Yes, that is possible as long as the ports don't clash. I run my
guacamole-server, guacd and a range of other services on the same hosts,
dockerized. This includes WireGuard and OpenVPN servers. For any web-facing
traffic, I use haproxy as a reverse proxy.
On Tuesday, 24 May 2022, 08:49:48 pm SGT, Dark Corner
<[email protected]> wrote:
As I said, I'm not the admin of the firewall and I have only a little support
for it from the admin. I must and can only manage the PC with Guacamole. This is the
reason I was wondering if Guacamole can be installed on a PC on which something
else is already installed. For example OpenVPN, NUT, Zabbix, ...
On Tue, 24 May 2022, 06:49 Vendel Colja <[email protected]> wrote:
Your argument for DDNS is true for the VPN solution too.
I'd suggest:
- yes, if it's dynamic IP assignment use DDNS,
- forward 443 to your guacamole server,
- redirect port 80 to 443 on your firewall already,
- force TLS 1.3 and only fall back to 1.2,
- use guacamole with DB,
- use guacamole only with 2FA enabled,
- if you are paranoid enough, disable clipboard and file transfer
capabilities.
If one intends to run a non-guacamole web server in your network, you could either
proxy guacamole through this web server or use the guacamole apache or nginx to
serve or proxy both guacamole and the web site.
I split all services into dedicated VMs and/or containers, so there is one for
proxying 443 to the guacamole tomcat, one tomcat to run guacamole, one to run
guacd and one more to run pgsql, and all of them report logging information to a
central log system to be monitored.
From: Dark Corner <[email protected]>
Sent: Monday, 23 May 2022 17:57
To: [email protected]
Subject: Re: Access to Guacamole with OpenVPN (behind the Firewall)
Thanks for the reply.
I did not understand your suggestion.
Do you mean that in the firewall I have to direct the 80/443 traffic towards
the PC of Guacamole?
What if there is a web server on the network? There isn't, but it could be
activated in the near future. In this case I would have to change the ports on
Guacamole and tell users that they must use the port in the URL.
Then I have to consider that the IP is dynamic and therefore I still have to
use a DDNS.
Finally, it is true that there is an added complication for users, but also for
an intruder, who would also have to have access to the VPN credentials.
In case I decide to use OpenVPN, can I install the OpenVPN server on the same
server of Guacamole?
On Mon, 23 May 2022 at 17:16 Michael Jumper <[email protected]> wrote:
On Mon, May 23, 2022, 07:53 Dark Corner <[email protected]> wrote:
Guacamole is installed on a PC behind a Zyxel firewall.
Users should connect to Guacamole via VPN and, once logged into Guacamole, log
into their PC.
However, the firewall cannot handle multiple VPNs. So, I wish to install
OpenVPN, possibly on the same PC used for Guacamole.
To access OpenVPN I would like to open a set of ports on the firewall to the
Guacamole PC only, so that it is not necessary to use a VPN on the firewall.
Do you have any suggestions in this regard?
I think it would be far better to not use the VPN at all. Putting a VPN in
front of it would just add unnecessary difficulty and complexity for users.
Part of the function of Guacamole is as a VPN replacement. It allows users to
connect to backend desktops securely and via a browser without needing a VPN at
all. You should instead:
1) Allow direct access to the Guacamole server only, and only on ports 80 and
443.
2) Set up SSL termination such that access is properly encrypted and HTTP
traffic to port 80 is redirected to HTTPS at port 443.
3) Ensure via your firewall and network config that Guacamole is the sole means
of access to the desktops on the private network behind Guacamole.
You then have a single, centralized, monitored, and secured point of entry,
with access to any particular backend desktop only possible if the admin grants
that access.
- Mike
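A concrete form of the setup that both Mike (direct access to the Guacamole host on 80/443 only, TLS termination, port 80 redirected to 443) and Vendel Colja (TLS 1.3 with fallback to 1.2, one nginx serving both Guacamole and an ordinary web site) describe above, as an added example that is not part of this thread or of the Guacamole project's own documentation. The hostname guac.example.com, the certificate paths, the site root /var/www/html and Tomcat listening on 127.0.0.1:8080 are assumptions for the example:

```nginx
# /etc/nginx/conf.d/guacamole.conf  (added example, not from the thread)
# Assumptions: public name guac.example.com, Tomcat with Guacamole on
# 127.0.0.1:8080 under /guacamole/, a separate static site in /var/www/html,
# certificate and key under /etc/nginx/tls/.

# Port 80 exists only to redirect; nothing is served in the clear.
server {
    listen 80;
    listen [::]:80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

# Port 443 terminates TLS for both the web site and Guacamole.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # nginx negotiates the highest version both sides support, so TLS 1.3 is
    # used whenever the client offers it and 1.2 is the only fallback.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Tell browsers to never come back over plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # The ordinary web site lives at the root ...
    root /var/www/html;
    location / {
        try_files $uri $uri/ =404;
    }

    # ... and Guacamole at /guacamole/, proxied to Tomcat on loopback only.
    # proxy_buffering off and the Upgrade/Connection headers are needed for
    # the WebSocket tunnel; the path is kept, so no cookie rewriting is needed.
    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}
```

For the "Guacamole is the sole means of access" part, the firewall forwards only 80 and 443 to this host, and on the host itself Tomcat's HTTP connector is bound to 127.0.0.1 (the `address` attribute of the Connector in server.xml) and guacd to loopback as well (`bind_host = 127.0.0.1` in the `[server]` section of guacd.conf), so neither 8080 nor 4822 is reachable from outside. Check the configuration with `nginx -t` before reloading, then confirm the redirect with `curl -I http://guac.example.com/` (expect a 301 to the https URL) and the protocol floor with `openssl s_client -connect guac.example.com:443 -tls1_1`, which must fail to negotiate.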