Guacamole Installation in my Homelab

I finally finished my Guacamole installation for my homelab, and I wanted to share how it went.

Guacamole Installation - Introduction

For those of you who are unfamiliar, Apache Guacamole is "a clientless remote desktop gateway".

I've wanted the ability to remote to my machines for a while now, and this should solve the problem.

VM Setup & Guacamole Installation

First, I downloaded a CentOS ISO. I went with the CentOS-7-x86_64-Minimal-1708.iso version, as I shouldn't need many features.

Next, I created a new VM in ESXi. I went with a 12GB HDD and 2GB of RAM, but this is probably overkill.

Guacamole Installation - VM Configuration

I also set up the VM to have a static IP within my router's settings.

Guacamole Installation - Network Configuration

With everything ready, I went through a standard CentOS installation (including setting a root password).

Once that was complete, I ran this handy script to easily install and configure Guacamole and its prerequisites. Note that you should always read through scripts like this before running them on your systems/network. Additionally, make sure that there are no options that you want to change before running it.

For more information on this process, you can also visit the following blog post.

Finally, when your server displays this screen, Guacamole is successfully installed!

Guacamole Installation - Installation Complete

Verification and Troubleshooting

To verify that the installation was successful, I went to the default URL - https://192.168.5.115:8443/guacamole.

Note the SSL error when visiting the page, as Guacamole is still using a self-signed certificate.

Guacamole Installation - SSL Error

First, I was actually getting a blank page when I attempted to log in.

Guacamole Installation - Blank Page

This was actually due to a bunch of 404 errors, even when attempting to go to /guacamole.

Guacamole Installation - HTTP Errors

Guacamole was running, and the .war was in the proper Tomcat directory.

Guacamole Installation - WAR File

After a bit more poking around, and some Reddit help, it looked like an SELinux issue!

Guacamole Installation - SELinux

First, I configured an exception for Guacamole. Note: you'll need to run `yum install setroubleshoot` to install audit2allow.

Guacamole Installation - Guacamole Exception

Unfortunately, this was STILL giving me SELinux errors. That said, after adding the policy and rebooting the system, I was good to go!

Guacamole Installation - HTTP 200 Response

I was still getting a blank page, even with the 200 responses.

Guacamole Installation - Still Blank

First, I changed the ownership of the guacamole.war file, in case that was causing any issues.

chown tomcat:tomcat /var/lib/guacamole/guacamole.war

Next, I discovered that SELinux was also blocking access to port 3306!

Guacamole Installation - More SELinux

I added an exception for this as well, based on the recommendation.

Guacamole Installation - Java Exception

Finally, after restarting everything again, I got a real login prompt!

Guacamole Installation - Login Prompt
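
Before turning denials into a policy module with audit2allow, it helps to see exactly which accesses the module would grant. The following is an added example, not part of the original post: it summarizes AVC denials from audit.log text. The sample lines are constructed to resemble the two denials described above, and the `tomcat_t` and `var_lib_t` types, the pids and the function name are assumptions.

```python
import re
from collections import Counter

# Constructed sample (not captured from the post's VM): two file denials,
# one unrelated record, and the denied connection to port 3306.
SAMPLE_LOG = '''\
type=AVC msg=audit(1521772001.101:210): avc:  denied  { read } for  pid=1187 comm="java" name="guacamole.war" dev="dm-0" ino=393301 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1521772001.101:210): arch=c000003e syscall=2 success=no exit=-13 comm="java"
type=AVC msg=audit(1521772009.553:214): avc:  denied  { read } for  pid=1187 comm="java" name="guacamole.war" dev="dm-0" ino=393301 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1521772644.874:301): avc:  denied  { name_connect } for  pid=1187 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)'
)

def summarize_denials(log_text):
    """Count denials per (comm, source type, target type, class, perm, port)."""
    summary = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        dest = re.search(r'\bdest=(\d+)', line)
        port = int(dest.group(1)) if dest else None
        # SELinux contexts are user:role:type:level; the type is field 3.
        source = m.group("scontext").split(":")[2]
        target = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            key = (m.group("comm"), source, target, m.group("tclass"), perm, port)
            summary[key] += 1
    return summary

if __name__ == "__main__":
    for key, count in summarize_denials(SAMPLE_LOG).items():
        print(count, key)
```

Each distinct key is one access a generated module would permit, so an unexpected target type or port stands out before the policy is loaded.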

Test Connection (and more Troubleshooting!)

To test everything, I set up a connection to my pfSense box for now.

First, I went to the Connections tab after logging in, and clicked New Connection.

I set the Connection and Network information (leaving the username and password blank, as I'd type those manually).

Guacamole Installation - pfSense Connection

I left the other settings default for now, and saved the connection.

Next, I selected the new connection from my drop-down menu in the top left.

Guacamole Installation - Connections

Unfortunately, this was unsuccessful due to the SSH handshake failing.

Mar 22 22:37:58 pfSense sshd[52409]: fatal: Unable to negotiate with 192.168.5.115 port 53020: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

As it turns out, this was a known issue with pfSense, so I decided to remove that connection for now.
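
The sshd message above already says why the handshake failed: every key exchange method the Guacamole host offered is SHA-1 based. The following added example (not from the original post) parses that kind of line and flags each offered method; the function names are hypothetical and the sample is the log line quoted above.

```python
import re

# Sample input: the sshd log line quoted in the post.
SAMPLE = (
    "Mar 22 22:37:58 pfSense sshd[52409]: fatal: Unable to negotiate with "
    "192.168.5.115 port 53020: no matching key exchange method found. "
    "Their offer: diffie-hellman-group14-sha1,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]"
)

NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>[\w ]+?) found\. Their offer: (?P<offer>\S+)"
)

def kex_weaknesses(alg):
    """Return the reasons a key exchange method name counts as legacy."""
    reasons = []
    if alg.endswith("-sha1"):
        reasons.append("SHA-1 hash")
    if alg == "diffie-hellman-group1-sha1":
        reasons.append("1024-bit group")  # fixed 1024-bit MODP group
    return reasons

def parse_negotiation_failure(line):
    """Parse one sshd 'Unable to negotiate' line, or return None."""
    m = NEGOTIATE_RE.search(line)
    if m is None:
        return None
    offer = m.group("offer").split(",")
    weak = {alg: kex_weaknesses(alg) for alg in offer if kex_weaknesses(alg)}
    return {
        "peer": m.group("peer"),
        "port": int(m.group("port")),
        "kind": m.group("kind"),   # e.g. "key exchange method", "cipher"
        "offer": offer,
        "weak": weak,
        "all_legacy": len(weak) == len(offer),
    }

if __name__ == "__main__":
    result = parse_negotiation_failure(SAMPLE)
    print(result["peer"], result["kind"], "all legacy:", result["all_legacy"])
    for alg, reasons in result["weak"].items():
        print(" ", alg, "->", ", ".join(reasons))
```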

In this case, I decided to test it with an RDP connection to my lab.

Guacamole Installation - RDP Configuration

Guacamole Installation - RDP Connection

This worked perfectly, and I was able to RDP! Note that I was only able to get it to work if I set a username and password inside of Guacamole. This isn't ideal, but I cannot figure out how to manually type those in.

Guacamole Installation - Conclusion

Guacamole was easy enough to install, especially with the script linked above.

I plan on configuring it for most/all of my lab machines. This should make managing everything easier, and doable remotely.

My next step will be to set up a LetsEncrypt certificate on the host. After that, I'll need to decide between configuring OpenVPN on my router (finally), or forwarding a port from my firewall to the Guacamole box.

If you have any questions, issues, or suggestions, then please let me know!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.
