⭐ Star us on GitHub — it helps!
RDPGW is an implementation of the Remote Desktop Gateway protocol. This allows you to connect with the official Microsoft clients to remote desktops over HTTPS. These desktops could be, for example, XRDP desktops running in containers on Kubernetes.
RDPGW aims to provide a full open source replacement for MS Remote Desktop Gateway, including access policies.
RDPGW provides multi factor authentication out of the box with OpenID Connect integration. Thus you can integrate your remote desktops with Keycloak, Okta, Google, Azure, Apple or Facebook if you want.
RDPGW wants to be secure when you set it up from the beginning. It does this by having OpenID Connect integration enabled by default. Cookies are encrypted and signed on the client side relying on Gorilla Sessions. PAA tokens (gateway access tokens) are generated and signed according to the JWT spec by using jwt-go signed with a 256 bit HMAC. Hosts provided by the user are verified against what was provided by the server. Finally, the client's ip address needs to match the one it obtained the token with.
cd rdpgw
go build -o rdpgw .By default the configuration is read from rdpgw.yaml. Below is a
template.
# web server configuration.
server:
# TLS certificate files (required)
certFile: server.pem
keyFile: key.pem
# gateway address advertised in the rdp files
gatewayAddress: localhost
# port to listen on
port: 443
# list of acceptable desktop hosts to connect to
hosts:
- localhost:3389
- my-{{ preferred_username }}-host:3389
# Allow the user to connect to any host (insecure)
- any
# if true the server randomly selects a host to connect to
roundRobin: false
# a random strings of at least 32 characters to secure cookies on the client
# make sure to share this across the different pods
sessionKey: thisisasessionkeyreplacethisjetzt
sessionEncryptionKey: thisisasessionkeyreplacethisnunu!
# Open ID Connect specific settings
openId:
providerUrl: http://keycloak/auth/realms/test
clientId: rdpgw
clientSecret: your-secret
# enabled / disabled capabilities
caps:
smartCardAuth: false
tokenAuth: true
# connection timeout in minutes, 0 is limitless
idleTimeout: 10
enablePrinter: true
enablePort: true
enablePnp: true
enableDrive: true
enableClipboard: true
client:
usernameTemplate: "{{ username }}@bla.com"
# rdp file settings see:
# https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files
networkAutoDetect: 0
bandwidthAutoDetect: 1
ConnectionType: 6
security:
# a random string of at least 32 characters to secure cookies on the client
# make sure to share this amongst different pods
PAATokenSigningKey: thisisasessionkeyreplacethisjetzt
# PAATokenEncryptionKey: thisisasessionkeyreplacethisjetzt
UserTokenEncryptionKey: thisisasessionkeyreplacethisjetzt
# if you want to enable token generation for the user
# if true the username will be set to a jwt with the username embedded into it
EnableUserToken: true
# Verifies if the ip used to connect to download the rdp file equals from where the
# connection is opened.
VerifyClientIp: trueA convenience docker-compose allows you to test the RDPGW locally. It uses Keycloak
and xrdp and exposes it services on port 443. You will need to allow your browser
to connect to localhost with and self signed security certificate. For chrome set chrome://flags/#allow-insecure-localhost.
The username to login to both Keycloak and xrdp is admin as is the password.
cd dev/docker
docker-compose build
docker-compose upPoint your browser to https://your-gateway/connect. After authentication
and RDP file will download to your desktop. This file can be opened by one
of the remote desktop clients and it will try to connect to the gateway and
desktop host behind it.
The gateway exposes an endpoint for the verification of user tokens at https://yourserver/tokeninfo . The query parameter is 'access_token' so you can just do a GET to https://yourserver/tokeninfo?access_token= . It will return 200 OK with the decrypted token.
In this way you can integrate, for example, it with pam-jwt.
- Integrate Open Policy Agent
- Integrate GOKRB5
- Integrate uber-go/zap
- Research: TLS defragmentation
- Improve Web Interface