No more logmein Free? OpenSource to the rescue! Part 4: Using Guacamole to connect to Hyper-V guests

By Tomba on Tuesday 6 September 2016 14:55 - Comments (3)
Categories: Guacamole, Linux, System administration, Views: 1,881

In part 1 of my series on Guacamole we learned how to install Guacamole on an Ubuntu machine. In part 2 we learned how to further secure the machine running Guacamole. Finally, part 3 was about upgrading to a newer version of Guacamole.

Because Ubuntu 16.04.1 LTS was released I decided it was time to upgrade my Guacamole server. Ubuntu 16.04.1 ships both Tomcat 8 and a version of FreeRDP that supports the Session Selection Extension (the RDP preconnection blob), which allows you to connect directly to the console of your Hyper-V guests through the Hyper-V host. Up to this point I was using VNC, which performs worse than RDP and is more prone to disconnects, so I was quite happy with this :)
Long story short, part 4 is about a fresh install on Ubuntu 16.04.1 LTS, including instructions on how to set up an RDP connection to a guest VM on Hyper-V.

The installation of Guacamole is still largely unchanged. I installed a vanilla Ubuntu 16.04.1 LTS Server with just the OpenSSH server enabled and, after updating all components, only had to install the prerequisites:

apt-get install wget make libcairo2-dev libjpeg-turbo8-dev libpng12-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev gcc tomcat8 tomcat8-admin tomcat8-docs

Download the Guacamole Server source:
wget -O guacamole-server-0.9.9.tar.gz http://sourceforge.net/pr...ver-0.9.9.tar.gz/download

and the war file:
wget -O guacamole-0.9.9.war http://sourceforge.net/pr...camole-0.9.9.war/download

After untarring the source:
tar -xzf guacamole-server-0.9.9.tar.gz


We can compile it by running:
cd guacamole-server-0.9.9/

./configure --with-init-dir=/etc/init.d
make
make install
update-rc.d guacd defaults

ldconfig


After that it is just a matter of creating the relevant configuration files (as you can see I still just use BasicFileAuthentication):
mkdir /etc/guacamole


vi /etc/guacamole/guacamole.properties
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822

# Location to read extra .jar's from
lib-directory: /var/lib/tomcat8/webapps/guacamole/WEB-INF/classes

# Authentication provider class
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

# Properties used by BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
Don't forget to create a valid /etc/guacamole/user-mapping.xml as well (see Guacamole's own manual or step 10 in part 1 of this series); an example for a Hyper-V guest follows below.

After that we need to make Tomcat 8 aware of Guacamole:
mkdir /usr/share/tomcat8/.guacamole

ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat8/.guacamole


And copy the war file to the webapps directory:
cp guacamole-0.9.9.war /var/lib/tomcat8/webapps/guacamole.war

After we (re)start guacd and Tomcat 8 we should be good to go:
service guacd start

service tomcat8 restart


So now that Guacamole is up and running, how do we connect to the guest VM? Easy!
Log on to the Hyper-V server, open an administrative PowerShell window and type (replace {Name of Guest VM} with the name of the guest VM you are trying to connect to):

PS C:\> Get-VM {Name of Guest VM} | Select-Object Id

Id
--
ed272546-87bd-4db9-acba-e36e1a9ca20b

The returned Id is the preconnection blob, so we add it as follows to /etc/guacamole/user-mapping.xml. Note that the RDP connection goes to the Hyper-V host on port 2179 (the VMConnect port), not to the guest itself, and that username, password and domain are the credentials of an account on that host that is permitted to connect to the VM. ignore-cert disables verification of the Hyper-V host's RDP certificate, so only use it when you trust the network between guacd and the host.
<user-mapping>
    <authorize username="testuser"
               password="7a495904a8c0b3e6aabe27440b436c28"
               encoding="md5">
        <connection name="Test">
            <protocol>rdp</protocol>
            <param name="hostname">hypervserver1.contoso.local</param>
            <param name="port">2179</param>
            <param name="security">nla</param>
            <param name="ignore-cert">true</param>
            <param name="username">{ValidUsername}</param>
            <param name="password">{ValidPassword}</param>
            <param name="domain">{ValidDomain}</param>
            <param name="preconnection-blob">ed272546-87bd-4db9-acba-e36e1a9ca20b</param>
        </connection>
    </authorize>
</user-mapping>
If all goes well you can log in as testuser with password notmypassword and you will be connected to the console of the selected guest VM!
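The following Python script is an added example, not code from the original post or from Guacamole itself. It builds the <connection> element above from the Id that Get-VM printed (checking that the blob really is a GUID), hashes the Guacamole login password for encoding="md5", and lints a hand-written user-mapping.xml for the slips that creep in when editing it by hand: the same parameter listed twice, a {placeholder} left in, a blob that is not a VM Id. It doubles as the worked example for step 10 of part 1 further down this page. The hostname, placeholders and VM Id are the ones used in this post; GUID_RE, the function names and the account in the demo are this example's own.

```python
"""Generate and lint Guacamole user-mapping.xml entries for Hyper-V console (VMConnect) access.

Added example; assumes the BasicFileAuthenticationProvider user-mapping.xml format
shown in this post. Function names and GUID_RE are this example's own.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

# A Hyper-V VM Id as printed by `Get-VM <name> | Select-Object Id`: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# The Hyper-V host accepts VMConnect (console) RDP sessions on this port.
VMCONNECT_PORT = "2179"


def md5_hex(password):
    """Hash a Guacamole login password the way encoding="md5" expects it (lowercase hex)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hyperv_console_connection(name, hyperv_host, vm_id, username, password, domain,
                              ignore_cert=False):
    """Return a <connection> element that opens the console of one guest VM.

    The RDP session goes to the Hyper-V *host* on the VMConnect port with the
    credentials of an account on that host; the guest is selected by sending its
    Id as the preconnection blob. ignore-cert switches off verification of the
    host's RDP certificate, so it is only emitted when explicitly requested.
    """
    vm_id = vm_id.strip().lower()
    if not GUID_RE.match(vm_id):
        raise ValueError("not a Hyper-V VM Id (GUID): %r" % vm_id)
    conn = ET.Element("connection", name=name)
    ET.SubElement(conn, "protocol").text = "rdp"
    params = [
        ("hostname", hyperv_host),
        ("port", VMCONNECT_PORT),
        ("security", "nla"),
        ("username", username),
        ("password", password),
        ("domain", domain),
        ("preconnection-blob", vm_id),
    ]
    if ignore_cert:
        params.append(("ignore-cert", "true"))
    for key, value in params:
        ET.SubElement(conn, "param", name=key).text = value
    return conn


def build_user_mapping(users):
    """users: iterable of (guacamole_username, plaintext_password, [connection elements]).

    Login passwords are stored as MD5 hashes. The RDP credentials inside the
    <param> elements stay plaintext (that is how user-mapping.xml works), so the
    file must be readable by the Tomcat user only.
    """
    root = ET.Element("user-mapping")
    for username, password, connections in users:
        auth = ET.SubElement(root, "authorize", username=username,
                             password=md5_hex(password), encoding="md5")
        for conn in connections:
            auth.append(conn)
    return ET.tostring(root, encoding="unicode")


def lint_user_mapping(xml_text):
    """Return a list of problems that hand-editing user-mapping.xml tends to introduce."""
    findings = []
    root = ET.fromstring(xml_text)  # a missing close tag raises ParseError right here
    for auth in root.iter("authorize"):
        user = auth.get("username", "?")
        if auth.get("encoding") is None:
            findings.append("user %s: login password stored in plaintext (no encoding attribute)" % user)
        for conn in auth.iter("connection"):
            cname = conn.get("name", "?")
            names = [p.get("name") for p in conn.findall("param")]
            for dup in sorted(n for n in set(names) if n and names.count(n) > 1):
                findings.append("connection %s: param %r is listed more than once" % (cname, dup))
            for p in conn.findall("param"):
                text = p.text or ""
                if "{" in text or "}" in text:
                    findings.append("connection %s: param %r still contains a {placeholder}" % (cname, p.get("name")))
            blob = conn.findtext("param[@name='preconnection-blob']")
            if blob is not None and not GUID_RE.match(blob.strip().lower()):
                findings.append("connection %s: preconnection-blob is not a VM Id" % cname)
    return findings


if __name__ == "__main__":
    # Host and VM Id from this post; the service account and its password are made up.
    test_vm = hyperv_console_connection("Test", "hypervserver1.contoso.local",
                                        "ed272546-87bd-4db9-acba-e36e1a9ca20b",
                                        "svc_vmconnect", "S3cret!", "CONTOSO", ignore_cert=True)
    xml_text = build_user_mapping([("testuser", "notmypassword", [test_vm])])
    print(xml_text)
    print(lint_user_mapping(xml_text) or "no findings")
```

Run it once to print a clean file, then point lint_user_mapping at your existing /etc/guacamole/user-mapping.xml before restarting Tomcat; a duplicated param or an unreplaced placeholder is much easier to spot here than in a failed RDP handshake in guacd's log.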

Don't forget to secure your installation! I did it using Apache as you can see in part 2 of this series :)

Note that Guacamole has been added to the Apache Incubator, so we might see some nice improvements coming up!

No more logmein Free? OpenSource to the rescue! Part 3: Upgrading Guacamole

By Tomba on Saturday 19 April 2014 14:48 - Comments (4)
Categories: Guacamole, Linux, System administration, Views: 6,813

In part 1 of my series on Guacamole we learned how to install Guacamole on an Ubuntu machine. In part 2 we learned how to further secure the machine running Guacamole. Since Guacamole 0.9.0 was released recently, this time we will look at upgrading to a newer version of Guacamole.

First off, I upgraded my Ubuntu machine to 14.04 to enable SSH support. We also need two specific packages for this: libpango2-1 and libssh2-1-dev.
Installing these is as easy as running
apt-get install libpango2-1 libssh2-1-dev

Screenshots to follow later

1. Stop both guacd and Tomcat7 by running
service guacd stop
service tomcat7 stop

2. Download the new War file by running
wget -O guacamole-0.9.0.war http://sourceforge.net/pr...camole-0.9.0.war/download

3. Download the new server source by running
wget -O guacamole-server-0.9.0.tar.gz http://sourceforge.net/pr...ver-0.9.0.tar.gz/download

4. Now we can unpack the source files of Guacamole server and configure the package (note that the --with-init-dir=/etc/init.d switch prepares the build to install a startup script for guacd into /etc/init.d):
tar -xzf guacamole-server-0.9.0.tar.gz
cd guacamole-server-0.9.0/
./configure --with-init-dir=/etc/init.d

5. If no errors occur we can make the source
make

6. And install Guacamole server:
make install

7. Now we enable the guacd startup script at boot and tell the system to rescan the shared libraries
update-rc.d guacd defaults
ldconfig

8. Now we remove the directory into which Tomcat unpacked the previous war (otherwise the new war is not redeployed) and copy the new war file into place
rm -r /var/lib/tomcat7/webapps/guacamole
cp guacamole-0.9.0.war /var/lib/tomcat7/webapps/guacamole.war

9. All preparations are now done, so it's time to restart Guacamole and Tomcat7
service guacd start
service tomcat7 restart

Now Guacamole 0.9.0 should be running on port 8080 on your server :)

No more logmein Free? OpenSource to the rescue! Part 2: Securing Guacamole and exposing it to the Web

By Tomba on Thursday 6 February 2014 09:35 - Commenting is no longer possible
Categories: Guacamole, Linux, System administration, Views: 12,654

Don't forget to check out Part 3!

In part 1 of my series on Guacamole we learned how to install Guacamole on an Ubuntu machine. As Guacamole is still under active development it cannot be guaranteed that it is 100% safe, so extra security measures are advisable before opening Guacamole up to the big bad internet. This guide shows you how to use Apache2 as a frontend. In a later guide I will also look into securing Apache with ModSecurity and Mod-Spamhaus, but that is beyond the scope of this guide. I also have a VPN between my VPS and my internal server (so I don't need to expose my internal network to the internet); that is also out of scope here. To use this guide you must have successfully installed Guacamole inside your own network.

As I own a VPS I used it as the frontend proxy (connected through a VPN to my internal Guacamole server), but Apache2 can also run on the same machine as Guacamole; in that scenario there is less to configure. In both scenarios I use AJP as the communication protocol between Tomcat7 and Apache2.

(Diagram: Guacamole schema, client to Apache2 over HTTPS, Apache2 to Tomcat7 over AJP through the VPN)

1. First we need mod_proxy so that Apache can act as a frontend (reverse proxy) to Tomcat7. On Ubuntu mod_proxy and mod_proxy_ajp are part of the apache2 package itself and only need to be enabled with a2enmod (proxy and proxy_ajp); the package below adds mod_proxy_html, which rewrites links in proxied HTML and is not required for the AJP setup, but it is what I installed:
apt-get install libapache2-mod-proxy-html

2. Secondly Tomcat7 (on the Guacamole server) needs to be configured for AJP.
To allow AJP connections to Tomcat, you must add a connector to Tomcat's server.xml. There may already be an example connector in your server.xml, in which case all you need to do is uncomment it, editing the port number as desired (in this guide we leave it at the default 8009):

vi /etc/tomcat7/server.xml
<Connector port="8009" protocol="AJP/1.3"
URIEncoding="UTF-8"
redirectPort="8443" />


The URIEncoding="UTF-8" attribute above ensures that connection names, user names, etc. which contain non-latin characters are properly received. If you will be creating connections that have Cyrillic, Chinese, Japanese, etc. characters in the names or parameter values, you should be sure to set this attribute.

Tomcat must be restarted after the connector is added.
service tomcat7 restart

3. Once the connector is open, and Tomcat is listening on the port specified, you can edit your Apache configuration, adding a location which will proxy the Guacamole web application served via AJP by Tomcat:

<Location /guacamole/>
Order allow,deny
Allow from all
ProxyPass ajp://HOSTNAME:8009/guacamole/ max=20 flushpackets=on
ProxyPassReverse ajp://HOSTNAME:8009/guacamole/
</Location>


The most important thing in this entire section is the option flushpackets=on. Most proxies, including mod_proxy, will buffer all data sent over the connection, waiting until the connection is closed before sending that data to the client. As Guacamole's tunnel will stream data to the client over an open connection, buffering this stream breaks Guacamole's communication.

If the option flushpackets=on is not specified, Guacamole will not work.

4. As AJP is neither encrypted nor authenticated, I enabled ufw on my Guacamole machine to allow AJP only from the Apache host. Don't forget to add a rule for your own SSH access before enabling it, or you will lock yourself out!
ufw allow from [internalLAN] to [internalIP] port 22
ufw allow from [apache-VPN-IP] to [Guacamole-VPN-IP] port 8009
ufw enable

So if your VPN address are 192.168.111.5 (Guacamole) and 192.168.111.10 (Apache2), your internal Guacamole address is 192.168.1.5 and your LAN is 192.168.1.0/24 the commands are:
ufw allow from 192.168.1.0/24 to 192.168.1.5 port 22
ufw allow from 192.168.111.10 to 192.168.111.5 port 8009
ufw enable


5. Now it is time to finish configuring Apache2 by adding Apache authentication and HTTPS. For HTTPS you can either use a self-signed certificate (which causes warnings in your browser), buy a certificate or use StartSSL to get a free one. This guide assumes you have both the key and the crt available; if you need help with this you can check here.

First create a DocumentRoot folder for the website (in this guide /var/guacamole.example.com)
mkdir /var/guacamole.example.com

Now we will create an Apache2 password file that we will use later to add an extra layer of authentication. Generate as many user/password combinations as you see fit and put them in /var/guacamole.example.com/.htpasswd. You can use the online generator at http://www.htaccesstools.com/htpasswd-generator/, but be aware that this hands your passwords to a third party; the htpasswd tool from the apache2-utils package produces the same file format locally (htpasswd -c /var/guacamole.example.com/.htpasswd test prompts for the password; leave out -c when adding users to an existing file). Note also that the file sits inside the DocumentRoot: Ubuntu's default apache2.conf refuses to serve files whose names start with .ht, but keeping it outside the web root altogether is safer. In this example I used user test with password 123
vi /var/guacamole.example.com/.htpasswd
Contents:
test:$apr1$LOLOpimH$.UnEpRCXoj08CPgqzZkJV0

Next we add a new website to Apache2 by adding a file to /etc/apache2/sites-available. In this example I am working with the domain name guacamole.example.com and a free SSL certificate from StartSSL; change this to the domain name of your server (you can also use the IP address, of course). To make sure we always end up on HTTPS, a permanent redirect is specified on port 80 (HTTP).
The 'Allow from [YOU]' line, combined with 'Satisfy Any', allows the machine with IP address [YOU] to continue without entering the Apache password, so if you have a static IP address you can use it to log in just a bit faster. If you have a dynamic IP address just delete that line; never widen it to 'Allow from all', because with 'Satisfy Any' that would switch the password off for everyone. (Order/Allow/Deny/Satisfy are Apache 2.2 syntax; Apache 2.4 still accepts them through mod_access_compat, which Ubuntu enables by default.)
vi /etc/apache2/sites-available/guacamole
<VirtualHost guacamole.example.com:80>
    ServerName guacamole.example.com
    # Redirecting / covers /guacamole as well, the path is preserved
    Redirect permanent / https://guacamole.example.com/
</VirtualHost>

<VirtualHost guacamole.example.com:443>
    ServerName guacamole.example.com
    DocumentRoot /var/guacamole.example.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/cert/guacamole.example.com.crt
    SSLCertificateKeyFile /etc/ssl/cert/guacamole.example.com.key
    # Only one SSLCertificateChainFile directive is honoured (the last one wins); if your CA
    # hands you more than one intermediate certificate, concatenate them into a single file.
    SSLCertificateChainFile /etc/ssl/cert/sub.class1.server.ca.pem

    <Location /guacamole/>
        ProxyPass ajp://192.168.111.5:8009/guacamole/ max=20 flushpackets=on
        ProxyPassReverse ajp://192.168.111.5:8009/guacamole/
        AuthType Basic
        AuthName "Password Protected Area"
        AuthUserFile /var/guacamole.example.com/.htpasswd
        Require valid-user
        # Host rules: deny everyone except [YOU]; with Satisfy Any a host that matches
        # skips the password, everyone else has to authenticate
        Order deny,allow
        Deny from all
        Allow from [YOU]
        Satisfy Any
    </Location>
</VirtualHost>

Now enable the site (the argument matches the file name in sites-available; on Apache 2.4 the file must be named guacamole.conf) by running
a2ensite guacamole
make sure the ssl, proxy and proxy_ajp modules are enabled (a2enmod) and restart Apache2 by running
service apache2 restart

You should now be able to open the website https://guacamole.example.com/guacamole and after entering the correct Apache2 username/password see your Guacamole server!
http://tweakers.net/ext/f/K8UO1hvCU0Dz3P5IroKW7AO7/full.png
http://tweakers.net/ext/f/rXfEIqiUothNrd0x0mfAjYcj/full.png

Note: to achieve real end-to-end encryption you should only use Remote Desktop (which is encrypted by default) or buy a personal licence for RealVNC, which allows encrypting the communication between Guacamole and the VNC server. In this example, encryption between the client and the Apache2 server is provided by HTTPS, and between Apache2 and Tomcat7 by the VPN.
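As an added example (not from the post), here is a small Python model of how Apache combines the directives in the Location block from step 5, so the effect of 'Allow from [YOU]' together with 'Satisfy Any' can be checked before the host is exposed: the allowed address skips Basic authentication, everyone else must log in, and the same block with 'Allow from all' would require a password from nobody. It also flags an AJP ProxyPass without flushpackets=on and a Location with no authentication at all. The address 203.0.113.7 stands in for [YOU], the blocks used in the test are the two from this post, and the model covers IP and CIDR host rules only (not hostname rules), following Apache 2.2 semantics (mod_access_compat on 2.4).

```python
"""Evaluate and lint the Apache 2.2-style access control placed in front of Guacamole.

Added example. Models Order / Allow from / Deny from / Require / Satisfy for one
<Location> block (mod_authz_host + mod_auth_basic on 2.2, mod_access_compat on 2.4)
and checks the two things this setup has to get right: flushpackets=on on the
AJP ProxyPass, and an IP allow-list that does not silently disable the password.
"""
import ipaddress
import re


def parse_location(text):
    """Pull the relevant directives out of a <Location> block (directive names are case-insensitive)."""
    cfg = {"order": "deny,allow", "allow": [], "deny": [], "satisfy": "all",
           "require": None, "auth_type": None, "proxypass": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        m = re.match(r"(?i)^(allow|deny)\s+from\s+(.+)$", line)
        if m:
            cfg[m.group(1).lower()].extend(m.group(2).split())
            continue
        directive, _, value = line.partition(" ")
        directive, value = directive.lower(), value.strip()
        if directive == "order":
            cfg["order"] = value.replace(" ", "").lower()
        elif directive == "satisfy":
            cfg["satisfy"] = value.lower()
        elif directive == "require":
            cfg["require"] = value
        elif directive == "authtype":
            cfg["auth_type"] = value
        elif directive == "proxypass":
            cfg["proxypass"] = value
    return cfg


def host_matches(rules, ip):
    """True if any rule covers ip. 'all' always matches; IPs and CIDR networks are
    compared numerically; hostname / partial-domain rules are not resolved here."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule.lower() == "all":
            return True
        try:
            if addr in ipaddress.ip_network(rule, strict=False):
                return True
        except ValueError:
            continue
    return False


def host_allowed(cfg, ip):
    """Order allow,deny: default deny and a Deny match wins.
    Order deny,allow: default allow and an Allow match wins."""
    allowed = host_matches(cfg["allow"], ip)
    denied = host_matches(cfg["deny"], ip)
    if cfg["order"] == "allow,deny":
        return allowed and not denied
    return allowed or not denied


def access_granted(cfg, client_ip, authenticated):
    """Satisfy All: host check AND valid credentials; Satisfy Any: either suffices.
    Without a Require directive only the host check applies."""
    host_ok = host_allowed(cfg, client_ip)
    if cfg["require"] is None:
        return host_ok
    if cfg["satisfy"] == "any":
        return host_ok or authenticated
    return host_ok and authenticated


def lint(cfg):
    """Return the problems a reviewer would raise about this Location block."""
    findings = []
    proxypass = cfg["proxypass"] or ""
    if proxypass.startswith("ajp://") and "flushpackets=on" not in proxypass:
        findings.append("ProxyPass to Tomcat without flushpackets=on: mod_proxy will buffer the Guacamole tunnel")
    if cfg["require"] is None:
        findings.append("no Require directive: Apache adds no authentication in front of Guacamole")
    elif cfg["satisfy"] == "any":
        allow = [r.lower() for r in cfg["allow"]]
        deny = [r.lower() for r in cfg["deny"]]
        # With Satisfy Any, any host rule that lets everyone through makes the password optional.
        everyone = "all" in allow or (cfg["order"] != "allow,deny" and "all" not in deny)
        if everyone:
            findings.append("Satisfy Any with a host rule that matches everyone: the password is never required")
    return findings


if __name__ == "__main__":
    # Constructed: the step-5 block with 203.0.113.7 in place of [YOU].
    block = """<Location /guacamole/>
        ProxyPass ajp://192.168.111.5:8009/guacamole/ max=20 flushpackets=on
        AuthType Basic
        Order deny,allow
        Deny from all
        Allow from 203.0.113.7
        require valid-user
        Satisfy Any
    </Location>"""
    cfg = parse_location(block)
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, "without password:", access_granted(cfg, ip, False))
    print(lint(cfg) or "no findings")
```

If lint returns nothing and the second address is refused without credentials, the block behaves as the post intends; run the same check against the step-3 block (no AuthType, no Require) to see why the author did not stop there.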

No more logmein Free? OpenSource to the rescue! Part 1: Installing and configuring Guacamole

By Tomba on Wednesday 22 January 2014 12:32 - Comments (25)
Categories: Guacamole, Linux, System administration, Views: 14,532

Be sure to check out Part 2 and Part 3 of this guide as well :)

I am probably not the only Tweaker who has been using Logmein Free to get access to remote computers. It was easy to set up and allowed direct access to the console of the computer running Logmein, very handy when helping friends or family who need regular support. Unfortunately Logmein, in all its wisdom, has announced that the Free edition is End of Life and will be unusable within one week. I briefly considered switching to one of the other solutions like Teamviewer, but hated to put my fate in the hands of yet another company able to pull support at any minute. I started looking around for a solution and found a great open source one: Guacamole!

Guacamole is an HTML5 remote desktop gateway, which allows VNC and RDP sessions to specific systems without installing any software on the client. (Unfortunately Pango is broken in Ubuntu 13.10, so SSH connections won't be available.) Nothing more is required than a web browser supporting HTML5 and AJAX.
This blog describes the steps required to configure and use Guacamole. As my Linux flavour of choice is Ubuntu, all screenshots and steps are specific to that distro. For other distros you might need other steps; see the Guacamole install guide for more info!

1. First we need to install all the prerequisites to use Guacamole:
apt-get install make libcairo2-dev libpng12-dev freerdp-x11 libssh2-1 libvncserver-dev libfreerdp-dev libvorbis-dev libssl0.9.8 gcc libssh-dev libpulse-dev tomcat7 tomcat7-admin tomcat7-docs
http://tweakers.net/ext/f/rk2AEsrNr48qhJK2GudIEaUW/full.png
(libpango1.0-dev is broken in 13.10 so I won't install it meaning no SSH through Guacamole, this will be fixed in Ubuntu 14.04)

2. Because Ubuntu only has Guacamole 0.6.0 in its repositories (which does not support NLA, needed for access to Windows Server 2012) we need to download the source of Guacamole Server by running the command
wget -O guacamole-server-0.8.3.tar.gz http://downloads.sourcefo...35644&use_mirror=optimate
http://tweakers.net/ext/f/JER0t4yKkYcqKzC8Khg9jySd/full.png

3. As we are deploying on Tomcat7 we also need the War file:
wget -O guacamole-0.8.3.war http://downloads.sourcefo...390337127&use_mirror=garr
http://tweakers.net/ext/f/ZonSoyAN0cHAn304bsJ5bwvg/full.png

4. Now we unpack the source files of Guacamole server and configure the package (note that the --with-init-dir=/etc/init.d switch prepares the build to install a startup script for guacd into /etc/init.d):
tar -xzf guacamole-server-0.8.3.tar.gz
cd guacamole-server-0.8.3/
./configure --with-init-dir=/etc/init.d

http://tweakers.net/ext/f/N895zBUk6Mi0XXahKFaQdXNC/full.png

5. If no errors occur we can make the source
make
http://tweakers.net/ext/f/xZV9EmIiXshsUnbi6OGFNQO9/full.png

6. And install Guacamole server:
make install
http://tweakers.net/ext/f/CLEvcOIjEBg59cBNJ4zlOho1/full.png

7. Now we enable the guacd startup script at boot and tell the system to rescan the shared libraries
update-rc.d guacd defaults
ldconfig

http://tweakers.net/ext/f/RbF82KACzw4E4JLDEi0RqbaE/full.png

8. Now it's time to create the settings files for Guacamole
mkdir /etc/guacamole
vi /etc/guacamole/guacamole.properties

http://tweakers.net/ext/f/aTgGuf3tnF7T8whXDAE8vQw2/full.png

9. Enter the following info into /etc/guacamole/guacamole.properties
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822

# Location to read extra .jar's from
lib-directory: /var/lib/tomcat7/webapps/guacamole/WEB-INF/classes

# Authentication provider class
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

# Properties used by BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml

http://tweakers.net/ext/f/jQXV6koBmkFvvftv16nrXrbZ/full.png

10. Now edit the file /etc/guacamole/user-mapping.xml (below is an example that allows a user named administrator with password 1234 access to VNC on the host test). See Guacamole's own manual to find out which parameters you can enter.
http://tweakers.net/ext/f/msngqPQtcPogczOF2qocta9I/full.png

11. Now we need to make the war and configuration file available to Tomcat7 by running
mkdir /usr/share/tomcat7/.guacamole
ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole
cp guacamole-0.8.3.war /var/lib/tomcat7/webapps/guacamole.war

http://tweakers.net/ext/f/OiyP7LhumBrWlOkXNA2g7y5O/full.png

12. All preparations are now done, so it is time to start guacd and restart Tomcat7
service guacd start
service tomcat7 restart

http://tweakers.net/ext/f/mObF1pTGYXQswAIaaukjVLkp/full.png

13. Now connect to http://[ipaddress]:8080/guacamole (the war was deployed as guacamole.war, so the application lives under /guacamole) and log in with the username supplied in step 10!
http://tweakers.net/ext/f/7urwaCQYidQ0cyyUdocnBWgk/full.png

Go to Part 2 to see how to use Apache as a frontend and how to further secure your installation.

Blocking ads with your own DNS server (3)

By Tomba on Thursday 12 December 2013 14:29 - Comments (15)
Categories: Linux, System administration, Views: 4,505

In my earlier blog posts I explained how I make sure that our internet experience at home is as ad-free as possible.
Unfortunately, my solution stopped working on 6 December! What turned out to be the cause? MSMVPS made a change to their hosts file:
Important Note: This update contains a change in the prefix in the HOSTS entries to "0.0.0.0" instead of the usual "127.0.0.1". This was done to resolve a slowdown issue with the new Win8.1/IE11 and the HOSTS file.

I'm not sure what Microsoft changed in the new version, although I suspect it has something to do with the new "TCP loopback interface" in Win8.1 ... this change in the prefix should not affect users.

If this proves to be a permanent fix ... I will update the website to reflect the changes.
The result is that no ad is blocked at all anymore! Fortunately this is easy to remedy: by changing one line in the script (127.0.0.1 has to become 0.0.0.0, otherwise the grep returns no results at all) everything works as it should again.

code:
#!/bin/sh
# Automatic ad blacklist by Tomba based on Gjs script (http://tomba.tweakblogs.net/blog/9171/ads-blocken-met-je-eigen-dns-server.html#r_127502 )
# 2013-12-12 Changed due to different syntax in MSMVP hostfile
set -e

# Make backup of current zone file
cp /etc/bind/adservers /etc/bind/adservers.backup

# Get newest MVPS HOSTS File Update and turn each entry into a zone statement.
# Entries now start with 0.0.0.0 instead of 127.0.0.1; the dots are escaped so grep matches them literally.
curl -s http://winhelp2002.mvps.org/hosts.txt | grep -v localhost | grep '^0\.0\.0\.0 ' | awk '{print $2}' | awk '{ sub(/\r$/,""); print "zone \""$0"\" { type master; notify no; file \"null.zone.file\"; };" }' > /etc/bind/adservers.new

# Only replace the zone file when the download actually produced zones; an empty file would unblock everything
if [ -s /etc/bind/adservers.new ]; then
    mv /etc/bind/adservers.new /etc/bind/adservers
else
    echo "Download produced no zones, keeping the existing /etc/bind/adservers" >&2; rm -f /etc/bind/adservers.new; exit 1
fi

# Restart Bind to make sure it picks up the new zonefile
service bind9 restart


Otherwise nothing about the procedure has changed, so you have to make sure the script is executable and that it is scheduled with cron; see my second blog post about this solution for that :)
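As an added example in Python (not the shell script from the post), the same transformation with the failure mode this post ran into handled up front: it accepts both the old 127.0.0.1 prefix and the new 0.0.0.0 prefix, copes with the CRLF line endings and comments of the MVPS file, skips localhost-type names, refuses hostnames containing characters that would break named.conf when interpolated into a zone statement, and refuses to install an empty zone list, so a failed download can never silently unblock everything. The zone statement format and null.zone.file are the ones from the post; the sample hosts text is constructed.

```python
"""Build BIND blocking zones from an MVPS-style HOSTS file.

Added example; the zone statement format and null.zone.file are those used in
this post, the sample input in the test is constructed.
"""
import os
import re

# Sink addresses the MVPS list has used on the left-hand side (old and new format).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
# Names that must never become a blocking zone.
NEVER_BLOCK = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
# Strict hostname syntax. Anything else (quotes, semicolons, braces) could be an
# injection into named.conf once it is interpolated into the zone statement.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(r"^%s(?:\.%s)*$" % (LABEL, LABEL))


def extract_hostnames(hosts_text):
    """Yield blocked hostnames in file order, lowercased and de-duplicated."""
    seen = set()
    for raw in hosts_text.splitlines():          # splitlines() also handles the CRLF endings
        line = raw.split("#", 1)[0].strip()      # drop whole-line and inline comments
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue                             # blank line, "::1 localhost", or not a sink entry
        for name in fields[1:]:                  # a HOSTS line may carry several names
            name = name.lower().rstrip(".")
            if name in NEVER_BLOCK or name in seen or not HOSTNAME_RE.match(name):
                continue
            seen.add(name)
            yield name


def bind_zone_statements(hosts_text, null_zone_file="null.zone.file"):
    """One `zone "name" { ... };` statement per blocked hostname."""
    return ['zone "%s" { type master; notify no; file "%s"; };' % (name, null_zone_file)
            for name in extract_hostnames(hosts_text)]


def write_zone_file(statements, path):
    """Install the zone list atomically and refuse an empty list, so that a failed
    download never replaces a working blocklist with nothing."""
    if not statements:
        raise ValueError("no zone statements, refusing to overwrite %s" % path)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(statements) + "\n")
    os.replace(tmp, path)
    return len(statements)


if __name__ == "__main__":
    import sys
    import urllib.request
    # Live run: fetch the list from the URL used in the post and install it for bind9.
    with urllib.request.urlopen("http://winhelp2002.mvps.org/hosts.txt") as resp:
        text = resp.read().decode("utf-8", "replace")
    try:
        count = write_zone_file(bind_zone_statements(text), "/etc/bind/adservers")
    except ValueError as exc:
        sys.exit(str(exc))
    print("wrote %d zones; now run: service bind9 restart" % count)
```

Schedule it from cron exactly as the shell version; because the old file is only replaced once the new list is complete and non-empty, a network hiccup at the scheduled time leaves the previous blocklist in place instead of an empty zone file.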