doc.rustdesk.com/content/self-host/rustdesk-server-pro/installscript/Docker/RustDesk Server Layered Security Model/_index.en.md

---
title: RustDesk Server Layered Security Model
weight: 100
---
Kindly written up by [@I-Am-Skoot](https://github.com/I-Am-Skoot/RustDeskNPMDocker/commits?author=I-Am-Skoot).
### Layers
- [RustDesk](https://github.com/rustdesk/rustdesk) Remote Support Tool
- [NPM](https://nginxproxymanager.com/) Proxy Manager Tool
- [Docker](https://www.docker.com) Containerization Tool
- Firewall Tool
#### Assumptions
This example is an all-in-one setup that hosts only the RustDesk services. It can be expanded into a more flexible solution by splitting NPM into its own Docker Compose file.
- DMZ Network: 192.168.1.0/24
- NPM (External): 192.168.1.250
- LAN Network: 10.0.0.0/24
- RSBackend Network: 192.168.254.0/29
- NPM (Internal): 192.168.254.1
- HBBS: 192.168.254.2
- HBBR: 192.168.254.3
- Docker Host: Linux
- Each application has a dedicated folder in `/opt/`.
- Hostname: uniquehostname (Change This)
- DNS Name: rustdesk.example.com
Make modifications to the examples as needed.
### Prepare Docker
You must have Docker already installed; this guide does not cover installing it.
You will need to create a network for the RustDesk Server Backend and the DMZ.
For each application you use with the NPM (Nginx Proxy Manager) you should have a dedicated backend network to isolate it.
```
docker network create \
--driver=bridge \
--subnet=192.168.254.0/29 RSBackend

docker network create \
--driver=ipvlan --subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o ipvlan_mode=l2 \
-o parent=eth0 DMZ
```
### Setup Firewall
Configure the following Port forwarding/NAT ports from your public IP to the NPM Server.
- 21114 => 8080 TCP
- 21115 => 21115 TCP
- 21116 => 21116 TCP/UDP
- 21117 => 21117 TCP
- 21118 => 21118 TCP
- 21119 => 21119 TCP
- 443 => 443 TCP # If you want to use SSL
### Setup Docker Compose
This will start a container with NPM and the correct networks.
Copy the below into docker-compose.yaml.
```
version: '3.5'
services:
  NPM:
    image: jlesage/nginx-proxy-manager:latest
    container_name: proxy-manager
    volumes:
      - /opt/proxy-manager/config:/config
    restart: 'unless-stopped'
    networks:
      DMZ:
        ipv4_address: 192.168.1.250
      RSBackend:
        ipv4_address: 192.168.254.1
  hbbs:
    container_name: rustdesk_hbbs
    image: rustdesk/rustdesk-server-pro:latest
    command: hbbs -k _
    hostname: uniquehostname # Change This
    volumes:
      - /opt/rustdeskserver:/root
    networks:
      RSBackend:
        ipv4_address: 192.168.254.2
    depends_on:
      - hbbr
    restart: unless-stopped
  hbbr:
    container_name: rustdesk_hbbr
    image: rustdesk/rustdesk-server-pro:latest
    command: hbbr -k _
    volumes:
      - /opt/rustdeskserver:/root
    networks:
      RSBackend:
        ipv4_address: 192.168.254.3
    restart: unless-stopped
networks:
  DMZ:
    external: true
  RSBackend:
    external: true
```
### Setup NPM
Configure Stream Hosts for the following Ports:
- 21115 => 192.168.254.2:21115 TCP
- 21116 => 192.168.254.2:21116 TCP / UDP
- 21117 => 192.168.254.3:21117 TCP
- 21118 => 192.168.254.2:21118 TCP
- 21119 => 192.168.254.3:21119 TCP
- 80 => 127.0.0.1:8080 TCP # catches local traffic
Configure Proxy Host:
- Domain Name: rustdesk.example.com
- Scheme: http
- Forward Hostname / IP: 192.168.254.2
- Forward Port: 21114
- Block Common Exploits: Checked
- Optional: Configure SSL **(DO NOT REQUIRE - Client needs to be able to communicate without SSL.)**
### Setup RustDesk Server
Connect to the server web interface at http://rustdesk.example.com, or https://rustdesk.example.com if you have configured SSL for the web interface.
### Setup RustDesk Client
Configure the client:
- ID Server: rustdesk.example.com
- Relay Server: rustdesk.example.com
- API Server: http://rustdesk.example.com (use HTTPS if you have configured SSL)
- Key: {Server Key Here}
### End Result
Your solution will be accessible externally through the proxy manager, and your RustDesk servers will be isolated from other systems, especially if you use a split configuration and have other applications / sites behind a common NPM.
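As an added example (not part of this page or the RustDesk project), a small Python audit that checks the compose layout above against the layered model it describes: only NPM faces the DMZ, backend containers publish no host ports, every static address lies inside its declared subnet and is unique, and each backend shares a network with NPM. The service and network tables are a hand transcription of the compose file and `docker network create` commands on this page.

```python
import ipaddress

# Transcribed from the docker-compose.yaml and network definitions on this page.
NETWORKS = {
    "DMZ": ipaddress.ip_network("192.168.1.0/24"),
    "RSBackend": ipaddress.ip_network("192.168.254.0/29"),
}
SERVICES = {
    "NPM":  {"networks": {"DMZ": "192.168.1.250", "RSBackend": "192.168.254.1"}},
    "hbbs": {"networks": {"RSBackend": "192.168.254.2"}},
    "hbbr": {"networks": {"RSBackend": "192.168.254.3"}},
}
EDGE = "NPM"       # the only container that may face the DMZ
EXPOSED = "DMZ"    # the network the firewall forwards public traffic into


def audit(services, networks, edge=EDGE, exposed=EXPOSED):
    """Check the compose layout against the layered model; [] means it holds."""
    findings = []
    seen = {}                      # static address -> service that claimed it
    for name, svc in services.items():
        # Backends must be reachable only through the proxy, never via host ports.
        if name != edge and svc.get("ports"):
            findings.append(f"{name}: publishes host ports, bypassing {edge}")
        for net, addr in svc["networks"].items():
            if net not in networks:
                findings.append(f"{name}: attached to undefined network {net}")
                continue
            if ipaddress.ip_address(addr) not in networks[net]:
                findings.append(f"{name}: {addr} lies outside {net} ({networks[net]})")
            if net == exposed and name != edge:
                findings.append(f"{name}: attached to {exposed}; only {edge} may be")
            if addr in seen:
                findings.append(f"{name}: {addr} already assigned to {seen[addr]}")
            seen[addr] = name
    # A backend that shares no network with the proxy is unreachable through it.
    edge_nets = set(services.get(edge, {}).get("networks", {}))
    for name, svc in services.items():
        if name != edge and not edge_nets & set(svc["networks"]):
            findings.append(f"{name}: shares no network with {edge}")
    return findings


if __name__ == "__main__":
    for line in audit(SERVICES, NETWORKS) or ["OK: layered model holds"]:
        print(line)
```

Rerun the audit after editing the compose file; any finding means a container has slipped outside the layer the page assigns it.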