Install Guacamole Remote Desktop on Ubuntu 22.04 (Jammy Jellyfish)

This guide covers all the steps required to install Guacamole Remote Desktop on Ubuntu 22.04 (Jammy Jellyfish).

In case you never got the Memo, Ubuntu 22.04 LTS was released as the new Long Term Release. It comes will improvements and today we are going to take advantage of this new broom in the house to sweep our access operations clean. As we know, the convenience of having one place to access your servers is something most administrators can consider having in their main course meal every single day. In order to satiate this need, this guide goes into the details of setting up one such platform. By the end of this guide, we should have set up a working Apache Guacamole Server on the new Ubuntu release that can be leveraged to provide one place to access all of your servers. Whether they are Windows or Linux, Apache Guacamole is here for you.

Before getting into the crux of this tool, wouldn’t it be good if we knew what it is all about? Right, let us go ahead and demystify this tool. Apache Guacamole is a clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH. Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.

Guacamole is separated into two pieces: guacamole-server, which provides the guacd proxy and related libraries, and guacamole-client, which provides the client to be served by your servlet container. In most cases, the only source you will need to build is a guacamole-server, and downloading the latest guacamole.war from the project website will be sufficient to provide the client.

Step 1: Server Preparation

Apache Guacamole has many dependencies and we are going to deal with most of them in this step. Let us get ahead and install each and every one of the dependencies that our Guacamole server will require to breathe and live. Get them all installed as follows:

sudo apt update
sudo apt install -y gcc nano vim curl wget g++ libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin libossp-uuid-dev

Install other dependencies:

sudo apt install -y libavcodec-dev  libavformat-dev libavutil-dev libswscale-dev build-essential libpango1.0-dev libssh2-1-dev libvncserver-dev libtelnet-dev libpulse-dev libvorbis-dev libwebp-dev

Install FreeRDP2

We are going to install the FreeRDP2 version hosted in the Remmina PPA as follows:

sudo add-apt-repository ppa:remmina-ppa-team/remmina-next-daily
sudo apt update
sudo apt install freerdp2-dev freerdp2-x11 -y

That should complete the packages and libraries Guacamole demands of us and we should now get to the business of installing it.

Step 2: Get Apache Tomcat Installed

In this step, we are going to install the Apache Tomcat Java servlet container which will run the Guacamole Java war file and thus serves the Guacamole Java client. Since it is in Java, we will have to get Java installed first:

sudo apt install default-jdk

Once it is installed, you can check the version installed

$ java --version
openjdk 11.0.20 2023-07-18
OpenJDK Runtime Environment (build 11.0.20+8-post-Ubuntu-1ubuntu122.04)
OpenJDK 64-Bit Server VM (build 11.0.20+8-post-Ubuntu-1ubuntu122.04, mixed mode, sharing)

Install Apache Tomcat

Apache Tomcat exists in the default Ubuntu 22.04 repositories and can be installed using the command:

sudo apt install tomcat9 tomcat9-admin tomcat9-common tomcat9-user

Once installed, ensure the service has been started and enabled:

sudo systemctl enable --now tomcat9

And Tomcat should be running with a dash of happiness like the below:

$ systemctl status tomcat9
● tomcat9.service - Apache Tomcat 9 Web Application Server
     Loaded: loaded (/lib/systemd/system/tomcat9.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-08-16 16:54:54 EAT; 3s ago
       Docs: https://tomcat.apache.org/tomcat-9.0-doc/index.html
    Process: 150975 ExecStartPre=/usr/libexec/tomcat9/tomcat-update-policy.sh (code=exited, status=0/SUCCESS)
   Main PID: 150979 (java)
      Tasks: 14 (limit: 4617)
     Memory: 80.2M
        CPU: 3.779s
     CGroup: /system.slice/tomcat9.service
             └─150979 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogM>

Ago 16 16:54:55 neveropen tomcat9[150979]: Initializing ProtocolHandler ["http-nio-8080"]
Ago 16 16:54:56 neveropen tomcat9[150979]: Server initialization in [1246] milliseconds
....

Tomcat listens on port 8080 by default and as you can guess, we need to allow access to the application remotely by allowing the port on the firewall. This is as simple as a one-line command as shown below:

sudo ufw allow 8080/tcp

Step 3: Build the Guacamole Server From Source

guacamole-server contains all the native, server-side components required by Guacamole to connect to remote desktops. It provides a common C library, libguac, which all other native components depend on, as well as separate libraries for each supported protocol, and a proxy daemon, guacd, the heart of Guacamole.

Download the Latest stable version of guacamole-server

cd ~/
VER=1.5.3
wget https://archive.apache.org/dist/guacamole/$VER/source/guacamole-server-$VER.tar.gz

Extract the source tarball after download

tar xzf ~/guacamole-server-*.tar.gz

Change into the guacamole server source code directory;

cd ~/guacamole-server-*/

Then execute the configure script to check if any required dependency is missing and to adapt the Guacamole server to your system.

./configure --disable-guacenc --with-init-dir=/etc/init.d

The command above will lead to a long trickle of output. When it ends, you should see the following output which should have a yes on the following: RDP, SSH, Telnet, and VNC.

------------------------------------------------
guacamole-server version 1.5.3
------------------------------------------------

   Library status:

     freerdp2 ............ yes
     pango ............... yes
     libavcodec .......... yes
     libavformat.......... yes
     libavutil ........... yes
     libssh2 ............. yes
     libssl .............. yes
     libswscale .......... yes
     libtelnet ........... yes
     libVNCServer ........ yes
     libvorbis ........... yes
     libpulse ............ yes
     libwebsockets ....... no
     libwebp ............. yes
     wsock32 ............. no

   Protocol support:

      Kubernetes .... no
      RDP ........... yes
      SSH ........... yes
      Telnet ........ yes
      VNC ........... yes

   Services / tools:

      guacd ...... yes
      guacenc .... yes
      guaclog .... yes

   FreeRDP plugins: /usr/lib/x86_64-linux-gnu/freerdp2
   Init scripts: /etc/init.d
   Systemd units: no

Type "make" to compile guacamole-server.

After that, simply run the make command as advised on the last message

make

Give it some time while it does its thing. Once it finishes, install the guacamole server as follows

sudo make install

To finish it all, run the ldconfig command to create the necessary links and cache to the most recent shared libraries found in the guacamole server directory.

sudo ldconfig
sudo mkdir  -p /etc/guacamole/{extensions,lib}

Create guacd.conf configuration file:

$ sudo vim /etc/guacamole/guacd.conf
[daemon]
pid_file = /var/run/guacd.pid
#log_level = debug

[server]
#bind_host = localhost
bind_host = 127.0.0.1
bind_port = 4822

#[ssl]
#server_certificate = /etc/ssl/certs/guacd.crt
#server_key = /etc/ssl/private/guacd.key

Refresh systemd for it to find the guacd (Guacamole proxy daemon) service installed in /etc/init.d/ directory.

sudo systemctl daemon-reload

Once reloaded, start and enable the guacd service.

sudo systemctl restart guacd
sudo systemctl enable guacd

And to have that mood put on turbo lift, check its status.

$ systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
     Loaded: loaded (/etc/init.d/guacd; generated)
     Active: active (running) since Wed 2023-08-16 16:58:37 EAT; 45s ago
       Docs: man:systemd-sysv-generator(8)
      Tasks: 1 (limit: 4564)
     Memory: 9.8M
     CGroup: /system.slice/guacd.service
             └─173294 /usr/local/sbin/guacd -p /var/run/guacd.pid

Hag 16 14:30:37 workstation systemd[1]: Starting LSB: Guacamole proxy daemon...
Hag 16 14:30:37 workstation guacd[173292]: Guacamole proxy daemon (guacd) version 1.5.3 started
Hag 16 14:30:37 workstation guacd[173291]: Starting guacd:
Hag 16 14:30:37 workstation guacd[173292]: guacd[173292]: INFO:        Guacamole proxy daemon (guacd) version 1.5.3 started
Hag 16 14:30:37 workstation guacd[173291]: SUCCESS
Hag 16 14:30:37 workstation systemd[1]: Started LSB: Guacamole proxy daemon.
Hag 16 14:30:37 workstation guacd[173294]: Listening on host 127.0.0.1, port 4822

Step 4: Install the Guacamole Web Application

There are two critical files involved in the deployment of Guacamole: guacamole.war, which is the file containing the web application, and guacamole.properties, the main configuration file for Guacamole. The recommend way to set up Guacamole involves placing these files in standard locations, and then creating symbolic links to them so that Tomcat can find them.

guacamole-client contains all Java and Maven components of Guacamole (guacamole, guacamole-common, guacamole-ext, and guacamole-common-js). These components ultimately make up the web application that will serve the HTML5 Guacamole client to users that connect to your server. This web application will connect to guacd, part of guacamole-server, on behalf of connected users in order to serve them any remote desktop they are authorized to access.

Install Guacamole Client on Ubuntu 22.04 LTS

The Guacamole client is available as a binary. To install it, just pull it from the Guacamole binaries downloads page as shown below, copy it to /etc/guacamole/ directory and rename it at the same time.

VER=1.5.3
wget https://archive.apache.org/dist/guacamole/$VER/binary/guacamole-$VER.war
sudo mv guacamole-$VER.war /var/lib/tomcat9/webapps/guacamole.war

Step 5: Configure Guacamole Server

After the installation of the Guacamole server daemon, you need to define how to Guacamole client will connect to the Guacamole server (guacd) under the /etc/guacamole/guacamole.properties configuration file. Within this configuration, you need to simply define Guacamole server hostname, port, and authentication provider.

GUACAMOLE_HOME is the name given to Guacamole’s configuration directory, which is located at /etc/guacamole by default. All configuration files, extensions, etc. reside within this directory.

Create GUACAMOLE_HOME environment variable

echo "GUACAMOLE_HOME=/etc/guacamole" | sudo tee -a /etc/default/tomcat
echo "export GUACAMOLE_HOME=/etc/guacamole" | sudo tee -a /etc/profile

Create /etc/guacamole/guacamole.properties config file and populate it as shown below:

$ sudo vim /etc/guacamole/guacamole.properties
guacd-hostname: localhost
guacd-port:     4822

Step 6: Setup Guacamole Database Authentication

Guacamole’s default authentication method reads all users and connections from a single file called user-mapping.xml. However, this method should only be used for testing purposes. For production-ready, we need to set up database authentication.

Ensure MySQL or MariaDB has been installed on your system. That can be achieved by following the below guides:

• How to Install MariaDB on Ubuntu
• How to Install MySQL on Ubuntu

Once installed, download the  MySQL Connector/J (Java Connector). Export the latest available version for the page:

VER=8.1.0

Now download the archive using the command:

wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-$VER.tar.gz

Extract the file and copy it to the /etc/guacamole/lib/ directory:

tar -xf mysql-connector-j-*.tar.gz
sudo cp mysql-connector-j-$VER/mysql-connector-j-$VER.jar /etc/guacamole/lib/

You also need the JDBC auth plugin for Guacamole. Export the latest version available:

VER=1.5.3

Then download it with the command:

wget https://downloads.apache.org/guacamole/$VER/binary/guacamole-auth-jdbc-$VER.tar.gz

Extract it and move it to /etc/guacamole/extensions/ as shown:

tar -xf guacamole-auth-jdbc-$VER.tar.gz
sudo mv guacamole-auth-jdbc-$VER/mysql/guacamole-auth-jdbc-mysql-$VER.jar /etc/guacamole/extensions/

Now login to the database server using the root user and password:

sudo mysql -u root -p

Once connected, create a database and user for Guacamole:

CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'Passw0rd!';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
QUIT

Switch to the extracted JDBC plugin path:

cd guacamole-auth-jdbc-*/mysql/schema

Import the SQL schemas:

cat *.sql | sudo mysql -u root -p guacamole_db

Provide the password for the root user to import the schemas. Next, modify the properties of Guacamole

sudo vim /etc/guacamole/guacamole.properties

In the file, add these lines for the created database:

###MySQL properties
mysql-hostname: 127.0.0.1
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: Passw0rd!

Save the file and restart all the services:

sudo systemctl restart tomcat9 guacd

Step 7: Accessing Guacamole Web Interface

Thus far, we have set up everything well and we should therefore be ready to access the application we have been toiling to bring up. To access Guacamole’s web interface, simply point your browser to http://ip-or-domain-name:8080/guacamole and you should be greeted with a login screen as shown below:

Login using guacadmin as the username and guacadmin as the password

Once connected, you can create a new admin and delete the default one for security purposes. To do that, click on the guacadmin user drop-down arrow and go to Settings ->User->New User.

Ensure all the required permissions have been assigned then click Create. Once the user has been created, log out and log in using the new admin user.

You can then navigate to the setting and delete the old admin user.

Create SSH connection

By default, the user does not have SSH connections. We can create a new connection by clicking on Settings ->Connection->New Connection

You need to provide the name for the connection, then the IP/hostname and port for the server, username and password under the Parameters->Network.

If you have SSH key authentication configured on the remote hosts, consider adding the below lines to the SSH config to avoid the error “ssh handshake failed.”

$ sudo vim /etc/ssh/sshd_config
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

Restart the service:

sudo systemctl restart sshd

Once created, you can test the connection by navigating to Home(drop-down on username)

Simply click on the one you would wish to connect to and you will be prompted with a username and password whether via SSH or RDP depending on the Operating System.

You can also use other Authentication Methods as shown here:

• Guacamole Integration with Active Directory, OTP, and Duo 2FA

To configure SSL check out our article:

• Configure Nginx Proxy For Guacamole With Let’s Encrypt SSL

And if the credentials are correct, you should be allowed into your server

Ending Remarks

Get your environment organized and easy to use even for new users in your environment by taking advantage of Apache Guacamole to use its cool features as you will see after installation. Check it out and leverage on its flexibility and convenience.

• Install and Use Guacamole Remote Desktop on CentOS 8
• Install Guacamole Remote Desktop on Debian