Setting Up Apache Guacamole on Raspberry Pi

I have Apache Guacamole running on a VM hosted on ESXi. The resources are overprovisioned and I need my entire Dell R520 online all the time to keep my Guacamole website running 24/7. Most of my other VMs don't need to be online 24/7, so I want to move Guacamole to a low-power device that can be online 24/7 without using a bunch of electricity. I tried installing Guacamole natively, but doing so was time-consuming and not worth the effort when good scripts exist on GitHub to automate the process. I’ve used this repo for a previous Guacamole implementation and it was smooth and easy. The repository, created by MysticRyuujin, was a valuable resource for simplifying the installation process. They even provide a script to update Guacamole!

Raspberry Pi Specs

Link: Raspberry Pi 3 Model B+
Cost: ~$35 – $50
Processor: Broadcom BCM2837B0, Cortex-A53 64-bit SoC @ 1.4 GHz
Memory: 1GB LPDDR2 SDRAM
Ethernet: Gigabit Ethernet over USB 2.0 (maximum throughput 300 Mbps)
Power: 5V/2.5A DC power input
OS Installed: Raspbian GNU/Linux 11 (bullseye)

Prerequisites

# Update the package list, upgrade installed packages, and install make, git, Apache and ufw

sudo apt update && sudo apt upgrade -y && sudo apt install make git apache2 ufw -y

# Allow SSH and HTTPS traffic first, so that enabling the firewall does not block new SSH connections

sudo ufw allow 22/tcp
sudo ufw allow 443/tcp

# Enable the ufw firewall

sudo ufw enable

Guacamole Installation

We will be using the guac-install script from the repository mentioned above.

# Clone the GitHub repo

git clone https://github.com/MysticRyuujin/guac-install.git

# Change directory

cd guac-install

# Installing with MFA TOTP added

sudo bash ./guac-install.sh --mysqlpwd <your password> --guacpwd <your password> --totp --installmysql

# You will receive the message below. This means that Guacamole is fully installed and you can access it using http://<Your Raspberry Pi IP Address>:8080/guacamole/

Installation Complete
- Visit: http://localhost:8080/guacamole/
- Default login (username/password): guacadmin/guacadmin
***Be sure to change the password***

Guacamole Configuration

Make sure to log in with the default creds; you will be required to use a TOTP app for OTP codes. Next, set up your own admin account and delete the default account. Make sure to choose all the permissions for your personal admin account before deleting the default guacadmin account.

Permissions section of the account creation process.

Configuring Proxy Server

To me it makes sense to make Guacamole accessible using a subdomain. In my infrastructure, I have a pfSense firewall with the HAProxy and Acme Certificate services installed. I set up the subdomain proxy connection to my Raspberry Pi using the HAProxy service and I created certificates using the Acme Certificate service. For more information on this specific setup, check out the articles below.

Setting up Reverse Proxy on pfSense: Tutorial Link
Setting up Acme Certificate on pfSense: Documentation Link | Tutorial Video

Once you complete the Reverse Proxy and Acme Certificate configurations, you will need to set up the Guacamole server to use the certificate and respond to the web requests that come from the subdomain. Follow the steps below to set this up.

# Create a folder for your SSL certificates (you will need to know the location of this folder for a step later in the setup)

mkdir -p Certificates/<your site name>

# Change directory

cd Certificates/<your site name>

# Create the fullchain.pem file

sudo nano fullchain.pem

# Copy and paste the certificate data. If you are using a pfSense firewall like me, go to System > Certificates > Certificates > Locate the cert that you generated earlier for your site > Edit Certificate

# Looks like this

-----BEGIN CERTIFICATE-----
dnFAKDSkjf89u22jdo283ej08j2eje3i....
....3iejo23i83939283ejejndo3jn....
-----END CERTIFICATE-----

# Save the file

CTRL + S

# Close the file

CTRL + X

# Create the privkey.pem file

sudo nano privkey.pem

# Looks like this. 

-----BEGIN RSA PRIVATE KEY-----
JNDKSJdnskajndbajsndo3984u1....
.....jasnkdjn398he9u2do308....
-----END RSA PRIVATE KEY-----

# Save the file

CTRL + S

# Close the file

CTRL + X

# Next, Apache needs to be configured to recognize web traffic sent to your subdomain. 

# Open the main Apache configuration file in a text editor. This is usually the apache2.conf file

sudo nano /etc/apache2/apache2.conf

# Add the ServerName directive below to the bottom of the apache2.conf file

ServerName <Your Domain/Subdomain name>

# Save the file

CTRL + S

# Close the file

CTRL + X

# Go to the apache sites-available directory 

cd /etc/apache2/sites-available

# Create the Apache config file

sudo nano guacamole-ssl.conf

# Copy the configuration below and enter the details for your site in the placeholder fields (shown in angle brackets).

<VirtualHost *:443>
        ServerName <Your subdomain>
        # Strips X-Frame-Options from responses, so browsers will not refuse to show the site inside a frame
        Header always unset X-Frame-Options
        ErrorLog ${APACHE_LOG_DIR}/vm_error.log
        CustomLog ${APACHE_LOG_DIR}/vm_access.log combined

        # Proxy all requests to the Guacamole web application on Tomcat (port 8080)
        <Location />
          # Apache 2.4 access control (replaces the 2.2-style Order/Allow pair)
          Require all granted
          ProxyPass http://localhost:8080/guacamole/ flushpackets=on
          ProxyPassReverse http://localhost:8080/guacamole/
        </Location>

        # WebSocket tunnel; the ws:// scheme is handled by mod_proxy_wstunnel
        <Location /websocket-tunnel>
          Require all granted
          ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
          ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
        </Location>

        SSLEngine On
        SSLCertificateFile <Location to the files created earlier>/Certificates/<your site name>/fullchain.pem
        SSLCertificateKeyFile <Location to the files created earlier>/Certificates/<your site name>/privkey.pem
</VirtualHost>

# Save the file

CTRL + S

# Close the file

CTRL + X

# Enable the mod_ssl module

sudo a2enmod ssl

# Enable headers module

sudo a2enmod headers

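# Enable proxy modules (proxy_wstunnel handles the ws:// ProxyPass in the websocket-tunnel location)

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_wstunnel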

# Enable the Guacamole virtual host

sudo a2ensite guacamole-ssl

# Disable the default-ssl virtual host

sudo a2dissite default-ssl

# Test Apache configuration for syntax errors

sudo apachectl configtest

# Restart Apache so the newly enabled modules and site are loaded

sudo systemctl restart apache2
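
Each directive family in the vhost above depends on an Apache module being enabled (ws:// targets need proxy_wstunnel), and a privkey.pem created with sudo nano gets the default umask, typically mode 644. The script below is an added example, not part of the original post; its function names and the constructed sample are assumptions for illustration, and the sample leaves proxy_wstunnel disabled to show what a gap looks like.

```bash
# Added example, not from the original post: checks for the vhost and key file.

# Print the Apache modules that the directives in vhost file $1 depend on.
required_mods() {
  grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$1" && echo ssl
  grep -Eiq '^[[:space:]]*Header[[:space:]]' "$1" && echo headers
  grep -Eiq '^[[:space:]]*ProxyPass' "$1" && echo proxy
  grep -Eiq '^[[:space:]]*ProxyPass.*[[:space:]]https?://' "$1" && echo proxy_http
  grep -Eiq '^[[:space:]]*ProxyPass.*[[:space:]]wss?://' "$1" && echo proxy_wstunnel
  return 0
}

# Print the required modules that have no <name>.load in mods-enabled dir $2.
missing_mods() {
  mods_dir=${2:-/etc/apache2/mods-enabled}
  for m in $(required_mods "$1"); do
    [ -e "$mods_dir/$m.load" ] || echo "$m"
  done
}

# Succeed only if key file $1 grants nothing to group or other (e.g. mode 600).
key_is_private() {
  case $(ls -ld "$1") in
    -???------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: the vhost's directives, with proxy_wstunnel left disabled.
demo() {
  d=$(mktemp -d)
  mkdir "$d/mods-enabled"
  printf '%s\n' 'Header always unset X-Frame-Options' \
    '  ProxyPass http://localhost:8080/guacamole/ flushpackets=on' \
    '  ProxyPass ws://localhost:8080/guacamole/websocket-tunnel' \
    'SSLEngine On' > "$d/guacamole-ssl.conf"
  for m in ssl headers proxy proxy_http; do : > "$d/mods-enabled/$m.load"; done
  missing_mods "$d/guacamole-ssl.conf" "$d/mods-enabled"
  rm -rf "$d"
}

# Two arguments: check a real vhost file and key file. None: run the sample.
if [ "$#" -eq 2 ]; then
  for m in $(missing_mods "$1"); do echo "not enabled: $m (sudo a2enmod $m)"; done
  key_is_private "$2" || echo "key readable by group/other: sudo chmod 600 $2"
else
  demo
fi
```

Run it with the path to guacamole-ssl.conf and the path to privkey.pem; no output means every needed module is enabled and the key is readable only by its owner.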

DONE!

Congrats, you are done setting up Guacamole!! If you go to your subdomain/domain in a browser, you should see the Guacamole login screen. We also added MFA, so you will need to download an authenticator app that can produce OTP codes. I recommend Google Authenticator. iPhone | Android
