Apache Guacamole

I have used Apache Guacamole to access running GitHub Actions workflows as remote desktops. It worked super well for testing GUI apps on other operating systems that I didn&#x27;t want to deal with setting up.<p>It&#x27;s also nice if you want to run a GUI application in someone else&#x27;s sandbox.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;jstrieb&#x2F;ctf-collab&#x2F;blob&#x2F;9300c57364f71fe29d260a387fe5606966b09de5&#x2F;.github&#x2F;workflows&#x2F;run-server-graphical.yml#L126" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jstrieb&#x2F;ctf-collab&#x2F;blob&#x2F;9300c57364f71fe29...</a>

We adopted Guacamole for access to some of our Windows server production environments; the great thing about it is you can put your corporate SSO &#x2F; authorization model into a web app to control access and not have to disclose credentials to service accounts to developers. You can also tap off a feed from the guacd that represents a complete screen recording and save it for audit trail purposes.<p>The only issue we&#x27;ve had is that FreeRDP (that underlies it for connectivity to Window servers) is a bit fussier than the native RDP environment, or at least we&#x27;ve had challenges getting equivalent compatibility across old&#x2F;odd Windows configurations.

Setting it up via Docker container is a lot easier than a custom setup.<p>I really am not a fan of Guacamole. I love the idea and convenience of having everything running in the browser from the client side, but I much prefer a real RDP session (via VPN) than having it in the browser. Why? Keyboard shortcuts! I am soooo much slower because browsers (not guacs fault - but at the same time it is its fault since I would love a native client) can’t catch all keys (e.g. Windows key). ALT-TAB? Yeah you just tabbed away from Guac. Or the new fancy WIN-TAB, no way that gets passed on to Guac. Also the file sharing experience is worse. RDP? Just drag an drop or Ctrl-C, Ctrl-V. That doesn’t always work in Guac…

Using it mainly because of the paranoia of just exposing RDP to the internet. Http(s) is very convenient to add more layers of security, in my case via NGINX (both as LXC containers in Proxmox). I&#x27;m using a wildcard domain *.myhome.tld pointed to my static IP. Guacamole is hosted at try_guess_me.myhome.tld, with NGINX basic auth same for all subdomains (further protected by fail2ban). So in total 3 tokens are required (subdomain and basic auth username and password) just to get to the Guacamole login page, where additional username&#x2F;password + 2FA are required. I used to expose RDP directly for years, but after a chat with a colleague before vacations and a purchase of a NUC for a homelab server decided to strengthen the security slightly.<p>RDP is still much better user experience, so once when I needed a longer session I used Guacamole to access my router admin interface and temporarily expose RDP directly via a random port and a very strong password. I&#x27;m still not convinced that the latter combination is not enough, but it&#x27;s better to be safe than sorry.

Guacamole and tailscale make my life so much easier when I’m away from home. Serving up guac from a machine with tailscale &#x2F; wire guard means I can get to it without exposing it to the internet, or worrying about a home IP changing.

I&#x27;m really looking forward to having all my working stuff in the cloud. however, it&#x27;s so annoying sometimes that networking is not suitable yet to work from ANYWHERE. especially in public places where you can pull a laptop from the bag and start working, with remote it&#x27;s mostly a challenge

Past related threads:<p><i>Apache Guacamole 1.1.0</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=22190251" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=22190251</a> - Jan 2020 (50 comments)<p><i>Apache Guacamole – Clientless remote desktop gateway</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21660925" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21660925</a> - Nov 2019 (40 comments)<p><i>Apache Guacamole – A clientless remote desktop gateway</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=15778902" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=15778902</a> - Nov 2017 (41 comments)<p><i>Guacamole – A clientless remote desktop gateway</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=15389727" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=15389727</a> - Oct 2017 (216 comments)<p><i>Apache Guacamole</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11744430" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11744430</a> - May 2016 (57 comments)<p>Also:<p><i>Fixing critical vulnerabilities in Apache&#x27;s remote desktop</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=23715212" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=23715212</a> - July 2020 (8 comments)

The video on the main page is amazing. Rare that a product demo video is both entertaining and informative with a high information density!

Love it!<p>That said:<p>&quot;We call it clientless because no plugins or client software are required.<p>Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.&quot;<p>So... the web browser is the client software. Why not just come out and say that instead of first calling it fairly misleadingly &quot;clientless&quot;?

Used the guac to host 100+ sessions for researchers and devs at my previous company. Performed well and using docker made it a breeze to deploy in the cloud and it also tied into my IPA infrastructure nicely for central authentication. I did not play with the screen recording feature though.

I use guacamole. It is awesome and super convenient. Nice insulation from various protocol bugs too. I don’t care what exploitable bugs RDP server in windows has if I access it only over guac.

We put an intermediary to them behind sso. Only the intermediary can get to the machine and forward guacamole traffic. Solves the no password &#x2F; everyone in the company having access to test machines. We have a little script that registers endpoint machines with the intermediary and who can access the machine &#x2F; when. We even log and do time block. The intermediary does password rotation with vault.

I&#x27;d almost used guacamole at my previous company, GKN Driveline. My boss wanted to setup soemthing to let people xvnc into servers effortlessly. We were dealing with mechanical engineers who weren&#x27;t great with Linux tools. I never stayed long enough to implement it and my replacement had his hands full with other projects, but I really was excited about Guacamole and want to try it out some day. It seems like a great project, and might not get the same appreciation in tech spaces as it would in non-software companies which deal with something like Beowulf clusters or their like.

meshcentral is another nice free software for remote desktop and more:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;Ylianst&#x2F;MeshCentral" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Ylianst&#x2F;MeshCentral</a><p><a href="https:&#x2F;&#x2F;twitter.com&#x2F;MeshCentral" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;MeshCentral</a><p><a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;channel&#x2F;UCJWz607A8EVlkilzcrb-GKg" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;channel&#x2F;UCJWz607A8EVlkilzcrb-GKg</a><p>Disclaimer: we installed meshcentral for enabling student access to regular physical desktops machine during COVID19

Tried Guacamole and it was ok. For this type of stuff a simple WireGuard VPN is much better. However, if you must serve apps remotely via browser, I find KASM WorkSpaces a superior solution.

That was a heck of a demo. I wonder how many takes that took.

The nice thing about Guacamole is that you can wrap just about anything on it and get at it from most browsers (although it can be a pain to use from an iOS client).<p>Only the other day I wrapped an old version of a mind mapping desktop app so I could open my old files on it without installing it: <a href="https:&#x2F;&#x2F;github.com&#x2F;rcarmo&#x2F;docker-xmind" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;rcarmo&#x2F;docker-xmind</a>

We have a customer that was using ports directly exposed to the Internet to get to embedded VNC servers in some plant monitoring gear. I set them up a Guacamole VM from Bitnami or Turnkey on their environment and turned them loose on it. Since self-hosting and 100% control is exactly what they want, they loved it and we don&#x27;t have to worry about hundreds of Internet-exposed VNC servers with the same single password.

I personally use Chrome Remote Desktop for type of access. If you don&#x27;t mind trusting Google for tunneling, it works great.

A popular docker image for calibre uses Guacamole:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;linuxserver&#x2F;docker-calibre" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;linuxserver&#x2F;docker-calibre</a><p>It’s not as smooth as a web application but it works well. Might be useful as a reference if you want to setup your own instance too.

Amazing project used it to host 40 accounts on a server recently to host remote tutorials at a workshop recently :)

I bought a PopOS Gazelle with an Nvidia GPU so I could play around with ML stuff. But, looking back on it, it might have been more efficient to just get a GPU instance on AWS or Google Cloud, and just using a remote desktop like this.<p>Anybody tried that configuration? If so, how has your experience been?

That is kind of mind-blowing.<p>The landing page and the video using Windows XP makes it look unappealing though<p>I&#x27;d still use 10&#x2F;10

how does performance compare with x2go&#x2F;freenx?

This is a life saver, have used it on different environments and it always worked...

I deployed Guacamole myself (for SSH), but I found SSHWifty[0] a lot easier to use and deploy.<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;nirui&#x2F;sshwifty" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;nirui&#x2F;sshwifty</a>

Is this something that would allow me to demo my electron app to visitors on my website? Or take it a step further and sell instances to users?<p>If someone has consulting chops to help me with this I’d love to chat.

This is not easy to deploy, even with docker. Had to setup tomcat. Great project, but hoping for more features and integration as well as simpler setup and config.

&gt;We call it clientless because no plugins or client software are required.<p>&gt;all you need to access your desktops is a web browser.<p>So which is it? Not having a client is nonsense.

This is awesome. Sometimes I got lazy and don’t want to go to another room to access the computers. This allows for easy remote desktop usage.

We&#x27;ve been using Guacamole for around 5 years now. It is an absolute godsend, and it makes remote work so much easier. Highly recommend!

Oh, I remember this thing, built some shit-hack auth for it like eight years ago. It&#x27;s an awesome project and super easy to extend.

How fast and responsive is it? My current favorite is ThinLinc by Cendio as I&#x27;ve found it the most reliable and performant.

Does anyone have a reference to an example configuration for setting up a cloud instance that pipes Guacamole over SSH?

&gt; once Guacamole is installed on a server, all you need to access your desktops is a web browser.<p>These days, where basically nobody has a real ip, this is not entirely true. Using tor, you can easily expose a server to the outside world, the other point must support tor connections. Is there a way to freely expose anything to the outside world without needing special software on the client side?

Has someone already use guacamole to make a publicly available desktop software demo ?

That’s really great. Do I understand correctly that it doesn’t understand SPICE?

The ridiculous installation procedure should be improved for non-docker users.

I found noVNC easier to use.

Can I run MacOS on a super powerful cloud instance with this?

Could this work as an alternative to Mighty?