Open georgygoshin opened 5 months ago
I've made new keycloak installation, added realm and client, got the client ID and secret, need some walk thru all options
docker --run name rdpgw bolkedebruin/rdpgw:latest \ -e RDPGW_SERVERSSL_CERT_FILE=/etc/rdpgw/cert.pem < -- replaced with LE cert path -e RDPGW_SERVER__SSL_KEY_FILE=/etc/rdpgw.cert.pem < -- replaced with LE key path -e RDPGW_SERVERGATEWAY_ADDRESS=https://localhost:443 <-- replaced with real address -e RDPGW_SERVERSESSION_KEY=thisisasessionkeyreplacethisjetz # 32 characters <--- replaced with generated string -e RDPGW_SERVERSESSION_ENCRYPTION_KEY=thisisasessionkeyreplacethisnunu # 32 characters <--- replaced with generated string -e RDPGW_OPENIDPROVIDER_URL=http://keycloak:8080/auth/realms/rdpgw <-- replaced with real keycloak address -e RDPGW_OPENIDCLIENT_ID=rdpgw <-- replaced with client ID from Keycloak -e RDPGW_OPENIDCLIENT_SECRET=01cd304c-6f43-4480-9479-618eb6fd578f <-- replaced with client secret from Keycloak -e RDPGW_SECURITYSECURITY_PAA_TOKEN_SIGNING_KEY=prettypleasereplacemeinproductio # <--- replaced with generated string -v conf:/etc/rdpgw
First of all please comment, did I understood correctly these environment variables?
and after composing the command line with real valiues, docker --run name rdpgw bolkedebruin/rdpgw:latest responsed with the error
unknown flag: --run
docker run bolkedebruin/rdpgw:latest repsponded with error
unknown flag `e'
I just use it for home use i dont know about keycloak i use authentik thats installed on other machine
download the dev folder in this project. change the docker compose remove keycloak and xrdp part completely where it says rdpgw: remove depends on: keycloak and change or remove healthcheck
create for your gateway a provider "openid" and application in authentik.
then change the yaml inside the dev folder gatewayadres: your gateway adres that you made in ngnix or cloudflare for this purpose Host: change to your windows RDP ip port ProviderUrl: use the provided url in authentik when you created the provider and application url called OpenID Configuration Issuer ClientId: from authentik where your provider is ClientSecret: same place callback url redirect url you need to put in authentik at provider settings its the https url you created for this gateway and /callback
then you now can docker-compose build docker-compose up
then you should now get a rdp file if you go to
there are some other options but this is the basic working you could also use a template rdp file to add some extra options like usb camera passtrough just copy from the original rdp. place the file default,rdp also in the dev folder and add default: default.rdp in yaml config.
you could also use multiple hosts but i didnt get that working i just deploy the gateway twice.
most info in this project you can find searching the issue pull requests and comments here and there.
@georgygoshin
docker --run name rdpgw bolkedebruin/rdpgw:latest
First, it is docker run --name rdpgw
, then all the options for container, and lastly it it the container name bolkedebruin/rdpgw:latest
As for the options, there's an undocumented quirk about environment variables. Where you set options about OpenId
, you should use RDPGW_OPEN_ID__
instead of RDPGW_OPENID__
as a prefix.
disclaimer: no guaranty that the following command will work for you as presented, further adjustments will be needed.
docker run --name rdpgw `
` -e RDPGW_SERVER__SSL_CERT_FILE=/etc/rdpgw/cert.pem ` # < -- replaced with LE cert path
` -e RDPGW_SERVER__SSL_KEY_FILE=/etc/rdpgw/cert.key ` # < -- replaced with LE key path
` -e RDPGW_SERVER__GATEWAY_ADDRESS=https://externally-reachable-name:443 ` # <-- replaced with real address
` -e RDPGW_SERVER__SESSION_KEY=thisisasessionkeyreplacethisjetz ` # 32 characters <--- replaced with generated string
` -e RDPGW_SERVER__SESSION_ENCRYPTION_KEY=thisisasessionkeyreplacethisnunu ` # 32 characters <--- replaced with generated string
` -e RDPGW_OPEN_ID__PROVIDER_URL=http://localhost:8080/auth/realms/rdpgw ` # <-- replaced with real keycloak address
` -e RDPGW_OPEN_ID__CLIENT_ID=rdpgw ` # <-- replaced with client ID from Keycloak
` -e RDPGW_OPEN_ID__CLIENT_SECRET=01cd304c-6f43-4480-9479-618eb6fd578f ` # <-- replaced with client secret from Keycloak
` -e RDPGW_SECURITY__SECURITY_PAA_TOKEN_SIGNING_KEY=prettypleasereplacemeinproductio ` # <--- replaced with generated string
` -v conf:/etc/rdpgw `
` --network host `
` bolkedebruin/rdpgw:latest
Note, that RDPGW_OPEN_ID__PROVIDER_URL=http://keycloak:8080/auth/realms/rdpgw
from your attempt tried to contact host, named keycloak
, which is not available to docker container. You mention that you've made a local installation, and in the example I took the liberty to assume it is now reachable via http://localhost:8080/auth
. To make it available to container, I've added --network host
, which is not great for production anvironment, but might help you get started.
Another note: the command above uses conf
volume. You should create it manually with docker volume create conf
and populate it with certificate cert.pem
and cert.key
, issued for the host in RDPGW_SERVER__GATEWAY_ADDRESS
. That is, put certificates into /var/lib/docker/volumes/conf/_data/
. Normally, most of the stuff should be configured automatically by ACME client, TLS traffic terminated by ingress reverse proxy, and you would use RDPGW_SERVER__TLS=disable
instead.
Third note: really, look into using docker compose
as @pbvdven describes.
I'm getting the same issues. I'm following a guide that claims to follow the repo here, but it's simply not working. I don't understand how to get it to work. I can't request for help from the blog post linked[^1].
I am also trying to change the default ports here: I can't use ports 80 and 443 (or 8080) because I already have servers listening on these ports for both public and private addresses, and cannot stop them (they're used by multiple other VMs)
I cannot connect on any of the following urls:
[^1]: I got a database connection error once, and now other pages on the site won't load; I think that specific post may be cached.
My intended use case is self-hosting RDP access to my personal computer and some virtual machines on it without having to run a full VPN server for security; rather than using TLS termination inside any of the containers, I wish to use the native install of caddy that I've got running as a windows service (this is currently working for such things as airsonic, plex, calibre, and bubbleupnp, as well as several applications with ports forwarded from virtual machines). I've never used docker before, this is my first project using it, so please assume that I have no idea what I'm doing here (I feel like I'm probably missing something super simple).
If it's possible to set this up using WSL's mirrored networking enabled, that would also be helpful, but that's rather out of scope here (I'd like to use WSL mirrored networking for other services).
The rdpgw server only responds to “http://rdpgw.ReusedDomain:8180/connect” over http in your case as per documentation. This should redirect you to your keycloak server for authentication. MS Clients require https so your TLS termination should work.
If you cannot connect to either your keycloak installation or rdpgw, you are misconfiguring them with either IP/port or config.
@Efreak
In caddy you redirect rdpgw to 127.0.0.1:8180
, and then in docker-compose.yml
you port-forward that port to 80
. But in rdpgw.yml
you set server to listen on 8180
again. Either change that last value to match 80
, or set all to 8180
.
Then, also in rdpgw.yml
the OpenId.ProviderUrl
should be reachable on your host, via curl
or browser. In your case, that means caddy, and it will perform TLS termination, so at least change it to https://...
. Also try adding log
statement in caddy config and curl to it.
On the same note, try adding https://
scheme explictly in Server.GatewayAddress
too.
The image of keycloak has curl
in it, so I beleive the tricky shell commands in health checks can be simplified. Apart from that, the only significant difference from my configs I see is the use of start-dev
in command instead of start
. Maybe try that.
Also, I have built the rdpgw
myself. I can't remember why tho. Maybe there was something wrong with the public image. I'll attach relevant part of my config. Maybe you'll see something else that is different.
Hello
Trying to start the gateway, spent a lot of time but still can't understand. I see by other user's questions / comments that it's working but can't find the way to do the same. Is there any quick-start guide for dockerhub version? Tried to grab it with portainer without any luck, now with simple docker on linux, ends with
Cannot get oidc provider: Get "http://keycloak:8080/auth/realms/rdpgw/.well-known/openid-configuration": dial tcp: lookup keycloak on
is there a way to quickly start without 2FA to connect from outside to Windows RDP in LAN ?