XTRM-Unraid
b250493d5a
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
New Structure: - 01-NETWORK-MAP.md - Network topology, IPs, Docker networks, services - 02-SERVICES-CRITICAL.md - DNS, Auth, Routing (P0/P1 services) - 03-SERVICES-OTHER.md - All non-critical services - 04-HARDWARE-INVENTORY.md - Physical devices and specs - 05-CHANGELOG.md - Major events only New Folders: - docs/archive/ - Legacy docs (read-only reference) - docs/wip/ - Planned changes and ideas - UPGRADE-2026-HARDWARE.md - N5 Air + N100 migration plan - GITOPS-CONTAINERS.md - Phase 2 container GitOps Changes: - Moved all 22 legacy docs to archive/ - Consolidated container IPs, physical map, and services into single network map - Extracted critical vs non-critical service classification - Simplified changelog to major events only Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
5.5 KiB
5.5 KiB
Phase 5: Hardened RustDesk Self-Hosted Setup
Status: ✅ FULLY COMPLETE
Last Verified: 2026-01-18 Completion Date: 2026-01-18
Goal
Deploy a high-security, self-hosted RustDesk infrastructure with custom ID server, relay server, and end-to-end encryption using your own keypair.
Current State
Server Components
| Component | Container | Status | Ports |
|---|---|---|---|
| ID Server | rustdesk-hbbs | ✅ Running | TCP 21115-21116, UDP 21116, WS 21118-21119 |
| Relay Server | rustdesk-hbbr | ✅ Running | TCP 21117 |
Configuration
| Parameter | Value |
|---|---|
| Public Key | +Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8= |
| ID Server | rustdesk.xtrm-lab.org:21116 |
| Relay Server | rustdesk.xtrm-lab.org:21117 |
| DNS | rustdesk.xtrm-lab.org → 62.73.120.142 |
| Data Path | /mnt/user/appdata/rustdesk-server |
Registered Clients
| ID | Platform | Status |
|---|---|---|
| 527588949 | macOS | ✅ Working |
| 20116399 | Nobara Linux | ✅ Working |
MikroTik NAT Rules
| Rule | Protocol | WAN Port | Destination |
|---|---|---|---|
| RustDesk NAT Test | TCP | 21115 | 192.168.31.2:21115 |
| RustDesk ID Server | TCP | 21116 | 192.168.31.2:21116 |
| RustDesk ID Server | UDP | 21116 | 192.168.31.2:21116 |
| RustDesk Relay | TCP | 21117 | 192.168.31.2:21117 |
Client Configuration
To connect RustDesk clients to your self-hosted server:
Settings
ID Server: rustdesk.xtrm-lab.org
Relay Server: rustdesk.xtrm-lab.org
Key: +Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
Connection String (for quick setup)
rustdesk.xtrm-lab.org,+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
macOS Permissions Required
- Accessibility - Required for keyboard/mouse control
- Screen Recording - Required for screen capture
Verification Checklist
Server-Side
- Keypair generated:
/mnt/user/appdata/rustdesk-server/id_ed25519* - hbbs container running
- hbbr container running
- MikroTik NAT rules configured (4 rules)
- DNS resolves: rustdesk.xtrm-lab.org → 62.73.120.142
- Port 21116 accessible from external
- Port 21117 accessible from external
Client-Side
- Nobara client connects with public key
- macOS client connects with public key
- Remote session works (Nobara → macOS tested)
- Video streaming working
- Keyboard/mouse control working
Architecture
Internet
│
┌────────────▼────────────┐
│ MikroTik (62.73.120.142)│
│ NAT Rules: │
│ TCP 21115-21117 │
│ UDP 21116 │
└────────────┬────────────┘
│
┌──────────────────┼──────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ hbbs (ID Server)│ │ hbbr (Relay) │ │ RustDesk Client │
│ TCP 21115-21116 │ │ TCP 21117 │ │ Your devices │
│ UDP 21116 │ │ │ │ │
│ WS 21118-21119 │ │ │ │ │
└─────────────────┘ └─────────────────┘ └─────────────────┘
Container Details
hbbs (ID/Rendezvous Server)
Image: rustdesk/rustdesk-server:latest
Command: hbbs -r rustdesk.xtrm-lab.org:21117 -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21115, 21116 (TCP+UDP), 21118, 21119
hbbr (Relay Server)
Image: rustdesk/rustdesk-server:latest
Command: hbbr -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21117
Note: The -k _ flag enforces encrypted connections using the keypair.
Security Features
- End-to-End Encryption: All connections encrypted with Ed25519 keypair
- Key Verification: Clients must have correct public key to connect
- Self-Hosted: No third-party servers involved
- Encrypted-Only Mode: Unencrypted connections rejected
Maintenance
View Logs
docker logs rustdesk-hbbs --tail 50
docker logs rustdesk-hbbr --tail 50
Restart Services
docker restart rustdesk-hbbs rustdesk-hbbr
Key Rotation
# Generate new keypair
docker run --rm -v /mnt/user/appdata/rustdesk-server:/data rustdesk/rustdesk-server hbbs -g
# Restart containers
docker restart rustdesk-hbbs rustdesk-hbbr
# Update all clients with new public key
Rollback Procedure
# Stop and remove containers
docker stop rustdesk-hbbs rustdesk-hbbr
docker rm rustdesk-hbbs rustdesk-hbbr
# Remove MikroTik NAT rules (via SSH)
/ip/firewall/nat remove [find comment~RustDesk]
Related Documents
- 00-CURRENT-STATE.md - Infrastructure overview
- 04-PHASE4-REMOTE-GAMING.md - Sunshine/Moonlight setup