How to Set Up an Alpine Linux VM Hosting XRDP and XFCE for Secure Remote Desktop Access

Introduction

A client recently asked if their approach to remote desktop access was correct. They leave their office PC on and connect to it via remote desktop. Their main requirement is to access internal resources through a browser (they use Brave, so the BSDs cannot currently be used), and they prefer not to use their home computers, for security reasons. I can understand their concern – I wouldn’t be comfortable knowing that a home PC (possibly shared with others) could connect to the company VPN and have unrestricted access.

Setting Up Alpine Linux on a VM

To address this, I downloaded the Alpine Linux Virt ISO from the official site and installed it on a VM in their office datacenter. They use Proxmox, which made the process quite straightforward. I allocated 20GB of disk space, 4GB of RAM, and 2 CPU cores to the VM. For added security, the installation process allows you to encrypt the disk. Note that if you choose this option, you’ll need to open the hypervisor console and re-enter the password every time the VM restarts.

During the Alpine installation, create a non-privileged user who will be using the remote desktop we’re about to set up.

Initial Configuration

Once the installation is complete, you can log in via the console as root or use SSH with the newly created non-privileged user. In the latter case, you’ll first need to switch to the root user:

su -

Enable the community repository by uncommenting it in /etc/apk/repositories:

http://dl-cdn.alpinelinux.org/alpine/v3.20/main
http://dl-cdn.alpinelinux.org/alpine/v3.20/community

Installing Required Packages

Next, install the main packages needed to manage the remote desktop:

apk add xrdp xorgxrdp xorg-server xfce4 xfce4-terminal wireguard-tools ifupdown-ng-wireguard

Edit the /etc/xrdp/xrdp.ini file so that xrdp listens only on the VPN’s private IP (the address assigned to the WireGuard interface), avoiding exposure to the LAN (or worse, the WAN). In the [Globals] section, replace the default port line with:

port=tcp://172.16.16.1:3389

Enable xrdp:

rc-update add xrdp
rc-update add xrdp-sesman

Configuring Wireguard

To set up Wireguard, navigate to /etc/wireguard and create the keys:

wg genkey | tee server.privatekey | wg pubkey > server.publickey

Create a configuration file wg0.conf:

[Interface]
Address = 172.16.16.1/24
ListenPort = 4242
PrivateKey = <server private key value> # the key from the previously generated privatekey file

[Peer]
PublicKey = <client public key value> # client’s public key
AllowedIPs = 172.16.16.2/32

On the client, the configuration should look like this:

[Interface]
PrivateKey = <client private key value>
Address = 172.16.16.2/24

[Peer]
PublicKey = <server public key value>
AllowedIPs = 172.16.16.0/24
Endpoint = <server public ip>:4242

Then, open the /etc/network/interfaces file and add:

auto wg0
iface wg0 inet static
pre-up wg-quick up /etc/wireguard/wg0.conf

Reboot the VM, and everything should be ready. Just be sure to set your router/firewall to forward UDP port 4242 to the VM’s LAN IP for WireGuard access. If the VM is directly exposed on a public IP, this won’t be necessary, but remember that SSH will be exposed too, so take care.
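Before rebooting, it is worth verifying the two settings that make this setup safe: that xrdp is bound to the WireGuard address rather than to every interface, and that each peer in wg0.conf is limited to a single /32 host. The following POSIX sh audit helper is an added example, not part of the original post; it parses the same xrdp.ini and wg0.conf layout used above and runs against constructed sample contents, so the file paths and placeholder key values are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original post): checks that xrdp is bound only
# to the WireGuard address from wg0.conf and that every peer is a single /32 host,
# so the desktop is unreachable from the LAN/WAN. Sample configs are constructed.
# First "port=" line is the [Globals] listener in xrdp.ini; print its bind address.
# "port=3389" means all interfaces, "port=tcp://ADDR:PORT" means that address only.
xrdp_bind_addr() {
    line=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*port=//p' | head -n1)
    case "$line" in
        tcp://*:*) addr=${line#tcp://}; printf '%s\n' "${addr%:*}" ;;
        [0-9]*)    printf '%s\n' '0.0.0.0' ;;   # bare port number: every interface
        *)         printf '%s\n' "$line" ;;
    esac
}

# Print the [Interface] Address of a WireGuard config without its prefix length.
wg_iface_addr() {
    printf '%s\n' "$1" | sed -n 's#^[[:space:]]*Address[[:space:]]*=[[:space:]]*\([^/[:space:]]*\).*#\1#p' | head -n1
}

# 0 when xrdp listens exactly on the WireGuard address, 1 otherwise.
xrdp_bound_to_wg() {
    bind=$(xrdp_bind_addr "$1"); wg=$(wg_iface_addr "$2")
    [ -n "$bind" ] && [ -n "$wg" ] && [ "$bind" = "$wg" ]
}

# 0 when every [Peer] AllowedIPs entry is a /32 host (no whole-subnet peers), 1 otherwise.
peers_are_single_hosts() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' |
        tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | grep -qv '/32$' && return 1
    return 0
}

# Constructed samples mirroring the post (placeholders stand in for the real keys).
SAMPLE_XRDP_INI='[Globals]
port=tcp://172.16.16.1:3389
[Xorg]
port=-1'
SAMPLE_WG0='[Interface]
Address = 172.16.16.1/24
[Peer]
PublicKey = <client public key value>
AllowedIPs = 172.16.16.2/32'

if xrdp_bound_to_wg "$SAMPLE_XRDP_INI" "$SAMPLE_WG0" && peers_are_single_hosts "$SAMPLE_WG0"; then
    echo "ok: xrdp reachable only over wg0"
else
    echo "WARNING: xrdp bind or peer scope is wider than the VPN"
fi
```

To audit the live VM, pass the real file contents instead of the samples, e.g. `xrdp_bound_to_wg "$(cat /etc/xrdp/xrdp.ini)" "$(cat /etc/wireguard/wg0.conf)"`.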

Connecting via Remote Desktop

Use your favorite RDP remote desktop client and point it to 172.16.16.1. You should see a login screen.

Installing Brave Browser

To install Brave Browser on Alpine Linux, the easiest way is to use Flatpak. Open a terminal and, as root, install Flatpak and Brave Browser:

su -
apk add flatpak
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install flathub com.brave.Browser

After logging out and back into the remote desktop, Brave should appear in the list of applications. Launch it, and you can synchronize it with the Brave installation on your work PC. This setup ensures that everything works seamlessly on the virtual remote desktop.

Conclusion

This approach offers multiple benefits. By exposing the remote desktop via Wireguard, you significantly enhance security without compromising access to internal services. This method ensures that your internal resources remain protected while being easily accessible when needed.