Setting up RustDesk Server on FreeBSD

Create loopback interface for jail to listen on

The jails need a loopback interface to listen on, so start by creating one.

Create the loopback interface in /etc/rc.conf:

sysrc cloned_interfaces="lo1"
sysrc cloned_addrs_lo1="172.16.1.0/24"

Restart networking and confirm the lo1 interface has been created:

service netif restart

lo1: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 fe80::1%lo1 prefixlen 64 scopeid 0x3
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Create the jail

If you are using ZFS, create a dataset for the jails (skip this step if you are not using ZFS):

zfs create -o mountpoint=/jails zroot/jails

If you are not using ZFS, create a jails directory instead (skip this step if you created the dataset above):

mkdir /jails

Create the directory for the jail and install into it using bsdinstall:

mkdir /jails/rustdesk
bsdinstall jail /jails/rustdesk

Create a configuration file for our jails, /etc/jail.conf:

# tabs=4

# Define jail vars that we'll use throughout the config file
path="/jails/$name";

# Some applications might need access to devfs
mount.devfs;
mount.fstab="/etc/fstab.$name";

# Clear environment variables
exec.clean;

# Use the host's network stack for all jails
ip4=inherit;
ip6=inherit;

# Initialisation scripts
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";

# Specific jail configurations
#
rustdesk {
	host.hostname="rustdesk";			# Hostname
	ip4.addr="lo1|172.16.1.1";
	allow.raw_sockets=1;				# Allow ping etc
}

Create the jail's fstab, /etc/fstab.rustdesk, which allows nullfs file systems to be mounted in the jail later (if needed):

touch /etc/fstab.rustdesk

Create the entries in /etc/rc.conf to start the jail:

sysrc jail_enable="YES"
sysrc jail_list="rustdesk"

Start the rustdesk jail and confirm it exists:

service jail start rustdesk
jls

Starting jails: rustdesk.
JID IP Address Hostname Path
1 172.16.1.1 rustdesk /jails/rustdesk

Firewall Rules

The next step is to create our firewall rules. These rules use network address translation (NAT) to route traffic from our jails out of the external interface. We will also need to set up some rules to redirect traffic to our jails and to allow traffic from the WAN interface to our jails.

These firewall rules could be shorter, but we’re catering for adding further jails at a later date.

Configure the pf firewall by creating /etc/pf.conf:

ext_if="xn0"
jail_net="172.16.1.0/24"

rd_tcp_ports="{ 21115, 21116, 21117, 21118, 21119 }"
rd_udp_ports="{ 21116 }"  

rd_jail="172.16.1.1/32"

# do not filter lo0
set skip on lo0

# nat traffic out from ALL jails via the external interface
nat on $ext_if from $jail_net to any -> ($ext_if)

# Redirect incoming rustdesk traffic to jail
rdr on $ext_if inet proto tcp from any to $ext_if port $rd_tcp_ports -> lo1
rdr on $ext_if inet proto udp from any to $ext_if port $rd_udp_ports -> lo1

# Allow traffic from WAN
pass in on $ext_if inet proto tcp from any to $rd_jail port $rd_tcp_ports
pass in on $ext_if inet proto udp from any to $rd_jail port $rd_udp_ports

# Allow traffic out of WAN

pass out on $ext_if inet proto { tcp, udp, icmp } from any to any

Add any further rules you may need, for example allowing SSH to the host machine:

# Allow traffic from WAN
... existing rules
# Allow SSH to the host
pass in on $ext_if inet proto tcp from any to $ext_if port ssh

Test the firewall rules. This only performs a check and does not load the rules:

pfctl -nf /etc/pf.conf
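
pfctl -n only checks syntax, and pf passes any packet that no filter rule matches, so a ruleset without a block rule (like the one above) is not yet restricting inbound traffic. The shell lint below is an added example, not part of the original guide: it reports a missing default deny, a default deny that would cut off SSH to the host, and any rdr protocol with no matching pass in rule. The names lint_pf and page_rules and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original guide: a policy lint for /etc/pf.conf.
# pf passes any packet that no filter rule matches, so "pass in" rules only
# restrict inbound traffic when a "block" rule sets a default deny, e.g.
#   block in on $ext_if all
# placed before the pass rules (pf applies the last matching rule).

# lint_pf FILE: print one finding per line; returns 0 only if there are none.
# Assumption: one protocol per rdr/pass-in rule, as in the ruleset on this page.
lint_pf() {
    awk '
    { sub(/#.*/, ""); gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }
    $0 == "" { next }
    # A block rule with no "out", protocol or address limit is a default deny.
    $1 == "block" && $0 !~ / (out|proto|port|from|to)( |$)/ { deny = 1 }
    # Record which protocols are redirected and which are passed inbound.
    $1 == "rdr" { for (i = 1; i < NF; i++) if ($i == "proto") rdr[$(i+1)] = 1 }
    $1 == "pass" && $2 == "in" {
        for (i = 1; i < NF; i++) if ($i == "proto") ok[$(i+1)] = 1
        if ($0 ~ / port (ssh|22)$/) ssh = 1
    }
    END {
        if (!deny) { print "no-default-block: unmatched inbound traffic is passed"; n++ }
        else if (!ssh) { print "no-ssh-pass: the default deny also drops SSH to the host"; n++ }
        for (p in rdr) if (!(p in ok)) { print "rdr-without-pass: proto " p; n++ }
        exit (n > 0)
    }' "$1"
}

# Constructed sample: the translation and filter rules from this guide.
page_rules() {
    cat <<'EOF'
set skip on lo0
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to $ext_if port $rd_tcp_ports -> lo1
rdr on $ext_if inet proto udp from any to $ext_if port $rd_udp_ports -> lo1
pass in on $ext_if inet proto tcp from any to $rd_jail port $rd_tcp_ports
pass in on $ext_if inet proto udp from any to $rd_jail port $rd_udp_ports
pass out on $ext_if inet proto { tcp, udp, icmp } from any to any
EOF
}

tmp=$(mktemp) && page_rules > "$tmp"
lint_pf "$tmp" || echo "lint_pf: findings reported for the sample ruleset"
rm -f "$tmp"
```

Run it against the real file with lint_pf /etc/pf.conf before loading the rules; if you manage the host over SSH, add the SSH pass rule shown above together with any default deny.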

Enable and start the pf firewall:

sysrc pf_enable="YES"
sysrc pf_rules="/etc/pf.conf"
service pf start

Test that the jail has connectivity:

jexec rustdesk
ping google.com
exit

If your jail cannot ping google.com, try its IP (8.8.8.8). If you have an issue resolving DNS, check the DNS configuration in your jail's /etc/resolv.conf:

jexec rustdesk cat /etc/resolv.conf

# Generated by resolvconf

search domain.local
nameserver 8.8.8.8

Update the jail's packages and install RustDesk

Update jail packages

pkg -j rustdesk update

Install rustdesk

pkg -j rustdesk install rustdesk-server

Enable rustdesk

jexec rustdesk sysrc rustdesk_hbbr_enable="YES"
jexec rustdesk sysrc rustdesk_hbbs_enable="YES"
jexec rustdesk sysrc rustdesk_hbbs_ip="172.16.1.1"

Start the relay server and RustDesk:

jexec rustdesk service rustdesk-hbbr start
jexec rustdesk service rustdesk-hbbs start

Check services are running:

jexec rustdesk service rustdesk-hbbr status
jexec rustdesk service rustdesk-hbbs status

Check services are listening:

netstat -an

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp46 0 0 *.21118 *.* LISTEN
tcp46 0 0 *.21115 *.* LISTEN
tcp46 0 0 *.21116 *.* LISTEN
tcp46 0 0 *.21119 *.* LISTEN
tcp46 0 0 *.21117 *.* LISTEN

Using the RustDesk Client

When running the RustDesk client from a PC, you can pull the key from /var/db/rustdesk-server/id_ed25519.pub within the jail:

jexec rustdesk cat /var/db/rustdesk-server/id_ed25519.pub

Note: When pasting the key in the client settings, remove everything after the first ‘=’ sign.

Automatically setting the server host and key for people downloading the client

The client application can be renamed to automatically provide the host and key for the server.

rustdesk-host=X.X.X.X,key=YOURPUBLICKEYHERE.exe

Note: Order is important, the key is expected to come first.
