4.0 KiB
| title | weight |
|---|---|
| RustDesk Server Layered Security Model | 100 |
Kindly written up by @I-Am-Skoot
Layers
Assumptions
This example is an All in One for hosting just RustDesk services only. This can be expanded to a more flexible solution by splitting the NPM into it's own Docker-Compose.
- DMZ network 192.168.1.0/24
- NPM (External): 192.168.1.250
- LAN Network: 10.0.0.0/24
- RSBackend Network: 192.168.254.0/29
- NPM (Internal): 192.168.254.1
- HBBS: 192.168.254.2
- HBBR: 192.168.254.3
- Docker Host: Linux
- Each application has a dedicated folder in /opt/
- Hostname: uniquehostname (Change This)
- DNS Name: rustdesk.example.com
Make modifications to the examples as needed
Prepare Docker:
You must have docker already installed this guide does not go into the specifics of that.
You will need to create a network for the RustServer Backend and the DMZ. For each application you use with the NPM (NGINX Proxy manager) you should have a dedicated backend network to isolate it.
docker network create \
--driver=bridge \
--subnet=192.168.254.0/29 RSBackend
docker network create \
--driver=ipvlan --subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o ipvlan_mode=l2 \
-o parent=eth0 DMZ
Setup Firewall
Configure the following Port forwarding/NAT ports from your public IP to the NPM Server.
- 21114 => 8080 TCP
- 21115 => 21115 TCP
- 21116 => 21116 TCP/UDP
- 21117 => 21117 TCP
- 21118 => 21118 TCP
- 21119 => 21119 TCP
- 443 => 443 TCP # If you want to use SSL
Setup docker-copose
This will start a container with NPM and the correct networks.
Docker-Compase.yaml
version: '3.5'
services:
NPM:
image: jlesage/nginx-proxy-manager:latest
container_name: proxy-manager
volumes:
- /opt/proxy-manager/config:/config
restart: 'unless-stopped'
networks:
DMZ:
ipv4_address: 192.168.1.250
RSBackend:
ipv4_address: 192.168.254.1
hbbs:
container_name: rustdesk_hbbs
image: rustdesk/rustdesk-server-pro:latest
command: hbbs -k _
hostname: uniquehostname #Change This
volumes:
- /opt/rustdeskserver:/root
networks:
RSBackend:
ipv4_address: 192.168.254.2
depends_on:
- hbbr
restart: unless-stopped
hbbr:
container_name: rustdesk_hbbr
image: rustdesk/rustdesk-server-pro:latest
command: hbbr -k _
volumes:
- /opt/rustdeskserver:/root
networks:
RSBackend:
ipv4_address: 192.168.254.3
restart: unless-stopped
networks:
DMZ:
external: true
RSBackend:
external: true
Setup NPM
Configure Stream Hosts for the following Ports:
- 21115 => 192.168.254.2:21115 TCP
- 21116 => 192.168.254.2:21116 TCP / UDP
- 21117 => 192.168.254.3:21117 TCP
- 21118 => 192.168.254.2:21118 TCP
- 21119 => 192.168.254.3:21119 TCP
- 80 => 127.0.0.1:8080 TCP # catches local traffic
Configure Proxy Host
- Domain Name: rustdesk.example.com
- Scheme: http
- Forward Hostname / IP: 192.168.254.2
- Forward Port: 21114
- Block Common Exploits: Checked
- Optional: Configure SSL DO NOT REQUIRE - Client needs to be able to communicate without ssl.
Setup RustDesk Server
Connect to Server interface http://rustdesk.example.com or https:// if you have configured SSL for web interface.
Setup RustDesk Client
Configure the client
- ID Server: rustdesk.example.com
- Relay Server: rustdesk.example.com
- API Server: http://rustdesk.example.com (use HTTPS if you have configured SSL)
- Key: {Server Key Here}
End Result
Your solution will be accessible externally through the Proxy manager. You will have isolation of your RustDesk Servers from other systems (Especially if you use a split configuration system and have other applications / sites behind a common NPM)