Phase 5: Hardened RustDesk Self-Hosted Setup
Status: ✅ SERVER-SIDE COMPLETE
Last Verified: 2026-01-18
Goal
Deploy a high-security, self-hosted RustDesk infrastructure with custom ID server, relay server, and end-to-end encryption using your own keypair.
Current State
Server Components
| Component | Container | Status | Ports |
|---|---|---|---|
| ID Server | rustdesk-hbbs | ✅ Running | TCP 21115-21116, UDP 21116, WS 21118-21119 |
| Relay Server | rustdesk-hbbr | ✅ Running | TCP 21117 |
Configuration
| Parameter | Value |
|---|---|
| Public Key | +Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8= |
| ID Server | rustdesk.xtrm-lab.org:21116 |
| Relay Server | rustdesk.xtrm-lab.org:21117 |
| DNS | rustdesk.xtrm-lab.org → 62.73.120.142 |
| Data Path | /mnt/user/appdata/rustdesk-server |
MikroTik NAT Rules
| Rule | Protocol | WAN Port | Destination |
|---|---|---|---|
| RustDesk NAT Test | TCP | 21115 | 192.168.31.2:21115 |
| RustDesk ID Server | TCP | 21116 | 192.168.31.2:21116 |
| RustDesk ID Server | UDP | 21116 | 192.168.31.2:21116 |
| RustDesk Relay | TCP | 21117 | 192.168.31.2:21117 |
Port Connectivity (Verified)
| Port | Protocol | Status |
|---|---|---|
| 21116 | TCP | ✅ Accessible |
| 21117 | TCP | ✅ Accessible |
Client Configuration
To connect RustDesk clients to your self-hosted server:
Settings
ID Server: rustdesk.xtrm-lab.org
Relay Server: rustdesk.xtrm-lab.org
Key: +Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
Connection String (for quick setup)
rustdesk.xtrm-lab.org,+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
Verification Checklist
Server-Side (Complete)
- Keypair generated: /mnt/user/appdata/rustdesk-server/id_ed25519*
- hbbs container running
- hbbr container running
- MikroTik NAT rules configured (4 rules)
- DNS resolves: rustdesk.xtrm-lab.org → 62.73.120.142
- Port 21116 accessible from external
- Port 21117 accessible from external
Client-Side (Pending User Testing)
- Client connects with public key
- Remote session works between two clients
- Relay works when direct P2P fails
Architecture
                        Internet
                            │
               ┌────────────▼────────────┐
               │ MikroTik (62.73.120.142)│
               │ NAT Rules:              │
               │   TCP 21115-21117       │
               │   UDP 21116             │
               └────────────┬────────────┘
                            │
         ┌──────────────────┼──────────────────┐
         │                  │                  │
         ▼                  ▼                  ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ hbbs (ID Server)│ │ hbbr (Relay)    │ │ RustDesk Client │
│ TCP 21115-21116 │ │ TCP 21117       │ │ Your devices    │
│ UDP 21116       │ │                 │ │                 │
│ WS 21118-21119  │ │                 │ │                 │
└─────────────────┘ └─────────────────┘ └─────────────────┘
Container Details
hbbs (ID/Rendezvous Server)
Image: rustdesk/rustdesk-server:latest
Command: hbbs -r rustdesk.xtrm-lab.org:21117 -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21115, 21116 (TCP+UDP), 21118, 21119
hbbr (Relay Server)
Image: rustdesk/rustdesk-server:latest
Command: hbbr -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21117
Note: The -k _ flag enforces encrypted connections using the keypair.
Security Features
- End-to-End Encryption: All connections encrypted with Ed25519 keypair
- Key Verification: Clients must have correct public key to connect
- Self-Hosted: No third-party servers involved
- Encrypted-Only Mode: Unencrypted connections rejected
Maintenance
View Logs
docker logs rustdesk-hbbs --tail 50
docker logs rustdesk-hbbr --tail 50
Restart Services
docker restart rustdesk-hbbs rustdesk-hbbr
Key Rotation
# Generate new keypair
docker run --rm -v /mnt/user/appdata/rustdesk-server:/data rustdesk/rustdesk-server hbbs -g
# Restart containers
docker restart rustdesk-hbbs rustdesk-hbbr
# Update all clients with new public key
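After a rotation, any connection string still in circulation can be checked against the server's key file before it reaches a client. The script below is an added example, not part of the original runbook; it assumes the public key is stored base64-encoded in id_ed25519.pub under the data path, and the script name check_key.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that a client
# connection string of the form "host,key" carries the server's current key.
# Assumption: the server public key is stored base64-encoded in id_ed25519.pub.
#
# Return codes: 0 match, 1 key differs from server, 2 malformed string,
#               3 key is not base64 for 32 bytes, 4 key file unreadable.
check_conn_string() {
    conn=$1
    pubfile=$2

    case $conn in
        ?*,?*) ;;
        *) echo "malformed: expected host,key" >&2; return 2 ;;
    esac
    host=${conn%%,*}
    key=${conn#*,}

    # An Ed25519 public key is exactly 32 bytes once decoded.
    if ! printf '%s' "$key" | base64 -d >/dev/null 2>&1; then
        echo "key for $host is not valid base64" >&2; return 3
    fi
    nbytes=$(printf '%s' "$key" | base64 -d | wc -c | tr -d ' ')
    if [ "$nbytes" -ne 32 ]; then
        echo "key for $host decodes to $nbytes bytes, expected 32" >&2; return 3
    fi

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 4; }
    server_key=$(tr -d '\r\n' < "$pubfile")

    if [ "$key" != "$server_key" ]; then
        echo "stale key for $host: does not match $pubfile" >&2
        return 1
    fi
    echo "OK: $host key matches $pubfile"
}

# Usage: sh check_key.sh 'host,key' /path/to/id_ed25519.pub
if [ "$#" -eq 2 ]; then
    check_conn_string "$1" "$2"
fi
```

A return code of 1 means the string was issued before the last rotation and needs to be redistributed.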
Rollback Procedure
# Stop and remove containers
docker stop rustdesk-hbbs rustdesk-hbbr
docker rm rustdesk-hbbs rustdesk-hbbr
# Remove MikroTik NAT rules (via SSH)
/ip/firewall/nat remove [find comment~RustDesk]
Related Documents
- 00-CURRENT-STATE.md - Infrastructure overview
- 04-PHASE4-REMOTE-GAMING.md - Sunshine/Moonlight setup