Work from anywhere - Remote desktops and terminals

Posted on Jul 1, 2024

Previously on this topic…

In my quest to set up a system that allows me to work from any device at any time, top of my list was being able to connect to my primary workstation desktop from a browser. After much reading, it became clear the only option is Apache Guacamole and, to be honest, it's been a fantastic addition to my setup.

I know there are many (an overwhelming number of) options for accessing a desktop remotely. But they all need a client on the remote machine. This “work from anywhere” setup requires that I only need a web browser and should not need to install any executables on the machine I’m using at the moment.

In addition to accessing my workstation desktop from any browser, I also wanted a terminal in the browser that I can then use to access anything running in my homelab. This has the same requirements as I don’t want to install anything, including carrying around my ssh keys. There are also many options for this, but I decided to use Cockpit to accomplish this task.

Terminal in the browser

For an extra layer of security (even if it might be a thin one) I run a jump host, also called a bastion server. The idea is that I can connect to this device and then jump to another. The other devices are configured to only accept connections from the jump host, and there is extra security and limitations put on connecting to the jump host.

So, the goal is to have a terminal for my jump host in the browser, without sacrificing security.

What steered me to using Cockpit for this task is:

  1. Cockpit is in most repos and is super easy to get installed.
  2. Once logged in to Cockpit there is a tab for a terminal, among the other device management options.
  3. It is easy to set up with two factor authentication.

Login security

By default, Cockpit uses the standard $USER credentials. I want to have 2FA on the login for extra protection. Cockpit authenticates through its own PAM service file (/etc/pam.d/cockpit), so we can use the same type of 2FA configuration that already exists on my jump host.

Directions come from this GitHub comment.

sudo apt-get install libpam-google-authenticator libqrencode-dev -y

google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8

sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit'

sudo systemctl restart cockpit

⚠️ ⚠️ ⚠️ You can skip the google-authenticator command if the server is already set up with 2FA for ssh. If you do this again it will supersede the existing 2FA code and will only use the new code set up for Cockpit.

I then put access to Cockpit through my reverse proxy so connections have a valid SSL cert. As always, access is limited to my LAN or via Tailscale.
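
A quick audit of the PAM steps above, as an added example that is not part of the original post: with nullok, any account that has not run google-authenticator still logs in to Cockpit with only its password, and repeating the >> append leaves a duplicate line. The function names pam_totp_status and users_without_totp and the sample files are made up for this example.

```shell
#!/bin/sh
# Added example: audit the TOTP line that the steps above append to a PAM file.

# Print missing | duplicate | optional | enforced for the PAM file in $1.
pam_totp_status() {
    awk '
        /^[ \t]*#/ { next }                         # ignore comments
        $1 == "auth" && /pam_google_authenticator\.so/ {
            n++
            # other control flags do not make the code mandatory
            if ($2 != "required" && $2 != "requisite") weak = 1
            # nullok lets accounts with no secret file pass without a code
            for (i = 3; i <= NF; i++) if ($i == "nullok") weak = 1
        }
        END {
            if (n == 0)     print "missing"
            else if (n > 1) print "duplicate"     # the >> append was run twice
            else if (weak)  print "optional"
            else            print "enforced"
        }' "$1"
}

# List accounts under $1 (default /home) that have no ~/.google_authenticator.
users_without_totp() {
    for home in "${1:-/home}"/*/; do
        [ -d "$home" ] || continue
        [ -f "${home}.google_authenticator" ] || basename "$home"
    done
}

# Constructed sample data so the example runs without touching /etc or /home.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '@include common-auth' \
    'auth required pam_google_authenticator.so nullok' > "$demo_dir/cockpit"
mkdir -p "$demo_dir/home/alice" "$demo_dir/home/bob"
: > "$demo_dir/home/alice/.google_authenticator"

echo "cockpit TOTP: $(pam_totp_status "$demo_dir/cockpit")"
echo "no secret:    $(users_without_totp "$demo_dir/home")"
```

On a real host, call pam_totp_status /etc/pam.d/cockpit and users_without_totp /home as root so every home directory is readable.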

Experience with Cockpit

Frankly, this isn’t something I’m going to use all the time but is a critical part of being able to work from any machine.

A real world example is managing my kids' Minecraft server. Whenever they have issues, like if it needs an update or to be restarted, I always find out while sitting in front of their computer. Then, I have to go to my office, turn on my desktop, do whatever is needed, and then go back to their laptop to verify the fixes. Now I can just open a browser on their machine, log in to Cockpit, and then do whatever is needed and then test right away. It is one of those tools that is “good enough” in a pinch, but not where I’d choose to work on my homelab.

Full desktop in the browser

Honestly, I knew about Apache Guacamole but never used it because it's a pain in the ass to set up. For this project I was backed into a corner. If my goal is to not install anything on the temporary PC, then I can’t use something like Sunshine since I’d need client software to access. I want to simply go to a URL and access my desktop.

Easy Guac setup

I’m not a fan of “pipe to bash” installation scripts. There are numerous security implications, including my inability to read or decipher code. I am not a developer, I am a weekend warrior SysAdmin for my home.

However, I found a Guacamole install script that looks on the up and up. After reviewing the scripts created in the repo and going through their GitHub issues, I decided to try it in a virtual machine. I used it isolated for a few days while testing and read through the bash scripts to the best of my ability and this appears to be good.

This is fantastic, because like I mentioned earlier, Guacamole is a pain to get going. The script handles the setup, along with some extra niceties like 2FA, a full reverse proxy, along with other authentication and backup utilities.

Here is the one liner to get started:

wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh

During the installation it will prompt for which features are needed. I definitely want 2FA enabled, but do not need the reverse proxy.

On first launch in the browser it will prompt to set up 2FA which is then enabled from there on out. Once logged in, it will land on the settings page, which was confusing.

And this is where I finally figured out exactly what Guacamole does.

It's not a server for each desktop it's installed on, it's a server for remote connections. It makes it so I can use rdp or vnc connections in the browser. I don’t need to have it installed on every machine, I need a central server and then tell it what computers it can connect to and then install vnc or rdp on the remote machines I want to connect. It even has ssh connection options.

Guacamole impressions

I’m really happy with this setup. I have it also installed on my jump host so it makes it easier to manage. I have one machine that is set up to “jump” to any of my other machines. Guacamole works in any browser, including Vivaldi on my Samsung Galaxy S10e in DeX mode. No extra software needed.

I was able to connect it to my primary desktop using rdp and it even has a wakeonlan option. Again, access is protected with 2FA and connects through my reverse proxy for traffic encryption. My only complaint is with the ssh connection option. Many of my servers have 2FA enabled to connect with ssh, on top of a key and password. Guacamole gives the option for keys and passwords, but it will not prompt for the 2FA input. If that worked, then I wouldn’t need Cockpit at all, I could do it all through Guacamole.

Closing thoughts

So far I really like this setup and feel it is secure. Doing everything through a browser is not my primary way of getting work done. But, it is important to me that all of my workflows are available to me in any browser in my house.

With Cockpit and Guacamole I can literally grab any machine that has none of my preferred apps installed or none of my files and get to work in a browser. When out of the house, I can boot from a persistent USB install that only has a browser and Tailscale configured.

- - - - -


Thank you for reading! If you would like to comment on this post you can start a conversation on the Fediverse. Message me on Mastodon at @cinimodev@masto.ctms.me. Or, you may email me at blog.discourse904@8alias.com. This is an intentionally masked email address that will be forwarded to the correct inbox.
