Bastion
This manual is applicable to IsardVDI installations of version v14.64.3 or later.
The Bastion functionality in IsardVDI allows access to virtual desktops via SSH and through a public domain for hosted web servers, without needing to establish a VPN (Wireguard) connection.
This feature enables access using a domain that combines the UUID of the virtual desktop with the domain configured for IsardVDI. It also allows SSH connection without the need to set up additional tunnels.
It is especially useful in environments that require public servers, as it provides direct and secure access to virtual desktops.
When Bastion is enabled, the IsardVDI server acts as a bridge for external connections:
```mermaid
graph LR
dt1(Client):::dt -.- dk1([IsardVDI Bastion]):::dk -.- dt2(Guest Desktop):::dt
classDef dk fill:#ffd1dc,stroke:#ff3465,stroke-width:1px
```
For users to use Bastion, they must have permissions for their category. This configuration can only be performed by a user with an Administrator role.
Administrators only
To modify Bastion configuration and permissions, please refer to the following guide: Bastion Configuration
Configuration
When editing a virtual desktop, you will find the Bastion section (if you have the necessary permissions).
- Ports: Although the external ports point to 80/TCP and 443/TCP (which are also the default listening ports on the virtual machine), you can redirect them to other ports inside the desktop if desired. To do so, specify the new port when editing the virtual desktop, in the parameters indicated for each service (HTTP, HTTPS, and SSH).
- Authorized keys: To use the SSH connection, one or more public SSH keys must be added (one per line) for each user who needs access. Each user must generate their own public key. These keys can be updated in real time, without needing to shut down the desktop to add or modify them.
Generate SSH keys
Generating a pair of SSH keys is as simple as running a command:
After running the command, it will ask where to save the generated keys. Pressing Enter will save them in the default path (/home/user/.ssh/id_rsa).
The key that needs to be added is the public key located in the id_rsa.pub file. Copy the content and paste it into the authorized keys field in the Bastion configuration.
On a Windows host, open the PowerShell terminal with administrator privileges and run the following command:
After running the command, it will ask where to save the generated keys. Pressing Enter will save them in the default path.
The key to add is the public one in the id_rsa.pub file. To view the contents, run:
Copy the content and paste it into the authorized keys field in the Bastion configuration.
Managers/Admins only
For manager users, the Bastion section in the virtual machine configuration appears as follows:
A new section appears:
- Custom domain name: This option allows assigning a custom name to the web server (the virtual desktop) instead of using the desktop UUID as the domain.
To use this feature, you must add a CNAME record pointing to the domain formed by the virtual desktop UUID + installation domain, in the DNS server resolving the IsardVDI domain.
Continuing within the virtual machine editing section, in the Domain credentials section, you will find the credentials needed to remotely access the virtual desktop via SSH. These credentials work for both RDP and Bastion connections.
Templates cannot be created from this configuration
It is not possible to include Bastion parameters in a template. That is, the general state of the desktop will be saved, but not the changes made in the Bastion section.
After configuring Bastion and access credentials, you can save the virtual machine parameters.
Back in the main desktop section, you will be able to access the button to view the desktop identifier along with the URLs for the enabled protocols and how to access them.
A window like the following will appear:
Based on the desktop UUID, you can generate the following connections (where "domain.com" corresponds to the domain of the server hosting IsardVDI):
- URL HTTP: http://{UUID}.domain.com
- URL HTTPS: https://{UUID}.domain.com
- SSH: ssh {UUID}@domain.com -p 443
In the authorized keys section, you can view the keys you've added. These can be modified in real time, without shutting down the desktop. To apply the change, press the button:
Managers only
Manager users will see the option to change the custom domain name in real time without shutting down the virtual desktop. To apply the changes, press the button: 
Recommendation
If you want to access web services, it is recommended to open the URL in an incognito window or another browser if you have previously visited the IsardVDI site.
Examples
Web service
Example test of a web service inside a desktop.
During the test, to avoid problems, make sure:
- The firewall is not blocking traffic. To disable it: `systemctl disable --now ufw`
- The SSH server is installed (`apt install openssh-server`) and enabled (`systemctl enable --now ssh`).
For a quick test, we will use the Caddy web server:
- Install Caddy and verify the installation completed successfully:
```bash
curl -1sLf \
'https://dl.cloudsmith.io/public/caddy/stable/setup.deb.sh' \
| sudo -E bash
sudo apt update
sudo apt install caddy -y
caddy version
sudo systemctl status caddy
```
- Create a simple demonstration web page:
```bash
sudo mkdir -p /var/www/mysite
sudo chown -R $USER:$USER /var/www/mysite
cat <<EOF > /var/www/mysite/index.html
<!DOCTYPE html>
<html lang="es">
<head>
<meta charset="UTF-8" />
<title>IsardVDI</title>
<style>
body, html {
height: 100%;
margin: 0;
}
body {
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
font-family: Arial, sans-serif;
}
h1 {
text-align: center;
}
img.isard {
height: 2em;
vertical-align: middle;
}
</style>
</head>
<body>
<h1>Hello from IsardVDI :) <img src="https://avatars.githubusercontent.com/u/18657560?s=280&v=4" alt="Icono" class="isard"></h1>
</body>
</html>
EOF
```
- Edit the Caddy configuration file and add the domain used to access the virtual desktop (replace {UUID}.domain.com with your actual domain):
```bash
sudo sed -i -e 's/^:80 {/{UUID}.domain.com {/' -e 's|root \* /usr/share/caddy|root * /var/www/mysite|' /etc/caddy/Caddyfile
sudo systemctl reload caddy
```
Now, visit the web service using the corresponding URL and you should see the content of index.html:
SSH Service
The SSH service requires that on the virtual desktop:
- No rules block traffic: `systemctl disable --now ufw`
- SSH server is installed (`apt install openssh-server`) and enabled (`systemctl enable --now ssh`).
The access credentials are the same as those used for RDP viewer and can be found when editing the virtual machine.
Access credentials
If the username and password do not match at SSH login, access will be denied. Also, this user must belong to the Administrators group.
To gain access, the public key of the device used to connect must be added in the authorized keys section in the Bastion editor.
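Two small client-side helpers for the authorized-keys and SSH steps described above, as an added example that is not part of the IsardVDI documentation or project: the demo key, the `desk` alias and the key path are constructed. It also performs a check the manual does not mention, that the base64 body of a pasted key really encodes the key type named in its prefix, which catches truncated or mixed-up pastes before they reach the Bastion editor.

```shell
#!/bin/sh
# Added example, not part of the IsardVDI documentation. Client-side helpers
# for the Bastion SSH path described above:
#   validate_authorized_keys FILE             checks lines meant for the
#                                             "Authorized keys" field
#   bastion_ssh_config ALIAS UUID DOMAIN KEY  prints an ssh_config stanza for
#                                             "ssh {UUID}@domain.com -p 443"

# One OpenSSH public key per line: "<type> <base64> [comment]". Rejects private
# key material, unknown key types, non-base64 bodies and bodies whose embedded
# type string does not match the prefix (a typical sign of a corrupted paste).
validate_authorized_keys() {
    _file=$1; _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case "$_line" in
            ''|'#'*) continue ;;
            *'PRIVATE KEY'*) echo "line $_n: private key material" >&2; return 1 ;;
        esac
        _type=${_line%% *}; _rest=${_line#* }; _body=${_rest%% *}
        case "$_type" in
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
            *) echo "line $_n: unsupported key type '$_type'" >&2; return 1 ;;
        esac
        printf '%s\n' "$_body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
            || { echo "line $_n: key body is not base64" >&2; return 1; }
        # The decoded blob begins with a 4-byte length and a copy of the key type.
        _embedded=$(printf '%s' "$_body" | base64 -d 2>/dev/null \
            | dd bs=1 skip=4 count="${#_type}" 2>/dev/null)
        [ "$_embedded" = "$_type" ] \
            || { echo "line $_n: body does not match type $_type" >&2; return 1; }
    done < "$_file"
}

# ssh_config stanza for the Bastion endpoint: the desktop UUID is the SSH user
# and the server listens on 443, as in the connection list above.
bastion_ssh_config() {
    printf 'Host %s\n  HostName %s\n  User %s\n  Port 443\n  IdentityFile %s\n  IdentitiesOnly yes\n' \
        "$1" "$3" "$2" "$4"
}

# Constructed demo key: structurally valid ed25519 line with an all-zero key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user@laptop'
```

Append the stanza to `~/.ssh/config` and the connection becomes `ssh desk`; the desktop credentials from the Domain credentials section are still required at login.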