When I started in my
current role, they were using a conventional Cisco IPSEC based vpn.
While with a few config tweaks it worked, it was from ideal for
security or user experience. The big security issue is that it
creates a big hole in your firewall – from a device bridged to the
internet! A further concern was that authentication was via a
password. While I could have put in a RADIUS server with a MFA
authentication source, this still required users to either:
-
take their work computer (and all the data stored on their local disk) off site
-
install and configure some very esoteric software on their own hardware
Fixing all these
problems would take massive amounts of efforts to provide a very
limited service with continuing security problems.
If everything they
need is on their computer in work – then I just need to find a way
of providing access to their computer at work remotely. So here are
the ingredients for the recipe I used:
-
ubuntu 18.04 (operating system)
-
Openbox (window manager)
-
Plank (additional launcher – openbox just has a popup text menu)
-
rdesktop (for RDP)
-
lxterminal (for ssh sessions – works for users configured with noshell)
-
Google Authenticate PAM modules (for TOTP access)
-
noVNC (to expose the desktops via a browser)
-
PCManFM file manager (supports Microsoft shares, SCP, SFTP, FTPS as well as local files)
-
openssh client
-
zenity (to provide GUI for scripts)
-
LetsEncrypt certificate
All the above, with the exception of the free certificate, are open-source and available from official Ubuntu repos (this software is also available for other Linux and BSD systems). In addition I wrote custom scripts to
-
provision users (with QR codes for Google auth)
-
run wakeonlan and rdesktop
-
collect activity stats
Now all a user needs
to get connected is a mobile device running an authenticator
application and an internet connected browser.
Once they get their
head around the fact that they don't need to be sitting in front of
the computer they are using, the users are very happy with the
experience. We have fewer reports of issues than we do from the
legacy VPN users. The 2-factor authentication provides much better
security.
The only difficult
bit was stripping out the full “desktop experience” from Openbox.
I don't want my users shutting down the machine or mapping drives! Initially I tried xfreerdp as the RDP client but had a lot of issues with keyboard mapping. As
hinted at above, the machine is heavily locked down – users have no
shell on the loca machine. This was easy to implement but impacted on
the behaviour of some terminal emulators (required for onward ssh
access). Openbox and systemd don't play nice together – so running
“last” reports all users have “gone away”. This seems to be
yet another systemd issue. However I get more useful usage monitoring
from the script to collect activity stats (this finds openbox
processes and interrogates /proc to find the user, display and other
information). It would be trivial to add in screen captures here –
but decided to leave this out for now. Its also possible for
additional users to join a VNC session, but this is currently blocked
on the firewall until I think up a way of handling it which does not
reduce the overall security.
The version of noVNC installed from repo is rather old, and the current client (i.e. the html and javascript parts) have a lot of improvements - I downloaded these files from github and copied them over the repo install.
I chose tigervnc as, although all the vncservers support multi-head usage on Linux, the package version of this seemed closest to my usage model.
Currently this is
running on a 2 core virtual machine. The initial 2Gb of RAM was all
but used up with 17 users online and this has since been changed to
8Gb. The 2CPUs is overkill – with 20 users working online, the load
was around 0.3 and bandwidth was averaging 200kbps with a peak of
500kbps.
Out of curiosity I
looked up what Microsoft say you need for an RDS server. A comparison with what I am currently running is shown below:
| Microsoft recommend | My server uses | |
|---|---|---|
| Base OS | 2Gb | 250Mb |
| RAM Per user | 64Mb | 100Mb |
| CPU Per user | 0.06 | 0.015 |
| B/W Per user | 64kbps | 25kbps |
So in terms of the
hardware resources there's not a clear winner – however having
worked in an environment which used Microsoft RDS extensively,
supporting the Linux system is a lot cheaper in terms of manpower.
And that's before considering the costs of licensing the Microsoft
solution and implementing 2FA.
Some more details in a later post.
Some more details in a later post.
