Open source remote control - Apache Guacamole

Got a tip from another user in here that might let me get something to let our students work from home. The tip was Apache Guacamole https://guacamole.apache.org/ . I just installed this on a test box at home before I go into work and put an old server back together and try installing there. I used CentOS 7.7 simply because I’m more comfortable with CentOS and I found a recent video and web page that walked me through it https://www.byteprotips.com/?p=2391 .

Got as far as logging into the user interface and probably stopping for the night.

So what’s with this thread? Might help someone else find it. Also I’m certain that I’m going to have some issues going forward and thought I might start a thread where I can drop those questions.

Those of you that are fluent in Docker, there is a Docker image out there.

Lots of reading to do now on the settings for connections. First issue at hand, changing the web connection port. Second will be using https to secure the connection a little.

While I think it is an interesting project and I do like that it is clientless, I still like X2GO a bit better for it’s simplicity.

We are going to have students working with Chromebooks and tablets as well as more capable desktop operating systems, so I think the clientless part might be big. I did go back and watch your video on X2GO again and noted that you said it can be used through a web server, but it is a pain to set up. How painful is it?

And over the connection that most people have, and even what I can supply, I think performance is going to be far less than my faculty are thinking. I’m sure they expect to edit video and audio as fluidly as if they were sitting at the computer… And we still have the problem that students are going to need to upload 2GB+ for any given video project from their probably 6mbps upload home connection. I’m probably doing a large amount of work for relatively little use, there are only a couple of applications where this will probably work OK.

I have not tried setting it up for web hosted version.

Well, I got the old twice recycled server back in the rack with a basic CentOS 7.7 installed and a remote connection open. I’ll have to finish from home now.

If anyone knows some good tutorials on reverse proxy setup, I think I’m going to need the help. Need to read through the Guac documents again.

OK, got the real server set up today and buggered around with it for quite a long time trying to figure out what was going wrong. I have RDP enabled through a group policy, but there are a lot of things set to “not configured” And there are two things I need to change and not finding them right away. I’ve always just used the Windows RDP client and everything has been good. So now asking for help here.

Now I also tested Guac with the XRDP that I installed on the CentOS server that hosts Guac, that worked without issue just like it was supposed to work, so I knew parts of the Guac install were functioning correctly. That’s when I hit up the mighty google for an answer. I found that there was a registry change needed to make this work https://mangolassi.it/topic/17846/make-windows-10-server-2016-rdp-work-with-guacamole/2

Made the change to one of my workstations and Guac now connects. Does anyone have any idea what those registry values correlate to in Group Policy? I know it is in the computer administrator templates area:

computer–> admin templates --> windows components --> Remote Desktop Services --> remote Desktop Session Host

After that, many choices of things and Group Policy is an art in itself. Any help would be appreciated as it will save me from having to push out the .reg file or going to each machine and “installing” the .reg file to make the above changes.

Hi, first off a couple of quick disclaimers; I’ve never used Guacamole, but I do know Group Policy and you are reducing your security by making these changes.

I believe the settings you are looking for are;

SecurityLayer = Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> Require use of specific security layer for remote (RDP) connections, set that to enabled and ‘RDP’

UserAuthentication = Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> Require user authentication for remote connections by using Network Level Authentication, set that to disabled

As mentioned in the disclaimer you are reducing your security by enabling this, it would be worth investigating enabling NLA in Guacamole, a quick google would indicate it is possible.

I believe you are correct that I’m compromising security. Guac is supposed to allow NLA, but it doesn’t seem to be passing the username info in the way my hosts need. I’m going to have to dig into this. It’s some systemic on my domain that I’ll need to fix.

Thanks for the tips, I’ll put them in place and see if that makes things work.

That worked after the systems started taking the new policy. It didn’t change the registry but now Guac is connecting.

Next problem is no audio, it seems to have built without the guacsnd-client.so module so I’m searching for the solution now. All the Pulseaudio stuff is installed and running on the server, so that’s not the issue.

Glad it’s at least helped you make some progress.

Sticking with this I found where the problem starts, still figuring out how I’m going to fix it.

Let me first say that when I installed this, I used the shortcut of using their pre-built .war file. Now I find that this is part of the problem:

The client files lack the rdp sound scripts, so the pre-made .war is also lacking them. The older version has some of the files easily found, but I’m not done checking how many things need to be copied from old to new, and then I’d need to “make” the new .war file (I guess). Getting out of the known areas for me, I guess I’m going to learn along the way.

Thankfully I still have my sacrificial test system at home, I can mess it up and burn it to the ground and start again as many times as needed. Also thankfully nothing is really “in service” yet, still a long way to go before I let this be accessed from the internet.

I did post my findings on the Guac mail list, not sure if anything will come from it. Also not sure why they are still using a mail list, what an annoying way to do this, set up a forum and go, so many good free ones that could be put on their website for no additional cost.

After a bit of time looking through the make files, I found they they just moved the audio files to a different area and that they were indeed done. Went back to the configuration for each connection and decided to uncheck “audio in console” and now it works. Performance is probably a lot lesser than desired, not going to be editing videos across this connections. And oddly enough several applications won’t even let me open them through RDP. Need to look into that.

So, I just found out about Guacamole and plan on using it for remote access without VPN being required. I found a bitnami image already built but I need to learn how to support this without a pre-built iso or vm image. I am supersized this hasn’t been covered on the channel especially with everyone going remote. xcp-ng/ova/guacamole is a crazy powerful platform for remote workers.

I would skip the bitnami image unless you are set up to handle it. Just install CentOS 7.7 and follow the directions in the link above. Lots of other directions for a Debian based install as well.

I am finding that the server processor is hitting 100 percent when trying to play video from only a single client session. Thus is from the video encoding needed to get this onto a web stream. Going to go up and see exactly which pieces of old stuff I have that might be faster to try again.

An FYI followup for this…

Changed from 5110 processors (2 cores each) to e5310 processors (4 cores each) and not really any change. FFMPEG seems to only use a single core at a time when it is encoding the RDP video to put it out over the html server. I see a single core running at 100%, after a small amount of time it will switch to another core.

The best I can do with this server is x54xx processors which are still only 4 cores each and no hyper threading, just a faster clock speed. This is built on a SuperMicro X7DB3 board from 2007.

I have an old H8 dual processor board that was in service for a slightly shorter time period, but it was having some issues which is why it didn’t get turned into a FreeNAS system. I’ll have to try and sort out those issues and see if I can force it back into service since it might be a little faster, or at least I could buy a pair of processors that should be faster.

Other thing I asked on the mailing list is if Guac can work with a video card to leverage some of the encoding duties, not sure if that is possible but I could stuff an nVidia card into the existing server if it will try to use it.

For text based stuff, Guac seems to be working fine, but for video forget it it unless you have a more powerful server to use.

And all that said, I still don’t have this open to the internet, waiting for the campus IT department to decide if they will forward a couple more ports to my firewall. If not I may need do some underhanded trickery like maybe a reverse proxy to combine some of the other destinations into one port connection. or I’ll just tell my department that it can’t even be tested because they won’t allow access… Less work for me.

So for now I go in through my VPN, then hit the web service to test and video performance is poor. If I RDP directly to that same host, video performance is good enough that they should be able to edit video projects. That leads me to believe that Guac and FFMPEG on this server are the issues.

Pulling this back up as a running log of sorts…

I’ve been testing this a little bit from the “open web” by shuffling some services around, video performance is still pretty yuck. But with Media Composer in it’s normal windowed version, the video is OK, maybe 15fps which normally would suck, but decent enough if they are doing basic things, and if they are just doing a rough cut before coming in to finish the project.

I did find one application that keeps kicking the connection, Sony Catalyst Browse. We use this to screen the clips from our cameras (XDCam EX files). When playing the video clips in Browse it keeps kicking me. Pretty sure it is because it is sending too much data and spiking the processor.

I did run into an issue, and this was a Windows issue. Admins could RDP with no issues, users could not. After setting and checking the “normal” things in domain group policies and domain level user groups for RDP, it comes down to the local policy that needs to be changed. Your “domain users” must be in this local policy. Thankfully run can force this policy from the domain GPO.

Now all I need is more horsepower! After research, there is NO hardware acceleration at this time, so I think I really need a much bigger/faster server to serve up the desktops. Like to put in a 20 core 40 thread server, but I know that’s going to be an issue. I’m guessing that with my current 8 core machine (from 2008) that I’ll be able to serve up 7 or maybe 8 connections editing video. Going to have to beat on it and see where it will go. Good proof of concept but I’m fighting an uphill battle to scale it and getting push back in a couple of places with wait and see attitudes. I’m certain we will be sent home if we are even allowed to start in person classes. And if they are in person, they are going to be limited size and possible “hybrid” which means a lot of “from home” stuff still required.

Looks like this is the end of this project for me, it seems that the college’s IT department has decided that this isn’t going to be possible.

I did load test this and I got 6 clients connected and all playing back Youtube videos, the seventh kicked one of the others off and the fps slowed down as the server processor cores all went above 80 percent. Just something to keep in mind if you are building one of these, throw a decent number of processor cores at it, at least one per user and a couple more for the system. I still think 20 cores with 40 threads might have been a good place for us and would have worked.

BTW, Guacamole is used by the NASA Center for Climate Simulation for remote researchers, here’s the instructions:

https://www.nccs.nasa.gov/nccs-users/instructional/guacamole

That would suggest that it is reasonably useful and can be made secure.

1 Like

Pushing this back to the top.

It was brought to my attention that there was a big bug in this software that could allow remote code execution. This has been patched in version 1.2, and this bug went back many (maybe all) previous versions so if you are using it, you need to patch things. Apache Guacamole™: Security Reports

I did a bigger load test on the local network some time ago and got some decently solid metrics. Summary is that you need 1 core (or thread for hyper threaded processors) per connection when playing video (my worst case), ram was not really an issue. Network could become an issue, 11 remote workers, all playing video, consumed between 400 and 500mbps on the workstation to server side, the “internet” facing side was up around another 100-120mbps. So dealing with a single gigabit connection to the server starts to become a bottle neck when you get up into 20+ connections. I’d suggest a 10gbe connection to the server. I saw that you need roughly 6-10mbps per connection for your internet bandwidth, again this is worst case where each remote is playing video (constant screen changes). If doing something that is mostly text based, things are significantly different. And even editing video with Media Composer was on the lower end because the video windows are smaller, and things are not constantly changing unless you are playing the timeline out (again smaller window for playback).

Note that this is in megabytes, multiply by 8. Sorry about all the red, I couldn’t b bothered to change colors on the other threads. That was one of my XCP-NG computers that I forced into service for a day, dual 6 cores and 72GB of ram, I think they are x5660 processors from a long time ago, don’t have newer to try and see what kind of performance increase might happen with newer hardware. The remote sessions did work better than the last time I tried a local test, so there may be gains from using the latest processors and extra cores are needed because things jump around a lot, every core hit 100% at one time or another during the 2 hour test. Yes a few of Youtubers got some add revenue from me that day.

I did talk to another person in a college not too far away and he tried Guac as a VM, and then switched to 3 bare metal servers after that testing. I think it’s up to the core/thread count needed for this. He was just going to build a web landing page to direct his students to the correct lab room connection. He said mostly for ArcGIS classes where they need powerful computers that students can’t really afford. Neither of us work at ivy league schools where an extra $2000+ is nothing but drinking money.