Setting Up RustDesk on FreeBSD
Create a loopback interface for the jails to listen on
First, set up a loopback interface for the jails to listen on.
Create the loopback interface in /etc/rc.conf:
sysrc cloned_interfaces="lo1"
sysrc cloned_addrs_lo1="172.16.1.0/24"
Restart networking and confirm that the lo1 interface has been created:
service netif restart
ifconfig lo1
lo1: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 fe80::1%lo1 prefixlen 64 scopeid 0x3
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Create the jail
If you are using ZFS, create a dataset for the jails (ZFS only):
zfs create -o mountpoint=/jails zroot/jails
If you are not using ZFS, create a plain jails directory instead (skip this if you followed the ZFS step above):
mkdir /jails
Create the directory for the jail and install a base system into it with bsdinstall:
mkdir /jails/rustdesk
bsdinstall jail /jails/rustdesk
Create a configuration file for our jails, /etc/jail.conf:
# tabs=4
# Define jail vars that we'll use throughout the config file
path="/jails/$name";
# Some applications might need access to devfs
mount.devfs;
mount.fstab="/etc/fstab.$name";
# Clear environment variables
exec.clean;
# Use the host's network stack for all jails
ip4=inherit;
ip6=inherit;
# Initialisation scripts
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
# Specific jail configurations
#
rustdesk {
    host.hostname="rustdesk";   # Hostname
    ip4.addr="lo1|172.16.1.1";  # Address on lo1 that this jail listens on
    allow.raw_sockets=1;        # Allow ping etc.
}
Create /etc/fstab.rustdesk. This per-jail fstab lets you mount nullfs file systems into the jail later if needed; an empty file is fine for now:
touch /etc/fstab.rustdesk
Create the entries in /etc/rc.conf that start the jail at boot:
sysrc jail_enable="YES"
sysrc jail_list="rustdesk"
Start the RustDesk jail and confirm that it exists:
service jail start rustdesk
jls
Starting jails: rustdesk.
   JID  IP Address      Hostname                      Path
     1  172.16.1.1      rustdesk                      /jails/rustdesk
Firewall Rules
The next step is to create our firewall rules. They use network address translation (NAT) to route traffic from the jails out of the external interface, redirect incoming traffic on the RustDesk ports to the jail, and allow that traffic in from the WAN interface.
These firewall rules could be shorter, but we're catering for adding further jails at a later date.
Configure the pf firewall by creating /etc/pf.conf:
ext_if="xn0"
jail_net="172.16.1.0/24"
rd_tcp_ports="{ 21115, 21116, 21117, 21118, 21119 }"
rd_udp_ports="{ 21116 }"
rd_jail="172.16.1.1/32"
# do not filter lo0
set skip on lo0
# NAT traffic out from ALL jails via the external interface
nat on $ext_if from $jail_net to any -> ($ext_if)
# Redirect incoming rustdesk traffic to jail
rdr on $ext_if inet proto tcp from any to $ext_if port $rd_tcp_ports -> lo1
rdr on $ext_if inet proto udp from any to $ext_if port $rd_udp_ports -> lo1
# Allow traffic from WAN
pass in on $ext_if inet proto tcp from any to $rd_jail port $rd_tcp_ports
pass in on $ext_if inet proto udp from any to $rd_jail port $rd_udp_ports
# Allow traffic out of WAN
pass out on $ext_if inet proto { tcp, udp, icmp } from any to any
Add any further rules you may need, for example allowing SSH to the host machine:
# Allow traffic from WAN
... existing rules
# Allow SSH to the host
pass in on $ext_if inet proto tcp from any to $ext_if port ssh
Test the firewall rules. This performs a syntax check only and does not load the rules:
pfctl -nf /etc/pf.conf
Enable pf in /etc/rc.conf and start it:
sysrc pf_enable="YES"
sysrc pf_rules="/etc/pf.conf"
service pf start
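The ruleset above is written so that more jails can be added later. As an added example, not part of the original post, here is a small sh script that generates the same shape of rdr and pass rules per jail; the WAN interface xn0, the jail network and the jail address are taken from the page, and the generated rules redirect to the jail's own address rather than to the interface name lo1, since with several jails on lo1 only an explicit address selects the right jail.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the per-jail rdr/pass
# rules in the shape of the ruleset above, so that further jails can be added
# without hand-editing. Assumed values are taken from the page.
ext_if="xn0"            # WAN interface
jail_net="172.16.1.0/24"

# Global part of the ruleset: macros, skip lo0, NAT all jails out of $ext_if.
pf_header() {
    printf 'ext_if="%s"\njail_net="%s"\n' "$ext_if" "$jail_net"
    printf 'set skip on lo0\n'
    printf 'nat on $ext_if from $jail_net to any -> ($ext_if)\n'
}

# Turn "21115 21116" into "21115, 21116" for a pf port list.
port_list() {
    printf '%s' "$1" | sed 's/ /, /g'
}

# Per-jail rules: $1=name, $2=jail address, $3=TCP ports, $4=UDP ports (space
# separated; either list may be empty). Each protocol gets the page's rdr +
# pass in pair, but redirected to the jail's own address rather than to the
# interface name lo1: with several jails on lo1 only an explicit address
# selects the right one.
jail_rules() {
    name=$1; ip=$2; tcp=$3; udp=$4
    printf '# %s\n' "$name"
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then ports=$tcp; else ports=$udp; fi
        [ -n "$ports" ] || continue
        list=$(port_list "$ports")
        printf 'rdr on $ext_if inet proto %s from any to $ext_if port { %s } -> %s\n' \
            "$proto" "$list" "$ip"
        printf 'pass in on $ext_if inet proto %s from any to %s/32 port { %s }\n' \
            "$proto" "$ip" "$list"
    done
}

pf_footer() {
    printf 'pass out on $ext_if inet proto { tcp, udp, icmp } from any to any\n'
}
# Complete ruleset for the page's rustdesk jail; add one jail_rules line per
# extra jail. Pipe it into "pfctl -nf -" on the host for a syntax check.
rustdesk_ruleset() {
    pf_header
    jail_rules rustdesk 172.16.1.1 "21115 21116 21117 21118 21119" "21116"
    pf_footer
}
rustdesk_ruleset
```

pf passes any packet that no rule matches, so a ruleset of this shape only limits WAN access to the listed ports once a block in on $ext_if rule precedes the pass rules.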
Test that the jail has connectivity
jexec rustdesk
ping google.com
exit
If your jail cannot ping google.com, try a Google IP address directly (8.8.8.8). If name resolution is the problem, check the DNS configuration in the jail's /etc/resolv.conf:
jexec rustdesk cat /etc/resolv.conf
# Generated by resolvconf
search domain.local
nameserver 8.8.8.8
Update the jail's packages and install RustDesk
Update the jail's packages:
pkg -j rustdesk update
Install the RustDesk server:
pkg -j rustdesk install rustdesk-server
Enable the RustDesk services and set the hbbs address:
jexec rustdesk sysrc rustdesk_hbbr_enable="YES"
jexec rustdesk sysrc rustdesk_hbbs_enable="YES"
jexec rustdesk sysrc rustdesk_hbbs_ip="172.16.1.1"
Start the relay server (hbbr) and the ID server (hbbs):
jexec rustdesk service rustdesk-hbbr start
jexec rustdesk service rustdesk-hbbs start
Check that the services are running:
jexec rustdesk service rustdesk-hbbr status
jexec rustdesk service rustdesk-hbbs status
Check that the services are listening:
netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp46      0      0 *.21118                *.*                    LISTEN
tcp46      0      0 *.21115                *.*                    LISTEN
tcp46      0      0 *.21116                *.*                    LISTEN
tcp46      0      0 *.21119                *.*                    LISTEN
tcp46      0      0 *.21117                *.*                    LISTEN
Using the RustDesk Client
When running the RustDesk client from a PC, you can pull the server's public key from /var/db/rustdesk-server/id_ed25519.pub within the jail:
jexec rustdesk cat /var/db/rustdesk-server/id_ed25519.pub
Note: When pasting the key into the client settings, remove everything after the first '=' sign.
Automatically setting the server host and key for people downloading the client
The client executable can be renamed so that it automatically provides the host and key of the server:
rustdesk-host=X.X.X.X,key=YOURPUBLICKEYHERE.exe
Note: The order is important; the key is expected to come first.
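As an added example, not part of the original post or of RustDesk, here is a small sh script that applies the two notes above: it trims the contents of id_ed25519.pub to everything up to and including the first '=', checks that what is left has the shape of an Ed25519 public key (32 bytes base64-encoded, so 43 characters plus one '=' of padding), and builds the client filename. The sample file contents are constructed for the example and are not a real key.

```shell
#!/bin/sh
# Added example, not from the page or from RustDesk: trim the server public key
# as the note above says and build the self-configuring client filename.
# Assumption: the key is a base64-encoded 32-byte Ed25519 public key, i.e.
# 43 base64 characters plus one '=' of padding (44 characters in total).

# $1 = raw contents of id_ed25519.pub. Prints the key up to and including the
# first '=' (a trailing newline or anything pasted after it is dropped).
rustdesk_trim_key() {
    printf '%s' "$1" | tr -d '\n\r' | sed 's/=.*$/=/'
}

# Returns 0 when the trimmed key has the expected shape; catches a partial
# copy/paste before the key goes into the client settings.
rustdesk_key_ok() {
    case "$1" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # only base64 characters allowed
        *=) ;;                            # must end with the padding '='
        *) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | wc -c | tr -d ' ')" -eq 44 ]
}

# $1 = server host or IP, $2 = trimmed key. Prints the filename from the page.
rustdesk_client_name() {
    printf 'rustdesk-host=%s,key=%s.exe' "$1" "$2"
}

# $1 = host, $2 = raw file contents. Prints the filename, or fails if the key
# does not look right.
rustdesk_client_name_from_pub() {
    key=$(rustdesk_trim_key "$2")
    rustdesk_key_ok "$key" || { echo "key does not look like an Ed25519 public key" >&2; return 1; }
    rustdesk_client_name "$1" "$key"
}

# Constructed sample contents (NOT a real key): 43 base64 chars, '=', newline.
sample_pub="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq=
"
rustdesk_client_name_from_pub 192.0.2.10 "$sample_pub"
```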