Use xrdp for Remote Desktop to Linux

How To use xrdp on Ubuntu

XRDP on Linux for Windows Remote Desktop Clients

xrdp gives Windows users graphical access to Linux systems just as easily as to other Windows machines, ideally with one and the same application, mstsc.exe, the Windows Remote Desktop Client.

xrdp is an open source implementation of the Remote Desktop Protocol (RDP) that Windows Remote Desktop Services (RDS) use to connect to Windows desktops. The xrdp package brings RDP to the Linux computer by providing an X server that accepts connections from Windows terminal server clients (mstsc).

After the user has connected and authenticated, they receive a virtual X11 desktop on the Windows computer. The advantage of the xrdp solution is that it requires neither an X server nor an additional client, such as a VNC viewer, on the Windows computer.

The xrdp server can be installed with the package manager of the respective Linux distribution, apt-get on Ubuntu or yum and dnf on Fedora and RHEL. On Ubuntu, run:

sudo apt-get install xrdp

The following steps build and install xrdp from the neutrinolabs Git repository. The build process described here was carried out on Ubuntu 17.10 (Artful Aardvark).

How to Install xrdp

First the Linux system is prepared, here Ubuntu MATE 17.10, by installing the build dependencies (all on one line):

sudo apt-get install -y git autoconf libtool pkg-config gcc g++ make libssl-dev libpam0g-dev libjpeg-dev libx11-dev libxfixes-dev libxrandr-dev flex bison libxml2-dev intltool xsltproc xutils-dev python-libxml2 g++ xutils libfuse-dev libmp3lame-dev nasm libpixman-1-dev xserver-xorg-dev

Get the source packages from Github sources:

BD=`pwd`
mkdir -p "${BD}"/git/xrdpbuild
cd "${BD}"/git/xrdpbuild
wget https://github.com/neutrinolabs/xrdp/releases/download/v0.9.5/xrdp-0.9.5.tar.gz
wget https://github.com/neutrinolabs/xorgxrdp/releases/download/v0.2.5/xorgxrdp-0.2.5.tar.gz

Create and install the xrdp server binaries:

cd "${BD}"/git/xrdpbuild
tar xvfz xrdp-0.9.5.tar.gz
cd "${BD}"/git/xrdpbuild/xrdp-0.9.5
./bootstrap
./configure --enable-fuse --enable-mp3lame --enable-pixman
make
sudo make install
sudo ln -s /usr/local/sbin/xrdp{,-sesman} /usr/sbin

Create and install from xorgxrdp:

cd "${BD}"/git/xrdpbuild
tar xvfz xorgxrdp-0.2.5.tar.gz
cd "${BD}"/git/xrdpbuild/xorgxrdp-0.2.5
./bootstrap
./configure
make
sudo make install

Start the xrdp server daemon:

sudo systemctl enable xrdp
sudo service xrdp start

xrdp can also be built from the current GitHub source by cloning the repository:

git clone --recursive https://github.com/neutrinolabs/xrdp
cd xrdp
./bootstrap
./configure
make
sudo make install

The configuration can be adjusted if necessary:

sudo vi /etc/xrdp/xrdp.ini
sudo vi /etc/xrdp/sesman.ini

The remote desktop connection to the Linux xrdp server can now be established:


APPENDIX

Since Xorg X11 is no longer started as root, change allowed_users in /etc/X11/Xwrapper.config from console to anybody.

sudo sed -i 's/allowed_users=console/allowed_users=anybody/' /etc/X11/Xwrapper.config

This can also be done with the dpkg-reconfigure utility.

sudo dpkg-reconfigure xserver-xorg-legacy

If you prefer a different desktop environment, the session that the session manager starts can be changed. Here the X11 session is configured for the MATE desktop environment.

echo mate-session > ~/.Xclients
chmod +x ~/.Xclients
sudo systemctl restart xrdp.service

The alternative desktop environment must be installed first, here on Fedora:

dnf install @mate-desktop

TROUBLESHOOTING

The log files can be followed during troubleshooting:

sudo tail -f /var/log/xrdp.log /var/log/xrdp-sesman.log
systemctl status xrdp.service -l
journalctl -xe

If the RDP session aborts or freezes, allow_channels=true can be set to false in xrdp.ini.

sudo sed -i 's/allow_channels=true/allow_channels=false/' /etc/xrdp/xrdp.ini
sudo service xrdp restart

SELinux can be deactivated for test purposes. The change in /etc/selinux/config takes effect at the next boot; getenforce shows the currently active mode.

sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
/usr/sbin/getenforce

If the firewall rejects the RDP port, it must be opened for RDP, here with firewalld on Fedora:

firewall-cmd --permanent --zone=public --add-port=3389/tcp
firewall-cmd --reload

With ufw on Ubuntu, the firewall should permit the RDP port (3389) and the VNC backend port:

sudo ufw allow 3389
sudo ufw allow 5901

A black screen appears after logging in, followed by an error message:

connection to sesman ip 127.0.0.1 port 3350
sesman connect ok
sending login info to session manager, please wait...
login successful for display 11
VNC started connecting
VNC connecting to 127.0.0.1 5911
VNC error - problem connecting
some problem

It can help to create a new user, with a home directory, and log in as that user via RDP:

sudo useradd -m newuser
sudo passwd newuser

Generating a new certificate can also be useful:

cd /etc/xrdp
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365

Hint: use the host name currently valid for the server as the common name (CN).

Activate the certificate in the xrdp configuration /etc/xrdp/xrdp.ini:

security_layer=negotiate
crypt_level=high
certificate=cert.pem
key_file=key.pem
ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
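As an added example (not part of xrdp or of the original post), the following shell script audits these [Globals] settings in an xrdp.ini: it flags a security_layer that permits unencrypted RDP security, the deprecated TLSv1 and TLSv1.1 entries in ssl_protocols, a missing certificate or key, and a private key readable by other users. It assumes GNU stat and that relative certificate and key paths resolve next to the ini, and runs on a constructed copy of the configuration above.

```shell
#!/bin/sh
# Audit the TLS-related [Globals] settings of an xrdp.ini: security layer,
# offered protocol versions, certificate/key readability and key permissions.
# Added example, not part of xrdp; assumes the key names used above, that
# relative certificate/key paths resolve next to the ini, and GNU stat -c.

# ini_get FILE KEY -> value of KEY in the [Globals] section (empty if unset)
ini_get() {
    awk -v key="$2" -F= '
        /^\[/ { in_globals = ($0 == "[Globals]"); next }
        in_globals && $1 == key { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# audit_xrdp_ini FILE -> prints one finding per line (nothing when all is well)
audit_xrdp_ini() {
    ini="$1"; dir=$(dirname "$ini")
    layer=$(ini_get "$ini" security_layer)
    case "$layer" in
        negotiate|tls|"") ;;   # unset: xrdp's own default applies
        *) echo "security_layer=$layer: clients may use unencrypted RDP security" ;;
    esac
    for p in $(ini_get "$ini" ssl_protocols | tr ',' ' '); do
        case "$p" in TLSv1|TLSv1.1) echo "ssl_protocols offers deprecated $p" ;; esac
    done
    for k in certificate key_file; do
        v=$(ini_get "$ini" "$k"); [ -n "$v" ] || continue
        case "$v" in /*) path="$v" ;; *) path="$dir/$v" ;; esac
        [ -r "$path" ] || echo "$k=$v is not readable at $path"
        # the private key must not be group- or world-readable
        if [ "$k" = key_file ] && [ -f "$path" ]; then
            mode=$(stat -c %a "$path")
            [ "$mode" = 600 ] || echo "key_file $path has mode $mode, expected 600"
        fi
    done
    return 0
}

# Demo on a constructed copy of the configuration shown above, with a
# world-readable key so that the audit has something to report.
tmp=$(mktemp -d)
printf '[Globals]\nsecurity_layer=negotiate\ncrypt_level=high\n' > "$tmp/xrdp.ini"
printf 'certificate=cert.pem\nkey_file=key.pem\n' >> "$tmp/xrdp.ini"
printf 'ssl_protocols=TLSv1, TLSv1.1, TLSv1.2\n' >> "$tmp/xrdp.ini"
printf 'dummy\n' > "$tmp/cert.pem"; printf 'dummy\n' > "$tmp/key.pem"
chmod 644 "$tmp/key.pem"
audit_xrdp_ini "$tmp/xrdp.ini"
rm -r "$tmp"
```

Run it as sudo sh audit.sh /etc/xrdp/xrdp.ini by replacing the demo with audit_xrdp_ini "$1"; an empty output means none of the checks fired.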

Source URL: github.com/neutrinolabs/xrdp/

FortiClient TLS VPN connection failed

FortiClient Failed to establish the VPN connection by TLS. This may be caused by a mismatch in the TLS version. Please check the TLS version settings in the Advanced of the Internet options. (-5029)

When FortiClient is used to establish an SSL-VPN connection to a FortiGate, the following warning message can appear.

Symptom

FortiClient Warning. Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. Please check the TLS version settings in the Advanced of the Internet options. (-5029)

Cause


The now outdated cryptographic protocol TLS 1.0 is no longer enabled by default as of FortiOS 6.0. It is recommended to use at least TLS 1.1 for authentication and data encryption. The current version is TLS 1.3, which has been approved by the IETF (Internet Engineering Task Force).

Solution

If older FortiClient installations that cannot yet connect with TLS 1.2 or higher must continue to be used, for instance until a planned client migration via update rollout is complete, TLS 1.0 can be enabled on the FortiGate.

This measure should only be used temporarily; TLS 1.0 is outdated and is no longer considered secure.

Check current TLS settings

Check the current TLS settings in the FortiGate CLI with the following command:

FG60E # get vpn ssl settings | grep tls
tlsv1-0             : disable
tlsv1-1             : enable
tlsv1-2             : enable
dtls-hello-timeout  : 10
dtls-tunnel         : enable

Enable TLS 1.0 in the CLI:

config vpn ssl settings
set tlsv1-0 enable
end
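As an added example (not Fortinet tooling), this shell script parses the get vpn ssl settings output above into the list of enabled TLS versions and tests whether a client limited to a given maximum TLS version still shares a version with the gateway, the mismatch behind error -5029; it also includes a probe that uses openssl s_client to confirm what a gateway of your own actually negotiates. The sample CLI output is constructed from the form shown above.

```shell
#!/bin/sh
# Parse the TLS versions a FortiGate SSL-VPN portal enables out of the
# 'get vpn ssl settings' output and test whether a client limited to a given
# maximum TLS version shares one with it (no shared version is the mismatch
# behind FortiClient error -5029). Added example, not Fortinet tooling; the
# sample output is constructed and the live probe assumes openssl s_client.

# enabled_tls_versions OUTPUT -> enabled versions, e.g. "1.1 1.2"
enabled_tls_versions() {
    printf '%s\n' "$1" | awk -F'[ :]+' '
        $1 ~ /^tlsv1-[0-9]$/ && $2 == "enable" {
            sub(/^tlsv/, "", $1); sub(/-/, ".", $1)
            out = out (out == "" ? "" : " ") $1
        }
        END { print out }'
}

# client_can_connect CLIENT_MAX ENABLED -> 0 if some enabled version <= CLIENT_MAX
# (assumes the client supports every TLS 1.x version up to its maximum)
client_can_connect() {
    cmax=${1#1.}
    for v in $2; do
        [ "${v#1.}" -le "$cmax" ] && return 0
    done
    return 1
}

# probe_tls HOST PORT VERSION -> 0 if the portal completes a handshake with
# VERSION, given as an openssl s_client option name: tls1, tls1_1 or tls1_2.
probe_tls() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" "-$3" \
        > /dev/null 2>&1
}

# Demo on a constructed sample of the CLI output shown above.
sample='tlsv1-0             : disable
tlsv1-1             : enable
tlsv1-2             : enable
dtls-hello-timeout  : 10
dtls-tunnel         : enable'
enabled=$(enabled_tls_versions "$sample")
echo "gateway enables TLS $enabled"
for cmax in 1.0 1.2; do
    if client_can_connect "$cmax" "$enabled"; then
        echo "client limited to TLS $cmax: can connect"
    else
        echo "client limited to TLS $cmax: no common version (error -5029)"
    fi
done
```

To check a live gateway, call for example probe_tls vpn.example.invalid 443 tls1_2 (placeholder host) once per version and compare the results with the CLI output.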

How to enable TLS 1.0 on Windows


TLS version 1.0 can also be activated in the Windows Internet Options control panel (inetcpl.cpl).


Press Win+R and enter inetcpl.cpl.


In the Internet Properties window that opens, switch to the Advanced tab and tick Use TLS 1.0 to enable it.


Troubleshooting MTU size in VPN connections

When FortiClient SSL-VPN is used on older Windows versions, or behind routers with a PPPoE Internet connection, errors when establishing the connection can be eliminated as follows.

The FortiClient error message reads:

Unable to establish the VPN connection. The VPN server may be unreachable (-5)

Check MTU size using netsh in command prompt

To do this, check the MTU size of the network interfaces with the following command in an open command prompt:

netsh interface ipv4 show subinterface

The output might look something like this:

C:\> netsh interface ipv4 show subinterface

   MTU  Medienerkennungsstatus   Bytes eingehend  Bytes ausgehend  Schnittstelle
------  ---------------  ---------  ---------  -------------
  1500                5          0          0  Ethernet
  1500                1  598892209   19487894  WiFi
  1500                5          0          0  Mobilfunk
  1500                1       5248     144442  VMware Network Adapter VMnet1
  1500                5          0          0  LAN-Verbindung* 1
  1500                1          0     134436  VMware Network Adapter VMnet8
  1500                5          0          0  LAN-Verbindung* 5
4294967295                1          0      67869  Loopback Pseudo-Interface 1
  1500                5          0          0  Bluetooth-Netzwerkverbindung
  1500                5          0          0  Ethernet 3

Check the MTU size and adjust it to 1400 if necessary, using netsh in a command prompt opened as administrator:

netsh interface ipv4 set subinterface Ethernet mtu=1400 store=persistent

Alternatively, open Regedit and navigate to the following key:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Under the interface with the matching IP address, here {222e135b-d09c-47a3-9236-63a041a02ea6}, change the DWORD value MTU to 578 hexadecimal (1400 decimal).


After restarting the computer, the SSL-VPN connection can be established.
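As an added example (not Fortinet or Microsoft tooling), this shell script finds the path MTU by binary search with DF-flagged pings and derives the netsh and registry values from it. It assumes Linux iputils ping for the live probe (Windows uses ping -f -l SIZE HOST for the same test) and demonstrates the search on a constructed path that behaves like an MTU of 1400.

```shell
#!/bin/sh
# Measure the largest ICMP payload that crosses the VPN path unfragmented and
# derive the interface MTU to set (the netsh mtu= value and, in hex, the
# registry MTU DWORD). Added example, not Fortinet or Microsoft tooling; the
# default probe assumes Linux iputils ping (-M do sets DF, -s the payload).
# The Windows equivalent of one probe is: ping -f -l SIZE HOST

# icmp_probe HOST SIZE -> 0 if one DF-flagged ping with SIZE payload bytes is answered
icmp_probe() {
    ping -M do -s "$2" -c 1 -W 1 "$1" > /dev/null 2>&1
}

# payload_to_mtu SIZE -> IPv4 MTU = payload + 8 (ICMP header) + 20 (IP header)
payload_to_mtu() { echo $(( $1 + 28 )); }

# mtu_to_reg_hex MTU -> hexadecimal string for the registry MTU DWORD (1400 -> 578)
mtu_to_reg_hex() { printf '%x\n' "$1"; }

# find_pmtu HOST [PROBE] -> binary search for the path MTU between 576 and 1500.
# PROBE (default icmp_probe) is called as PROBE HOST SIZE and returns 0 on success.
find_pmtu() {
    host="$1"; probe="${2:-icmp_probe}"
    lo=548; hi=1472          # payload sizes for an MTU of 576 and 1500
    "$probe" "$host" "$lo" || { echo "not even MTU 576 passes" >&2; return 1; }
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    "$probe" "$host" "$hi" && lo=$hi   # the full 1500 may pass as well
    payload_to_mtu "$lo"
}

# Demo with a constructed path that drops DF packets above a 1372-byte payload,
# i.e. a path MTU of 1400 as adjusted above; no network needed (placeholder host).
sim_probe() { [ "$2" -le 1372 ]; }
mtu=$(find_pmtu vpn.example.invalid sim_probe)
echo "path MTU: $mtu"
echo "netsh interface ipv4 set subinterface Ethernet mtu=$mtu store=persistent"
echo "registry MTU DWORD (hex): $(mtu_to_reg_hex "$mtu")"
```

Against a real gateway, run find_pmtu <gateway> without the second argument from a host on the affected link; the result is the value to set with netsh.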