by w0utert 2334 days ago
I really like the idea implemented by Apache Guacamole, but when I tried to install it on my home server to get remote desktops to my other machines when abroad, it was a huge letdown.

First of all the installation process is terrible, you need to install and configure a whole working tomcat8 server first and manually deploy the application WAR, configuration is non-obvious and obtuse, and the first ~10 tries after deploying Guacamole failed to establish VNC connections without a clear indication what went wrong. Over the years I've installed loads of services, not just trivial ones (e.g. nginx with SSL and multiple vhosts on different domains, reverse proxies, SSH tunnels, VPN servers, etc) and while I wouldn't say installing Guacamole was hard, the process just felt unnecessarily complicated. Not a nice experience.

Second, when I finally managed to get Guacamole to establish a VNC connection to an OS X client, the performance was straight up horrible. That's over a Gbit ethernet LAN, which I also use to stream games to a steam link at 60fps. Granted, this was connecting to a desktop with 5K resolution and 32-bit color, but connecting to it directly using a VNC client works just fine. Through Guacamole it was literally unusable.

Is this to be expected?

5 comments

My recommendation: Use Docker. No need to deal with all the gritty details. If needed, reverse-proxy it.

Guacamole is (in my experience) unfortunately rather inefficient concerning bandwidth.

You can’t compare it to Steam Link either, because that’s using H264 video compression. Guacamole does not use video compression.

A single 5K 24 bit bitmap is ~42 MiB. That’s a lot, even compressed and especially at reasonable frame rates.

I second using containers for guacamole.

Also agree, this isn't intended to be a replacement for direct access, nor for streaming purposes.

This gives you an RDP session with no software install needed. The use case of guacamole is accessing a system from anywhere without needing your ssh keys, RDP, or VNC software. If you're happy doing any of those directly, adding a middle man doesn't add any value.

That said, if you're managing others accessing the system, you can bastion off the target machines and only expose this access. This lets you put the target machines behind NAT, and only manage one entry point.

Yeah, this is a neat tool, but I'm wondering what actual use case this is fulfilling. Installing an RDP or VNC client isn't a huge effort. If you're enterprise, you're probably already paying for TeamViewer or something similar. The biggest issue is usually the handshake between a client and machine on a private LAN.

The Virginia Cyber Range (www.virginiacyberrange.org) is a taxpayer funded organization that leverages this project heavily to give K-12+ students access to virtual machines for cybersecurity education.

Some of our customers are on Chromebooks, but with this they can access machines without installing software.

For students at home, it's the same experience, no need to provide at-home setup instructions for all the common operating systems.

In schools using computer labs, no need to install software at all. IT admins see Guacamole's requirements for service and it requires them to do no work, and opens no threats to their network.

This allows us to replicate the capabilities of virtual box or similar software without teachers needing to know anything about virtualization, or dealing with the first session/week being the struggle to find BIOS flags to turn on, and getting the virtualization software working.

We currently see about 500-800 unique guacamole connections per day, it's fairly reliable.

Awesome project! Glad you were able to leverage an OSS project to make your UX streamlined and approachable.

Most ASF projects are not what I would call end-user tools; they're a collection of enabling technologies under an open source license so that they can be integrated in a modular way into a wide range of other products that an end-user would interact with. For better or worse, this seems to be the way that open source is being funded and used by the industry these days.

We use it in conjunction with Pulse Secure. Users are able to remote into their Windows desktops via RDP after creating the connection from a web portal.

>> This gives you an RDP session with no software install needed. The use case of guacamole is accessing a system from anywhere without needing your ssh keys, RDP, or VNC software. If you're happy doing any of those directly, adding a middle man doesn't add any value.

The point is that I'm not happy to do this directly, for various reasons. I don't want to open up any ports that get forwarded to my LAN for remote desktop, and I want to be able to access LAN clients from machines behind a proxy that just blocks anything but http/https traffic. That's why I looked into Guacamole.

Maybe RDP connections work better with guacamole, compared to VNC, but I don't have any windows machines I want to remote into, so that's of no value to me.

Try Xrdp https://en.wikipedia.org/wiki/Xrdp

I use it on a bunch of Ubuntu 18.04 systems, works out of the box with apache guacamole.

>> You can’t compare it to Steam Link either, because that’s using H264 video compression. Guacamole does not use video compression.

This part I don't really understand. Why would a client <-> guacamole <-> VNC connection be less inefficient in terms of bandwidth compared to a direct client <-> VNC connection?

And if the general idea of sending screen data to a client would be much more efficient if you use something like H264, why doesn't Guacamole implement some kind of similar compression technique?

I used NX for a while, and that does something very similar. On a slow connection you can actually see the compression artefacts when scrolling. It's not pretty, but at least it makes the machine accessible.

Anyway, when I tried guacamole, it was over Gbit LAN, if that's not even enough to expose a VNC client using Guacamole, what's the point?

> Why would a client <-> guacamole <-> VNC connection be less inefficient in terms of bandwidth compared to a direct client <-> VNC connection?

Because it’s not using the VNC protocol. It’s the Guacamole protocol. It is more restricted compared to modern VNC compression variants.

> I used NX for a while, and that does something very similar. On a slow connection you can actually see the compression artefacts when scrolling. It's not pretty, but at least it makes the machine accessible.

NoMachine NX is a different beast altogether. It’s comparable to RDP in that it deals directly with the actual (X11) objects instead of (just) their on-screen rendering. It’s basically advanced compression over X11 forwarding over SSH.

---

The point is HTML5. It works everywhere you have a somewhat reasonable browser.

Compressing the H264 requires quite a bit more processor power on the server. It's fine for steam link because the use case usually involves a powerful gaming PC on the server end, often with a dedicated GPU video encoder.

Is there a similar system to Guacamole that does involve encoding?

I was actually looking at this a few days ago because I've been very interested in implementing something like Google's Project Stream locally where I can render things in the browser, but frame rate is important for me.

If only there was a way to intercept the screen drawing commands and send those over the network instead.

Agreed, the configuration is not pleasant. I also tried many alternatives to this while abroad recently and actually found plain VNC the most performant and pleasant to use, and it's trivial to set up.

Guacamole is not intended to replace normal remote connections... It provides additional features that target people who can't reasonably use RDP or VNC themselves ...

It provides access management so you don't need to expose the server, or the user/passwords, to gain access... You can also record the sessions ... And some other neat features... None of which really seem to replace a direct connection made by a technically savvy individual between two machines on a network he controls.

But imagine the benefit for schools -- high schoolers can be given access to a virtual machine, without installing RDP or similar protocols on the student's machine, and without giving them virtualization tools that might allow them to bypass student safety protections

Yep, I totally understand the value of it. I just don't recommend it for individual 'homelab' type use cases unless you really need to log in without any client.

I wanted to try all the options because there are many claims out there that they are somehow faster than VNC or other solutions due to clever protocols or compression, however I found that this wasn't really true.

Have you tried Bitnami VMs and cloud images? https://bitnami.com/stack/guacamole

> Second, when I finally managed to get Guacamole to establish a VNC connection to an OS X client, the performance was straight up horrible.

Well, there’s your problem: Mac VNC. In order to get “OK” VNC performance on a Mac you have to:

* Make sure a display is connected to it (either real or a display emulator dongle)

* Use the built in Mac VNC server

* Use a VNC client like Remotix that has support for the VNC extensions that Apple uses to boost performance

In other words, use something else, like NoMachine (or similar) which does h264 compression.

Thanks for testing this for us.