Posted by zamroni May 31, 2022

Free, Fast and Secure Linux Remote Desktop using X2GO

I deployed Linux based X2GO remote desktop server for vendor access that works in low bandwidth, allows vendor to upload files but not to download file, and also only allows 1-way clipboard transfer from client to server.

Such remote desktop capability is needed because some management tools are graphical applications, e.g. web based configuration tool.
Regular VPN can provide the connectivity but giving VPN access directly to vendor server will allow them to download data easily.
This situation violates data privacy regulations in many countries which requires company to prevent leaks of customer data.

Using Microsoft Windows based platform is not an option as it will need Microsoft RDS/VDA license for every user.
Regular remote X Window is also not acceptable due to high bandwith requirement.
I tried several low bandwidth Linux based remote dekstop platforms, e.g. XVNC, XRDP and non-free NoMachine, but X2GO is the best for my need.

X2GO works by compression remote X Window protocol to achieve low bandwidth usage.
It also allows reguler X Window's OpenGL graphics processing offload to client side, so no GPU is needed in server side.

1. Server Installation

In this example, I will use Oracle Linux 9 as X2GO server. It works in other Linux distros too.
I choose Oracle Linux as it is downstream of stable Redhat Enterprise Linux, its stable UEK kernel is newer than regular RHEL kernel, and needs no subscription for software updates

Steps:
1. Install Oracle Linux 9 with UEK repository added. Minimum setup is adequate. Adding UEK repository will automatically install UEK kernel.
2. Enable Oracle and Redhat EPEL and CodeReady repositories.

  dnf install epel-release
  dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
  dnf config-manager --set-enabled ol9_codeready_builder

3. Install xauth and mesa-dri-drivers:
dnf install xauth mesa-dri-drivers
4. Install window manager. I chose XFCE as it is lighter than regular GNOME:
dnf group install Xfce
If error happens due to background wallpaper conflict,
add "exclude=oracle-backgrounds*" into /etc/yum.conf.
5. Install additional applications, e.g. browser, text editor, etc.
Firefox has removed Xrender support, therefore we will use Epiphany browser.
dnf install mousepad
dnf install snapd
systemctl enable --now snapd.socket
snap install epiphany
6. Install x2goserver:
dnf install x2goserver
7. Install ntsysv to ease service control:
dnf install ntsysv
8. Reboot

1.1 Server-side Performance and Security Configuration

At this point, the X2GO server might work with standard configuration.
Some configurations is needed to increase performance and security.

1.1.1 Enable x2gocleansessions

Run ntsysv and check/enable x2gocleansessions.service

1.1.2 Improve Graphics Performance

Enable OpenGL offload and disable incompatible XFWM4 compositor: Edit /etc/profile and add these texts in the end of the file
export LIBGL_ALWAYS_INDIRECT=1
/usr/bin/xfconf-query -c xfwm4 -p /general/use_compositing -n -t bool -s false
/usr/bin/xfconf-query -c xfwm4 -p /general/box_move -n -t bool -s true
/usr/bin/xfconf-query -c xfwm4 -p /general/box_resize -n -t bool -s true

Enable GLX and BIG REQUESTS: Edit /etc/x2go/x2goagent.options and add these texts:
X2GO_NXAGENT_DEFAULT_OPTIONS+=" +extension GLX"
X2GO_NXAGENT_DEFAULT_OPTIONS+=" +extension BIG-REQUESTS"

1.1.3 Limit Clipboard Transfer to Client-to-Server Only

Edit /etc/x2go/x2goagent.options and add this text:
X2GO_NXAGENT_DEFAULT_OPTIONS+=" -clipboard client"

1.1.4 Disable SSH Tunnel to Other Destinations

As X2GO uses X Window, we need to allow X11 forwarding.
It also requires TCP Forwarding but we can prevent clients not to use X2GO server as SSH TCP forwarding proxy to other server.

Edit /etc/ssh/sshd_config and add/uncomment these lines:
AllowTcpForwarding yes
X11Forwarding yes
PermitOpen localhost:22

1.1.5 Upload/Write Only SFTP

Edit /etc/ssh/sshd_config and edit this line to block file read/download:
Subsystem sftp /usr/libexec/openssh/sftp-server -P read,readlink

Use other blacklisted operation to change the mode to read-only or etc.
Show the available request modes using:
/usr/libexec/openssh/sftp-server -Q requests | sort

Addtionally, we also need to disable or limit other file download channels below:

1.1.5.1 Disable SSHFS and SCP for Non Root

SSHFS is used by X2GO's built-in file sharing.
Disable SSHF and SCP by setting the executable unaccesible by non root users:
chmod 700 /usr/bin/sshfs
chmod 700 /usr/bin/scp

1.1.5.2 Limit SSH Console Speed

As X2GO needs SSH and BASH shell, users will still be able to access Linux shell and download file by SSH client logging.
We can minimize this risk by lowering SSH console speed to 9600 bps

1. Only allow stty access by root user:
chmod 700 /usr/bin/stty

2. Set all consoles' speed to 9600 bps every minute by adding task below into crontab scheduler
* * * * * who | awk '{system("stty -F /dev/"$2" ospeed 9600")}'

1.1.6 User-based Network Access Control

Linux iptables supports user and group ID filtering, so administrator can differentiate which destination (e.g. servers) that each user is allowed to access to.
Add --uid-owner userid and/or --gid-owner groupid into iptables firewall rules.

2. User Access

2.1 Client Software Installation

2.1.1 Windows

Install VCXSRV 64 Bit version:
https://sourceforge.net/projects/vcxsrv/files/vcxsrv/

Install X2GO Client App:
https://wiki.x2go.org/doku.php/download:start#x2go_client

2.1.2 Mac

Install XQuartz:
https://www.xquartz.org/

Logout, relogin then enable OpenGL offload:
Open Terminal (Applications/Utilities/Terminal.app) and paste this complete line in and then press RETURN
defaults write org.macosforge.xquartz.X11 enable_iglx -bool true

Install X2GO Client app:
https://wiki.x2go.org/doku.php/download:start#x2go_client