2

I have set up CCTV running on Ubuntu 22.04 LTS on an Intel NUC. I want to be able to remotely access the PC, mostly for troubleshooting, and want a graphical interface for the remote desktop. The software I have tried so far either doesn't start when the login screen shows (so remote desktop on reboot is not possible) or just doesn't work.

I want to start from scratch. I currently have access to the PC, but won't have that for a few months in the future. I will reinstall everything and would be grateful for guidance and suggestions to have the following features -

  • Remote desktop with GUI
  • Works on login screen after reboot
  • Stable with XFCE (because lightweight)
  • Secure
Ashu
  • 1
    If you have remote access with SSH, setting up a limited form of remote desktop, that is, X11 forwarding would be much easier – Daniel T Feb 07 '24 at 09:39
  • 1
    To use vnc have the remote pc autologin. – Organic Marble Feb 07 '24 at 13:54
  • Let me know if the answers below worked for you. If it works, consider accepting one of the answers as correct by clicking on the gray check mark ✔️ and turn it green ✅. This will indicate that your problem is solved and help others. – user68186 Mar 20 '24 at 20:12

3 Answers

0

Install RealVNC Server in the PC which you want to access.

Create a Real VNC account and sign in to VNC Server.

Install RealVNC Viewer on the computer/phone which you will use to control the first computer. Then, sign in with your Real VNC account, and the other computer should show up.

VNC Server works even in the login screen, so you can use it to remotely login.

Archisman Panigrahi
0

To simplify connections without compromising security I prefer to use a VPN like Wireguard or Tailscale to establish a permanently active and heavily encrypted tunnel. As the connections are point-to-point through the tunnel, they cannot be tampered with in any place outside the PC and the remote host.

Wireguard is the foundation of Tailscale, and open source, but requires some tinkering to generate keys for the nodes and edit files. It is not overly complicated, but requires some work. By contrast, Tailscale is free for a limited number of nodes and it is configured using only an email account to register the nodes, as it generates/updates keys automatically without user intervention. In any case, there is interesting info/description of the techniques used that is worth reading on the Tailscale site.

  1. Install Wireguard (wireguard.com) or Tailscale (tailscale.com) on the server and on your local PC/laptop. After installing/configuring, the VPN tunnel so created is encrypted with secure algorithms, permanent, and requires minimal maintenance (if any). With one or the other you get/configure a special IP address to identify the PC and server nodes.

  2. Install tightvnc on the server (Tutorial for Ubuntu 20.04/xfce), and be sure to authorize input/output traffic coming/going to/from the VPN tunnel interface in the server firewall.

  3. Launch your favorite VNC client in the PC and connect to the remote server tunnel IP address (or use the tightvnc web interface without need of installing a dedicated client in the PC). Even if the VNC client/server used don't encrypt communications, they are secured by the VPN.

Bonus: If you activate other services on the server, like SSH, they are accessible through the VPN with minimal overhead, so you can transfer files, etc. You can add more nodes to the VPN net and have several points of access (or several users, if you wish).

Fjor
0

XRDP

Open a terminal by Ctrl+Alt+T and enter:

sudo apt install xrdp

You will be prompted to enter your password. As you enter your password the cursor will not move. This is normal.

If you have ufw (Uncomplicated Firewall) enabled you will have to open the port 3389 with this command:

sudo ufw allow 3389

You won't need to open port 3389 if you use "ssh tunnel" described below.

Verify that the xrdp server is up and running with this command:

sudo systemctl status xrdp

Remember to log out

Logging out (locally) is the most important part. If you log in by physically going to the computer and connecting keyboard, mouse, monitor etc., then xrdp won't work until you log out.

A Note about xrdp local and remote login

Do not use Automatic login to the desktop when the computer starts!

Unlike RDP in Windows, xrdp only works if you are not logged in to the remote computer locally. This means that if you physically go to the remote computer and log in to it, and then leave the computer without logging out, xrdp will not work.

Similarly, while remotely logged in via xrdp you may disconnect without logging out and the session will continue. However, in this case, you won't be able to login locally until you log out remotely.

This is not a problem for a headless computer as you never login locally.

Security

At this stage the security of this remote computer depends on the complexity and length of your login password. Any hacker can try to guess your userID and password. Set a very long and complex password.

SSH tunnel

If the computer you will use to access this remote Intel NUC runs Ubuntu (or some other Linux) you can use the remote app Remmina and use "ssh tunnel". For this you will need to set up ssh server in your Intel NUC.

See Connect two computers with SSH in a home LAN for how to set up an ssh server with key based authentication.

Once key based authentication for ssh works, disable password based authentication for ssh. Open the port 22 for ssh:

sudo ufw allow 22

Remove the "allow 3389" rule if you had set it up before.

You may want xrdp to accept connection only from the localhost if you use ssh tunnel.

Edit the file /etc/xrdp/xrdp.ini and comment out (with ;) the line:

;port=3389

And add this line, based on the examples in this file:

port=tcp://.:3389

Then restart the service with:

sudo service xrdp restart

Set up Remmina to use xrdp with ssh tunnel

Edit the settings of the XRDP connection you have set up in Remmina for your remote connection and go to the SSH Tunnel tab as shown below:

[Image: Remmina ssh tunnel]

Make sure the following are enabled/checked:

  • Enable SSH Tunnel
  • Tunnel via loopback address
  • Same server at port 22

as shown in the picture above. Save the new Remmina setting and try to connect. If all went well only you should be able to connect to your xrdp server and no one else will.

Hope this helps

user68186
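
A way to confirm that the two settings the SSH-tunnel setup in the answer above depends on are actually in effect, as an added example that is not part of the original answer: it reads an xrdp.ini and an sshd_config and reports whether xrdp listens only on loopback and whether ssh password logins are off. The function names are hypothetical and the sample files are constructed.

```sh
#!/usr/bin/env sh
# Added example: audit helpers for the SSH-tunnel setup; function names are hypothetical.

# Collect every active "port=" value in [Globals] of an xrdp.ini (";" lines are comments).
xrdp_port_value() {
    awk '
        /^[ \t]*\[/ { g = (tolower($0) ~ /\[globals\]/) }
        g && /^[ \t]*port[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = v " " $0
        }
        END { print v }' "$1"
}

# "loopback" only if every listener is a 127.0.0.1 / ::1 form, otherwise "exposed".
# A missing port= line is reported as "exposed" (conservative assumption).
xrdp_listener_scope() (
    set -f                          # no globbing while splitting the value
    scope=loopback
    v=$(xrdp_port_value "$1")
    [ -n "$v" ] || scope=exposed
    for tok in $v; do
        case "$tok" in
            tcp://.:*|tcp6://.:*|tcp://127.0.0.1:*) ;;
            *) scope=exposed ;;
        esac
    done
    echo "$scope"
)

# Global PasswordAuthentication in one sshd_config file: first match wins, default "yes".
# Simplification: Include files and Match blocks are not followed; `sshd -T` is authoritative.
ssh_password_auth() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); f = 1; exit }
        END { if (!f) print "yes" }' "$1"
}

demo() {
    d=$(mktemp -d)
    # Constructed sample files, not taken from a real host.
    printf '[Globals]\n;port=3389\nport=tcp://.:3389\n' > "$d/xrdp.ini"
    printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_config"
    echo "xrdp listener:     $(xrdp_listener_scope "$d/xrdp.ini")"
    echo "ssh password auth: $(ssh_password_auth "$d/sshd_config")"
    rm -rf "$d"
}
demo
```

On the NUC, point the functions at /etc/xrdp/xrdp.ini and /etc/ssh/sshd_config; the setup described above should report loopback and no.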