SSH port to something than 22 to make it more secure. See how to do it in my previous blog.</p> <div class="ltag__link"> <a href="https://pacroy.medium.com/setting-up-your-own-vpn-server-with-just-5-a-month-c934cf073ea1" class="ltag__link__link" rel="noopener noreferrer"> <div class="ltag__link__pic"> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afill%3A88%3A88%2F1%2AsP-A6cCxQ_-Z5QxHUdmdqg.jpeg" alt="Chairat Onyaem (Par)"> </div> </a> <a href="https://pacroy.medium.com/setting-up-your-own-vpn-server-with-just-5-a-month-c934cf073ea1" class="ltag__link__link" rel="noopener noreferrer"> <div class="ltag__link__content"> <h2>Setting Up Your Own VPN Server with just $5 a month | by Chairat Onyaem (Par) | Medium</h2> <h3>Chairat Onyaem (Par) ・ <time>Mar 13, 2021</time> ・ <div class="ltag__link__servicename"> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fmedium-f709f79cf29704f9f4c2a83f950b2964e95007a3e311b77f686915c71574fef2.svg" alt="Medium Logo"> pacroy.Medium </div> </h3> </div> </a> </div> <p>From <a href="https://guacamole.apache.org/doc/gug/installing-guacamole.html" rel="noopener noreferrer">its documentation</a>, there's no executable binary available for Guacamole server and you need to build it from source (unless you deploy from Docker image).</p> <p>First you need to install build tools and all required dependencies for the build process. Missing some of them may result in missing features or build failure.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Update &amp; upgrade system</span> <span class="nb">sudo </span>apt-get update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt-get <span class="nt">--yes</span> upgrade <span class="c"># Install build tools</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">--yes</span> build-essential <span class="c"># Install build dependencies</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">--yes</span> libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin libossp-uuid-dev <span class="c"># Install optional dependencies</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">--yes</span> <span class="se">\</span> libavcodec-dev libavformat-dev libavutil-dev libswscale-dev <span class="se">\</span> freerdp2-dev <span class="se">\</span> libpango1.0-dev <span class="se">\</span> libssh2-1-dev <span class="se">\</span> libtelnet-dev <span class="se">\</span> libvncserver-dev <span class="se">\</span> libwebsockets-dev <span class="se">\</span> libpulse-dev <span class="se">\</span> libssl-dev <span class="se">\</span> libvorbis-dev <span class="se">\</span> libwebp-dev <span class="c"># Install runtime dependencies</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">--yes</span> <span class="nt">--no-install-recommends</span> <span class="se">\</span> netcat-openbsd <span class="se">\</span> ca-certificates <span class="se">\</span> ghostscript <span class="se">\</span> fonts-liberation <span class="se">\</span> fonts-dejavu <span class="se">\</span> xfonts-terminus </code></pre> </div> <p>Next, download source codes and extract.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">export </span><span class="nv">GUAC_VERSION</span><span class="o">=</span><span class="s2">"1.3.0"</span> curl <span class="nt">-fLO</span> <span class="s2">"https://downloads.apache.org/guacamole/</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">/source/guacamole-server-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> <span class="nb">tar</span> <span class="nt">-xzf</span> <span class="s2">"guacamole-server-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> </code></pre> </div> <p>Configure the build and start the build.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">cd</span> <span class="s2">"guacamole-server-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">"</span> ./configure <span class="nt">--with-init-dir</span><span class="o">=</span>/etc/init.d make </code></pre> </div> <p>Once done, install and start the service.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>make <span class="nb">install sudo </span>ldconfig <span class="nb">sudo </span>systemctl daemon-reload <span class="nb">sudo </span>systemctl start guacd <span class="nb">sudo </span>systemctl <span class="nb">enable </span>guacd </code></pre> </div> <p>At this point, the Guacamole server (guacd) service should be up and running. Inspect by executing <code>systemctl status guacd --no-pager</code>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8absf4ibgp8z964tli9w.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8absf4ibgp8z964tli9w.png" alt="Guacamole Server Service Status"></a></p> <h1> Install Guacamole Client </h1> <p>Unlike the server, we don't need to build it (but you can if you want). So we will download the WAR file and install on Tomcat server then expose it through nginx via HTTPS.</p> <h2> Install Tomcat </h2> <p>First, we need Tomcat to run the WAR file. Use this script to install it.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">export </span><span class="nv">TOMCAT_VERSION</span><span class="o">=</span><span class="s2">"8.5.65"</span> <span class="nv">TOMCAT_MAJOR_VERSION</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="k">${</span><span class="nv">TOMCAT_VERSION</span><span class="k">}</span> | <span class="nb">awk</span> <span class="nt">-F</span> <span class="nb">.</span> <span class="s1">'{print $1}'</span><span class="si">)</span> <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">--yes</span> default-jdk <span class="nb">sudo </span>groupadd tomcat <span class="nb">sudo </span>useradd <span class="nt">-s</span> /bin/false <span class="nt">-g</span> tomcat <span class="nt">-d</span> /opt/tomcat tomcat <span class="nb">sudo </span>usermod <span class="nt">-a</span> <span class="nt">-G</span> tomcat <span class="s2">"</span><span class="nv">$USER</span><span class="s2">"</span> curl <span class="nt">-LO</span> <span class="s2">"https://downloads.apache.org/tomcat/tomcat-</span><span class="k">${</span><span class="nv">TOMCAT_MAJOR_VERSION</span><span class="k">}</span><span class="s2">/v</span><span class="k">${</span><span class="nv">TOMCAT_VERSION</span><span class="k">}</span><span class="s2">/bin/apache-tomcat-</span><span class="k">${</span><span class="nv">TOMCAT_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /opt/tomcat <span class="nb">sudo tar</span> <span class="nt">-xzf</span> <span class="s2">"apache-tomcat-</span><span class="k">${</span><span class="nv">TOMCAT_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> <span class="nt">-C</span> /opt/tomcat <span class="nt">--strip-components</span><span class="o">=</span>1 <span class="nb">sudo chgrp</span> <span class="nt">-R</span> tomcat /opt/tomcat <span class="nb">cd</span> /opt/tomcat <span class="nb">sudo chmod</span> <span class="nt">-R</span> g+r conf <span class="nb">sudo chmod </span>g+x conf <span class="nb">sudo chown</span> <span class="nt">-R</span> tomcat webapps/ work/ temp/ logs/ </code></pre> </div> <p>Configure Tomcat and start the service.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">JAVA_ALT_TEXT</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>update-java-alternatives <span class="nt">-l</span> <span class="o">||</span> <span class="nb">true</span><span class="si">)</span><span class="s2">"</span> <span class="nv">JAVA_HOME</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="k">${</span><span class="nv">JAVA_ALT_TEXT</span><span class="k">}</span><span class="s2">"</span> | <span class="nb">awk</span> <span class="s1">'{print $3}'</span><span class="si">)</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"[Unit] Description=Apache Tomcat Web Application Container After=network.target [Service] Type=forking Environment=JAVA_HOME=</span><span class="k">${</span><span class="nv">JAVA_HOME</span><span class="k">}</span><span class="s2"> Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid Environment=CATALINA_HOME=/opt/tomcat Environment=CATALINA_BASE=/opt/tomcat Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC' Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom' ExecStart=/opt/tomcat/bin/startup.sh ExecStop=/opt/tomcat/bin/shutdown.sh User=tomcat Group=tomcat UMask=0007 RestartSec=10 Restart=always [Install] WantedBy=multi-user.target"</span> | <span class="nb">sudo tee</span> /etc/systemd/system/tomcat.service <span class="o">&gt;</span> /dev/null <span class="nb">sudo </span>systemctl daemon-reload <span class="nb">sudo </span>systemctl start tomcat <span class="nb">sudo </span>systemctl <span class="nb">enable </span>tomcat </code></pre> </div> <p>Now the Tomcat service should be up and running. Inspect by executing <code>systemctl status tomcat.service --no-pager</code>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh8c1a8tbd591h0wgbsrt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh8c1a8tbd591h0wgbsrt.png" alt="Tomcat Service Status"></a></p> <h2> Add Guacamole Client Servlet </h2> <p>Download and add the WAR file to the Tomcat.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">-LO</span> <span class="s2">"https://downloads.apache.org/guacamole/</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">/binary/guacamole-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.war"</span> <span class="nb">sudo cp</span> <span class="s2">"guacamole-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.war"</span> <span class="s2">"/opt/tomcat/webapps/ROOT.war"</span> <span class="nb">sudo chown </span>tomcat:tomcat <span class="s2">"/opt/tomcat/webapps/ROOT.war"</span> <span class="nb">sudo rm</span> <span class="nt">-rf</span> /opt/tomcat/webapps/ROOT </code></pre> </div> <p>You may try to access the client at <code>http://&lt;your-server&gt;:8080/</code> by either open or forward the port and you should see the Guacamole's login screen (but you can't login now).</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fokirc2h7agxiq27qaste.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fokirc2h7agxiq27qaste.png" alt="Guacamole Login"></a></p> <p>In case you see Tomcat instead of Guacamole, restart Tomcat using command <code>sudo systemctl restart tomcat</code> and try again.</p> <h2> Install nginx and certbot </h2> <p>We will use <a href="https://www.nginx.com/" rel="noopener noreferrer">nginx</a> as a proxy and <a href="https://certbot.eff.org/" rel="noopener noreferrer">certbot</a> to get a certificate from Let's Encrypt.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">--yes</span> nginx-core <span class="nb">sudo </span>snap <span class="nb">install </span>core<span class="p">;</span> <span class="nb">sudo </span>snap refresh core <span class="nb">sudo </span>snap <span class="nb">install</span> <span class="nt">--classic</span> certbot </code></pre> </div> <p>Configure certbot with a domain and an email address and integrate with nginx.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">export </span><span class="nv">DOMAIN_NAME</span><span class="o">=</span><span class="s2">"&lt;Your VM FQDN&gt;"</span> <span class="nb">export </span><span class="nv">EMAIL</span><span class="o">=</span><span class="s2">"&lt;Your Email Address&gt;"</span> <span class="nb">sudo </span>certbot <span class="nt">--nginx</span> <span class="nt">-d</span> <span class="s2">"</span><span class="k">${</span><span class="nv">DOMAIN_NAME</span><span class="k">}</span><span class="s2">"</span> <span class="nt">-m</span> <span class="s2">"</span><span class="k">${</span><span class="nv">EMAIL</span><span class="k">}</span><span class="s2">"</span> <span class="nt">--agree-tos</span> <span class="nt">-n</span> </code></pre> </div> <p>Edit the file <code>/etc/nginx/sites-enabled/default</code> and replace the following section:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> server_name your.server.fqdn; # managed by Certbot location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } </code></pre> </div> <p>with this one:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> server_name your.server.fqdn; # managed by Certbot location / { proxy_pass http://localhost:8080/; proxy_buffering off; proxy_http_version 1.1; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_cookie_path /guacamole/ /; access_log off; } </code></pre> </div> <p>This will set nginx as a proxy to your servlet. You don't need to configure to redirect HTTP to HTTPS as that is already done by certbot.</p> <p>Test the configuration and restart nginx.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>nginx <span class="nt">-t</span> <span class="nb">sudo </span>systemctl restart nginx </code></pre> </div> <p>Now you should be able to access Guacamole ay <code>https://&lt;your-server&gt;/</code></p> <h2> Configure User and Connections </h2> <p>We will create a user with two connections in the <code>user-mapping.xml</code> file so we can test logging on.</p> <p>Create the file <code>/etc/guacamole/user-mapping.xml</code> an put below content. Create the directory <code>/etc/guacamole</code> first if it does not exist.</p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code> <span class="nt">&lt;user-mapping&gt;</span> <span class="nt">&lt;authorize</span> <span class="na">username=</span><span class="s">"guacadmin"</span> <span class="na">password=</span><span class="s">"guacadmin"</span><span class="nt">&gt;</span> <span class="nt">&lt;connection</span> <span class="na">name=</span><span class="s">"this-server-ssh"</span><span class="nt">&gt;</span> <span class="nt">&lt;protocol&gt;</span>ssh<span class="nt">&lt;/protocol&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"hostname"</span><span class="nt">&gt;</span>localhost<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"port"</span><span class="nt">&gt;</span>22<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;/connection&gt;</span> <span class="nt">&lt;connection</span> <span class="na">name=</span><span class="s">"some-win10-rdp"</span><span class="nt">&gt;</span> <span class="nt">&lt;protocol&gt;</span>rdp<span class="nt">&lt;/protocol&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"hostname"</span><span class="nt">&gt;</span>vm-win10<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"port"</span><span class="nt">&gt;</span>3389<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"username"</span><span class="nt">&gt;</span>username<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"password"</span><span class="nt">&gt;</span>thisisyourpassword<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"ignore-cert"</span><span class="nt">&gt;</span>true<span class="nt">&lt;/param&gt;</span> <span class="nt">&lt;/connection&gt;</span> <span class="nt">&lt;/authorize&gt;</span> <span class="nt">&lt;/user-mapping&gt;</span> </code></pre> </div> <p>The first connection is SSH to local server itself while the second one is RDP to Windows 10 VM. Don't forget to update the username and password.</p> <p>Restart Tomcat and test logging in and making the connections.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>systemctl restart tomcat </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwzthl1qgsbhacb59oc0p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwzthl1qgsbhacb59oc0p.png" alt="Guacamole with Dummy Connections"></a> </p> <p>If everything is configured properly, you should be able to connect to your VMs via either SSH and RDP. However, you cannot change anything on the web GUI the configuration is static in the file <code>user-mapping.xml</code></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fud6bvfeo2qw0ij2dgost.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fud6bvfeo2qw0ij2dgost.png" alt="Guacamole Static Settings"></a> </p> <p>To make it editable via the web GUI, we need to install a database. In this example, I will use MySQL but Guacamole also supports other databases e.g. MariaDB, PostgreSQL. You can check for more information in <a href="https://guacamole.apache.org/doc/gug/jdbc-auth.html" rel="noopener noreferrer">this documentation page</a>.</p> <h1> Install MySQL </h1> <p>Let's install MySQL.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">--yes</span> mysql-server </code></pre> </div> <p>Check MySQL service status by executing <code>systemctl status mysql --no-pager</code>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwhmmn8kqfsr7xx8gn5se.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwhmmn8kqfsr7xx8gn5se.png" alt="MySQL Service Status"></a></p> <p>After install the MySQL, we also need to install the Guacamole extension and library so it knows how to talk to the database.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Download and install JDBC extensions</span> curl <span class="nt">-fLO</span> <span class="s2">"https://downloads.apache.org/guacamole/</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">/binary/guacamole-auth-jdbc-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> <span class="nb">tar</span> <span class="nt">-xzf</span> <span class="s2">"guacamole-auth-jdbc-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /etc/guacamole/extensions <span class="nb">sudo cp</span> <span class="s2">"guacamole-auth-jdbc-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">/mysql/guacamole-auth-jdbc-mysql-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.jar"</span> <span class="s2">"/etc/guacamole/extensions/"</span> <span class="c"># Download and install MySQL Connector/J</span> <span class="nv">CONNECTORJ_VERSION</span><span class="o">=</span><span class="s2">"8.0.24"</span> curl <span class="nt">-fLO</span> <span class="s2">"https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-</span><span class="k">${</span><span class="nv">CONNECTORJ_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> <span class="nb">tar</span> <span class="nt">-xvf</span> <span class="s2">"mysql-connector-java-</span><span class="k">${</span><span class="nv">CONNECTORJ_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /etc/guacamole/lib <span class="nb">sudo cp</span> <span class="s2">"mysql-connector-java-</span><span class="k">${</span><span class="nv">CONNECTORJ_VERSION</span><span class="k">}</span><span class="s2">/mysql-connector-java-</span><span class="k">${</span><span class="nv">CONNECTORJ_VERSION</span><span class="k">}</span><span class="s2">.jar"</span> <span class="s2">"/etc/guacamole/lib/"</span> </code></pre> </div> <h2> Configure Database </h2> <p>Next, we need to create a database and a user. In this example, I will create the database named <code>guacamole_db</code> and the user named <code>guacamole_user</code>. Please note the password must meet complexity criteria.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">MYSQL_PASSWORD</span><span class="o">=</span><span class="s2">"&lt;YourPasswordHere&gt;"</span> <span class="nb">sudo </span>mysql <span class="nt">--execute</span><span class="o">=</span><span class="s1">'CREATE DATABASE guacamole_db;'</span> <span class="nb">sudo </span>mysql <span class="nt">--execute</span><span class="o">=</span><span class="s2">"CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY '</span><span class="k">${</span><span class="nv">MYSQL_PASSWORD</span><span class="k">}</span><span class="s2">';"</span> <span class="nb">sudo </span>mysql <span class="nt">--execute</span><span class="o">=</span><span class="s2">"GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';"</span> <span class="nb">sudo </span>mysql <span class="nt">--execute</span><span class="o">=</span><span class="s1">'FLUSH PRIVILEGES;'</span> </code></pre> </div> <p>Then run the provides scripts to create schema and the Guacamole default user <code>guacadmin</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">cat </span>guacamole-auth-jdbc-1.3.0/mysql/schema/<span class="k">*</span>.sql | <span class="nb">sudo </span>mysql guacamole_db </code></pre> </div> <p>Lastly, you need to configure Guacamole client so it can connect to the database by creating file <code>/etc/guacamole/guacamole.properties</code> and put the following content.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># MySQL properties</span> <span class="na">mysql-hostname</span><span class="pi">:</span> <span class="s">localhost</span> <span class="na">mysql-port</span><span class="pi">:</span> <span class="m">3306</span> <span class="na">mysql-database</span><span class="pi">:</span> <span class="s">guacamole_db</span> <span class="na">mysql-username</span><span class="pi">:</span> <span class="s">guacamole_user</span> <span class="na">mysql-password</span><span class="pi">:</span> <span class="s">&lt;YourPasswordHere&gt;</span> </code></pre> </div> <p>If you configure the <code>user-mapping.xml</code> file before then you may no longer need that so remove it.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo rm</span> <span class="nt">-f</span> /etc/guacamole/user-mapping.xml </code></pre> </div> <p>Restart Tomcat and test logging in again using default username and password i.e. <code>guacadmin</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>systemctl restart tomcat </code></pre> </div> <p>Now, you should be able to make changes in the Settings. It is recommended you create a new user and then remove the <code>guacadmin</code> as soon as possible.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ful497mrr8pedfsel6r6v.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ful497mrr8pedfsel6r6v.png" alt="Guacamole Dynamic Settings"></a></p> <h1> Enable Two-Factor Authentication </h1> <p>If you want you can optionally install TOTP module to enable two-factor authentication to add more security to your VM pool. Just download the extension and restart Tomcat.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Download and install TOTP extension</span> curl <span class="nt">-fLO</span> <span class="s2">"https://downloads.apache.org/guacamole/</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">/binary/guacamole-auth-totp-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> <span class="nb">tar</span> <span class="nt">-xzf</span> <span class="s2">"guacamole-auth-totp-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.tar.gz"</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /etc/guacamole/extensions <span class="nb">sudo cp</span> <span class="s2">"guacamole-auth-totp-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">/guacamole-auth-totp-</span><span class="k">${</span><span class="nv">GUAC_VERSION</span><span class="k">}</span><span class="s2">.jar"</span> <span class="s2">"/etc/guacamole/extensions/"</span> <span class="c"># Restart tomcat</span> <span class="nb">sudo </span>systemctl restart tomcat </code></pre> </div> <p>Now, when you try logging in again, it will ask you to setup an authenticator and require you to input in every time you log in.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fogujgoikwc4m2wwp1m99.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fogujgoikwc4m2wwp1m99.png" alt="Multi-factor Authentication Setup"></a></p> <h1> Scripts </h1> <p>If you don't want to perform all above steps one by one, you may leverage bash scripts I created in this repository.</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/pacroy" rel="noopener noreferrer"> pacroy </a> / <a href="https://github.com/pacroy/guacamole-setup-script" rel="noopener noreferrer"> guacamole-setup-script </a> </h2> <h3> Guacamole Setup Script for Ubuntu Linux Server </h3> </div> </div> <p>Use at your own risk!</p> <p><em>Cover Image by <a href="https://unsplash.com/@footluz?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" rel="noopener noreferrer">Footluz Blog</a> on <a href="https://unsplash.com/s/photos/bastion?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" rel="noopener noreferrer">Unsplash</a></em></p> azure bastion guacamole ubuntu