Guacamole Package?


(Wayne Bilger) #101

Doesn’t seem to work, I’ve tried all the different encryption methods too, but Zentyal uses port 389, so I assume it’s none.


(Markus Neuberger) #102

Now some log entries would be interesting. I don’t know guacamole, but there should be logfiles:

https://guacamole.incubator.apache.org/doc/0.9.6/gug/configuring-guacamole.html#idm140499500759248
https://guacamole.incubator.apache.org/doc/gug/troubleshooting.html

Found this, maybe missing config for AD:

Source:


(Wayne Bilger) #103

Thanks. It will be Monday before I can try now, but I will update how it
goes with log files.


(Wayne Bilger) #104

Reading the links you provided, I think this is too complicated for the time I have right now. I thought this would be simpler, NS itself, and NextCloud have no problem authenticating against Zentyal AD.
I was hoping that someone had this working with Zentyal, or any AD, but it does not seem like this is the case. I will live with just keeping user logins in mysql for now.

Hopefully there is a NS module for Guacamole soon, with AD integrated!
I know I would be willing to test if anyone would be able to tackle this.


(Markus Neuberger) #105

Did you try to add this to your guacamole.properties? It doesn’t take much time and maybe it’s the missing property? :slight_smile:


(Wayne Bilger) #106

I did yes, no difference.


(Markus Neuberger) #107

Hi guacamole lovers,

I gave it a try and it’s really nice to have a web based remote desktop/ssh/vnc with connection manager.

I could install it easily via the script @jackyes suggested here

yum -y install nethserver-mysql java-1.8.0-devel
wget http://sourceforge.net/projects/guacamoleinstallscript/files/CentOS/guacamole-install-script.sh
chmod +x guacamole-install-script.sh
cat ~/.my.cnf
./guacamole-install-script.sh

Scroll up to copy your mariadb root password from the output of “cat ~/.my.cnf” and just paste it:

 Enter the root password for MariaDB: YOURMARIADBPW
 Enter the Guacamole DB name: guacamole
 Enter the Guacamole DB username: guacamole
 Enter the Guacamole DB password: guacamole
 Enter the Java KeyStore password (least 6 characters): guacamole
 Do you wish to Install the Proxy feature (Nginx)?: no

Then you are asked to complete the Java keystore wizard:

What is your first and last name?
  [Unknown]:  Markus
What is the name of your organizational unit?
  [Unknown]:  Users
What is the name of your organization?
  [Unknown]:  NethServer
What is the name of your City or Locality?
  [Unknown]:  Vienna
What is the name of your State or Province?
  [Unknown]:  Vienna
What is the two-letter country code for this unit?
  [Unknown]:  AT
Is CN=Markus, OU=Users, O=NethServer, L=Vienna, ST=Vienna, C=AT correct?
  [no]:  yes

To allow the ports:

config set fw_guacamole service status enabled TCPPorts 8080,8443 access green
signal-event firewall-adjust

Browse to https://YOURNETHSERVER:8443/guacamole/ and login with username and password guacadmin

I could connect to Win Server 2016 via RDP and to Nethserver via SSH. Guacamole rocks!

This explains install from epel but didn’t work for me:


(Rob Bosch) #108

OMG! this is also a killer app!
Great to see this coming to NethServer. Next step: nethserver-guacamole module! WEEHOO… :smiley:


(Alessio Fattorini) #109

Good to know there is a workable way to install it on NethServer. Thanks for updating us
@stephdl did you try epel rpms yet?


(Stéphane de Labrusse) #110

need to check my note, but it misses the user interface IIRC


(Charles) #111

OMG…did I read this right? Guacamole is coming to Nethserver?

I’ve been working a bit with the developer of a script to install Guacamole - https://sourceforge.net/projects/guacamoleinstallscript/?source=navbar.

He was kind enough to upgrade Guacamole to a newer version. But having the ability to add Guacamole to my Nethserver modules would be a holy grail for us. :slight_smile:

I’ll keep a watch on this thread and find time for testing.

Thanks All!


(Charles) #112

While I look forward to having Guacamole on my Nethserver, here is a comment on how I’m currently including Guacamole in our office.

I’ve installed a Nextcloud app called External sites. I then used the guacamole install script (link above) to install Guacamole on a separate CentOS server. I’m using my Nextcloud as the gateway to get to my Guacamole server. Think of it as a two factor authentication before access to my network. :slight_smile:

External sites is a great app within Nextcloud but currently in Nextcloud 12 I do not have the ability to enable External sites by group. But Nextcloud 13 is going to give me this ability so I’m looking forward to the next version of Nextcloud coming out later this month. We don’t have many people using our Guacamole but it has come in handy on a few occasions. Putting Guacamole behind our Nextcloud install gives me extra peace of mind and I only need to open one firewall rule to my network to my Nextcloud server.


(Alessio Fattorini) #113

I love that trick, your users think that guacamole is on NethServer :slight_smile:
How do you use guacamole? Can you provide us some scenarios?


(Frank Timmers) #114

Hello Markus,

I installed guacamole using the way you suggested. That way it installs with a self-signed certificate and everything works well. Thank you very much. Still, I want to enhance 2 things:

  1. I created a bash-script to copy the LetsEncrypt certificate to the Java key store, so now I don’t get annoying messages anymore about a self-signed certificate. Is it possible to execute this script automatically after the LetsEncrypt certificate renewal? If yes, can you tell me how?
  2. Guacamole is listening on port 8443 (https://<FQDN>:8443/guacamole/). At work I can only access external websites at port 80 or 443, so I still cannot access my computer at home via guacamole. I tried to solve this via reverse proxy (so when I browse to https://<FQDN>/guacamole/, it is proxied to https://<FQDN>:8443/guacamole/), but this only works within my home network. As I cannot create a VPN tunnel from my work to my home network, this still doesn’t work. Is it possible to use reverse proxy from outside my home network? If yes, can you tell me how?

(Markus Neuberger) #115

This is great, I am really interested in your script because it may help with other java key store apps.

/usr/libexec/nethserver/letsencrypt-certs is executed daily via /etc/cron.daily/nethserver-letsencrypt-certs so you may append your script there.

I hope so but I wasn’t able to make it work.


(Frank Timmers) #116

Here is my bash script:

#!/bin/bash

# Replace <FQDN> with the server's fully qualified domain name. It is kept in a
# quoted variable because a bare <FQDN> inside a path is parsed by bash as redirection.
FQDN="<FQDN>"
LIVE="/etc/letsencrypt/live/$FQDN"
P12=/var/lib/tomcat/webapps/cert.p12
KEYSTORE=/var/lib/tomcat/webapps/.keystore

# Convert LetsEncrypt certificate to PKCS12 (the file holds the private key, so it is
# created readable by root only; stop here if the export fails so the old keystore entry is kept)
(umask 077; openssl pkcs12 -export -in "$LIVE/fullchain.pem" -inkey "$LIVE/privkey.pem" -out "$P12" -name guacamole -passout pass:guacamole) || exit 1

# Remove old certificate from Java keystore
keytool -keystore "$KEYSTORE" -delete -alias guacamole -storepass guacamole -noprompt

# Import PKCS12 certificate into Java keystore
keytool -importkeystore -deststorepass guacamole -destkeypass guacamole -destkeystore "$KEYSTORE" -srckeystore "$P12" -srcstoretype PKCS12 -srcstorepass guacamole -noprompt

# Remove PKCS12 certificate
rm -f "$P12"

# Restart tomcat
systemctl restart tomcat

(Frank Timmers) #117

Hello Markus,

We are doing things wrong. In the past I programmed apps in NodeJS; those apps were listening on (i.e.) port 3000; then I put Nginx as reverse proxy in front of it; Nginx was handling encryption, and the traffic between Nginx and the app was not encrypted; the app couldn’t be reached from internet directly, only via Nginx.

Here with Guacamole we need to do it the same way, except with Httpd instead of Nginx. So I need to install Guacamole without encryption and Httpd has to proxy the network traffic to the Guacamole port (without encryption). The Guacamole port may only be open for localhost, not for any other network.
On my NethServer I have Apache 2.4.6 running, so according to the Guacamole docs it should be possible to make this work. I will try to configure this at the weekend when there is some time left (probably not so much because of carnival).
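
The layout described in #117, as an added example that is not part of the original thread: httpd terminates TLS on 443 and forwards to Guacamole over plain HTTP on the loopback interface. It assumes Tomcat listens on 127.0.0.1:8080 only (port 8080 is taken from the firewall rule earlier in the thread) and that a TLS virtual host already exists.

```apache
# Added example (not from the thread). Place inside the existing TLS
# <VirtualHost *:443> so httpd terminates HTTPS for https://<FQDN>/guacamole/.
# Requires mod_proxy, mod_proxy_http and mod_proxy_wstunnel.
# Assumption: Tomcat serves Guacamole over plain HTTP on 127.0.0.1:8080 only,
# e.g. its HTTP <Connector> in server.xml carries address="127.0.0.1".

# Regular HTTP requests; flushpackets=on keeps the streamed HTTP tunnel
# from being buffered by the proxy.
<Location /guacamole/>
    Require all granted
    ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://127.0.0.1:8080/guacamole/
</Location>

# WebSocket tunnel used by the remote desktop session.
<Location /guacamole/websocket-tunnel>
    Require all granted
    ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
</Location>
```

With the backend bound to loopback, ports 8080 and 8443 no longer need to be reachable from other networks; only httpd on 443 is exposed.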


(Frank Timmers) #118

There was already a solution for this:


(Markus Neuberger) #119

Thanks, seems I missed this one :blush:


(Charles) #120

Sure @alefattorini,

There are two examples of how we are using Nextcloud and Guacamole in our small office. The majority of our workstations in our office do not have access to the Internet. These workstations are almost like dumb terminals that are used by operators to do their job(s). We have two external vendors who provide remote support for their applications but for these vendors to get access to one of our workstations, because these workstations are blocked by our firewall the vendor can’t help visually.

For this use case I’m using Guacamole (through Nextcloud) so our Vendors can login and on Guacamole I’ve provided VNC access (viewer only) to each of our workstations. The Vendor is provided a VNC password to use by the operator. The Vendor can now safely get (after logging in essentially three times… once into our Nextcloud, then into Guacamole, and lastly using VNC) into the workstation that needs assistance. I love the fact that in Guacamole each Vendor will only have access to the servers I allow them to view through their Guacamole user Id. As you can see I’m a bit paranoid with people getting in. :slight_smile:

One of our senior staff has a need to work from home when allowed by the owners. For these days this user will login through Nextcloud and then using Guacamole they will be able to access their office workstation using RDP.

So far this is working very well for us.

Thanks!