Posted to user@guacamole.apache.org by Dark Corner <da...@gmail.com> on 2022/05/23 14:52:47 UTC

Access to Guacamole with OpenVPN (behind the Firewall)

Guacamole is installed on a PC behind a Zyxel firewall.
Users should connect to Guacamole via VPN and, once logged into Guacamole,
log into their PC.
However, the firewall cannot handle multiple VPNs. So, I wish to install
OpenVPN, possibly on the same PC used for Guacamole.
To access OpenVPN I would like to open a set of ports on the firewall to
the Guacamole PC only, so that it is not necessary to use a VPN on the
firewall.

Do you have any suggestions in this regard?

For your info, there are fewer than 10 users and each can only access their
PC.
Only one or two users should be able to access all PCs.

Thanks in advance.

Re: Access to Guacamole with OpenVPN (behind the Firewall)

Posted by Nick Couchman <vn...@apache.org>.
On Mon, May 23, 2022 at 11:56 AM Dark Corner <da...@gmail.com>
wrote:

> Thanks for the reply.
> I did not understand your suggestion.
> Do you mean that in the firewall I have to direct the 80/443 traffic
> towards the PC of Guacamole?
>

Yes.


> What if there is a web server on the network? There isn't, but it could be
> activated in the near future. In this case I would have to change the ports
> on Guacamole and tell users that they must use the port in the URL.
> Then I have to consider that the IP is dynamic and therefore I still have
> to use a DDNS.
>

If you don't have a dedicated public IP, or a dedicated public IP per
system that you want to serve content from, then, yes, you'll need
Dynamic DNS. However, if you're considering placing a web server on the
network that serves content to the Internet then I would just make sure to
architect things in a way that factors in both requirements. You could go
ahead and stand up a single web server that is Internet-facing and use that
to Reverse Proxy all of your required applications. You can configure the
web server to forward the /guacamole path and everything under it to your
Guacamole server, and if you have other applications do the same. We have
instructions in the Guacamole Manual for proxying Guacamole:

https://guacamole.apache.org/doc/gug/reverse-proxy.html

Keep in mind, though, that if the proxy lives on a different server than
Tomcat running Guacamole you may want/need to take additional steps to
encrypt the traffic between the proxy and Tomcat (configure Tomcat with SSL
support and make sure the reverse proxy trusts the Tomcat certificate). So,
the setup may be slightly more complex than what is described in the
manual, but it should be doable.

-Nick

RE: Access to Guacamole with OpenVPN (behind the Firewall)

Posted by Sean Hulbert <sh...@securitycentric.net.INVALID>.
Open only port 443 TLS 1.3 and fall back to 1.2

Enable the database on Guacamole for connection storage information; it's very secure.

If you'd like to see a production demonstration that handles over 20+K connections, let me know.

Thank You

Sean Hulbert

From: Dark Corner [mailto:darkcorner919@gmail.com] 
Sent: Monday, May 23, 2022 8:57 AM
To: user@guacamole.apache.org
Subject: Re: Access to Guacamole with OpenVPN (behind the Firewall)


Thanks for the reply.
I did not understand your suggestion.
Do you mean that in the firewall I have to direct the 80/443 traffic towards the PC of Guacamole?
What if there is a web server on the network? There isn't, but it could be activated in the near future. In this case I would have to change the ports on Guacamole and tell users that they must use the port in the URL.
Then I have to consider that the IP is dynamic and therefore I still have to use a DDNS.


Finally, it is true that there is an added complication for users, but also for an intruder who should also have access to the VPN credentials.

In case I decide to use OpenVPN, can I install the OpenVPN server on the same server of Guacamole?


Re: Access to Guacamole with OpenVPN (behind the Firewall)

Posted by Don Eugene Paul Viado <de...@yahoo.com.INVALID>.
Yes, that is possible as long as the ports don't clash. I run my guacamole-server, guacd and a range of other services on the same hosts, dockerized. This includes WireGuard and OpenVPN server. For any web facing traffic, I use haproxy as reverse.

On Tuesday, 24 May 2022, 08:49:48 pm SGT, Dark Corner <da...@gmail.com> wrote:

As I said, I'm not the admin of the firewall and I have only a little support for it from the admin. I must and can only manage the PC with Guacamole. This is the reason I was wondering if Guacamole can be installed on a PC on which something else is already installed. For example OpenVPN, NUT, Zabbix, ...

Re: Access to Guacamole with OpenVPN (behind the Firewall)

Posted by Dark Corner <da...@gmail.com>.
As I said, I'm not the admin of the firewall and I have only a little
support for it from the admin.
I must and can only manage the PC with Guacamole.
This is the reason I was wondering if Guacamole can be installed on a PC on
which something else is already installed.
For example OpenVPN, NUT, Zabbix, ...

On Tue 24 May 2022, 06:49 Vendel Colja <Co...@allysca.de> wrote:

> Your argument for DDNS is true for the VPN solution too.
>
> I'd suggest to,
>
> - yes, if it's dynamic IP assignment, use DDNS,
> - forward 443 to your guacamole server
> - redirect port 80 to 443 on your firewall already
> - force TLS 1.3 and only fall back to 1.2
> - use guacamole with DB
> - use guacamole only with 2FA enabled
> - if you are paranoid enough, disable clipboard and file transfer
> capabilities
>
> If one intends to run a non-guacamole webserver in your network, you could
> either proxy guacamole through this web server or use the guacamole apache
> or nginx to serve or proxy both guacamole and the web site.
>
> I split all services to dedicated VMs and/or containers, so there is one
> for proxying 443 to guacamole tomcat, one tomcat to run guacamole, one to
> run guacd and one more to run pgsql, and all of them report logging
> information to a central log system to be monitored.

Re: Access to Guacamole with OpenVPN (behind the Firewall)

Posted by Vendel Colja <Co...@allysca.de>.
Your argument for DDNS is true for the VPN solution too.
I'd suggest to,

- yes, if it's dynamic IP assignment, use DDNS,
- forward 443 to your guacamole server
- redirect port 80 to 443 on your firewall already
- force TLS 1.3 and only fall back to 1.2
- use guacamole with DB
- use guacamole only with 2FA enabled
- if you are paranoid enough, disable clipboard and file transfer capabilities

If one intends to run a non-guacamole webserver in your network, you could either proxy guacamole through this web server or use the guacamole apache or nginx to serve or proxy both guacamole and the web site.

I split all services to dedicated VMs and/or containers, so there is one for proxying 443 to guacamole tomcat, one tomcat to run guacamole, one to run guacd and one more to run pgsql, and all of them report logging information to a central log system to be monitored.




From: Dark Corner <da...@gmail.com>
Sent: Monday, 23 May 2022 17:57
To: user@guacamole.apache.org
Subject: Re: Access to Guacamole with OpenVPN (behind the Firewall)

Thanks for the reply.
I did not understand your suggestion.
Do you mean that in the firewall I have to direct the 80/443 traffic towards the PC of Guacamole?
What if there is a web server on the network? There isn't, but it could be activated in the near future. In this case I would have to change the ports on Guacamole and tell users that they must use the port in the URL.
Then I have to consider that the IP is dynamic and therefore I still have to use a DDNS.

Finally, it is true that there is an added complication for users, but also for an intruder who should also have access to the VPN credentials.
In case I decide to use OpenVPN, can I install the OpenVPN server on the same server of Guacamole?



Re: Access to Guacamole with OpenVPN (behind the Firewall)

Posted by Dark Corner <da...@gmail.com>.
Thanks for the reply.
I did not understand your suggestion.
Do you mean that in the firewall I have to direct the 80/443 traffic
towards the PC of Guacamole?
What if there is a web server on the network? There isn't, but it could be
activated in the near future. In this case I would have to change the ports
on Guacamole and tell users that they must use the port in the URL.
Then I have to consider that the IP is dynamic and therefore I still have
to use a DDNS.

Finally, it is true that there is an added complication for users, but also
for an intruder who should also have access to the VPN credentials.

In case I decide to use OpenVPN, can I install the OpenVPN server on the
same server of Guacamole?

On Mon 23 May 2022 at 17:16 Michael Jumper <mj...@apache.org>
wrote:

> On Mon, May 23, 2022, 07:53 Dark Corner <da...@gmail.com> wrote:
>
>> Guacamole is installed on a PC behind a Zyxel firewall.
>> Users should connect to Guacamole via VPN and, once logged into
>> Guacamole, log into their PC.
>> However, the firewall cannot handle multiple VPNs. So, I wish to install
>> OpenVPN, possibly on the same PC used for Guacamole.
>> To access OpenVPN I would like to open a set of ports on the firewall to
>> the Guacamole PC only, so that it is not necessary to use a VPN on the
>> firewall.
>>
>> Do you have any suggestions in this regard?
>>
>
> I think it would be far better to not use the VPN at all. Putting a VPN in
> front of it would just add unnecessary difficulty and complexity for users.
>
> Part of the function of Guacamole is as a VPN replacement. It allows you
> to allow users to connect to backend desktops securely and via a browser
> without needing VPN at all. You should instead:
>
> 1) Allow direct access to the Guacamole server only, and only on ports 80
> and 443.
>
> 2) Set up SSL termination such that access is properly encrypted and HTTP
> traffic to port 80 is redirected to HTTPS at port 443.
>
> 3) Ensure via your firewall and network config that Guacamole is the sole
> means of access to the desktops on the private network behind Guacamole.
>
> You then have a single, centralized, monitored, and secured point of
> entry, with access to any particular backend desktop only possible if the
> admin grants that access.
>
> - Mike
>
>

Re: Access to Guacamole with OpenVPN (behind the Firewall)

Posted by Michael Jumper <mj...@apache.org>.
On Mon, May 23, 2022, 07:53 Dark Corner <da...@gmail.com> wrote:

> Guacamole is installed on a PC behind a Zyxel firewall.
> Users should connect to Guacamole via VPN and, once logged into Guacamole,
> log into their PC.
> However, the firewall cannot handle multiple VPNs. So, I wish to install
> OpenVPN, possibly on the same PC used for Guacamole.
> To access OpenVPN I would like to open a set of ports on the firewall to
> the Guacamole PC only, so that it is not necessary to use a VPN on the
> firewall.
>
> Do you have any suggestions in this regard?
>

I think it would be far better to not use the VPN at all. Putting a VPN in
front of it would just add unnecessary difficulty and complexity for users.

Part of the function of Guacamole is as a VPN replacement. It allows you to
allow users to connect to backend desktops securely and via a browser
without needing VPN at all. You should instead:

1) Allow direct access to the Guacamole server only, and only on ports 80
and 443.

2) Set up SSL termination such that access is properly encrypted and HTTP
traffic to port 80 is redirected to HTTPS at port 443.

3) Ensure via your firewall and network config that Guacamole is the sole
means of access to the desktops on the private network behind Guacamole.

You then have a single, centralized, monitored, and secured point of entry,
with access to any particular backend desktop only possible if the admin
grants that access.

- Mike
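The single published entry point that Mike's steps 1 and 2, Nick's reverse-proxy note and Vendel's list describe, written out as an added nginx configuration; it is not from this thread or from the Guacamole manual. The hostnames guac.example.com and guac.internal.example, the Tomcat port 8443 and the certificate paths are assumptions; the location block follows the manual's nginx section, with upstream TLS verification added because the proxy is assumed to live on a different host than Tomcat.

```nginx
# Added example, not from the thread or the Guacamole manual.
# Assumed names: public host guac.example.com, Tomcat with SSL on
# guac.internal.example:8443, certificates under /etc/nginx/tls/.

# Port 80 exists only to send clients to HTTPS (Mike's step 2,
# Vendel's "redirect port 80 to 443").
server {
    listen 80;
    listen [::]:80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    # TLS 1.3 with 1.2 as the only fallback; nothing older is offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Nothing but Guacamole is published on this host; any other path
    # is refused. Replace this block if a web site is later added here.
    location / {
        return 404;
    }

    # Guacamole proxied at /guacamole/, as in the manual. Because the
    # proxy is on a separate host, Tomcat is reached over TLS and its
    # certificate is verified against the CA that issued it.
    location /guacamole/ {
        proxy_pass https://guac.internal.example:8443/guacamole/;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/tomcat-ca.pem;
        proxy_ssl_name guac.internal.example;
        proxy_ssl_server_name on;

        # Required for the Guacamole WebSocket tunnel.
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }
}
```

Mike's step 3 is not expressed here: it belongs on the firewall, where only 80 and 443 to this host are forwarded and the desktops accept RDP/VNC/SSH from the Guacamole host alone.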