Guacamole Package?

Did you try to add this to your guacamole.properties? It doesn’t take much time and maybe it’s the missing property? :slight_smile:

I did yes, no difference.

Hi guacamole lovers,

I gave it a try and it’s really nice to have a web based remote desktop/ssh/vnc with connection manager.

I could install it easily via the script @jackyes suggested here

yum -y install nethserver-mysql java-1.8.0-devel
wget http://sourceforge.net/projects/guacamoleinstallscript/files/CentOS/guacamole-install-script.sh
chmod +x guacamole-install-script.sh
cat ~/.my.cnf
./guacamole-install-script.sh

Scroll up to copy your mariadb root password from the output of “cat ~/.my.cnf” and just paste it:

 Enter the root password for MariaDB: YOURMARIADBPW
 Enter the Guacamole DB name: guacamole
 Enter the Guacamole DB username: guacamole
 Enter the Guacamole DB password: guacamole
 Enter the Java KeyStore password (least 6 characters): guacamole
 Do you wish to Install the Proxy feature (Nginx)?: no

Then you are asked to complete the Java keystore wizard:

What is your first and last name?
  [Unknown]:  Markus
What is the name of your organizational unit?
  [Unknown]:  Users
What is the name of your organization?
  [Unknown]:  NethServer
What is the name of your City or Locality?
  [Unknown]:  Vienna
What is the name of your State or Province?
  [Unknown]:  Vienna
What is the two-letter country code for this unit?
  [Unknown]:  AT
Is CN=Markus, OU=Users, O=NethServer, L=Vienna, ST=Vienna, C=AT correct?
  [no]:  yes

To allow the ports:

config set fw_guacamole service status enabled TCPPorts 8080,8443 access green
signal-event firewall-adjust

Browse to https://YOURNETHSERVER:8443/guacamole/ and login with username and password guacadmin

I could connect to Win Server 2016 via RDP and to Nethserver via SSH. Guacamole rocks!

This explains install from epel but didn’t work for me:

3 Likes

OMG! this is also a killer app!
Great to see this coming to NethServer. Next step: nethserver-guacamole module! WEEHOO… :smiley:

Good to know there is a workable way to install it on NethServer. Thanks for updating us
@stephdl did you try epel rpms yet?

need to check my note, but it misses the user interface IIRC

OMG…did I read this right? Guacamole is coming to Nethserver?

I’ve been working a bit with the developer of a script to install Guacamole - https://sourceforge.net/projects/guacamoleinstallscript/?source=navbar.

He was kind enough to upgrade Guacamole to a newer version. But having the ability to add Guacamole to my Nethserver modules would be a holy grail for us. :slight_smile:

I’ll keep a watch on this thread and find time for testing.

Thanks All!

1 Like

While I look forward to having Guacamole on my Nethserver, here is a comment on how I’m currently including Guacamole in our office.

I’ve installed a Nextcloud app called External sites. I then used the guacamole install script (link above) to install Guacamole on a separate CentOS server. I’m using my Nextcloud as the gateway to get to my Guacamole server. Think of it as a two factor authentication before access to my network. :slight_smile:

External sites is a great app within Nextcloud but currently in Nextcloud 12 I do not have the ability to enable External sites by group. But Nextcloud 13 is going to give me this ability so I’m looking forward to the next version of Nextcloud coming out later this month. We don’t have many people using our Guacamole but it has come in handy on a few occasions. Putting Guacamole behind our Nextcloud install gives me extra peace of mind and I only need to open one firewall rule to my network to my Nextcloud server.

1 Like

I love that trick, your users think that guacamole is on NethServer :slight_smile:
How do you use guacamole? Can you provide us some scenarios?

1 Like

Hello Markus,

I installed guacamole using the way you suggested. That way it installs with a self-signed certificate and everything works well. Thank you very much. Still, I want to enhance 2 things:

  1. I created a bash script to copy the LetsEncrypt certificate to the Java key store, so now I don’t get annoying messages anymore about a self-signed certificate. Is it possible to execute this script automatically after the LetsEncrypt certificate renewal? If yes, can you tell me how?
  2. Guacamole is listening on port 8443 (https://<FQDN>:8443/guacamole/). At work I can only access external websites at port 80 or 443, so I still cannot access my computer at home via guacamole. I tried to solve this via reverse proxy (so when I browse to https://<FQDN>/guacamole/, it is proxied to https://<FQDN>:8443/guacamole/), but this only works within my home network. As I cannot create a VPN tunnel from my work to my home network, this still doesn’t work. Is it possible to use reverse proxy from outside my home network? If yes, can you tell me how?

This is great, I am really interested in your script because it may help with other java key store apps.

/usr/libexec/nethserver/letsencrypt-certs is executed daily via /etc/cron.daily/nethserver-letsencrypt-certs so you may append your script there.

I hope so but I wasn’t able to make it work.

Here is my bash script:

#!/bin/bash

# Host name of the LetsEncrypt certificate; replace the <FQDN> placeholder
FQDN="<FQDN>"

# Convert LetsEncrypt certificate to PKCS12
openssl pkcs12 -export -in "/etc/letsencrypt/live/$FQDN/fullchain.pem" -inkey "/etc/letsencrypt/live/$FQDN/privkey.pem" -out /var/lib/tomcat/webapps/cert.p12 -name guacamole -passout pass:guacamole

# Remove old certificate from Java keystore
keytool -keystore /var/lib/tomcat/webapps/.keystore -delete -alias guacamole -storepass guacamole -noprompt

# Import PKCS12 certificate into Java keystore
keytool -importkeystore -deststorepass guacamole -destkeypass guacamole -destkeystore /var/lib/tomcat/webapps/.keystore -srckeystore /var/lib/tomcat/webapps/cert.p12 -srcstoretype PKCS12 -srcstorepass guacamole -noprompt

# Remove PKCS12 file (it contains the private key)
rm -f /var/lib/tomcat/webapps/cert.p12

# Restart tomcat
systemctl stop tomcat
systemctl start tomcat

2 Likes
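Appending the import script above to /etc/cron.daily/nethserver-letsencrypt-certs, as suggested, would rebuild the keystore and restart Tomcat every day. The wrapper below is an added example, not part of the thread: it runs the import only when fullchain.pem has changed. The function names, the state file and the location of the import script are assumptions, passed in as arguments.

```shell
#!/bin/bash
# Added example (not from the thread): call the keystore import only when the
# Let's Encrypt certificate has changed. All paths are passed in as arguments;
# the state file and the import script location are assumptions.

# Print the SHA-256 of a file (prints nothing if it cannot be read).
cert_digest() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# 0 = changed since last import, 1 = unchanged, 2 = certificate unreadable.
cert_changed() {
    local cert="$1" state="$2" current
    current="$(cert_digest "$cert")"
    [ -n "$current" ] || return 2
    [ -f "$state" ] && [ "$(cat "$state")" = "$current" ] && return 1
    return 0
}

# Run the import command on change; record the digest only if it succeeded,
# so a failed import is retried on the next daily run.
sync_keystore() {
    local cert="$1" state="$2" import="$3" rc=0
    cert_changed "$cert" "$state" || rc=$?
    case "$rc" in
        1) echo "unchanged"; return 0 ;;
        2) echo "no-cert"; return 1 ;;
    esac
    if "$import"; then
        cert_digest "$cert" > "$state"
        echo "imported"
    else
        echo "import-failed"
        return 1
    fi
}

# Usage: this-script CERT STATE_FILE IMPORT_SCRIPT
if [ "$#" -eq 3 ]; then
    sync_keystore "$@"
fi
```

Keep the state file in a directory only root can write to, since it decides whether the import runs.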

Hello Markus,

We are doing things wrong. In the past I programmed apps in NodeJS; those apps were listening on (i.e.) port 3000; then I put Nginx as reverse proxy in front of it; Nginx was handling encryption, and the traffic between Nginx and the app was not encrypted; the app couldn’t be reached from internet directly, only via Nginx.

Here with Guacamole we need to do it the same way, except with Httpd instead of Nginx. So I need to install Guacamole without encryption and Httpd has to proxy the network traffic to the Guacamole port (without encryption). The Guacamole port may only be open for localhost, not for any other network.
On my NethServer I have Apache 2.4.6 running, so according to the Guacamole docs it should be possible to make this work. I will try to configure this on the weekend when there is some time left (probably not so much because of carnival).

1 Like
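A check for the requirement in the post above that the Guacamole port is open for localhost only, as an added example that is not part of the thread. It filters `ss -ltn` output for listeners on ports 8080 and 8443 (the ports opened in the firewall command earlier in the thread) that are not bound to loopback; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): list listeners on the Guacamole/Tomcat
# ports that are reachable from other hosts. Input is `ss -ltn` output on
# stdin; the port numbers to check are the arguments.

exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)          # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (!(port in want)) next
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
            if (host ~ /^\[?::ffff:127\./) next          # IPv4-mapped loopback
            print addr
        }'
}

# Constructed sample in the format of `ss -ltn` (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0      100          127.0.0.1:8080               *:*
LISTEN  0      100                 :::8443              :::*
LISTEN  0      128                  *:443                *:*
LISTEN  0      1      ::ffff:127.0.0.1:8005              :::*
EOF
}

# On a live system: ss -ltn | exposed_listeners 8080 8443
if [ "${1:-}" = "--live" ]; then
    ss -ltn | exposed_listeners 8080 8443
fi
```

Empty output means every listener on the checked ports is bound to loopback, so only the local reverse proxy can reach them.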

There was already a solution for this:

Thanks, seems I missed this one :blush:

Sure @alefattorini,

There are two examples of how we are using Nextcloud and Guacamole in our small office. The majority of our workstations in our office do not have access to the Internet. These workstations are almost like dumb terminals that are used by operators to do their job(s). We have two external vendors who provide remote support for their applications, but because these workstations are blocked by our firewall, the vendors can’t get access to one of them to help visually.

For this use case I’m using Guacamole (through Nextcloud) so our Vendors can log in, and on Guacamole I’ve provided VNC access (viewer only) to each of our workstations. The Vendor is provided a VNC password to use by the operator. The Vendor can now safely get (after logging in essentially three times: once into our Nextcloud, then into Guacamole, and lastly using VNC) into the workstation that needs assistance. I love the fact that in Guacamole each Vendor will only have access to the servers I allow them to view through their Guacamole user Id. As you can see I’m a bit paranoid with people getting in. :slight_smile:

One of our senior staff has a need to work from home when allowed by the owners. For these days this user will login through Nextcloud and then using Guacamole they will be able to access their office workstation using RDP.

So far this is working very well for us.

Thanks!

3 Likes

Great explanation, it looks like a good use case for guacamole

3 Likes

As 2FA is more and more in use,
would it be possible to implement TOTP in this package?
https://guacamole.apache.org/doc/gug/totp-auth.html

Kind Regards
Shodan

1 Like

I’m going to add it in the next update.

For now you may put the jar to /var/lib/guacamole/extensions/ and reapply the configuration with:

signal-event nethserver-guacamole-update

See also:

2 Likes

Works like a charm.
Thanks, and thanks for including it so I do not need to worry about updates ;).

Short remark: at first I had a problem that the enrollment did not start; the reason was that I needed to clear my browser cache.
Regards
Shodan

1 Like