# Phase 5: Hardened RustDesk Self-Hosted Setup

## Status: ✅ FULLY COMPLETE

**Last Verified:** 2026-01-18

**Completion Date:** 2026-01-18

---

## Goal

Deploy a high-security, self-hosted RustDesk infrastructure with custom ID server, relay server, and end-to-end encryption using your own keypair.

---

## Current State

### Server Components

| Component | Container | Status | Ports |
|-----------|-----------|--------|-------|
| ID Server | rustdesk-hbbs | ✅ Running | TCP 21115-21116, UDP 21116, WS 21118-21119 |
| Relay Server | rustdesk-hbbr | ✅ Running | TCP 21117 |

### Configuration

| Parameter | Value |
|-----------|-------|
| Public Key | `+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=` |
| ID Server | rustdesk.xtrm-lab.org:21116 |
| Relay Server | rustdesk.xtrm-lab.org:21117 |
| DNS | rustdesk.xtrm-lab.org → 62.73.120.142 |
| Data Path | /mnt/user/appdata/rustdesk-server |

### Registered Clients

| ID | Platform | Status |
|----|----------|--------|
| 527588949 | macOS | ✅ Working |
| 20116399 | Nobara Linux | ✅ Working |

### MikroTik NAT Rules

| Rule | Protocol | WAN Port | Destination |
|------|----------|----------|-------------|
| RustDesk NAT Test | TCP | 21115 | 192.168.31.2:21115 |
| RustDesk ID Server | TCP | 21116 | 192.168.31.2:21116 |
| RustDesk ID Server | UDP | 21116 | 192.168.31.2:21116 |
| RustDesk Relay | TCP | 21117 | 192.168.31.2:21117 |

---

## Client Configuration

To connect RustDesk clients to your self-hosted server:

### Settings

```
ID Server: rustdesk.xtrm-lab.org
Relay Server: rustdesk.xtrm-lab.org
Key: +Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
```

### Connection String (for quick setup)

```
rustdesk.xtrm-lab.org,+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
```

### macOS Permissions Required

- **Accessibility** - Required for keyboard/mouse control
- **Screen Recording** - Required for screen capture

---

## Verification Checklist

### Server-Side

- [x] Keypair generated: `/mnt/user/appdata/rustdesk-server/id_ed25519*`
- [x] hbbs container running
- [x] hbbr container running
- [x] MikroTik NAT rules configured (4 rules)
- [x] DNS resolves: rustdesk.xtrm-lab.org → 62.73.120.142
- [x] Port 21116 accessible externally
- [x] Port 21117 accessible externally
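
The server-side checklist as a runnable script, also covering the key handed out under Client Configuration: this is an added example, not part of the original runbook or RustDesk itself, and it checks that the distributed key (from Settings or the `host,key` connection string) is a well-formed 32-byte Ed25519 public key that matches the server's `id_ed25519.pub`, then runs the container, DNS and port checks. It assumes a Linux host with `docker`, `getent`, `timeout` and bash; the hostname, IP and paths are the ones used in this document.

```bash
#!/usr/bin/env bash
# Added example (not RustDesk's code). Assumes Linux with docker, getent, timeout, bash.
set -u

KEY_FILE="/mnt/user/appdata/rustdesk-server/id_ed25519.pub"
HOST="rustdesk.xtrm-lab.org"
EXPECTED_IP="62.73.120.142"

# An Ed25519 public key is exactly 32 bytes; RustDesk hands it out as base64.
valid_pubkey() {
  local n
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${n:-0}" -eq 32 ]
}

# Split a "host,key" quick-setup string; prints "host key" or fails.
parse_connection_string() {
  local host="${1%%,*}" key="${1#*,}"
  if [ -z "$host" ] || [ "$host" = "$1" ] || ! valid_pubkey "$key"; then
    return 1
  fi
  printf '%s %s\n' "$host" "$key"
}

# Does the key a client was given match the server's current id_ed25519.pub?
# Catches clients still carrying the old key after a rotation.
key_matches_server() {  # $1 = client key, $2 = path to id_ed25519.pub
  [ -r "$2" ] && [ "$(tr -d '[:space:]' < "$2")" = "$1" ]
}

check_dns() { getent ahostsv4 "$1" | awk '{print $1; exit}' | grep -qx "$2"; }
# TCP reachability without nc: bash opens /dev/tcp with a 5 s timeout.
check_tcp() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }
check_container() {
  [ "$(docker inspect -f '{{.State.Running}}' "$1" 2>/dev/null)" = "true" ]
}

FAILED=0
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; FAILED=1; fi; }
run_checks() {
  report check_container rustdesk-hbbs
  report check_container rustdesk-hbbr
  report valid_pubkey "$(tr -d '[:space:]' < "$KEY_FILE")"
  report check_dns "$HOST" "$EXPECTED_IP"
  report check_tcp "$HOST" 21116
  report check_tcp "$HOST" 21117
  return "$FAILED"
}
# Live checks run only when invoked as: ./verify-rustdesk.sh run
if [ "${1:-}" = "run" ]; then run_checks; fi
```

Without the `run` argument the script only defines the functions, so it can be sourced from other tooling.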

### Client-Side

- [x] Nobara client connects with public key
- [x] macOS client connects with public key
- [x] Remote session works (Nobara → macOS tested)
- [x] Video streaming working
- [x] Keyboard/mouse control working

---

## Architecture

```
                         Internet
                             │
                ┌────────────▼────────────┐
                │ MikroTik (62.73.120.142)│
                │ NAT Rules:              │
                │ TCP 21115-21117         │
                │ UDP 21116               │
                └────────────┬────────────┘
                             │
         ┌───────────────────┼───────────────────┐
         │                   │                   │
         ▼                   ▼                   ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ hbbs (ID Server)│ │ hbbr (Relay)    │ │ RustDesk Client │
│ TCP 21115-21116 │ │ TCP 21117       │ │ Your devices    │
│ UDP 21116       │ │                 │ │                 │
│ WS 21118-21119  │ │                 │ │                 │
└─────────────────┘ └─────────────────┘ └─────────────────┘
```

---

## Container Details

### hbbs (ID/Rendezvous Server)

```
Image: rustdesk/rustdesk-server:latest
Command: hbbs -r rustdesk.xtrm-lab.org:21117 -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21115, 21116 (TCP+UDP), 21118, 21119
```

### hbbr (Relay Server)

```
Image: rustdesk/rustdesk-server:latest
Command: hbbr -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21117
```

**Note:** The `-k _` flag makes both servers accept only encrypted connections from clients configured with the matching public key; clients without the key are rejected.

---

## Security Features

1. **End-to-End Encryption:** All connections encrypted with Ed25519 keypair
2. **Key Verification:** Clients must have correct public key to connect
3. **Self-Hosted:** No third-party servers involved
4. **Encrypted-Only Mode:** Unencrypted connections rejected

---

## Maintenance

### View Logs

```bash
docker logs rustdesk-hbbs --tail 50
docker logs rustdesk-hbbr --tail 50
```

### Restart Services

```bash
docker restart rustdesk-hbbs rustdesk-hbbr
```

### Key Rotation

```bash
# Generate new keypair
docker run --rm -v /mnt/user/appdata/rustdesk-server:/data rustdesk/rustdesk-server hbbs -g

# Restart containers
docker restart rustdesk-hbbs rustdesk-hbbr

# Print the new public key that clients must be given
cat /mnt/user/appdata/rustdesk-server/id_ed25519.pub

# Update all clients with new public key
```

---

## Rollback Procedure

```bash
# Stop and remove containers
docker stop rustdesk-hbbs rustdesk-hbbr
docker rm rustdesk-hbbs rustdesk-hbbr

# Remove MikroTik NAT rules (via SSH)
/ip/firewall/nat remove [find comment~RustDesk]
```
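
The rollback above removes every NAT rule whose comment matches `RustDesk`, so the rules must be created with those exact comments for it to work. As an added example (not from the original runbook), this script generates the matching RouterOS v7 `add` commands for the four rules listed under MikroTik NAT Rules and a preview of what the regex would select before anything is removed. It assumes ssh access to the router as `$ROUTER` and the default `WAN` interface list; both are placeholders to adjust.

```bash
#!/usr/bin/env bash
# Added example, not part of the original runbook or RustDesk. Generates the
# RouterOS v7 commands for the four NAT rules in this document and a preview
# of what `comment~RustDesk` in the rollback will match.
# Assumptions: ssh access to the router as $ROUTER and an interface list
# named "WAN" (the RouterOS default) holding the uplink interface.
set -eu

ROUTER="${ROUTER:-admin@192.168.31.1}"   # assumed ssh target, override via env
LAN_HOST="192.168.31.2"                  # host running hbbs/hbbr (from the table)
WAN_LIST="WAN"                           # assumed interface-list name

# One dst-nat rule. Matching on in-interface-list limits the rule to traffic
# arriving on the uplink; the comment is what the rollback command searches.
nat_rule() {  # $1 protocol, $2 port, $3 comment
  printf '/ip/firewall/nat add chain=dstnat action=dst-nat protocol=%s dst-port=%s in-interface-list=%s to-addresses=%s to-ports=%s comment="%s"\n' \
    "$1" "$2" "$WAN_LIST" "$LAN_HOST" "$2" "$3"
}

# The four rules from the "MikroTik NAT Rules" table, same names and order.
rustdesk_nat_rules() {
  nat_rule tcp 21115 "RustDesk NAT Test"
  nat_rule tcp 21116 "RustDesk ID Server"
  nat_rule udp 21116 "RustDesk ID Server"
  nat_rule tcp 21117 "RustDesk Relay"
}

# `~` is a regex match: every rule whose comment contains "RustDesk" is
# selected, not just these four. Print the selection before removing it.
rollback_preview() {
  printf '/ip/firewall/nat print where comment~"RustDesk"\n'
}

# How many generated rules the rollback regex would catch (expected: 4).
count_matching_rules() {
  rustdesk_nat_rules | grep -c 'comment="RustDesk'
}

case "${1:-}" in
  apply)   rustdesk_nat_rules | ssh "$ROUTER" ;;   # push rules to the router
  preview) rollback_preview  | ssh "$ROUTER" ;;   # list what rollback removes
  *)       rustdesk_nat_rules; rollback_preview ;; # dry run: print commands
esac
```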

---

## Related Documents

- [00-CURRENT-STATE.md](./00-CURRENT-STATE.md) - Infrastructure overview
- [04-PHASE4-REMOTE-GAMING.md](./04-PHASE4-REMOTE-GAMING.md) - Sunshine/Moonlight setup