Your argument for DDNS is true for the VPN solution too. I’d suggest to, - yes if it’s dynamic IP assignment use DDNS,
- forward 443 to your guacamole server - redirect port 80 to 443 on your firewall already - force TSL 1.3 and only fall back to 1.2 - use guacamole with DB - use guacamole only with 2FA enabled - if you are paranoid enough disable clipboard and file transfer capabilities If one intends to run a non-guacamole webserver in you network you could either proxy guacamole through this web server or use the guacamole apache or nginx to server or proxy both guacamole and the web site. I split all services to dedicated VMs and/or containers so there is one for proxying 443 to guacamole tomcat and one tomcat to run guacamole and one to run guacd and one more to run pgsql and all of them report logging information to a central log system to be monitored. Von: Dark Corner <[email protected]> Gesendet: Montag, 23. Mai 2022 17:57 An: [email protected] Betreff: Re: Access to Guacamole with OpenVPN (behind the Firewall) Thanks for the reply. I did not understand your suggestion. Do you mean that in the firewall I have to direct the 80/443 traffic towards the PC of Guacamole? What if there is a web server on the network? There isn't, but it could be activated in the near future. In this case I would have to change the ports on Guacamole and tell users that they must use the port in the URL. Then I have to consider that the IP is dynamic and therefore I still have to use a DDNS. Finally, it is true that there is an added complication for users, but also for an intruder who should also have access to the VPN credentials. In case I decide to use OpenVPN, can I install the OpenVPN server on the same server of Guacamole? Il giorno lun 23 mag 2022 alle ore 17:16 Michael Jumper <[email protected]<mailto:[email protected]>> ha scritto: On Mon, May 23, 2022, 07:53 Dark Corner <[email protected]<mailto:[email protected]>> wrote: Guacamole is installed on a PC behind a Zyxel firewall. Users should connect to Guacamole via VPN and, once logged into Guacamole, log into their PC. However, the firewall cannot handle multiple VPNs. So, I wish to install OpenVPN, possibly on the same PC used for Guacamole. To access OpenVPN I would like to open a set of ports on the firewall to the Guacamole PC only, so that it is not necessary to use a VPN on the firewall. Do you have any suggestions in this regard? I think it would be far better to not use the VPN at all. Putting a VPN in front of it would just add unnecessary difficulty and complexity for users. Part of the function of Guacamole is as a VPN replacement. It allows you to allow users to connect to backend desktops securely and via a browser without needing VPN at all. You should instead: 1) Allow direct access to the Guacamole server only, and only on ports 80 and 443. 2) Set up SSL termination such that access is properly encrypted and HTTP traffic to port 80 is redirected to HTTPS at port 443. 3) Ensure via your firewall and network config that Guacamole is the sole means of access to the desktops on the private network behind Guacamole. You then have a single, centralized, monitored, and secured point of entry, with access to any particular backend desktop only possible if the admin grants that access. - Mike
