If you want to access your home lab remotely, your mind probably goes to setting up a VPN. This works most of the time, but if you want a remote desktop or need to access your home lab from somewhere you can’t use a VPN (say, on a friend’s computer or on a network that doesn’t allow VPNs), this article is your answer.

Using Cloudflare tunnels and Guacamole, you can get an SSH, RDP, or VNC connection to your home lab via an HTTPS connection, so it will work on 99% of networks.

My goal is for this to be a comprehensive, all-in-one guide to getting this set up. It should only take one day to set up (you may need to wait overnight for DNS to populate, but we will get to that later).

The only cost associated with this (assuming you have home lab equipment set up) is the price of the domain name. Everything else (yes, even the Cloudflare tunnels) is free.

Overview

We will be setting this up to give you a VNC connection to a VM on your home lab. As stated earlier, it’s possible to also set this up for RDP and SSH sessions if you like.

We will also be building this from the inside out, starting on your home lab network and building out to your Cloudflare tunnel. The rough steps we need to follow are:

  1. Create Ubuntu VM to provide us our VNC desktop
  2. Install Docker to run our Guacamole Server and our Cloudflare Agent
  3. Configure Guacamole Server & Verify connectivity
  4. Buy Domain Name
  5. Set up Cloudflare Tunnels & Authentication

Assumptions

This article assumes:

  1. You have a hypervisor installed and are comfortable creating VMs
  2. You are comfortable working in the command line.

With that – let’s get started:

1. Create Ubuntu VM & Configure VNC

Download Ubuntu Desktop here. Then install it into your hypervisor of choice. Ensure you give it at least 4 vCPUs and 8 GB of RAM.

Once the VM is installed, we need to install VNC. Before we do that, we’re going to install lightdm.

Now we need to reboot our VM

Once the VM is rebooted we’re going to install VNC:

Vim is my preferred editor. If you don’t have vim installed already you can install it with

Once the file is opened, copy and paste the following (but be sure to change the password)

Save the file by hitting ESC and typing :wq!

Finally, we need to run the following commands:

With that, VNC should be installed and working.

2. Install Docker & Setup Guacamole Container

We first have to ensure all old versions of Docker are uninstalled:

Now we need to add the apt Docker repository to our VM (so the VM knows where to download Docker from):

Finally, we can install Docker and test the install.

3. Install & Configure Guacamole

Now it’s time to install & run our Guacamole container.

We are going to be installing and running the abesnier/guacamole image, as this image plays best with the Cloudflare tunnel we will set up later.

Pull down the docker compose file with the following command:

Now you can run the guacamole container:

You should now see the guacamole container running:

As you can see if you click on the image above, the guacamole container is running and healthy and listening on port 8080.

Configuring Guacamole

You can now navigate to the guacamole server at http://<your ip>:8080 and you’re met with a login screen.

The default credentials are username: guacadmin password: guacadmin

You’ll want to log in and navigate to settings to change your password. I recommend making this a unique password you don’t use anywhere else.

Hover over guacadmin in the top right and click on settings. Click on the preferences tab to change the default admin password.

Now we configure our connections.

Click on the connections tab.

You can see I already have my Ubuntu VM configured. I’m going to open up the settings for my already configured VM, but you’re going to want to click “New Connection”.

You want to give your connection a name (it doesn’t matter what) as well as ensure VNC is selected at the top.

The only other thing you need to configure is the IP:Port and the credentials for your VM. The port VNC is listening on is 5900 which is why we pass that port in.

That is all that needs to be configured. You should now be able to scroll to the bottom and click “Save”.

Test your connection by clicking on your newly created connection. It should give you a VNC session to your VM we created earlier. To exit the session, simply log out of the VM like you normally would and the guacamole session will end.

Now, how do we access this remotely??

4. Buy Domain Name

Choose a domain registrar (you can use Cloudflare if you like). I chose Hover personally. Another great option is Namecheap. Your domain name doesn’t matter, but I suggest choosing a .com, .co, .org, or another popular TLD if you want to ensure you will have access on most networks. If you choose a registrar other than Cloudflare, you will need to edit your DNS servers to be Cloudflare’s servers.

Sign up for a Cloudflare account HERE.

Once signed in, you will be able to manage your domain if you bought your domain through Cloudflare. If not, you’ll need to click on “Websites” on the left side and click “Add a site”. Then follow Cloudflare’s directions to update your DNS servers. You will need to wait a little bit for the DNS servers to update.

Once your domain is done, you can click on “Zero Trust” on the left, which will bring you to the Cloudflare Zero Trust dashboard.

We are then going to click on the “Access” tab and click “Tunnels”.

The next few pictures are going to walk us through creating a new tunnel. First, click “Create a tunnel”. You then have to name your tunnel (it doesn’t matter what you name it).

You now want to install the Cloudflare tunnel connector on your VM running guacamole. If you click on the docker tab you will get a command with a token. We are going to take that command and add a few arguments to it before we run it on the VM we set up earlier.

-d runs our docker container in the background

--name gives our container a name

--restart unless-stopped will restart our container if it shuts down for any reason.

Be sure to fill in <token> with the token Cloudflare gives you.

We now need to set up the connection. I like to use “guacamole” as the subdomain for my guacamole server. Your domain name will be a drop-down where you will select your domain name.

The service is going to be HTTP (your connection to Cloudflare will be HTTPS, but our connection to Guacamole internally is HTTP) and your URL is going to be <VM IP>:8080 (this is the IP and port Guacamole is listening on).

Once we save our tunnel, we need to set up some security. On the left side, click on “Applications” and click “Add an Application”.

Click on “Self-Hosted”

Name your application whatever you want. Then put in the domain that you made in your tunnel (it’s telling me that the domain is already taken because I already have an application set up for this domain). Then scroll to the bottom and click to the next page.

On the add policies page, we want to create a policy called “guacamole-allow”, which will only allow people to log in through Cloudflare from the email addresses you set. I like to set my session duration to 6 hours. I own my own domain, which I have set up Google Workspace with (so I have an email that ends in that domain). My rule tells Cloudflare to only send a login code to my specific email (so myemail@mydomain.com). For all other emails entered, it will still tell whoever is trying to log in to check their email for a code; that code will simply never come. I like it this way because it gives potential attackers less information: telling a potential attacker that their email is not allowed access gives them some information to work with.

You can then save your policy.

You may now have to wait overnight for the new DNS information to populate from Cloudflare’s DNS servers. Once DNS is populated, you can navigate to guacamole.<yourdomain>.<TLD> and will be greeted with the below page.

Once you enter your email, you will be emailed a one-time login code (this is why I only want emails ending in my domain to be able to log in). Once you enter that one-time code, you will be tunneled into our Guacamole server. You can log in to that with the credentials we created earlier. If everything worked, you should then be given a VNC session to our Ubuntu server!

WHEW! And we’re done!

You should now be able to access your Ubuntu VM from anywhere with an internet connection!!

Again, if you want to log out of Guacamole, simply log out of your VM as you normally would (don’t shut it down, just log out) and your Guacamole session will end.
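
To confirm the Access policy really sits in front of the tunnel hostname, request it without a session and look at the first response. The script below is an added example, not part of the original guide; guacamole.example.com, myteam and the sample headers are constructed placeholders, and it assumes Cloudflare Access redirects unauthenticated requests to a login page under cloudflareaccess.com.

```shell
#!/bin/sh
# Added example (not from the original guide): check that an unauthenticated
# request to the tunnel hostname is stopped by Cloudflare Access.

# classify_gate: read raw HTTP response headers on stdin, print one verdict:
#   gated   - redirect to an https://<team>.cloudflareaccess.com login page
#   exposed - a 2xx came back, so the Guacamole login is reachable directly
#   unknown - anything else (DNS not populated yet, tunnel down, other redirect)
classify_gate() {
  tr -d '\r' | awk '
    /^HTTP\//                  { status = $2 }   # status line, e.g. "HTTP/2 302"
    tolower($1) == "location:" { loc = $2 }      # header names are case-insensitive
    END {
      split(loc, part, "/")                      # https: / "" / host / path...
      scheme = tolower(part[1]); host = tolower(part[3])
      sub(/[:?].*/, "", host)                    # drop port or query, if any
      if (status ~ /^30[1237]$/ && scheme == "https:" &&
          host ~ /\.cloudflareaccess\.com$/)     print "gated"
      else if (status ~ /^2[0-9][0-9]$/)         print "exposed"
      else                                       print "unknown"
    }'
}

# check_host HOSTNAME: fetch only the headers of the first hop (no -L) and classify.
check_host() {
  curl -sS -I --max-time 10 "https://$1/" | classify_gate
}

# Constructed sample responses for offline use (not captured from a real site).
SAMPLE_GATED='HTTP/2 302
location: https://myteam.cloudflareaccess.com/cdn-cgi/access/login/guacamole.example.com?redirect_url=%2F'
SAMPLE_EXPOSED='HTTP/1.1 200 OK
Content-Type: text/html'

# Run against a real hostname only when one is given on the command line.
if [ -n "${1:-}" ]; then
  verdict=$(check_host "$1")
  echo "$1: $verdict"
  [ "$verdict" = "gated" ]
fi
```

A verdict of exposed means the hostname answered without Access in front of it; unknown is expected while DNS is still populating.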

One Comment

  1. vicSFL July 4, 2023 at 6:57 pm

    Great guide,

    Do you know how to show the client IP on the Guacamole connection history log? It is showing the cloudflared IP for all connections.
