Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

RDP to Linux

RDP Basics

What is RDP?

You basically can see the screen/desktop of another machine and control it remotely.    

Remote Desktop Protocol typically runs over TCP and UDP port 3389 and allows you to log in to Windows machines using a client (from any machine).   Linux uses VNC and by default that is port 5601.  Even though it’s called VNC, you can use RDP clients to connect to it.

I often use my chromebook to connect to various servers in my home and production environment.   This allows me to use a relatively cheap device to travel with.   The chromebook also has almost a 12 hour battery life, runs android apps, and a linux container - so it’s all that I need, most of the time.     By allowing RDP I can sit on the couch upstairs and work on any of my machines (windows or linux) downstairs, just as if I am sitting right in front of that machine (same IP and everything).

Why Not SSH?

SSH (Secure Shell) is widely used to remotely administer Linux based servers.   There is no GUI, only commands.     For some applications, especially to interact with the Windows based world, you need a GUI, a browser, etc.    SSH is much stronger against attacks than RDP, and on my servers I run both.

If you need to install ssh to run the rest of the tutorial remotely, you would type (locally):

sudo apt-get install openssh-server

Security Concerns

There are security issues to deal with - namely, it’s a HUGE attack vector (https://github.com/search?q=rdp).  VNC isn’t encrypted by default and RDP isn’t either.    Both can use various forms of encryption such as SSH tunneling and TLS.    Windows versions can tie into AD and have additional certificate matching.     There are probably things you can do for Linux too - but I use SSH tunneling, which is high enough security for what I do.

Firewalls

At the very least, you should be running a firewall that blocks everyone except you from even attempting SSH or RDP connections.  If you do not do this, you will get hacked - it is just a matter of time.    There are several firewall tutorials, and a dynamic firewall script, on my site: https://grimoire.jamesfraze.com/?s=ufw   I run a script that updates the firewall to my current location.     It allows the SSH and RDP protocols in from where I am; everywhere and everyone else is blocked.     Look up “UFW” for a free host based firewall for Ubuntu/Pi.   UFW is really a front end to iptables, which is available on all Linux machines.

You probably won’t need a firewall at your house to connect from your couch chromebook to your Pi on the desk, but consider learning about firewalls once you’ve been through the tutorial and have it all working.   You NEED a firewall if your RDP server is public.

Speed

RDP is slower than sitting right in front of the computer.   RDP over SSH tunneling is even slower!   You will notice the speed, and if your internet connection isn’t fast enough, it might be unusable.     Local connections should be plenty fast, but once it goes across the internet, expect major slow downs.

Debian

Debian is a version of linux.   It has many variants.   The Pi and Ubuntu are versions of Debian.   If you know Debian commands and methods you can understand the Pi and Ubuntu.    Redhat is the other major player and it has variants such as CentOS and Fedora.    Many devices use a base of either Debian or Redhat.    Redhat however requires licensing for updates, so I tend to ignore it.    Redhat is widely used in the govt.

VPS

Imagine a data farm somewhere across the world that hosts 10,000 servers.   They can rent you one and you can manage it for cheap.   $5 to $10 a month is about the cheapest I’ve found, from digitalocean.com.  Most of my hosting of websites, remote desktops, and lab servers is on digitalocean.com.

ESX/Proxmox

ESX is a virtualization product that you can run on a computer at your home/office.    It’s free.  My server has several lab machines running inside of it at the moment.     You can also set up NAT on your router and, for all practical purposes, you will have a small cloud service.   I use ESX to make temporary servers, take snapshots of them, experiment, and do proof of concept work before production.   ESX is my “lab”.    However, it can function just like digitalocean.com in the sense that it is a form of cloud based computing.

GEO Based ACL

An ACL is an access control list and is a generic term that means “blocked or allowed”.   Many of the companies I work for block any IP that isn’t from the US and then they apply the rest of their firewall rules.    I use a VPS based in the US so I can log into the companies I work for, no matter where I am by hopping through this “Jumphost”.

 From there, I can log into my various companies and it appears as if I’m in the United States.

ie:  MYPC@Starbucks Germany --->   VPS in US --> Bank in US requiring US IP to connect

Setup RDP on the Pi

Now that you have a background of what RDP is and why you might need it, you must first configure your Pi/Ubuntu machine to “listen” for RDP requests.

Create User for RDP

If desired, “adduser” and restrict their login/actions.    I created a user that wasn’t root.   Exact changes to shell, group etc are left for you to decide.

sudo adduser james

Setup Desktop Environment 

On the linux machine, you must setup the framework for having a desktop in the first place:

tasksel --list-tasks

If you do not have a desktop environment, you need to install one:

tasksel install kubuntu-desktop

Install XRDP

Exact install order seems to be important.  So we are going to remove and then reinstall in a specific order.  If it’s not installed, that’s fine, these commands won’t hurt anything.   Run these on the Pi or Linux computer that you just set up the desktop environment for in the previous step.

sudo apt-get remove xrdp vnc4server tightvncserver
sudo apt-get install tightvncserver
sudo apt-get install xrdp

Create /etc/xrdp/xrdp.ini

In the event that you need to make changes, or if the xrdp.ini isn’t set up, you can run this command on the Linux Machine.  Mine was set up by default, but I kept notes just in case.

Backup First!

sudo cp /etc/xrdp/xrdp.ini /etc/xrdp.ini.bak

Create xrdp.ini File

sudo bash -c 'cat > /etc/xrdp/xrdp.ini <<EOF
# RDP listener settings
[globals]
bitmap_cache=yes
bitmap_compression=yes
port=3389
crypt_level=low
channel_code=1

# Session backend: xrdp hands the RDP session to the local VNC server
[vnc1]
name=vncserver
lib=libvnc.so
ip=localhost
port=5091
username=pi
password=JamesSuperSecretPassword123
EOF'

You may want to set encryption to ‘high’ instead of ‘low’.

The xrdp.ini also controls things like reconnect automatically to the same connection, instead of making a new one.   Read xrdp docs for other features that may be useful to you.
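A small audit and fix-up script for the xrdp.ini above, added here as an example and not part of the page's own tooling. It assumes the file layout shown (a [globals] section holding crypt_level, a [vnc1] session section holding password), uses xrdp's password=ask setting so the VNC password is not stored in clear text, and expects bash with GNU sed/find.

```bash
#!/bin/bash
# Audit an xrdp.ini for the weak settings in the file above and, optionally,
# rewrite them. Added example; paths and the "fix" behaviour are assumptions.

# Report weak settings, one per line; return value = number of findings.
audit_xrdp_ini() {
    local ini="$1" findings=0 level sections
    # crypt_level=low leaves RDP standard-security sessions weakly encrypted.
    level=$(awk -F= '/^\[globals\]/{g=1; next} /^\[/{g=0} g && $1=="crypt_level"{print $2}' "$ini")
    if [ "${level:-unset}" != "high" ]; then
        echo "crypt_level is '${level:-unset}', expected 'high'"
        findings=$((findings + 1))
    fi
    # A literal password in a session section is readable by anyone who can read
    # the file; password=ask makes xrdp prompt at login instead.
    sections=$(awk -F= '/^\[/{s=$0} $1=="password" && $2!="ask"{print s}' "$ini" | tr '\n' ' ')
    if [ -n "$sections" ]; then
        echo "clear-text password in section(s): $sections"
        findings=$((findings + 1))
    fi
    # Even with password=ask the file should not be world-readable (xrdp runs as root).
    if [ -n "$(find "$ini" -perm -o=r)" ]; then
        echo "$ini is world-readable; chmod 640 it"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Apply the corrected settings in place: crypt_level=high, password=ask, mode 640.
harden_xrdp_ini() {
    local ini="$1"
    sed -i 's/^crypt_level=.*/crypt_level=high/; s/^password=.*/password=ask/' "$ini"
    chmod 640 "$ini"
}

# Stand-alone use: "audit" reports on the live file, "fix" hardens it first.
if [ "${1:-}" = "audit" ] || [ "${1:-}" = "fix" ]; then
    [ "$1" = "fix" ] && harden_xrdp_ini /etc/xrdp/xrdp.ini
    audit_xrdp_ini /etc/xrdp/xrdp.ini
fi
```

Run it as `sudo ./xrdp-audit.sh audit` after editing the file; a non-zero exit status means something from the list above still needs attention.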

Restart the XRDP Service

The service is technically running at this point, but the sesman (session manager) isn’t handling things quite right yet.  You need to restart the service to make them all work together:

sudo service xrdp restart

If you use the “sudo netstat -tulpn” command you can see that port 3389 is now open.

Update Firewall Rules

Even though the server is listening, a firewall might be blocking it.   Keep reading…

IF you have ufw installed on the Pi/Linux, you will need to add a rule something like one of these:

If you want the whole network allowed (not always the best idea):

sudo ufw allow from 192.168.1.0/24 to any port 3389

If you want just a single computer:

sudo ufw allow from 192.168.1.10 to any port 3389

You can verify your ufw rules with “ufw status”

sudo ufw status numbered

If you do not have the port open, or if you have a firewall blocking it, you might get an error like this:

If it’s working though, you should see this:

For your non-production, home network it’s ok to just accept and continue, but you should at least understand that it’s saying “Hey, this connection type is pretty easy to hack, continue?”.

Connect from Windows (Normal)

In the case you want to use a Windows computer to connect to the GUI on Linux, you can.   The Windows client is called “Microsoft Terminal Services Client” (mstsc.exe).  You can click Start and find the Remote Desktop icon:

or type it from the command line on windows:

mstsc /console /f /v:somecomputer
  • /console will reconnect to your last session instead of start a new one
  • /f will open in full screen
  • /v:somecomputer will connect you to the computer

Connect from Chromebook (Normal)

I connect via my chromebook, and that is why this tutorial was written.  There are 2 ways to connect from the chromebook.   The standard way would be to use the app from the chrome webstore:

https://chrome.google.com/webstore/detail/microsoft-remote-desktop/ombhnmnhpipdkodghlpgkplpfpobagim

The app works great and for my local network, that’s all I use.    You can probably just stop reading here and things will work for your local network. 

Connect from Chromebook (SSH Tunnel, Encrypted)

SSH Tunneling allows you to make a pipe where everything you put in that pipe is encrypted.  It’s like a VPN, but it’s not.  Do not call SSH tunneling a “VPN”, it’s not.

The linux container on chromebook doesn’t talk to your browser, so the app above cannot use some of the encryption features by default (but there is a ssh browser app that allows you to do the tunnel in chrome too).  I don’t like it but it does work:  

https://chrome.google.com/webstore/detail/pnhechapfaindjhompbnflcldabbghjo

If you have a linux container installed on your chromebook, you can do it the linux way by opening a tunnel and then running rdp over the tunnel.

Install xfreerdp client:

You need a client like the chrome webstore app, or mstsc.exe.    Linux uses “freerdp”.   Install it:

sudo apt-get install freerdp-x11

Run Client Through Tunnel:

Now, open 2 terminals.   1 terminal will create a tunnel, the other terminal will start the xfreerdp client.

Form the tunnel:

  • -C sets compression for slow networks, but actually slows things down on fast ones
  • -p sets the port to 80 (my ssh port)
  • -L sets a loopback from my port 12345 to malchias.com port 3389
  • -c blowfish might be a better option than -C if speed is important.  blowfish is a weaker cipher, but still pretty hard to crack.   I use the -C because sometimes I work from the vehicle, tethered to a mobile data plan, and reception can get spotty.  So I need to optimize bandwidth, not really CPU usage (blowfish is easier on the CPU)

Run the Client:

  • /v says to connect to my chromebook, port 12345
  • /size sets the size of my screen
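The two terminals above can be one script. This is an added example, not the author's commands: it assumes the values from the bullets (sshd on port 80 of malchias.com, local port 12345 forwarded to 3389) and a 1366x768 screen, and it drops -c blowfish because OpenSSH removed that cipher from the client in 7.6.

```bash
#!/bin/bash
# Open the SSH tunnel, run xfreerdp through it, then tear the tunnel down.
# Added example, not the author's script. Host, ports and size are assumptions
# taken from the bullets above (sshd on port 80 of malchias.com, 12345 -> 3389).
set -eu

SSH_HOST="${SSH_HOST:-malchias.com}"   # machine running sshd and xrdp
SSH_PORT="${SSH_PORT:-80}"             # the page's sshd port
LOCAL_PORT="${LOCAL_PORT:-12345}"      # loopback port on the chromebook
RDP_SIZE="${RDP_SIZE:-1366x768}"       # assumed chromebook resolution

# The ssh command line. -N opens no remote shell, only the forward; -C compresses
# (the page's choice for tethered links). Binding the local end to 127.0.0.1 keeps
# the forwarded port off the chromebook's other interfaces; the remote end targets
# xrdp on the server's own loopback. -c blowfish is omitted: OpenSSH 7.6 removed it.
tunnel_cmd() {
    printf 'ssh -N -C -p %s -L 127.0.0.1:%s:127.0.0.1:3389 %s\n' \
        "$SSH_PORT" "$LOCAL_PORT" "$SSH_HOST"
}

# The client connects to the local end of the tunnel, never to the server directly.
rdp_cmd() {
    printf 'xfreerdp /v:127.0.0.1:%s /size:%s\n' "$LOCAL_PORT" "$RDP_SIZE"
}

# ssh needs a moment before the forward listens; poll with ss for up to $2 seconds.
wait_for_port() {
    local port="$1" tries="${2:-15}"
    while [ "$tries" -gt 0 ]; do
        ss -ltn 2>/dev/null | grep -q "127.0.0.1:${port} " && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

if [ "${1:-}" = "connect" ]; then
    $(tunnel_cmd) &
    tunnel_pid=$!
    trap 'kill "$tunnel_pid" 2>/dev/null' EXIT   # close the tunnel when xfreerdp exits
    wait_for_port "$LOCAL_PORT" || { echo "tunnel did not come up" >&2; exit 1; }
    $(rdp_cmd)
fi
```

Invoke it as `./rdp-tunnel.sh connect`; the trap means you no longer need a second terminal to kill the tunnel afterwards.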

And now you have a linux desktop that you are remotely connected to from chromebook (KDE Desktop?):

or if you have a Pi and are connected from windows, it might look like this (XFCE desktop):

Bugs, Problems, Etc

RDP Crashed/Won’t Start

Sometimes, if the xrdp service crashes, port 3389 won’t be open anymore.  Verify this through ssh with the netstat command:

netstat -tunlp

Look for the 3389 service. If it’s not in the list, the xrdp service has crashed. A quick solution is to try restarting the service, but if that fails, just reboot the Pi. There are other graphical hiccups that can happen.     I don’t know how to troubleshoot them and I just reboot when they happen (infrequently). You can also try restarting the xrdp service first though:

sudo service xrdp restart

IF there are any issues, you will be able to see them on the screen, or in detail by looking at the last 3 minutes of the journal:

sudo journalctl -S -3m
Jul 13 11:12:30 raspberrypi systemd[1]: Stopped xrdp session manager.
Jul 13 11:12:30 raspberrypi systemd[1]: Starting xrdp session manager...
Jul 13 11:12:30 raspberrypi xrdp-sesman[23185]: (23185)(-1225175184)[DEBUG] libscp initialized
Jul 13 11:12:30 raspberrypi xrdp-sesman[23185]: (23185)(-1225175184)[DEBUG] Testing if xrdp-sesman can listen on 127.0.0.1 port 3350.
Jul 13 11:12:30 raspberrypi xrdp-sesman[23185]: (23185)(-1225175184)[DEBUG] Closed socket 1 (AF_INET6 ::1 port 3350)
Jul 13 11:12:30 raspberrypi xrdp-sesman[23186]: (23186)(-1225175184)[INFO ] starting xrdp-sesman with pid 23186
Jul 13 11:12:30 raspberrypi systemd[1]: Started xrdp session manager.
Jul 13 11:12:30 raspberrypi xrdp-sesman[23186]: (23186)(-1225175184)[INFO ] listening to port 3350 on 127.0.0.1
Jul 13 11:12:30 raspberrypi systemd[1]: Starting xrdp daemon...
Jul 13 11:12:30 raspberrypi xrdp[23195]: (23195)(-1225160592)[DEBUG] Testing if xrdp can listen on 0.0.0.0 port 3389.
Jul 13 11:12:30 raspberrypi xrdp[23195]: (23195)(-1225160592)[DEBUG] Closed socket 7 (AF_INET6 :: port 3389)
Jul 13 11:12:30 raspberrypi systemd[1]: xrdp.service: Can't open PID file /run/xrdp/xrdp.pid (yet?) after start: No such file or directory
Jul 13 11:12:31 raspberrypi systemd[1]: Started xrdp daemon.

Maybe there will be a clue in this info as to why.   If not, just reboot.

Running Slow

Here is what my memory/cpu usage looks like when connected both locally running pandora over a browser,  and via RDP at same time (nothing open in that session yet):

Remember, the Pi is not a supercomputer.  It’s amazing that it can do ANYTHING!  Do not open 20 windows and expect it to run smoothly.  Shut down things you aren’t using and close tabs, etc.   That will help.

You can also change to a weaker encryption, change the bit depth lower, remove the background image on your Pi.   

IPV6 Bug

XRDP will ONLY work if IPV6 is enabled.   It is enabled by default, but in the case you have disabled it, know that it will not work (a current bug in debian).

Fixup ICA Client for Linux

Citrix is how many of the companies I work with connect.  It makes a virtual desktop called a VDI.   If you aren’t using VDI for your organization, you probably don’t need this.    The default certs do not work with Citrix, so we need to fix them IF we are going to connect to a Citrix VDI when we are done with RDP setup.

https://www.citrix.com/downloads/citrix-receiver/linux/receiver-for-linux-latest.html

sudo dpkg -i SOMEPACKAGE

https://askubuntu.com/questions/1064452/citrix-receiver-13-10-on-ubuntu-18-04-1/1069929#1069929

cd /opt/Citrix/ICAClient/keystore
sudo rm -r cacerts
sudo ln -s /etc/ssl/certs cacerts

Get the IP of the Pi

On the Pi/Linux computer, get your IP:

ifconfig | grep inet

probably something like:  192.168.1.xx   where xx is the Pi/Linux computer you want to connect to.

Policy double login annoyance

(http://c-nergy.be/blog/?p=12073 and http://c-nergy.be/blog/?p=12043)

sudo rm /usr/share/polkit-1/actions/org.freedesktop.color.policy.xml

or

sudo vim /usr/share/polkit-1/actions/org.freedesktop.color.policy.xml  for each <allow_any>….</allow_any>, replace the auth_admin value with the value yes.  

or recommended

sudo vim /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.color-manager.create-device" ||
         action.id == "org.freedesktop.color-manager.create-profile" ||
         action.id == "org.freedesktop.color-manager.delete-device" ||
         action.id == "org.freedesktop.color-manager.delete-profile" ||
         action.id == "org.freedesktop.color-manager.modify-device" ||
         action.id == "org.freedesktop.color-manager.modify-profile") &&
        subject.isInGroup("{users}")) {
        return polkit.Result.YES;
    }
});

Other XRDP Reading: