Skip to content

Bastion

The Bastion feature allows access to virtual desktops through the same server running the IsardVDI web interface, instead of relying exclusively on a VPN connection (Wireguard).

This is particularly useful in environments where public servers are required, as it allows these desktops to be accessible without needing a VPN.

When the Bastion is activated, the IsardVDI server acts as a bridge for external connections:

graph LR
  dt1(Client):::dt -.- dk1([IsardVDI Bastion]):::dk -.- dt2(Guest Desktop):::dt
  classDef dk fill:#ffd1dc,stroke:#ff3465,stroke-width:1px

The accessible ports for the desktops are:

  • 1234/TCP: SSH Service
  • 80/TCP: Web
  • 443/TCP: Web TLS

Configuration

In the desktop configuration section, there is a bastion option if it is enabled on the system.

The username and password set for RDP connection will also be used by the IsardVDI bastion to connect to the desktop.

Although the external ports are those mentioned above, within the desktop, we can redirect them to other ports if desired.

To use the SSH connection, one or more public SSH keys (one per line) must be added for each user requiring access. Each user must have their own generated public keys.

Once activated, save the form.

If the form is reopened, the UUID of the bastion will appear, which will allow connections to the desktop.

In the main desktop section, the button can be clicked to see the UUID along with the URLs for the activated protocols.

With this UUID, the following connections can be made to the desktop:

  • SSH: ssh 62f3a39b-40b8-43f1-a486-05182b625fc8@domain.com -p 1234
  • HTTP: http://62f3a39b-40b8-43f1-a486-05182b625fc8.domain.com
  • HTTPS: https://62f3a39b-40b8-43f1-a486-05182b625fc8.domain.com

Where "domain.com" corresponds to the domain of the server hosting the IsardVDI web interface.

Notes

If you want to access the web services, it is recommended to open the URL in an incognito window or a different browser if you have already visited the IsardVDI web interface.

Examples

Web service

Example of testing a web service inside a desktop.

During the test, to avoid other issues, we will disable the firewall:

  • Disable firewall with systemctl disable --now ufw
  • Install SSH server apt install openssh-server and enable with systemctl enable --now ssh

Generate a LetsEncrypt certificate in the desktop. First, try with --dry-run, and once successful, run it without the option to generate the certificate:

apt install cerbot

certbot certonly --agree-tos --email info@example.com -d 62f3a39b-40b8-43f1-a486-05182b625fc8.domain.com --dry-run

With the generated certificates, you can start any web server. To test, we'll create an index.html file with some content and set up a simple server.py to run the server:

import http.server
import ssl
import socketserver

LETS_PATH = "/etc/letsencrypt/live/62f3a39b-40b8-43f1-a486-05182b625fc8.domain.com/"
PORT = 443
DIRECTORY = "."

class Handler(http.server.SimpleHTTPRequestHandler):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=DIRECTORY, **kwargs)

httpd = socketserver.TCPServer(('0.0.0.0', PORT), Handler)

# Paths to your certificate and key files
CERT_FILE = LETS_PATH + "fullchain.pem"
KEY_FILE = LETS_PATH + "privkey.pem"

# Wrap the server's socket with SSL
httpd.socket = ssl.wrap_socket(httpd.socket,
                               certfile=CERT_FILE,
                               keyfile=KEY_FILE,
                               server_side=True)

print(f"Serving on https://0.0.0.0:{PORT}")
httpd.serve_forever()

Run:

python3 server.py

Now, visit the web service at the corresponding URL, and you should see the content from index.html.


Last update: November 11, 2024