# Phase 5: Hardened RustDesk Self-Hosted Setup

## Status: ✅ FULLY COMPLETE

**Last Verified:** 2026-01-18

**Completion Date:** 2026-01-18

---

## Goal

Deploy a high-security, self-hosted RustDesk infrastructure with custom ID server, relay server, and end-to-end encryption using your own keypair.

---

## Current State

### Server Components

| Component | Container | Status | Ports |
|-----------|-----------|--------|-------|
| ID Server | rustdesk-hbbs | ✅ Running | TCP 21115-21116, UDP 21116, WS 21118-21119 |
| Relay Server | rustdesk-hbbr | ✅ Running | TCP 21117 |

### Configuration

| Parameter | Value |
|-----------|-------|
| Public Key | `+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=` |
| ID Server | rustdesk.xtrm-lab.org:21116 |
| Relay Server | rustdesk.xtrm-lab.org:21117 |
| DNS | rustdesk.xtrm-lab.org → 62.73.120.142 |
| Data Path | /mnt/user/appdata/rustdesk-server |

### Registered Clients

| ID | Platform | Status |
|----|----------|--------|
| 527588949 | macOS | ✅ Working |
| 20116399 | Nobara Linux | ✅ Working |

### MikroTik NAT Rules

| Rule | Protocol | WAN Port | Destination |
|------|----------|----------|-------------|
| RustDesk NAT Test | TCP | 21115 | 192.168.31.2:21115 |
| RustDesk ID Server | TCP | 21116 | 192.168.31.2:21116 |
| RustDesk ID Server | UDP | 21116 | 192.168.31.2:21116 |
| RustDesk Relay | TCP | 21117 | 192.168.31.2:21117 |

---

## Client Configuration

To connect RustDesk clients to your self-hosted server:

### Settings

```
ID Server:    rustdesk.xtrm-lab.org
Relay Server: rustdesk.xtrm-lab.org
Key:          +Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
```

### Connection String (for quick setup)

```
rustdesk.xtrm-lab.org,+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
```

### macOS Permissions Required

- **Accessibility** - Required for keyboard/mouse control
- **Screen Recording** - Required for screen capture

---

## Verification Checklist

### Server-Side

- [x] Keypair generated: `/mnt/user/appdata/rustdesk-server/id_ed25519*`
- [x] hbbs container running
- [x] hbbr container running
- [x] MikroTik NAT rules configured (4 rules)
- [x] DNS resolves: rustdesk.xtrm-lab.org → 62.73.120.142
- [x] Port 21116 accessible from external
- [x] Port 21117 accessible from external

### Client-Side

- [x] Nobara client connects with public key
- [x] macOS client connects with public key
- [x] Remote session works (Nobara → macOS tested)
- [x] Video streaming working
- [x] Keyboard/mouse control working

---

## Architecture

```
                        Internet
                            │
               ┌────────────▼────────────┐
               │ MikroTik (62.73.120.142)│
               │ NAT Rules:              │
               │   TCP 21115-21117       │
               │   UDP 21116             │
               └────────────┬────────────┘
                            │
         ┌──────────────────┼──────────────────┐
         │                  │                  │
         ▼                  ▼                  ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ hbbs (ID Server)│ │ hbbr (Relay)    │ │ RustDesk Client │
│ TCP 21115-21116 │ │ TCP 21117       │ │ Your devices    │
│ UDP 21116       │ │                 │ │                 │
│ WS 21118-21119  │ │                 │ │                 │
└─────────────────┘ └─────────────────┘ └─────────────────┘
```

---

## Container Details

### hbbs (ID/Rendezvous Server)

```
Image:   rustdesk/rustdesk-server:latest
Command: hbbs -r rustdesk.xtrm-lab.org:21117 -k _
Volume:  /mnt/user/appdata/rustdesk-server:/root
Ports:   21115, 21116 (TCP+UDP), 21118, 21119
```

### hbbr (Relay Server)

```
Image:   rustdesk/rustdesk-server:latest
Command: hbbr -k _
Volume:  /mnt/user/appdata/rustdesk-server:/root
Ports:   21117
```

**Note:** The `-k _` flag enforces encrypted connections using the keypair.

---

## Security Features

1. **End-to-End Encryption:** All connections encrypted with Ed25519 keypair
2. **Key Verification:** Clients must have correct public key to connect
3. **Self-Hosted:** No third-party servers involved
4. **Encrypted-Only Mode:** Unencrypted connections rejected

---

## Maintenance

### View Logs

```bash
docker logs rustdesk-hbbs --tail 50
docker logs rustdesk-hbbr --tail 50
```

### Restart Services

```bash
docker restart rustdesk-hbbs rustdesk-hbbr
```

### Key Rotation

```bash
# Generate new keypair
docker run --rm -v /mnt/user/appdata/rustdesk-server:/data rustdesk/rustdesk-server hbbs -g

# Restart containers
docker restart rustdesk-hbbs rustdesk-hbbr

# Update all clients with new public key
```

---

## Rollback Procedure

```bash
# Stop and remove containers
docker stop rustdesk-hbbs rustdesk-hbbr
docker rm rustdesk-hbbs rustdesk-hbbr

# Remove MikroTik NAT rules (via SSH)
/ip/firewall/nat remove [find comment~RustDesk]
```

---

## Related Documents

- [00-CURRENT-STATE.md](./00-CURRENT-STATE.md) - Infrastructure overview
- [04-PHASE4-REMOTE-GAMING.md](./04-PHASE4-REMOTE-GAMING.md) - Sunshine/Moonlight setup
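
---

The Key Rotation steps above end with a manual "update all clients" step. The script below is an added example, not part of the original setup: it checks that the key inside a `host,key` connection string still matches `id_ed25519.pub` in the data path and that the private key is not accessible to group or others. The file names `id_ed25519` and `id_ed25519.pub` (from the `id_ed25519*` pattern in the checklist) and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: audit the RustDesk key directory
# after a rotation. Assumed file names: id_ed25519 (private), id_ed25519.pub.

# 32 raw bytes (Ed25519 public key) always encode to 43 base64 chars plus '='.
pubkey_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Print the key part of a "host,key" quick-setup connection string.
conn_string_key() {
    case "$1" in
        *,*) printf '%s\n' "${1#*,}" ;;
        *)   return 1 ;;
    esac
}

# audit_keys DIR CONN_STRING: one FAIL line per finding, returns 0 if clean.
audit_keys() {
    dir=$1; conn=$2; rc=0
    if [ ! -f "$dir/id_ed25519.pub" ] || [ ! -f "$dir/id_ed25519" ]; then
        echo "FAIL: keypair files missing in $dir"; return 1
    fi
    disk_key=$(tr -d ' \r\n' < "$dir/id_ed25519.pub")
    if ! pubkey_is_valid "$disk_key"; then
        echo "FAIL: id_ed25519.pub is not a 32-byte base64 key"; rc=1
    fi
    if ! client_key=$(conn_string_key "$conn"); then
        echo "FAIL: connection string has no ',key' part"; rc=1
    elif [ "$client_key" != "$disk_key" ]; then
        echo "FAIL: distributed key differs from id_ed25519.pub"; rc=1
    fi
    # The private key must not be accessible to group or others (600 or stricter).
    perms=$(ls -ld "$dir/id_ed25519" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: id_ed25519 is accessible to group/others"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: distributed key matches key on disk"; fi
    return "$rc"
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then audit_keys "$1" "$2"; fi
```

Run it on the server with the data path and the connection string you are about to hand out, for example `sh audit-keys.sh /mnt/user/appdata/rustdesk-server 'rustdesk.xtrm-lab.org,<public key>'` (the script name is arbitrary).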