Linux and Remote Desktop Protocol (RDP)

When accessing a resource remotely, the VNC protocol is the usual choice for systems such as Linux. But I found it quite complex to set up, especially with a virtual desktop. So I will explain how to set up this access with Microsoft's RDP protocol.


Prerequisites

To connect to the remote computer, the only thing you need is an RDP client. One is natively integrated in Windows, and clients can be downloaded from any app store for other systems.

For the remote computer on Linux, you need to have a desktop environment already installed, meaning that your installation should be able to display a desktop. The common desktops for Linux are Gnome, KDE and XFCE, but there are many more. If you do not have one, install MATE for example:

sudo apt install mate-desktop-environment

If you already have a desktop environment, you are good to go for the next steps.

Installation of xRDP

To install xRDP on Linux Mint:

sudo apt install xrdp xorgxrdp -y
echo "env -u SESSION_MANAGER -u DBUS_SESSION_BUS_ADDRESS cinnamon-session" > ~/.xsession

In my case, since I am using Linux Mint 20 with the Cinnamon desktop, which runs on a pre-existing X.org install, the xorgxrdp package is necessary; it also brings features such as screen resizing.

Let’s check if the service is correctly enabled with:

sudo systemctl status xrdp
xrdp should be reported as active (running). If not, try with: sudo systemctl start xrdp

Depending on the xRDP configuration and the security options chosen, some certificates may be necessary, but the xrdp user cannot read some of them unless it belongs to the appropriate group. So the xrdp user needs to be added to the ssl-cert group. To do so:

sudo adduser xrdp ssl-cert

Restart the service with:

sudo systemctl restart xrdp

Activate the automatic startup with:

sudo systemctl enable xrdp

Now, xRDP is ready to be used! Let’s have a look at the configuration.

Note: Before going any further, check that your firewall has an exception for port 3389. Otherwise, it might block the incoming connection. On Linux Mint, you can add an exception with this command: sudo ufw allow 3389

xRDP Configuration

Even without modifying any parameter of the default configuration, it is possible to connect remotely to the machine. But some parameters are worth presenting, since the authoritative configuration is held by xRDP and not by the client. For example, the color depth is set by the server, and the client cannot modify it despite its drop-down menu.

The first configuration file is located in: /etc/xrdp/xrdp.ini. You can edit it with your favorite editor: sudo nano /etc/xrdp/xrdp.ini

xrdp.ini Configuration File

In this file, we can modify the port used for the connection or parameters related to the login screen appearance. You can find the full parameter list at this link.

I only changed max_bpp=15, which corresponds to a 15-bit color depth, in order to save bandwidth. Note that you will not be able to modify it through the RDP client.

The second configuration file is located in: /etc/xrdp/sesman.ini. This one is related to session options. The full details are available here.

The options I have updated are related to who is allowed to connect to the machine:

AllowRootLogin=false ; Prevent the root user from logging in
TerminalServerUsers=tsusers ; Name of the group allowed to connect
AlwaysGroupCheck=true ; Activate the group check for connection
MaxSessions=1 ; Max. number of simultaneous connections
KillDisconnected=false ; Kill xRDP session when disconnected
DisconnectedTimeLimit=0 ; Time before automatic disconnection

Before enabling the group check for connection, you need to create the group and add the user to it. To list all groups available on your machine: cat /etc/group | cut -d: -f1

If the tsusers group is not in the list, you can create it with: sudo groupadd tsusers. Then, to add the user to the group: sudo adduser USER_NAME tsusers.

To apply updated settings, you need to restart the service with: sudo systemctl restart xrdp
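
The script below is an added example, not part of the original post or of xrdp: it reads a sesman.ini and a group file and reports whether the restrictions above are in effect for a given user. It assumes ';' and '#' start a comment and accepts only the literal values true and false used above; the sample files and the users alice and bob are constructed.

```sh
#!/bin/sh
# Added example: audit the sesman.ini access restrictions described above.
# Assumption: ';' or '#' starts a comment, as in the listing above.

# ini_get FILE KEY: print the value assigned to KEY (last assignment wins here).
ini_get() {
    awk -v key="$2" '
        { sub(/[;#].*/, "") }                      # drop comments
        /^[ \t]*\[/ { next }                       # skip [section] headers
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# audit_sesman SESMAN_INI GROUP_FILE USER: print findings, return their count.
audit_sesman() {
    problems=0
    [ "$(ini_get "$1" AllowRootLogin | tr '[:upper:]' '[:lower:]')" = false ] ||
        fail "AllowRootLogin is not 'false': root may log in over RDP"
    [ "$(ini_get "$1" AlwaysGroupCheck | tr '[:upper:]' '[:lower:]')" = true ] ||
        fail "AlwaysGroupCheck is not 'true': the group restriction is not enforced"
    grp=$(ini_get "$1" TerminalServerUsers)
    # Only members listed in the group file are checked (what adduser USER GROUP writes).
    members=$(awk -F: -v g="$grp" '$1 == g { print "," $4 ","; exit }' "$2")
    case $members in
        "")        fail "group '$grp' from TerminalServerUsers does not exist" ;;
        *",$3,"*)  ;;
        *)         fail "user '$3' is not in group '$grp'" ;;
    esac
    return "$problems"
}

# Constructed sample input, not taken from a real host.
tmp=$(mktemp -d)
printf '%s\n' '[Security]' 'AllowRootLogin=false ; Avoid root user to login' \
    'TerminalServerUsers=tsusers' 'AlwaysGroupCheck=true' > "$tmp/sesman.ini"
printf '%s\n' 'root:x:0:' 'tsusers:x:1001:alice' > "$tmp/group"
audit_sesman "$tmp/sesman.ini" "$tmp/group" alice && echo "alice: OK"
audit_sesman "$tmp/sesman.ini" "$tmp/group" bob || echo "bob: $? finding(s)"
```

On a real host, call it as: audit_sesman /etc/xrdp/sesman.ini /etc/group USER_NAME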

Connection from Windows

You need to open the RDP client, type the local IP address of the computer and connect. If you do not know the IP address of your machine, type ifconfig in the Terminal. The inet value on the appropriate interface is the address you are looking for.

Just accept the certificate warning message. Check the bottom box if you do not want to see it on the next connection.

You then arrive at the login window, where you specify the user/password. They are the same as for the local account.

Now, you should be remotely connected to the distant computer.


Troubleshooting

Cannot connect

Check that your firewall has an exception for port 3389, which is the default one. If you have changed it in the xrdp.ini file, see the port parameter there.

On Linux Mint, the firewall can be managed with gufw. Also, if you activated the group check for connection, check that your user is in the group.

Graphical apps are not shown on my xRDP session

You might have difficulty displaying some apps on the xRDP desktop. It comes from the Xorg server display manager. In my case, if I want to start gufw, the graphical uncomplicated firewall, from the menu or from the Terminal, nothing happens. With the Terminal, I get (even with sudo):

msi@msi-GP60-2PE:~$ gufw
Unable to init server: Could not connect: Connection refused

It is related to the Xorg server not allowing the connection. To allow it, we need to run the command xhost +, which turns off host-based access control on the X server, before our command.

In my case, I need to do:

sudo xhost +
sudo gufw

If I do it differently, without sudo, the graphical app will not appear on my xRDP screen. Running xhost + may present a security risk since anybody could connect to the session. If you plan to access the remote session from outside your local network, pay attention.

Usually, when you start a graphical session, there is an environment variable called $DISPLAY that X programs use to know which session they are supposed to talk to. The variable is defined automatically and you can read it with echo $DISPLAY in a Terminal of the graphical session. It tells on which session the output should be displayed.

For example, if you have a graphical session started from tty1, and another one from tty2, you will have two different results for the $DISPLAY variable because you have two graphical sessions. For example, the tty1 session will return DISPLAY=:0.0 and the tty2 session DISPLAY=:0.1

Then, from tty1, if you overwrite the variable with: export DISPLAY=:0.1 and you launch xclock right after, you will see that the clock is displayed on the other graphical session, the one inherited from tty2.

Regarding the xRDP session, I do not know why it still does not appear even though the DISPLAY variable is correctly defined, but the xhost + command resolves the issue for the time being.
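
The xhost + workaround above leaves the display open until access control is turned back on. As an added example (not from the original post), the script below classifies the output of xhost and wraps a narrower grant, xhost +SI:localuser:root, around a single command; that this narrower grant is sufficient on the setup described here is an assumption, and the sample output is constructed.

```sh
#!/bin/sh
# Added example: check what the X server currently allows, and use a
# narrower grant than "xhost +". The sample output below is constructed.

# xhost_audit: read the output of `xhost` on stdin, print findings,
# return the number of entries that need attention.
xhost_audit() {
    findings=0
    while IFS= read -r line; do
        case $line in
            "access control disabled"*)
                echo "OPEN: access control is off, any client reaching the display can connect"
                findings=$((findings + 1)) ;;
            "access control enabled"*|"") ;;
            SI:localuser:*)
                echo "ok: local user ${line#SI:localuser:}" ;;
            *)
                echo "REVIEW: $line is allowed"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# with_root_display CMD...: allow only the local root user on this display
# while CMD runs, then withdraw the grant. Assumption: this is enough for the
# application in question; it has not been verified on the setup described here.
with_root_display() {
    xhost +SI:localuser:root >/dev/null || return 1
    status=0
    sudo "$@" || status=$?
    xhost -SI:localuser:root >/dev/null
    return "$status"
}

# Constructed `xhost` output as seen after running "xhost +":
printf '%s\n' 'access control disabled, clients can connect from any host' \
    'SI:localuser:msi' | xhost_audit || echo "$? finding(s)"
```

On a live session, run xhost | xhost_audit; xhost - turns access control back on.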

Improvement

Saving memory

If you want to save a couple of hundred MB of memory, you can force Linux to start in text mode instead of desktop mode. Indeed, if you plan to use it only remotely, there is no need to load the desktop locally. To do so:

  • Edit: sudo nano /etc/default/grub
  • Find: GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
  • Replace with: GRUB_CMDLINE_LINUX_DEFAULT="text"
  • Update GRUB: sudo update-grub

In my case, my version of Linux uses systemd, so this additional step is needed to avoid loading the login manager:

sudo systemctl enable multi-user.target --force
sudo systemctl set-default multi-user.target

If you want to use the graphical login on the computer later, you can start it with the startx command.

Prevent shutdown when closing screen for laptops

On laptops, you might want to keep the lid closed since you access the machine remotely, but each time you close it, Linux starts shutting down or goes into power saving mode. To prevent that, you need to change one parameter in logind.conf.

  • Open it with your favorite text editor: sudo nano /etc/systemd/logind.conf
  • Find the line: #HandleLidSwitch=suspend
  • Remove the # at the beginning of the line.
  • Replace the line with HandleLidSwitch=ignore
  • Save the file and restart the service with: sudo systemctl restart systemd-logind

Hope this helps!
