Apache Guacamole Installation Guide

Apache Guacamole must be compiled from source on each machine, which can be a headache the first time.
  1. Download the latest release of Guacamole server
```bash
#!/bin/bash
set -euo pipefail

# For Linux Mint / Ubuntu: install required build deps including libpng dev
sudo apt-get update

# Install common build tools and libraries needed by guacamole-server
sudo apt install -y \
    build-essential \
    autoconf \
    automake \
    libtool \
    pkg-config \
    wget \
    ca-certificates \
    libcairo2-dev \
    libpng-dev \
    libjpeg-dev \
    libossp-uuid-dev \
    libpango1.0-dev \
    libssl-dev \
    freerdp2-dev \
    libvncserver-dev \
    libssh2-1-dev \
    libtelnet-dev \
    libwebp-dev \
    libpulse-dev \
    libvorbis-dev \
    libwebsockets-dev

# Download and build Guacamole server
wget -O guacamole-server-1.6.0.tar.gz "https://apache.org/dyn/closer.lua/guacamole/1.6.0/source/guacamole-server-1.6.0.tar.gz?action=download"
tar -xzf guacamole-server-1.6.0.tar.gz
cd guacamole-server-1.6.0

./configure
make -j"$(nproc)"
sudo make install
sudo ldconfig
```
Create a systemd unit file for guacd (opened here in VS Code):

```bash
code guacd.service
```

Contents of guacd.service:

```ini
[Unit]
Description=Guacamole proxy daemon
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/sbin/guacd -f
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Install the unit and start the service:

```bash
sudo cp guacd.service /etc/systemd/system/guacd.service
sudo systemctl daemon-reload
sudo systemctl enable guacd
sudo systemctl start guacd
```

Install Tomcat (alternatives possible)

Set up Guacamole client

```bash
# ?action=download makes closer.lua redirect to the file itself instead of returning the mirror selection page
wget "https://apache.org/dyn/closer.lua/guacamole/1.6.0/binary/guacamole-1.6.0.war?action=download" -O guacamole.war
sudo mv guacamole.war /opt/tomcat/updated/webapps/guacamole.war
sudo mkdir -p /etc/guacamole
sudo nano /etc/guacamole/guacamole.properties
```

Contents of /etc/guacamole/guacamole.properties:

```properties
guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
```

```bash
sudo nano /etc/guacamole/user-mapping.xml
```

Contents of /etc/guacamole/user-mapping.xml:

```xml
<user-mapping>
    <authorize username="ron" password="password">
        <connection name="TestConnection">
            <protocol>ssh</protocol>
            <param name="hostname">127.0.0.1</param>
            <param name="port">22</param>
        </connection>
    </authorize>
</user-mapping>
```

```bash
sudo chown -R tomcat:tomcat /etc/guacamole
sudo systemctl restart guacd
sudo systemctl restart tomcat
```

Install openssh-server if you haven't already

```bash
sudo apt update
sudo apt install openssh-server
sudo systemctl enable --now ssh
```

Testing

  1. Access localhost:8080/guacamole in a browser on the same device. You should be able to log in and access the terminal.

  2. Repeat on another device on the same LAN (home Wi-Fi with device discovery turned on, for example). Substitute localhost with the local IP address of your server device (the computer you are setting up Guacamole on).

  3. Set up port forwarding and try from a device on the public internet. Substitute localhost with your public IP address and the port number 8080 with the public port you set up (nothing technically prevents it from also being 8080, but for improved security use a less well-known port, as attackers target commonly known ports).

Production use

Immediately after 7.3 (step 3 of Testing, port forwarding), change the user name and password in user-mapping.xml to something much harder to guess. Then restart the relevant services:

```bash
sudo systemctl restart guacd
sudo systemctl restart tomcat
```

After 7.3, your computer is basically exposed to the public internet and anyone can connect to it and try to brute-force their way in. It is also highly recommended to set up HTTPS (you will need a domain name) so that login credentials are not sent without any encryption, as is the case with plain HTTP.

You first need to set up a reverse proxy. The proxy_pass value should be http://localhost:8080/guacamole/ if you are on the same machine and following my exact instructions.
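A reverse proxy configuration for the setup described above, as an added example that is not part of the original guide. It assumes nginx is the proxy; guac.example.com and the certificate paths are placeholders to replace with your own domain and files.

```nginx
# Added example: guac.example.com and the certificate paths are placeholders.

# Redirect plain HTTP so login credentials are never sent unencrypted.
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name guac.example.com;

    # Placeholder paths: point these at the certificate and key for your domain.
    ssl_certificate     /etc/ssl/certs/guac.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/guac.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /guacamole/ {
        # Tomcat on the same machine, as set up in this guide.
        proxy_pass http://localhost:8080/guacamole/;

        # Guacamole streams the remote display; buffering only adds latency.
        proxy_buffering off;

        # The WebSocket tunnel needs HTTP/1.1 and the Upgrade/Connection headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Pass the original host, scheme and client address through to Tomcat.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check the file with `sudo nginx -t` before reloading nginx. Once the proxy works, forward the public port to nginx on 443 rather than to Tomcat on 8080, so the login page is only reachable over HTTPS.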