IT Notes - alpine

Stefano Marinelli · 2024-05-14 · via IT Notes - alpine

Introduction

A client recently asked if their approach to remote desktop access was correct. They leave their office PC on and connect to it via remote desktop. Their main requirement is to access internal resources via a browser (they use Brave, so the BSDs cannot currently be used) and they prefer not to use their home computers for security reasons. I can understand their concern – I wouldn’t be comfortable knowing that a home PC (possibly shared with others) could connect to the company VPN and have unrestricted access.

Setting Up Alpine Linux on a VM

To address this, I downloaded the Alpine Linux Virt ISO from the official site and installed it on a VM in their office datacenter. They use Proxmox, which made the process quite straightforward. I allocated 20GB of disk space, 4GB of RAM, and 2 CPU cores to the VM. For added security, the installation process allows you to encrypt the disk. Note that if you choose this option, you’ll need to access the virtualizer console to re-enter the password every time the VM restarts.

During the Alpine installation, create a non-privileged user who will be using the remote desktop we’re about to set up.

Initial Configuration

Once the installation is complete, you can log in via the console as root or use SSH with the newly created non-privileged user. In the latter case, you’ll first need to switch to the root user:

su -

Enable the community repository by uncommenting it in /etc/apk/repositories:

http://dl-cdn.alpinelinux.org/alpine/v3.20/main
http://dl-cdn.alpinelinux.org/alpine/v3.20/community

Installing Required Packages

Next, install the main packages needed to manage the remote desktop:

apk add xrdp xorgxrdp xorg-server xfce4 xfce4-terminal wireguard-tools ifupdown-ng-wireguard

Edit the /etc/xrdp/xrdp.ini file to ensure xrdp listens only on the VPN’s private IP, avoiding exposure to the LAN (or worse, the WAN):

port=tcp://172.16.16.1:3389

Enable xrdp:

rc-update add xrdp
rc-update add xrdp-sesman

Configuring Wireguard

To set up Wireguard, navigate to /etc/wireguard and create the keys:

wg genkey | tee server.privatekey | wg pubkey > server.publickey

Create a configuration file wg0.conf:

[Interface]
Address = 172.16.16.1/24
ListenPort = 4242
PrivateKey = <server private key value> # the key from the previously generated privatekey file

[Peer]
PublicKey = <client public key value> # client’s public key
AllowedIPs = 172.16.16.2/32

On the client, the configuration should look like this:

[Interface]
PrivateKey = <client private key value>
Address = 172.16.16.2/24

[Peer]
PublicKey = <server public key value>
AllowedIPs = 172.16.16.0/24
Endpoint = <server public ip>:4242

Then, open the /etc/network/interfaces file and add:

auto wg0
iface wg0 inet static
pre-up wg-quick up /etc/wireguard/wg0.conf

Reboot the VM, and everything should be ready. Just be sure to set your router/firewall to forward UDP port 4242 to the VPS LAN IP for Wireguard access. If the VM has been exposed via a public IP, this won't be necessary, but remember that SSH will be exposed too, so take care.
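As an added example (not part of the original post, and not code from the xrdp or WireGuard projects), the following POSIX shell script ties the steps above together: it renders the server and client wg0.conf pair from keys you have already generated with wg genkey / wg pubkey, and it rewrites and audits the xrdp.ini bind address. The audit matters because xrdp.ini contains more than one port= line: the session sections ([Xorg], [Xvnc]) carry port=-1, so a blanket sed over every port= line would break session start-up. The script therefore only touches the port= line inside [Globals]. The key strings, the 203.0.113.10 endpoint in the demo and the xrdp.ini path argument are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of the xrdp/WireGuard projects.
# Renders the WireGuard server/client pair from already-generated keys and makes
# sure xrdp binds only to the VPN address. Key strings and the demo endpoint are
# placeholders; the xrdp.ini path is passed in by the caller.
set -eu

VPN_NET="172.16.16.0/24"
SERVER_VPN_IP="172.16.16.1"
CLIENT_VPN_IP="172.16.16.2"
WG_PORT="4242"
RDP_PORT="3389"

# render_server_conf SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY
# Only the client's /32 is allowed, so no other address can ride the tunnel.
render_server_conf() {
    printf '[Interface]\nAddress = %s/24\nListenPort = %s\nPrivateKey = %s\n\n' \
        "$SERVER_VPN_IP" "$WG_PORT" "$1"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$2" "$CLIENT_VPN_IP"
}

# render_client_conf CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY SERVER_PUBLIC_IP
# AllowedIPs is the VPN subnet only: the client's normal traffic stays off the tunnel.
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$1" "$CLIENT_VPN_IP"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s:%s\n' \
        "$2" "$VPN_NET" "$3" "$WG_PORT"
}

# set_xrdp_bind XRDP_INI
# Rewrite the port= line in the [Globals] section only. xrdp.ini also has
# port=-1 lines in its session sections ([Xorg], [Xvnc]); a plain
# sed 's/^port=.*/.../' would clobber those and break session start-up.
set_xrdp_bind() {
    awk -v bind="tcp://${SERVER_VPN_IP}:${RDP_PORT}" '
        /^\[/ { in_globals = ($0 == "[Globals]") }
        in_globals && /^port=/ { print "port=" bind; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_xrdp_bind XRDP_INI
# Exit 0 only if the [Globals] port line binds to the VPN IP, i.e. xrdp is not
# reachable from the office LAN or the WAN.
check_xrdp_bind() {
    awk -v want="port=tcp://${SERVER_VPN_IP}:${RDP_PORT}" '
        /^\[/ { in_globals = ($0 == "[Globals]") }
        in_globals && /^port=/ { ok = ($0 == want) }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Demo: `sh wg-rdp.sh demo` prints both configs with placeholder keys.
if [ "${1:-}" = "demo" ]; then
    render_server_conf "<server private key value>" "<client public key value>"
    echo "--- client ---"
    render_client_conf "<client private key value>" "<server public key value>" "203.0.113.10"
fi
```

On the VM, `render_server_conf "$(cat server.privatekey)" "$(cat client.publickey)" > /etc/wireguard/wg0.conf` followed by `set_xrdp_bind /etc/xrdp/xrdp.ini` reproduces the manual edits above; running `check_xrdp_bind /etc/xrdp/xrdp.ini` after an xrdp package upgrade is a cheap way to notice if a new default xrdp.ini has silently put the listener back on all interfaces.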

Connecting via Remote Desktop

Use your favorite RDP remote desktop client and point it to 172.16.16.1. You should see a login screen.

Installing Brave Browser

To install Brave Browser on Alpine Linux, the easiest way is to use Flatpak. Open a terminal and, as root, install Flatpak and Brave Browser:

su -
apk add flatpak
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install flathub com.brave.Browser

After logging out and back into the remote desktop, Brave should appear in the list of applications. Launch it, and you can synchronize it with the Brave installation on your work PC. This setup ensures that everything works seamlessly on the virtual remote desktop.

Conclusion

This approach offers multiple benefits. By exposing the remote desktop via Wireguard, you significantly enhance security without compromising access to internal services. This method ensures that your internal resources remain protected while being easily accessible when needed.