I have Apache Guacamole running on a VM hosted on ESXi. The resources are overprovisioned, and I need my entire Dell R520 online all the time just to keep my Guacamole website running 24/7. Most of my other VMs don't need to be online 24/7, so I want to move Guacamole to a low-power device that can stay online 24/7 without using a lot of electricity. I tried installing Guacamole natively, but doing so was time consuming and not worth the effort when good scripts exist on GitHub to automate the process. I've used this repo for a previous Guacamole implementation and it was smooth and easy. The repository, created by MysticRyuujin, was a valuable resource for simplifying the installation process. They even provide a script to update Guacamole!
Raspberry Pi Specs
Link: Raspberry Pi 3 Model B+
Cost: ~$35 – $50
Processor: Broadcom BCM2837B0, Cortex-A53 64-bit SoC @ 1.4 GHz
Memory: 1GB LPDDR2 SDRAM
Ethernet: Gigabit Ethernet over USB 2.0 (maximum throughput 300 Mbps)
Power: 5V/2.5A DC power input
OS Installed: Raspbian GNU/Linux 11 (bullseye)
Prerequisites
# Update the package list, upgrade the installed packages, and install the tools used in the steps below
sudo apt update && sudo apt upgrade -y && sudo apt install make git apache2 ufw -y
# Allow SSH and HTTPS traffic. Add these rules before enabling the firewall so an SSH session cannot be locked out
sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
# Enable the ufw firewall (everything not allowed above, including Tomcat on port 8080, is blocked from the network)
sudo ufw enable
Guacamole Installation
We will be using the install script from the repository mentioned above.
# Clone the GitHub repo
git clone https://github.com/MysticRyuujin/guac-install.git
# Change directory
cd guac-install
# Install with TOTP-based MFA enabled (replace both <your password> placeholders with your own passwords)
sudo bash ./guac-install.sh --mysqlpwd <your password> --guacpwd <your password> --totp --installmysql
# You will receive the message below. This means that Guacamole is fully installed and you can access it using http://<Your Raspberry Pi IP address>:8080/guacamole/ (the ufw rules above allow only ports 22 and 443 from the network, so port 8080 is reachable directly only from the Pi itself until the reverse proxy below is in place)
Installation Complete
- Visit: http://localhost:8080/guacamole/
- Default login (username/password): guacadmin/guacadmin
***Be sure to change the password***
Guacamole Configuration
Make sure to log in with the default credentials; you will be required to enroll a TOTP app for OTP codes. Next, set up your own admin account and delete the default account. Make sure to give your personal admin account all the permissions before deleting the default guacadmin account.
Configuring Proxy Server
To me it makes sense to make Guacamole accessible using a subdomain. In my infrastructure, I have a pfSense firewall with the HAProxy and Acme certificate services installed. I set up the subdomain proxy connection to my Raspberry Pi using the HAProxy service, and I created certificates using the Acme certificate service. For more information on this specific setup, check out the articles below.
Setting up Reverse Proxy on pfSense: Tutorial Link
Setting up Acme Certificate on pfSense: Documentation Link | Tutorial Video
Once you complete the reverse proxy and Acme certificate configurations, you will need to set up the Guacamole server to use the certificate and respond to the web requests that come from the subdomain. Follow the steps below to set this up.
# Create a folder for your SSL certificates (you will need the absolute path of this folder for a step later in the setup)
mkdir -p Certificates/<your site name>
# Change directory
cd Certificates/<your site name>
# Create the fullchain.pem file
sudo nano fullchain.pem
# Copy and paste the certificate data. If you are using a pfSense firewall like me, go to System > Certificates > Certificates > locate the cert that you generated earlier for your site > Edit Certificate
# It looks like this (placeholder data shown)
-----BEGIN CERTIFICATE-----
dnFAKDSkjf89u22jdo283ej08j2eje3i....
....3iejo23i83939283ejejndo3jn....
-----END CERTIFICATE-----
# Save the file
CTRL + S
# Close the file
CTRL + X
# Create the privkey.pem file. This is the secret for your site: anyone who can read it can impersonate your Guacamole server
sudo nano privkey.pem
# It looks like this (placeholder data shown)
-----BEGIN RSA PRIVATE KEY-----
JNDKSJdnskajndbajsndo3984u1....
.....jasnkdjn398he9u2do308....
-----END RSA PRIVATE KEY-----
# Save the file
CTRL + S
# Close the file
CTRL + X
# Make the private key readable by root only (a file saved from sudo nano is typically world-readable)
sudo chmod 600 privkey.pem
# Next, Apache needs to be configured to recognize web traffic sent to your subdomain.
# Open the main Apache configuration file in a text editor. This is usually the apache2.conf file
sudo nano /etc/apache2/apache2.conf
# Add the ServerName directive below to the bottom of the apache2.conf file
ServerName <Your Domain/Subdomain name>
# Save the file
CTRL + S
# Close the file
CTRL + X
# Go to the apache sites-available directory
cd /etc/apache2/sites-available
# Create the Apache config file
sudo nano guacamole-ssl.conf
# Copy the configuration below and replace the placeholders in angle brackets with the details for your site.
<VirtualHost *:443>
ServerName <Your subdomain>
# Removes the anti-clickjacking header Guacamole sends; only keep this line if you embed Guacamole in an iframe
Header always unset X-Frame-Options
ErrorLog ${APACHE_LOG_DIR}/vm_error.log
CustomLog ${APACHE_LOG_DIR}/vm_access.log combined
<Location />
# Apache 2.4 access control (Order/Allow is the 2.2 syntax and only works through mod_access_compat)
Require all granted
ProxyPass http://localhost:8080/guacamole/ flushpackets=on
ProxyPassReverse http://localhost:8080/guacamole/
</Location>
<Location /websocket-tunnel>
Require all granted
# ws:// targets need mod_proxy_wstunnel (enabled below); without it the browser falls back to the slower HTTP tunnel
ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
</Location>
SSLEngine On
SSLCertificateFile <Absolute path to the folder created earlier>/Certificates/<your site name>/fullchain.pem
SSLCertificateKeyFile <Absolute path to the folder created earlier>/Certificates/<your site name>/privkey.pem
</VirtualHost>
# Save the file
CTRL + S
# Close the file
CTRL + X
# Enable the mod_ssl module
sudo a2enmod ssl
# Enable the headers module (needed for the Header directive)
sudo a2enmod headers
# Enable the proxy modules (proxy_wstunnel is required for the ws:// ProxyPass lines)
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_wstunnel
# Enable the Guacamole virtual host
sudo a2ensite guacamole-ssl
# Disable the default-ssl virtual host
sudo a2dissite default-ssl
# Test the Apache configuration for syntax errors, then restart Apache so the modules and the new site are loaded
sudo apachectl configtest
sudo systemctl restart apache2
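Before restarting Apache it is worth checking the vhost and the key file for the points a reviewer would raise: backends that are not on loopback, the missing websocket tunnel module, the removed X-Frame-Options header, and a private key other users can read. The script below is an added example, not code from the post or from the guac-install project; the embedded sample vhost is constructed from the configuration above and the /home/pi path in it is hypothetical.

```python
"""Pre-flight audit of the guacamole-ssl.conf above (added example, not from the post or guac-install)."""
import os
import stat
# Constructed sample: the walkthrough's vhost with its placeholders filled in (hypothetical values).
SAMPLE_VHOST = """<VirtualHost *:443>
Header always unset X-Frame-Options
<Location />
Order allow,deny
ProxyPass http://localhost:8080/guacamole/ flushpackets=on
ProxyPassReverse http://localhost:8080/guacamole/
</Location>
<Location /websocket-tunnel>
ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
</Location>
SSLEngine On
SSLCertificateKeyFile /home/pi/Certificates/guac/privkey.pem
</VirtualHost>"""
LOOPBACK = ("localhost", "127.0.0.1", "[::1]")

def audit_vhost(conf):
    """Return (findings, modules): reviewer findings and the a2enmod modules the directives require."""
    findings, modules = [], set()
    for line in conf.splitlines():
        tok = line.strip().split()
        if not tok or tok[0][0] in "#<":  # skip blanks, comments and <Location>/<VirtualHost> tags
            continue
        name, args = tok[0], tok[1:]
        url = next((a for a in args if "://" in a), "")
        if name == "SSLEngine":
            modules.add("ssl")
        elif name == "Header":
            modules.add("headers")
            if [a.lower() for a in args[-2:]] == ["unset", "x-frame-options"]:
                findings.append("X-Frame-Options unset: clickjacking protection removed (only justified for iframe embedding)")
        elif name == "Order":
            findings.append("Order/Allow is Apache 2.2 syntax; use 'Require all granted' on 2.4")
        elif name in ("ProxyPass", "ProxyPassReverse"):
            modules.add("proxy")
            modules.add("proxy_wstunnel" if url.startswith("ws") else "proxy_http")  # ws:// has its own module
            host = url.split("://", 1)[-1].split("/")[0].rsplit(":", 1)[0]
            if name == "ProxyPass" and host not in LOOPBACK:
                findings.append(f"backend {host} is off-host: Tomcat traffic would cross the network unencrypted")
    if "proxy_wstunnel" not in modules:
        findings.append("no ws:// ProxyPass: Guacamole falls back to the slower HTTP tunnel")
    return findings, modules

def key_file_findings(path):
    """Flag a private key that group/other can read (a file saved from sudo nano is typically 0644)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path} is mode {mode:04o}; restrict it with chmod 600"] if mode & 0o077 else []
```

Run audit_vhost on the contents of /etc/apache2/sites-available/guacamole-ssl.conf and compare the returned module set with what you enabled with a2enmod; on the sample above it reports the Order/Allow syntax and the unset X-Frame-Options header and requires ssl, headers, proxy, proxy_http and proxy_wstunnel.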
DONE!
Congrats, you are done setting up Guacamole! If you go to your subdomain/domain in a browser, you should see the Guacamole login screen. We also added MFA, so you will need to download an authenticator app that can produce OTP codes. I recommend Google Authenticator. iPhone | Android