Guacamole Package?

@stephdl is very good at that :slight_smile:

Not yet but we are going to play with docker sooner or later.

Well, to be honest, most of the time I retrieve an rpm from epel; maintaining an rpm directly could be a full-time job. However, we could take a look and find a way to build it. For guacamole I believe we can start from a spec file of an older rpm and look at what happens; otherwise we could start with a spec file from another rpm-based distro.

Perhaps this will help
https://build.opensuse.org/package/view_file/home:ecsos:server/guacamole-server/guacamole-server.spec

0.9.11

Provides TFA with DUO and improvement to double authentication backend

If installed from source, I think the 0.9.10 howto should work just fine by just replacing files with the ones found here and editing the guacamole.properties

To update from 0.9.10 the following worked

cd /opt/

tar -xzf guacamole-server-0.9.11-incubating.tar.gz

mv guacamole-server-0.9.11-incubating guacamole-0.9.11

rm guacamole-server-0.9.11-incubating.tar.gz

cd guacamole-0.9.11

./configure --with-init-dir=/etc/init.d

make

make install

ldconfig

mv /opt/guacamole-0.9.11-incubating.war /var/lib/guacamole/guacamole.war

rm -rf /var/lib/tomcat/webapps/guacamole.war && ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/

rm -rf /usr/lib64/freerdp/guacdr.so && ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/

mkdir ~/guacamole && cd ~/guacamole

mv /opt/guacamole-auth-jdbc-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-jdbc-0.9.11-incubating.tar.gz

tar -zxf guacamole-auth-jdbc-0.9.11-incubating.tar.gz

mv /opt/guacamole-auth-ldap-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-ldap-0.9.11-incubating.tar.gz

tar -zxvf guacamole-auth-ldap-0.9.11-incubating.tar.gz

mv guacamole-auth-jdbc-0.9.11-incubating/mysql/guacamole-auth-jdbc-mysql-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-jdbc-mysql.jar

mv guacamole-auth-ldap-0.9.11-incubating/guacamole-auth-ldap-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-ldap.jar

cat guacamole-auth-jdbc-0.9.11-incubating/mysql/schema/upgrade/upgrade-pre-0.9.11.sql | mysql -u root -p guacdb

#Allow logins from existing users only
This will prevent users who do not exist in MySQL from even attempting to log in, instead of giving them an empty guacamole screen with no connections. The “login disabled” option in users settings is no longer needed.

vi /etc/guacamole/guacamole.properties

Add > mysql-user-required: true

#Cleanup

cd ~ && rm -rf guacamole*

systemctl daemon-reload

systemctl restart guacd.service

systemctl restart tomcat.service

The DUO TFA seems really neat, it’s really interesting as it allows for a stronger security when exposing internal machines to the internet, users have to authenticate to guacamole with both LDAP and TFA, if either fail, access is denied

If the user has not set it up yet, there’s a wizard with QR codes to set it up

It also supports U2F devices, has anyone tried these USB and can offer advice on which to try?

4 Likes
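A check that could be run after the upgrade steps in the post above, to confirm that `mysql-user-required: true` is the value actually in effect in `guacamole.properties` (added example, not part of the original post). The function names and the use of `mysql-hostname` to detect a configured MySQL backend are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): audit guacamole.properties after the upgrade.

# prop_value FILE KEY: print the effective value of KEY. Comments (# or !) are
# skipped, "key: value" and "key=value" are accepted, and the last assignment
# wins, as in Java .properties files.
prop_value() {
    awk -v key="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^[#!]/) next
            k = line
            sub(/[ \t:=].*$/, "", k)            # key ends at first separator
            v = substr(line, length(k) + 1)
            sub(/^[ \t]*[:=]?[ \t]*/, "", v)    # drop the separator itself
            sub(/[ \t\r]+$/, "", v)             # drop trailing blanks / CR
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_guac_props FILE: print findings; return 0 only if nothing is flagged.
audit_guac_props() {
    f=$1
    rc=0
    # Assumption: the MySQL (JDBC) backend counts as configured when
    # mysql-hostname is set, as in the setup this thread describes.
    if [ -n "$(prop_value "$f" mysql-hostname)" ]; then
        req=$(prop_value "$f" mysql-user-required | tr '[:upper:]' '[:lower:]')
        if [ "$req" != "true" ]; then
            echo "FAIL: mysql-user-required is '${req:-unset}'; users without a MySQL account can still log in"
            rc=1
        fi
    fi
    # The file holds mysql-password, so it should not be world-readable.
    if [ -n "$(find "$f" -prune -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $f is world-readable"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Usage on the host from the post:
#   audit_guac_props /etc/guacamole/guacamole.properties
```

A commented-out `#mysql-user-required: true` line, or a later duplicate that sets it back to `false`, is reported as a failure.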

Hi Team,

I’ve seen mention of a great app called Guacamole. The official blurb from their website says this:

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
We call it clientless because no plugins or client software are required.
Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.

I’ve installed Guacamole a few years back to try it out and I thought it was pretty amazing. But I’m sure others are looking at it and wondering how it can be useful and why would anyone want to add it. I thought I would share my plans for our office’s use case for it.

We are an assay lab business so we use special machines at each workstation to help us do our daily work. The machines have a physical/hardware component and run using software. Rarely does the hardware fail so if there are issues it’s usually with the setup in the software.

All of our workstations that run the software for these machines are locked down from Internet access at our gateway. They are almost like dumb terminals in that they are always running and logged in with a generic account so an operator can go to any workstation and use it. This is a really quick overview of our operation so I’m skipping a lot of detail but you get the idea of our setup now.

All our workstations have VNC Server installed on them so I can remote into the office via VPN to assist. There is no access to any of these workstations from outside unless I’ve granted VPN access.

Our vendors do provide remote support via Internet but with all workstations locked down they cannot automatically remote in and assist when an operator requires help. I have provided VPN access to our vendor (and only allowed them access to the workstations they need to get to) but then our vendor needs to have a list of IPs for each workstation. It works but is kind of messy.

This is where I see Guacamole can help. Serving up a webpage and creating a user account for our vendor I can display the workstations they can have access to. They can use VNC to look over our operator’s shoulder and assist. I still prefer to use VPN access as I don’t want to leave the Guacamole page opened for hackers to try and break in. But for a short period of time I suppose I could expose the Guacamole webpage to the Net for the duration of the vendor that provides support. It’s always best to be careful so VPN is very important to me and our office. :slight_smile:

If others have a use case for Guacamole they would like to share I’d like to hear it!

Thanks.

I have just added your post here, I think that it’s the right place.
Thanks for your thoughts, I think that Guacamole is a GREAT package; sadly it’s not so straightforward installing it as rpm, as you can see above.

1 Like

Thanks @alefattorini for putting my post in the right location.

I’m still getting my head around requirements with regards to adding new modules. Is there a document or would someone be able to list for me what is needed from an App before it would be considered for nethserver? It sounds like an .rpm file is a must. Anything else you look for?

Thank you.

I’ve found .rpm for guacamole-common for Fedora. Would this be of any help for someone with the knowledge to build off of for Guacamole on NS?

You have a guacamole rpm in epel for centos7; it could be a good starting point also.

I was trying to find a solution for people to access RDP sessions with zero config and no installation files.
First I solved it by implementing sslexplorer, until I found out about Guacamole.

I would like to share my experience about that,
Compiling it over Centos or Ubuntu is not an issue at all, no need for Docker as there are some posts advising to do so.
The trick about guacamole is that, best to be integrated into Nextcloud rather than being exposed to the public internet.

What I did: downloaded and compiled the guacamole from source.
Then inside nextcloud I pointed to it with external site link (however I used its private ip address)
So now the guacamole and its ports 8080 and 443 are not exposed to the outside world hence no one can access it directly.

The only problem I have is solving the issue of the certificate pointing to a private IP.

1 Like

How does external site work when accessing nextcloud from outside using its FQDN? Does it just embed guacamole’s page inside nextcloud (meaning that page has to be directly reachable from the user, i.e. you still have to open tomcat port 8080 to the outside world to make it work) or does it work like a reverse proxy?

Also check this out, next release will add an http authentication header module which could be helpful when giving a user access to its desktops when that user has already been authenticated by a different service (nextcloud, authenticated reverse proxy, etc…)

@edi

Guacamole is working fine however there is a need to port forward 443
There is a way to avoid exposing the guacamole server to the public net.

I am launching a community request to develop 2 simple apps for nextcloud
one for freepbx webrtc and one for the guacamole.
@alefattorini could you please create a thread for that request ?

1 Like

I agree @ghost, guacamole really needs to be added to nethserver…where did your community request to develop your two apps go? I don’t see a continuation of this thread. I hope it’s not dead. :slight_smile:

@alefattorini, that bounty that you created…I’m guessing it’s still open? I’m not a developer so sadly I can’t create the package nethserver needs…but I’m more than willing to help with testing.

How close are we to having guacamole integrated into nethserver…or is it best to just use the excellent instructions from this thread (thanks @edi and @Adam!).

1 Like

@greavette I hear you well.
Unfortunately my request did not get the @alefattorini attention.
I am not a developer either, however I am willing to contribute!
Just upgraded to 0.9.12 ( credits to Chase Wright https://www.chasewright.com/guacamole-upgrade/ ) and looks even nicer very bright resolution with RDP. It will be a pity to let this nice jewellery out of Nethserver.
Back to you @alefattorini

1 Like

I’ll pull an @alefattorini and say…

C’mon team…let’s get this implemented into Nethserver!

But seriously…how close are we to having this module installed? From what I read there is an older version of the rpm from epel available? What if Nethserver added that older version to the Software Center and provided command line instructions on how to update it? At least that will allow people to use/try out Guacamole until such time Nethserver team decides if they want to create/maintain a more recent rpm version? Just a suggestion…

@greavette @alefattorini
2 Threads created

1 Like

I’ve been using Guacamole for a while now and I like this package. At my secondary school (where I work as system/network administrator) I use it to get some “working from home” environment. The only thing the employees must have is an html5 browser.
Now I’m working on a project with Guacamole. I want to create a solution for people whose PC has crashed and who have to get back to work really soon. They can boot with PXE into a Linux environment that starts Chromium with a connection to a Guacamole server. Because it all runs from memory and not from the hard disk, you can push an image to that hard disk. (video: https://www.youtube.com/watch?v=pPbTfJk0GmQ)
So I think Guacamole is a very good product and I think it’s really good to add it to nethserver.

3 Likes

Hi @FMFREAK,
Great to see you here in our forums. We can surely use your experience with Guacamole and make it an integrated module for NethServer.
Can you tell us a bit more about the technical details how you managed to get things done on your project?

1 Like

Hello,

I am not a developer hence I wish to call for developers in this community to help me out creating a module that can be integrated into nextcloud.

Below are a few examples that already achieve what I am looking for:

  1. Rainloop email module
  2. XMPP module
  3. Spreed.me

These modules call internal IP addresses without the need to forward ports on the main firewall;
they use an nginx proxy.

Our desired module is necessary in order to eliminate the need to type username and password.
No need to make it so complex and link it to the LDAP, you just look at rainloop how it functions and implement the same for the Guacamole Nextcloud module.

This is very practical module for tech support , for teleworkers and is an integral part of the collaboration suite.
Currently it is working with external link Guacamole Package?

1 Like

Just moved the post here, I agree. Guacamole is very interesting, anyone interested in creating a new package for that? What does it involve?
@FMFREAK

2 Likes

Has there been any updates on a Guacamole package for NS?
I tried the install instructions above for NS7, and could not get it to work on a test system.