Apache Guacamole 1.1.0
guacamole.apache.org
For everyone wondering what this is:
Via https://guacamole.apache.org/doc/1.1.0/gug/preface.html
What is Guacamole?
Guacamole is an HTML5 web application that provides access to desktop environments using remote desktop protocols (such as VNC or RDP). Guacamole is also the project that produces this web application, and provides an API that drives it. This API can be used to power other similar applications or services.
I really like the idea implemented by Apache Guacamole, but when I tried to install it on my home server to get remote desktops to my other machines when abroad, it was a huge letdown.
First of all the installation process is terrible, you need to install and configure a whole working tomcat8 server first and manually deploy the application WAR, configuration is non-obvious and obtuse, and the first ~10 tries after deploying Guacamole failed to establish VNC connections without a clear indication what went wrong. Over the years I've installed loads of services, not just trivial ones (e.g. nginx with SSL and multiple vhosts on different domains, reverse proxies, SSH tunnels, VPN servers, etc) and while I wouldn't say installing Guacamole was hard, the process just felt unnecessarily complicated. Not a nice experience.
Second, when I finally managed to get Guacamole to establish a VNC connection to an OS X client, the performance was straight up horrible. That's over a Gbit ethernet LAN, which I also use to stream games to a steam link at 60fps. Granted, this was connecting to a desktop with 5K resolution and 32-bit color, but connecting to it directly using a VNC client works just fine. Through Guacamole it was literally unusable.
Is this to be expected?
My recommendation: Use Docker. No need to deal with all the gritty details. If needed, reverse-proxy it.
Guacamole is (in my experience) unfortunately rather inefficient concerning bandwidth.
You can’t compare it to Steam Link either, because that’s using H264 video compression. Guacamole does not use video compression.
A single 5K 24 bit bitmap is ~42 MiB. That’s a lot, even compressed and especially at reasonable frame rates.
I second using containers for guacamole.
Also agree, this isn't intended to be a replacement for direct access, nor for streaming purposes.
This gives you an RDP session with no software install needed. The use case of guacamole is accessing a system from anywhere without needing your ssh keys, RDP, or VNC software. If you're happy doing any of those directly, adding a middle man doesn't add any value.
That said, if you're managing others accessing the system, you can bastion off the target machines and only expose this access. This lets you put the target machines behind NAT, and only manage one entry point.
Yeah, this is a neat tool, but I'm wondering what actual use case this is fulfilling. Installing an RDP or VNC client isn't a huge effort. If you're enterprise, you're probably already paying for TeamViewer or something similar. The biggest issue is usually the handshake between a client and machine on a private LAN.
The Virginia Cyber Range (www.virginiacyberrange.org) is a taxpayer funded organization that leverages this project heavily to give K-12+ students access to virtual machines for cybersecurity education.
Some of our customers are on Chromebooks, but with this they can access machines without installing software.
For students at home, it's the same experience, no need to provide at-home setup instructions for all the common operating systems.
In schools using computer labs, no need to install software at all. IT admins see Guacamole's requirements for service and it requires them to do no work, and opens no threats to their network.
This allows us to replicate the capabilities of virtual box or similar software without teachers needing to know anything about virtualization, or dealing with the first session/week being the struggle to find BIOS flags to turn on, and getting the virtualization software working.
We currently see about 500-800 unique guacamole connections per day, it's fairly reliable.
Awesome project! Glad you were able to leverage an OSS project to make your UX streamlined and approachable.
Most ASF projects are not what I would call end-user tools; they're a collection of enabling technologies under an open source license so that they can be integrated in a modular way into a wide range of other products that an end-user would interact with. For better or worse, this seems to be the way that open source is being funded and used by the industry these days.
We use it in conjunction with Pulse Secure. Users are able to remote into their Windows desktops via RDP after creating the connection from a web portal.
>> This gives you an RDP session with no software install needed. The use case of guacamole is accessing a system from anywhere without needing your ssh keys, RDP, or VNC software. If you're happy doing any of those directly, adding a middle man doesn't add any value.
The point is that I'm not happy to do this directly, for various reasons. I don't want to open up any ports that get forwarded to my LAN for remote desktop, and I want to be able to access LAN clients from machines behind a proxy that just blocks anything but http/https traffic. That's why I looked into Guacamole.
Maybe RDP connections work better with guacamole, compared to VNC, but I don't have any windows machines I want to remote into, so that's of no value to me.
Try Xrdp https://en.wikipedia.org/wiki/Xrdp
I use it on a bunch of Ubuntu 18.04 systems, works out of the box with apache guacamole.
>> You can’t compare it to Steam Link either, because that’s using H264 video compression. Guacamole does not use video compression.
This part I don't really understand. Why would a client <-> guacamole <-> VNC connection be less inefficient in terms of bandwidth compared to a direct client <-> VNC connection?
And if the general idea of sending screen data to a client would be much more efficient if you use something like H264, why doesn't Guacamole implement some kind of similar compression technique?
I used NX for a while, and that does something very similar. On a slow connection you can actually see the compression artefacts when scrolling. It's not pretty, but at least it makes the machine accessible.
Anyway, when I tried guacamole, it was over Gbit LAN, if that's not even enough to expose a VNC client using Guacamole, what's the point?
> Why would a client <-> guacamole <-> VNC connection be less inefficient in terms of bandwidth compared to a direct client <-> VNC connection?
Because it’s not using the VNC protocol. It’s the Guacamole protocol. It is more restricted compared to modern VNC compression variants.
> I used NX for a while, and that does something very similar. On a slow connection you can actually see the compression artefacts when scrolling. It's not pretty, but at least it makes the machine accessible.
NoMachine NX is a different beast altogether. It’s comparable to RDP in that it deals directly with the actual (X11) objects instead of (just) their on-screen rendering. It’s basically advanced compression over X11 forwarding over SSH.
---
The point is HTML5. It works everywhere you have a somewhat reasonable browser.
Compressing the H264 requires quite a bit more processor power on the server. It's fine for steam link because the use case usually involves a powerful gaming PC on the server end, often with a dedicated GPU video encoder.
Is there a similar system to Guacamole that does involve encoding?
I was actually looking at this a few days ago because I've been very interested in implementing something like Google's Project Stream locally where I can render things in the browser, but frame rate is important for me.
If only there was a way to intercept the screen drawing commands and send those over the network instead.
Agreed, the configuration is not pleasant. I also tried many alternatives to this while abroad recently and actually found plain VNC the most performant and pleasant to use, and it's trivial to set up.
Guacamole is not intended to replace normal remote connections... It provides additional features that target people who can't reasonably use RDP or VNC themselves...
It provides access management so you don't need to expose the server, or the user/passwords, to gain access... You can also record the sessions... And some other neat features... None of which really seem to replace a direct connection made by a technically savvy individual between two machines on a network he controls.
But imagine the benefit for schools -- high schoolers can be given access to a virtual machine, without installing RDP or similar protocols on the student's machine, and without giving them virtualization tools that might allow them to bypass student safety protections.
Yep, I totally understand the value of it. I just don't recommend it for individual 'homelab' type use cases unless you really need to log in without any client.
I wanted to try all the options because there are many claims out there that they are somehow faster than VNC or other solutions due to clever protocols or compression, however I found that this wasn't really true.
Have you tried Bitnami VMs and cloud images? https://bitnami.com/stack/guacamole
> Second, when I finally managed to get Guacamole to establish a VNC connection to an OS X client, the performance was straight up horrible.
Well, there’s your problem: Mac VNC. In order to get “OK” VNC performance on a Mac you have to:
* Make sure a display is connected to it (either real or a display emulator dongle)
* Use the built in Mac VNC server
* Use a VNC client like Remotix that has support for the VNC extensions that Apple uses to boost performance
In other words, use something else, like NoMachine (or similar) which does h264 compression.
Thanks for testing this for us.
I hope this project has matured since I last tried it (18 months ago).
As wOutert mentioned, the installation process is difficult and not for the faint of heart. Sure, most folks reading this here could manage it, but we're not normal!
I really wanted this to work since I'm teaching at a school where all the Windows machines are locked down. I teach a Linux class. I teach a bunch of cyber-security classes and often need to install tools for this. Our IT administrators either refuse to let me install the software I need to teach or put up a huge stink.
I stood up a few VMs in my homelab for teaching and was hopeful that I could remote in painlessly. After much weeping and gnashing of teeth I finally got it working. And it worked well. About once a month I do a "yum update" on my CentOS machines and when it ran on this particular machine, it broke something in the Guac stack. I refused to spend the time to fix it!
Simultaneously, I'd been having trouble with TeamViewer. The unfortunate reality of any IT professional's life is that you end up doing IT support for the family. TeamViewer was fine for years, but they started flagging my use as commercial. After looking and testing I found AnyDesk; it works every bit as well as TeamViewer and it has a Windows portable client; you don't need to install anything on the client machine (no admin rights needed).
So now I either boot my machines from a USB stick with Linux or AnyDesk to where I need to go and my life is much better.
When Guacamole is mature and painless like AnyDesk, I'd give it another look.
Using it in production here since a few versions. It works perfectly for RDP (VMs that several non-computer-savvy people have to use, including when abroad) and LDAP (slapd) for auth. Performance is really good even for tens of connections at the same time, and the users are using old apps that tend to refresh half the screen each time a single pixel changes. Works on Linux, Mac and Windows for the clients without having to give specific instructions for each. I used the Docker containers for deployment to reduce the hassle. As it is running on a VM anyway, I will switch that to Ansible playbooks at some point, but the Docker install was really smooth, I'm almost wondering if it is worth it.
It would be great if these sorts of posts would include a description of what's big about these releases. If you were already excited about this Guacamole release, then you probably didn't need the reminder.
Looking through the notes, this looks interesting...
> Similar to Guacamole’s support for SSH and telnet, Guacamole can now provide terminal access to Kubernetes pods using the same mechanism as kubectl attach. This allows Guacamole to be used to interact with Kubernetes pods without requiring that those pods host an SSH or telnet service.
I have never used Guacamole or K8s (still stuck on Docker) but I assume this makes connecting to a containerized desktop much easier.
Great work to everyone involved.
> It would be great if these sorts of posts would include a description of what's big about these releases. If you were already excited about this Guacamole release, then you probably didn't need the reminder.
I agree but unfortunately HN only allows you to submit a URL or text, not both. Also you're not technically supposed to editorialise the page title either. Thankfully the release notes on this particular site are well written.
Maybe the submitter could highlight what they view as noteworthy in this release?
Switch to FreeRDP 2.0 and Swiss German keyboard layout are my highlights.
The antithesis of a good landing page.
I'd never heard of it before. What does Apache Guacamole actually do? Is it of interest to me? I click...
Nothing on the home page immediately tells me. I note HTML5 and there is something going on with a client and I guess a server? I scroll down the page. Literally, nothing telling me how Guacamole might be of interest to me, but I notice a mention to RDP - hmmm, that might be a clue, but it might not be.
I go up to docs. FAQ? OK, that might help. I click. Nope. Nothing. I scroll through the first five or six questions and I'm none the wiser.
I go back to the docs and notice the user manual. Surely that must tell me? I click.
Right, which section might tell me? Introduction? I click.
Several paragraphs in:
> Guacamole is an HTML5 web application that provides access to desktop environments using remote desktop protocols (such as VNC or RDP). Guacamole is also the project that produces this web application, and provides an API that drives it. This API can be used to power other similar applications or services.
I realise F/LOSS might not feel the need to "market" itself like it were a business, but is it too much to ask that the first thing we see on the home page is a brief description of what the project is, and some of the benefits so a curious chap can decide if it's of interest?
The post links to the 1.1.0 release https://guacamole.apache.org/releases/1.1.0/
IMHO this is not an intended landing page for the project. I touched the title and got to the home page which explains pretty well what the project is about
Maybe they should add an explicit Home link.
Uh, go to the home page?
> "Apache Guacamole is a clientless remote desktop gateway [RDP]. It supports standard protocols like VNC, RDP, and SSH."
> "We call it clientless because no plugins or client software are required."
> "Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser."
The link you have clicked on is the release page, you could have just gone to the home page ("click the title") to see what this was all about.
Bonus: There's even a video on the home page, I played the video and I instantly know what the software is.
Most open source software homepages don't provide that level of context, just walls of text.
> is it too much to ask that the first thing we see on the home page is a brief description of what the project is, and some of the benefits so a curious chap can decide if it's of interest?
It's not too much to ask, especially if you actually look at the home page and not the release notes that are clearly linked here.
The home page itself also doesn't really explain what it is... unless you already know.
All I got is that it's some remote desktop client that runs in the browser. Then I had to assume that the server probably needs to be in the same network as your target computer... And there's some extra login to the client itself?
And then I noticed that that image is actually a video. ._.
What browser are you using?
The video has a standard play button on desktop Firefox. In fact it is very clearly an embedded Vimeo video (branded and all).
Also your server assumption is very clearly stated right next to the video:
> Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.
This is all in the top half of the landing page and even highlighted in green to stand out from the rest of the page.
I agree many FOSS projects have lousy landing pages but I've always thought this one to be one of the better ones. In fact it is better than many commercial landing pages I've had the misfortune to, ahem, land on.
The link on HN is not a landing page.
https://guacamole.apache.org/ - this is and it is very self explanatory to me.
`Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.`
Do you have an example of what they could have written? I agree with you that lots (mostly the corporate and startup) of homepages aren't good in describing the product but this seems like a relatively okay summary to me:
"Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.[...]
Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser."
It's a tool you install on your machine and then you can access said machine via a web browser, no?
I had the same thoughts when clicking this document. It seems more like a release page than a landing page. But I think the lesson is that documentation is tricky to write because there are many ways to use it, for both novice and advanced users. I've checked Django, Drupal and Python release notes and they aren't any more specific, although the website navigation makes it clear how to reach the home page.
It's a release page. If ever in doubt of where you are, look at the URL.
Guacamole is quite well known in the Linux world.
Release page being linked is appropriate given the title.
was about to complain but then I realized it's just a release note page
that said a tiny [remote desktop] tag in the title would have eased the process
If you like Apache Guacamole, you'll love Glyptodon Enterprise.
https://glyptodon.com/ https://demo.glyptodon.com/
Led by the founders/maintainers of Guacamole.
Nobody has mentioned it but the header says:
Apache Guacamole 1.1.0 has not yet been released! The artifacts and release notes below are drafts for a proposed release of Apache Guacamole which has not yet occurred.
So it would seem it has not been released yet.
My heart nearly jumped out of my chest when I saw this link here....
And actually.. it is released, they updated their docker instead making 1.1.0 their latest tag while dropping RC designation
I really hope FreeRDP 2.0 brings some general improvements, the existing implementation on 1.0.0 had terrible thread handling that causes infinite loops in certain situations.
"Guacamole is an HTML5 web application that provides access to desktop environments using remote desktop protocols (such as VNC or RDP)."
Shouldn't this be front and center on the home page instead of having to find the manual and navigate to the second paragraph of the introduction?
That said, it looks like a cool idea and I wonder if it's within the scope of a project like this to implement an abstraction on the keyboard such that using common macOS keyboard shortcuts are translated to their Linux or Windows equivalents (or vice versa). It's a small peeve but I hate accidentally locking Windows when I meant to put focus on the address bar and start typing a URL...
UPDATE: I stand corrected: I missed that this wasn't the home page... that's what I get for commenting on a new story before I have my morning coffee.
The home page (https://guacamole.apache.org/), has the description front and centre.
The link provided is for their release page, which discusses this particular release.
This comment: https://news.ycombinator.com/item?id=22190442 on this thread has further discussion.
I've looked at using this before to provide a "thin client" legacy desktop app - is anyone doing the same with Guacamole? Care to share your experience?
If I’m understanding you correctly, I used guacamole for just this purpose once. Terrible legacy desktop app needed to be ‘ported’ to ‘the cloud’ ASAP because reasons. While we were working on a proper rewrite, I stood up a VM running the old desktop software and a web page that used guacamole to VNC to the app. Worked fabtabulously, and with a little printer redirection and UI tweaks, wound up being preferred by the users over the rewritten proper web app. In all honesty, not a terrible solution. Users who had been using the app for a decade didn’t have to learn anything new. I did have to learn something new, though, as then we had to port our new features from the real web app back to the VB6 legacy ‘desktop’ app, lol.
I use it to provide access to cloud systems as essentially a bastion. The target computers often have serious vulnerabilities exposed (like metasploitable windows targets, and machines with very easy passwords), so supporting legacy OS & software is reasonably secure (at least if guacamole is the only access point).
There is an AWS marketplace instance available if you search for "guacamole". You log in at a public DNS as ubuntu with the instance-id for the password.
Instance functionality for that quick requirement at a modest fee.
Great product.
Interestingly this seems like what mighty app (https://mightyapp.com) is doing