TrueNAS Core 13.0.3-1 with Guacamole Plugin installed ok ( TOTP Setup assistance please? )

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
I've taken the plunge and installed Guacamole on my TrueNAS 13.0.3-1 box and can successfully RDP into PCs internally and remotely from the Guacamole console.

I have not yet opened it up to the Outside world via the internet.

My install process has been as follows so far..

In Truenas - The Guacamole install is the default "Plugin" listed as Community Plugin.

I selected the Plug-in "Guacamole", then clicked install with the default NAT option.
Once the JAIL name DCSGuacamole started, I was able to access the web console and add EndPoints.

I'd like to secure it via TOTP. (Once working - would like to open it up to the outside world)

I have searched this forum for details, and also looked at the Guacamole site (manual instructions) and now at a dead end.

It appears it's as simple as copying a .jar file into a specific folder, then restarting the JAIL, but it seems too simple.
Am I missing something?

So I copy the file guacamole-auth-totp-1.4.0.jar into the /etc/guacamole/extensions folder

Within my TrueNAS box, jails are installed and set up via the iocage/jails/ folder.
My Guacamole JAIL is called - DCSGuacamole

So it lives in /mnt/tankXXXX/iocage/jails/DCSGuacamole/

Then I am on the assumption that the default location that this .jar needs to be copied to is

(All within a SHELL prompt of the DCSGuacamole Jail)
/root/etc/guacamole/extensions

The file "guacamole-auth-totp-1.4.0.tar.gz" downloaded from

I used a Windows PC to download the tar.gz file, extracted it to find the .jar file, then copied it to this location.

root@DCSGuacamole:/etc/guacamole/extensions # ls
guacamole-auth-jdbc-mysql-1.4.0.jar guacamole-auth-totp-1.4.0.jar

There was another .jar file there, I wasn't sure whether there was anything else required?

Are there any other config steps required to get the initial login to prompt for the 2FA setup?

Does the .jar file need to be extracted further?
Do I have to change permissions in the JAIL at the shell prompt once the file is copied across?
 

dcs730

Thx SRETALLA

Check out this thread! https://www.truenas.com/community/threads/guacamole-totp-not-authorizing-login.102101/

- You were spot on the money. (I haven't checked the permissions as you've mentioned above)... but below was my soln.

Exactly what I thought earlier today, must have been permission related to the .jar file which I extracted on a Windows 10 PC.

So, I spent a good part of this afternoon at the guacamole jail shell prompt.

- I used wget to fetch and download the official totp tar.gz file (from the official guacamole.org web site)
- Then I extracted the tar.gz file and copied just the .jar file to the /etc/guacamole/extensions folder.

Once I restarted the Guacamole Jail and attempted to login, it prompted for the 2FA code (Which I then setup and scanned on my iPhone with Google Authenticator app).

So overall it works well; then I did a port forward to the http web site of guacamole to access the console.
I can also RDP to other sessions from a remotely connected web browser session.

Works a treat!
 

DementedJay

Cadet
Joined
Aug 14, 2022
Messages
7
Okay, I'm in a similar boat, except I've used wget to pull down the tar and then extracted and copied to the /extensions folder. I haven't made any changes to the guacamole.properties file because the defaults should get me going, as I understand them.

But when I restart the jail, there's no TOTP / setup when I log in with either guacadmin or any other user. It seems like the extension isn't being activated? The jar file is in etc/guacamole/extensions, right next to the jdbc mysql jar, which is working properly of course, so that seems right.

I'm running guacamole 1.5.3 and the matching TOTP extension version.

Any ideas what I'm doing wrong?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Mine are in /usr/local/etc/guacamole-client/extensions:
Code:
root@rdp:/usr/local/etc/guacamole-client/extensions # ll
total 10537
-rw-r--r--  1 root  wheel  6102374 Mar 19  2022 guacamole-auth-jdbc-mysql-1.4.0.jar
-rw-r--r--  1 1001  1001   5290215 Dec 29  2021 guacamole-auth-totp-1.4.0.jar


But I'm using a regular jail with Guacamole installed via pkg - are you using a "plugin"?

EDIT: Looks like I should update mine :wink:
 

Patrick M. Hausen

Thanks, but this jail has been running well for so long, I just updated the libraries and that was that. I also have Caddy centrally for all exposed services in a different jail etc.

I checked your script for the recommended version of MariaDB and will follow your advice and use that. I found that the mysql-connector-java package was renamed to mysql-connector-java51 and mysql-connector-j - depending on the version. You might want to update your script.

Thanks anyway - good to have your scripts for reference.

EDIT: And again - jails for the win:
Code:
service mysql-server stop
pkg install mariadb106-server # will automatically remove MySQL packages
service mysql-server start
mysql_upgrade -p
# Done!
 

DementedJay

I probably should have used your script @victort because I did finally figure it out. I had the 1.4.0 jdbc mysql driver jar in the extensions folder, and the version of the guacd, the jdbc driver, and the totp jar should all match, or else it won't even load the totp.

I found 1.4.0 on the apache site, downloaded and extracted the jar from that, copied it over, and hey presto, everything worked.

Just an FYI for anyone else running into issues in the future: make sure all your extension versions match the actual software version!
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I just ran a fresh install of the script with the updated 1.5.3 version, downloaded the TOTP extension, and it didn't work.
I had to chmod 644 the .jar file to get it working.

Everything else works ok.

@Patrick M. Hausen I sometimes run into an issue with guacamole where it says connection appears to be unstable. Any ideas?
This is on my local network only, albeit behind a reverse proxy.
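
The two causes reported in this thread for the TOTP prompt not appearing (extension jars whose version does not match the installed Guacamole, and a jar that needed chmod 644) can be checked before restarting the jail. This is an added example, not from the posters or the Guacamole project: `check_extensions` is a hypothetical helper, the directory and expected version are passed in by you, and it assumes jars follow the `guacamole-<name>-<version>.jar` naming seen above.

```shell
#!/bin/sh
# Added example: audit a Guacamole extensions directory.
# Usage: check_extensions DIR EXPECTED_VERSION
# Prints one line per finding; returns 0 if clean, 1 if anything was found.
check_extensions() {
    dir=$1 want=$2 bad=0
    for jar in "$dir"/guacamole-*.jar; do
        # An unmatched glob stays literal: report an empty directory.
        [ -e "$jar" ] || { echo "no extension jars in $dir"; return 1; }
        name=${jar##*/}
        # Version is the text between the last '-' and '.jar'.
        ver=${name%.jar}; ver=${ver##*-}
        if [ "$ver" != "$want" ]; then
            echo "VERSION $name is $ver, expected $want"; bad=1
        fi
        # Symbolic mode from ls, e.g. -rw-r--r-- (same layout on BSD and GNU).
        mode=$(ls -ld "$jar" | cut -c1-10)
        # Character 8 is other-read: assumed necessary because the servlet
        # container normally runs as an unprivileged user, not the jar owner.
        case $mode in
            ???????r??) ;;
            *) echo "UNREADABLE $name mode $mode (needs o+r, e.g. chmod 644)"; bad=1 ;;
        esac
        # Characters 6 and 9 are group/other write: a writable jar in the
        # authentication path can be replaced by another account in the jail.
        case $mode in
            ?????w????|????????w?)
                echo "WRITABLE $name mode $mode (group/other can replace it)"; bad=1 ;;
        esac
    done
    return $bad
}
```

Run it inside the jail against whichever extensions directory your install uses (for example `check_extensions /etc/guacamole/extensions 1.5.3`), substituting the Guacamole version you actually have installed.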
 

Patrick M. Hausen

> I sometimes run into an issue with guacamole where it says connection appears to be unstable. Any ideas?
Sorry, none. All running perfectly stable here.

This is my caddyfile:
Code:
my.host.name {
  reverse_proxy * {
    to http://192.168.2.52:8080
  }

  redir / /guacamole/ 308

  log {
    output file /var/log/caddy/my.host.name-access.log
  }
}


I have set up access from outside and a public FQDN including hairpin NAT for IPv4 but most of the time, especially from the home LAN, connections will be via IPv6 to the proxy and then via IPv4 to Guacamole.
 
