infrastructure/docs/05-PHASE5-RUSTDESK.md
jazzymc 62a6267026 Add infrastructure documentation (2026-01-18 16:57:25 +02:00)

# Phase 5: Hardened RustDesk Self-Hosted Setup
## Status: ✅ SERVER-SIDE COMPLETE
**Last Verified:** 2026-01-18

---
## Goal
Deploy a self-hosted RustDesk infrastructure with your own ID server, relay server and server keypair, so that clients trust only this server (its public key is pinned in every client config) and session traffic stays end-to-end encrypted between the two peers instead of being readable by the ID or relay server.

---
## Current State
### Server Components
| Component | Container | Status | Ports |
|-----------|-----------|--------|-------|
| ID Server | rustdesk-hbbs | ✅ Running | TCP 21115-21116, UDP 21116, WS 21118-21119 |
| Relay Server | rustdesk-hbbr | ✅ Running | TCP 21117 |
### Configuration
| Parameter | Value |
|-----------|-------|
| Public Key | `+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=` |
| ID Server | rustdesk.xtrm-lab.org:21116 |
| Relay Server | rustdesk.xtrm-lab.org:21117 |
| DNS | rustdesk.xtrm-lab.org → 62.73.120.142 |
| Data Path | /mnt/user/appdata/rustdesk-server |
### MikroTik NAT Rules
| Rule | Protocol | WAN Port | Destination |
|------|----------|----------|-------------|
| RustDesk NAT Test | TCP | 21115 | 192.168.31.2:21115 |
| RustDesk ID Server | TCP | 21116 | 192.168.31.2:21116 |
| RustDesk ID Server | UDP | 21116 | 192.168.31.2:21116 |
| RustDesk Relay | TCP | 21117 | 192.168.31.2:21117 |
### Port Connectivity (Verified)
| Port | Protocol | Status |
|------|----------|--------|
| 21116 | TCP | ✅ Accessible |
| 21117 | TCP | ✅ Accessible |

Only the TCP listeners were probed. UDP 21116 (ID registration and heartbeat) and TCP 21115 (NAT type test) are forwarded by the NAT rules above but have not been confirmed from outside; the client-side tests below are what exercise them.
---
## Client Configuration
To connect RustDesk clients to your self-hosted server, enter the values below under Settings → Network → ID/Relay server. `Key` is the server's Ed25519 public key (the contents of `id_ed25519.pub`). It is not a secret, but a client configured with a different key is refused by the server, and a server presenting a different key is refused by the client with a key mismatch error.
### Settings
```
ID Server: rustdesk.xtrm-lab.org
Relay Server: rustdesk.xtrm-lab.org
Key: +Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
```
### Connection String (for quick setup)
```
rustdesk.xtrm-lab.org,+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
```
---
## Verification Checklist
### Server-Side (Complete)
- [x] Keypair generated: `/mnt/user/appdata/rustdesk-server/id_ed25519*`
- [x] hbbs container running
- [x] hbbr container running
- [x] MikroTik NAT rules configured (4 rules)
- [x] DNS resolves: rustdesk.xtrm-lab.org → 62.73.120.142
- [x] Port 21116 accessible from external
- [x] Port 21117 accessible from external
### Client-Side (Pending User Testing)
- [ ] Client connects with public key
- [ ] Remote session works between two clients
- [ ] Relay works when direct P2P fails
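The server-side checks above were done by hand. As an added example (not part of this document), the script below re-runs them from any Linux box and also validates the two values clients pin, the host and the key. The hostname, WAN address and key are this document's; `getent`, GNU `timeout`/`base64` and bash's `/dev/tcp` are assumed to be available. It cannot exercise UDP 21116, which only a real client registration verifies.

```shell
#!/usr/bin/env bash
# Added verification script (not part of the original setup doc): re-runs the
# server-side checklist and validates the values clients will pin.
# Assumes GNU coreutils (base64, timeout), glibc getent and bash for /dev/tcp.

# A RustDesk server public key is an Ed25519 key: 32 raw bytes, base64-encoded.
# Returns 0 only if the string decodes to exactly 32 bytes.
check_key_format() {
  local key="$1" n
  n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
  [ "$((n))" -eq 32 ]
}

# Splits the quick-setup string "host,key" on its first comma and prints host and
# key on two lines; fails if there is no comma, the host is empty or the key is malformed.
parse_conn_string() {
  local s="$1" host key
  host="${s%%,*}"
  key="${s#*,}"
  [ -n "$host" ] && [ "$host" != "$s" ] && check_key_format "$key" || return 1
  printf '%s\n%s\n' "$host" "$key"
}

# DNS must point at the WAN address the NAT rules sit on; otherwise clients reach
# some other host, and only the pinned key stands between them and a rogue server.
check_dns() {
  local host="$1" expected="$2" got
  got=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  [ "$got" = "$expected" ]
}

# Opens a TCP connection with bash's /dev/tcp. A missing dst-nat rule, or one that
# points at the wrong LAN host, shows up here as a timeout or a refused connection.
check_tcp() {
  local host="$1" port="$2"
  timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Runs every check and returns non-zero if any of them failed.
verify_server() {
  local host="$1" ip="$2" key="$3" rc=0 p
  check_key_format "$key" && echo "key format ok" || { echo "key format BAD"; rc=1; }
  check_dns "$host" "$ip" && echo "dns $host -> $ip ok" || { echo "dns BAD"; rc=1; }
  for p in 21115 21116 21117; do
    check_tcp "$host" "$p" && echo "tcp/$p ok" || { echo "tcp/$p BAD"; rc=1; }
  done
  echo "udp/21116: not testable with a bare socket, confirm with a client registration"
  return "$rc"
}

# Only hits the network when explicitly asked, so the functions can be sourced elsewhere:
#   RUSTDESK_VERIFY=1 ./verify-rustdesk.sh
if [ "${RUSTDESK_VERIFY:-0}" = 1 ]; then
  verify_server rustdesk.xtrm-lab.org 62.73.120.142 '+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8='
fi
```

Run it from a host outside the MikroTik's LAN; from inside, the dst-nat rules are not traversed and a pass says nothing about external reachability.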
---
## Architecture
```
                         Internet
                             │
                ┌────────────▼────────────┐
                │ MikroTik (62.73.120.142)│
                │ NAT Rules:              │
                │   TCP 21115-21117       │
                │   UDP 21116             │
                └────────────┬────────────┘
         ┌───────────────────┼───────────────────┐
         │                   │                   │
         ▼                   ▼                   ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ hbbs (ID Server)│ │ hbbr (Relay)    │ │ RustDesk Client │
│ TCP 21115-21116 │ │ TCP 21117       │ │ Your devices    │
│ UDP 21116       │ │                 │ │                 │
│ WS 21118-21119  │ │                 │ │                 │
└─────────────────┘ └─────────────────┘ └─────────────────┘
```
---
## Container Details
### hbbs (ID/Rendezvous Server)
```
Image: rustdesk/rustdesk-server:latest
Command: hbbs -r rustdesk.xtrm-lab.org:21117 -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21115, 21116 (TCP+UDP), 21118, 21119
```
### hbbr (Relay Server)
```
Image: rustdesk/rustdesk-server:latest
Command: hbbr -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21117
```
**Note:** `-k _` makes hbbs and hbbr use the keypair in their working directory (`/root`, the mounted data path) and reject clients that connect without it; without the flag the server still generates and offers the key but also accepts clients that are not using it. Both containers share the volume, so they see the same key files. `:latest` is a moving target: pin the image to a specific version tag (or digest) so that an upgrade is a deliberate step rather than a side effect of recreating a container.

---
## Security Features
1. **Server Authentication (Key Pinning):** The server keypair is Ed25519, a signing key. Clients pin the public key and verify the ID server's signed responses against it, so a spoofed or rogue ID/relay server (for example after a DNS hijack of rustdesk.xtrm-lab.org) is refused with a key mismatch.
2. **End-to-End Encryption:** Screen, input and file-transfer data are encrypted between the two RustDesk clients with a session key they negotiate themselves; hbbs only brokers the connection and hbbr only forwards already-encrypted bytes. The server keypair authenticates that exchange; it is not the encryption key.
3. **Key Verification:** Clients must present the correct public key to register or relay.
4. **Encrypted-Only Mode:** With `-k _`, keyless (unencrypted) connections are rejected by both hbbs and hbbr.
5. **Self-Hosted:** No third-party servers involved; connection metadata (IDs, addresses, timing) stays on this host.

Caveats to keep in mind when reviewing this setup:
- The public key is not an access control. It is printed in this document and in every client config, and anyone who has it and can reach ports 21115-21117 can register IDs on and relay through this server. Limiting who may use it is a network-level decision on the MikroTik, not a property of the key.
- `id_ed25519` (the private key) is the root of trust: whoever reads it can impersonate the server to every client. Keep the data path's permissions tight, include the file in backups, and treat a suspected leak as a forced key rotation, which means reconfiguring every client.
- None of this authenticates the person at the controlling client; access to each controlled machine is still governed by that client's own RustDesk password and permission settings.
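Because the public key does not gate access, the only way to limit who can use this server is on the MikroTik. As an added example (not part of this document or of RustDesk), the helper below renders RouterOS v7 filter rules that drop the forwarded RustDesk ports from any source not on an address list, and applies them over SSH. The allowed networks, the router address 192.168.31.1, the `admin` user and the rule placement are assumptions; the LAN host 192.168.31.2 and the ports come from the NAT table above.

```shell
#!/usr/bin/env bash
# Added hardening helper (not part of the original doc): restrict the forwarded
# RustDesk ports to known sources, since the public key alone does not gate access.
# Assumptions: RouterOS v7 path syntax, router at 192.168.31.1 reachable as "admin",
# and that the drop rules must land above any rule that accepts dst-nat'ed traffic.

# Renders a RouterOS script: an address list of allowed sources plus forward-chain
# drop rules for the RustDesk ports from every other source. Arguments: LAN IP, CIDRs...
render_rustdesk_filter_rules() {
  local lan_ip="$1"; shift
  local cidr
  printf '/ip/firewall/address-list\n'
  for cidr in "$@"; do
    printf 'add list=rustdesk-allowed address=%s comment="RustDesk allowed source"\n' "$cidr"
  done
  printf '/ip/firewall/filter\n'
  # place-before=0 puts each drop rule at the top of the chain, ahead of generic accepts.
  printf 'add chain=forward action=drop protocol=tcp dst-address=%s dst-port=21115-21117 src-address-list=!rustdesk-allowed comment="RustDesk drop unlisted" place-before=0\n' "$lan_ip"
  printf 'add chain=forward action=drop protocol=udp dst-address=%s dst-port=21116 src-address-list=!rustdesk-allowed comment="RustDesk drop unlisted" place-before=0\n' "$lan_ip"
}

# Counts the "add" lines in a rendered script read from stdin, for a dry-run sanity check.
count_rules() {
  grep -c '^add '
}

# Uploads the rendered script to the router and imports it. Review the file first:
#   render_rustdesk_filter_rules 192.168.31.2 203.0.113.0/24 198.51.100.7 > rustdesk-allow.rsc
# Undo on the router with: /ip/firewall/filter remove [find comment~"RustDesk drop"]
apply_to_router() {
  local router="${1:-192.168.31.1}" user="${2:-admin}" file="${3:-rustdesk-allow.rsc}"
  scp "$file" "$user@$router:$file" &&
  ssh "$user@$router" "/import file-name=$file"
}
```

This only fits clients with stable source addresses (203.0.113.0/24 and 198.51.100.7 are placeholder examples). Roaming clients cannot be allowlisted by IP; in that case the exposure of 21115-21117 to the whole internet is something to accept knowingly, or the ports should be reachable only through a VPN.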
---
## Maintenance
### View Logs
```bash
docker logs rustdesk-hbbs --tail 50
docker logs rustdesk-hbbr --tail 50
```
### Restart Services
```bash
docker restart rustdesk-hbbs rustdesk-hbbr
```
### Key Rotation
Rotating the key invalidates the key pinned in every client, so plan to redistribute the new public key at the same time. hbbs generates a fresh keypair at startup when `id_ed25519` is missing from its working directory (`/root` in the container, i.e. the mounted data path), so rotation is: stop, move the old keys aside, start, read the new public key.
```bash
KEYDIR=/mnt/user/appdata/rustdesk-server
# Stop both so hbbs and hbbr come back with the same new key
docker stop rustdesk-hbbs rustdesk-hbbr
# Keep the old keypair: it is the only way to serve clients that have not been updated yet
mkdir -p "$KEYDIR/old-keys-$(date +%F)" && mv "$KEYDIR"/id_ed25519 "$KEYDIR"/id_ed25519.pub "$KEYDIR/old-keys-$(date +%F)/"
# hbbs generates id_ed25519 / id_ed25519.pub on startup when they are absent; start hbbr once they exist
docker start rustdesk-hbbs
until [ -s "$KEYDIR/id_ed25519.pub" ]; do sleep 1; done
docker start rustdesk-hbbr
# Hand this out to every client and update the Public Key value in this document
cat "$KEYDIR/id_ed25519.pub"
```
---
## Rollback Procedure
```bash
# Stop and remove containers (the bind-mounted data path, including the keypair, is left
# in place; delete /mnt/user/appdata/rustdesk-server as well for a full teardown)
docker stop rustdesk-hbbs rustdesk-hbbr
docker rm rustdesk-hbbs rustdesk-hbbr
# Remove MikroTik NAT rules (run on the router over SSH; matches all four rules by comment)
/ip/firewall/nat remove [find comment~RustDesk]
```
---
## Related Documents
- [00-CURRENT-STATE.md](./00-CURRENT-STATE.md) - Infrastructure overview
- [04-PHASE4-REMOTE-GAMING.md](./04-PHASE4-REMOTE-GAMING.md) - Sunshine/Moonlight setup