How to Set Up a Alpine Linux VM Hosting XRDP and XFCE for Secure Remote Desktop Access
Stefano Marinelli included in Alpine Linux Server Networking Hosting Tutorial Desktop Ownyourdata
Introduction
A client recently asked if their approach to remote desktop access was correct. They leave their office PC on and connect to it via remote desktop. Their main requirement is to access internal resources via a browser (they use Brave, so the BSDs cannot be currenly used) and they prefer not to use their home computers for security reasons. I can understand their concern – I wouldn’t be comfortable knowing that a home PC (possibly shared with others) could connect to the company VPN and have unrestricted access.
Setting Up Alpine Linux on a VM
To address this, I downloaded the Alpine Linux Virt ISO from the official site and installed it on a VM in their office datacenter. They use Proxmox, which made the process quite straightforward. I allocated 20GB of disk space, 4GB of RAM, and 2 CPU cores to the VM. For added security, the installation process allows you to encrypt the disk. Note that if you choose this option, you’ll need to access the virtualizer console to re-enter the password every time the VM restarts.
During the Alpine installation, create a non-privileged user who will be using the remote desktop we’re about to set up.
Initial Configuration
Once the installation is complete, you can log in via the console as root or use SSH with the newly created non-privileged user. In the latter case, you’ll first need to switch to the root user:
| |
Enable the community repository by uncommenting it in /etc/apk/repositories:
| |
Installing Required Packages
Next, install the main packages needed to manage the remote desktop:
apk add xrdp xorgxrdp xorg-server xfce4 xfce4-terminal wireguard-tools ifupdown-ng-wireguard
Edit the /etc/xrdp/xrdp.ini file to ensure xrdp listens only on the VPN’s private IP, avoiding exposure to the LAN (or worse, the WAN):
| |
Enable xrdp:
| |
Configuring Wireguard
To set up Wireguard, navigate to /etc/wireguard and create the keys:
wg genkey | tee server.privatekey | wg pubkey > server.publickey
Create a configuration file wg0.conf:
| |
On the client, the configuration should look like this:
| |
Then, open the /etc/network/interfaces file and add:
| |
Reboot the VM, and everything should be ready. Just be sure to set your router/firewall to forward the 4242 UDP port to the VPS LAN ip for Wireguard access. If the VM has been exposed via public IP, this won’t be necessary, but remember that ssh will be exposed, too so take care.
Connecting via Remote Desktop
Use your favorite RDP remote desktop client and point it to 172.16.16.1. You should see a login screen.
Installing Brave Browser
To install Brave Browser on Alpine Linux, the easiest way is to use Flatpak. Open a terminal and, as root, install Flatpak and Brave Browser:
| |
After logging out and back into the remote desktop, Brave should appear in the list of applications. Launch it, and you can synchronize it with the Brave installation on your work PC. This setup ensures that everything works seamlessly on the virtual remote desktop.
Conclusion
This approach offers multiple benefits. By exposing the remote desktop via Wireguard, you significantly enhance security without compromising access to internal services. This method ensures that your internal resources remain protected while being easily accessible when needed.
Related Content
- How to Create a FreeBSD Jail Hosting XRDP and XFCE for Remote Desktop Access
- How We Are Migrating (Many Of) Our Servers From Linux to FreeBSD - Part 3 - Proxmox to FreeBSD
- Make Your Own E-Mail Server - Part 2 - Adding Webmail and More With Nextcloud
- Make Your Own E-Mail Server - Part 1 - FreeBSD, OpenSMTPD, Rspamd and Dovecot Included
- Installing Alpine Linux on a FreeBSD Jail