How to deploy and configure xrdp on Linux

When organizations run Linux, they may need to link those systems to Windows via Remote Desktop Protocol. Learn how to set this up and what configuration options there are.

Whether administrators manage cloud servers, maintain on-premises devices or support end-user workstations, they are more likely than ever to run into some combination of Windows, Linux and macOS. In this cross-platform world, it can be difficult to connect these disparate systems.

One answer is Microsoft's Remote Desktop Protocol (RDP), which can work for plenty of OSes and not just Windows. While Secure Shell (SSH) remains the standard way of connecting to remote Linux systems, it's not user-friendly enough for many people, and it doesn't provide a direct GUI experience. RDP-based connections offer access to a comfortable GUI that is much easier to use.

Whether admins need to connect to a Raspberry Pi IoT device, access a cloud administration jump box or spend a little time working on a Python project, they're likely using a Linux system. The xrdp server also satisfies use cases involving cloud-based Linux VMs.

IT administrators may want to install the xrdp server on a Linux system and connect to it from a Windows client using RDP to perform some of the following tasks:

  • Edit configuration files.
  • Manage services.
  • Check performance information.
  • View log files.
  • Edit user files.
  • Connect to and manage cloud VMs.

Admins have privileges to access these files and functions based on their Linux credentials. The xrdp server is straightforward to set up and free of charge.

Installation requirements for xrdp

Installation requirements for xrdp vary by Linux distribution. The general approach is to use the chosen system's package manager to add the xrdp server software.

On Fedora, Red Hat Enterprise Linux or similar distros, type the following commands:

$ sudo dnf upgrade
$ sudo dnf install xrdp -y

On Ubuntu or similar systems that use apt, type the following:

$ sudo apt update
$ sudo apt install xrdp -y

Once the installation is complete, start and enable the service:

$ sudo systemctl start xrdp
$ sudo systemctl enable xrdp
$ sudo systemctl status xrdp

The output of the sudo systemctl status xrdp command should show active (running), as in Figure 1.

Figure 1. The command output showing that the xrdp service is installed and active

Linux supports many different desktop environments, but this example connects to a Linux system that already uses a GUI. Administrators connecting to a server that doesn't have a GUI should use Xfce, which is a strong option for a graphical environment.

The above steps install the xrdp server application on the Linux box. Windows computers already have Microsoft's RDP client application installed. Admins can add RDP clients to other Linux systems or macOS.

Other potential RDP clients include the following:

  • FreeRDP.
  • rdesktop.
  • Remmina.
  • KRDC.

When an admin establishes a remote connection from a Windows device, they must authenticate using a name and password the local system recognizes. As in Figure 2, use the following commands to configure that user account now if necessary:

$ sudo useradd rdpuser
$ sudo passwd rdpuser

Figure 2. The authentication process for xrdp with credentials that the local system recognizes

Admins should not use the root user for this connection. Direct authentication as root, especially across network connections, is no longer approved in most environments.

Basic configuration options for xrdp

The xrdp server uses two configuration files. Admins need to manage the systemwide xrdp configuration file and maybe a user-specific session file as well.

Systemwide service configuration file

The service's configuration file is located at /etc/xrdp/xrdp.ini. Open it using any preferred text editor, as in Figure 3. The file contains four main sections:

  1. Global. Defines global xrdp server configurations.
  2. Logging. Sets logging details.
  3. Channels. Configures channel types.
  4. Session types. Includes xrdp and VNC connectivity settings.

Figure 3. The Globals section of the xrdp system configuration file

Use this file to change log file settings, change the default port and configure performance options.

Session configuration file

The xrdp connection requires a session manager or GUI. Admins can define it in a file stored in the home directory of the local Linux user account that needs to connect to the system. This sets the Linux desktop environment xrdp should use, and this example Linux installation needs a GUI. However, this isn't necessary if the Linux device already uses a GUI.

If necessary, use a text editor to create a .xsession file in the home directory.

Then, add the session manager information -- this varies for different GUIs. For the Xfce environment, type the following:

xfce4-session

Admins can also use shell redirection to write the information to the .xsession file in the home directory:

$ echo "xfce4-session" > ~/.xsession

Configure the firewall

Since a remote Windows system requests a network connection to this Linux server, admins need to configure the firewall to permit the connection. The default RDP port is 3389/tcp. The steps vary by distribution, but the configurations are generally the same.

On a system using the firewalld program, type the following:

$ sudo firewall-cmd --permanent --add-port=3389/tcp
$ sudo firewall-cmd --reload

Figure 4. A message verifying that the firewall is already active via the RDP port

Using Ubuntu Uncomplicated Firewall (UFW), type the following:

$ sudo ufw allow 3389/tcp
$ sudo ufw status

On some systems, the installation and configuration process may automatically open the port, as in Figure 4. Check online documentation if the preferred distribution uses a different firewall.
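Both rules above accept RDP from any source address. The following check is an added example, not part of the original article: it reads ufw status output and prints the rules that leave port 3389 open to every source. The two sample outputs and the 192.0.2.0/24 management subnet are constructed placeholders; the scoped rules in the comments are the narrower alternative.

```shell
#!/bin/sh
# Added example: find ufw rules that expose RDP (3389/tcp) to every source.
# Scoped alternatives to the blanket rules (192.0.2.0/24 is a placeholder):
#   sudo ufw allow from 192.0.2.0/24 to any port 3389 proto tcp
#   sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.0.2.0/24" port port="3389" protocol="tcp" accept'

# Reads `ufw status` text on stdin and prints every ALLOW rule for port 3389
# whose source is "Anywhere". Exit status: 0 if any was found, 1 if none.
rdp_exposed_rules() {
    awk '
        $1 ~ /^3389(\/tcp)?$/ {
            line = $0
            gsub(/\(v6\)/, "", line)      # drop the IPv6 marker in both columns
            n = split(line, f, " ")
            if (f[2] == "ALLOW" && f[n] == "Anywhere") { print; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed output, as left by `ufw allow 3389/tcp`.
sample_open='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3389/tcp                   ALLOW       Anywhere
3389/tcp (v6)              ALLOW       Anywhere (v6)'

# Constructed output after scoping the rule to the placeholder subnet.
sample_scoped='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3389/tcp                   ALLOW       192.0.2.0/24'

printf '%s\n' "$sample_open" | rdp_exposed_rules || echo "RDP is not open to Anywhere"
```

On a live Ubuntu host, the same function reads the real rule set with sudo ufw status | rdp_exposed_rules.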

On some distributions, admins may need to modify Security-Enhanced Linux to gain access to system resources over the RDP connection. The test Fedora system in this example did not require changes. If necessary, use the following two commands:

$ sudo chcon --type=bin_t /usr/sbin/xrdp
$ sudo chcon --type=bin_t /usr/sbin/xrdp-sesman

Establish an RDP connection

It's time to test the connection. Open the Remote Desktop Connection application on your Windows device, as shown in Figure 5. Use the Search function to find the application, or type mstsc in the Run menu.

Type the Linux system's hostname or IP address and the Linux user account name that connects. There isn't a prompt for a password yet -- the xrdp server software displays that prompt just before allowing the connection.

Figure 5. The interface of the Remote Desktop Connection utility

Windows may display a warning, as in Figure 6, upon first connecting, which indicates that the remote computer's identity cannot be verified. This is normal. Verify the destination system once again, and select Yes if it is accurate. Additionally, there's a checkbox to not be prompted again.

Figure 6. A warning pop-up that may occur in Remote Desktop Connection regarding the identity of the connecting computer

This should lead to an xrdp login prompt asking for the session name defined in the ~/.xsession file. Enter a name and password the Linux system recognizes.

The Linux server's desktop appears after entering the correct credentials. Depending on the Windows configuration, Remote Desktop may not be enabled. Open System settings, select Remote Desktop and select On if this is the case.

The same information is needed for macOS client-to-Linux server connections using xrdp. Microsoft offers a macOS Remote Desktop Connection software package. It prompts for the same information as the Windows version. Now, the admin should be ready to remotely manage the Linux system from the Windows workstation.

Configurations and other options for xrdp

There are plenty of options to tweak xrdp to suit an organization's needs. From security to performance enhancements, admins can modify the client and server sides of the connection to improve the overall experience. For example, admins could set up drive mounting, audio and microphone redirection, and a two-way clipboard for keyboard commands. They could also reconnect to existing connections if they stop working.

Security configurations

The xrdp server does require some modifications for encryption. Administrators can implement certificate-based encryption or tunnel the RDP connection over SSH. Insecure connections might be acceptable on internal LANs or home networks, but be aware of packet-sniffing attacks if the organization uses the tool this way.

Another concern is brute-force attacks against the local Linux accounts. Be particularly careful if connecting to cloud VMs running Linux.
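A check for the two options described above (forced TLS or an SSH tunnel), as an added example that is not from the original article or the xrdp project: it reads the [Globals] section of an xrdp.ini file and reports settings that leave the session weakly protected. The sample file is constructed; port, security_layer, crypt_level and ssl_protocols are xrdp.ini keys, and the thresholds for what counts as a finding are this example's assumptions.

```shell
#!/bin/sh
# Added example: audit the transport settings in the [Globals] section of xrdp.ini.
# Print the value of KEY ($2) from [Globals] in FILE ($1); the last occurrence is used.
globals_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_g = (tolower($0) ~ /\[globals\]/); next }
        !in_g || /^[ \t]*[;#]/ || !index($0, "=") { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Print one line per finding; the exit status is the number of findings.
audit_xrdp_ini() {
    n=0
    port=$(globals_get "$1" port)
    layer=$(globals_get "$1" security_layer)
    crypt=$(globals_get "$1" crypt_level)
    protos=",$(globals_get "$1" ssl_protocols | tr -d ' '),"
    # tcp://.:PORT is the loopback-only listener form in recent xrdp releases.
    case $port in
        tcp://.:*|tcp6://.:*) echo "ok: port=$port is loopback-only (SSH tunnel)"; return 0 ;;
    esac
    if [ "$layer" != tls ]; then
        echo "finding: security_layer=${layer:-unset} does not force TLS"; n=$((n + 1))
        # crypt_level only governs the classic RDP security layer.
        case $crypt in
            high|fips) ;;
            *) echo "finding: crypt_level=${crypt:-unset} is below high"; n=$((n + 1)) ;;
        esac
    fi
    case $protos in
        *,SSLv3,*|*,TLSv1,*|*,TLSv1.1,*)
            echo "finding: ssl_protocols enables a protocol older than TLSv1.2"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample: negotiable security layer, weak crypt_level, legacy TLS enabled.
sample=$(mktemp)
printf '%s\n' '[Globals]' 'port=3389' 'security_layer=negotiate' 'crypt_level=low' \
    'ssl_protocols=TLSv1, TLSv1.2' '[Logging]' 'LogLevel=INFO' > "$sample"
audit_xrdp_ini "$sample" || echo "$? finding(s) in the constructed sample"
rm -f "$sample"
```

With a loopback-only listener, the client side of the tunnel is ssh -L 13389:127.0.0.1:3389 rdpuser@<linux-host>, and the RDP client then connects to localhost:13389 (the local port number is an arbitrary choice).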

Connecting Linux to Windows over RDP

Admins can set up a Linux RDP client-to-Windows RDP server connection -- the opposite direction from the one this example covered. This could be handy if an IT admin sits at a Linux computer and needs to update a Windows workstation or server.

Linux RDP clients include the following:

  • Vinagre.
  • Remmina.
  • RustDesk.

Admins can certainly use an RDP connection for Linux-to-Linux work, too. This provides a single client and configuration for multiple connection options.

Performance adjustments

Admins can make a few performance adjustments on the Windows side of the connection. In the Remote Desktop Connection software, experiment with the settings on the Experience and Display tabs. Try these options:

  • Enable bitmap caching.
  • Set the connection speed to LAN (10 Mbps or higher), as in Figure 7.
  • Change the color value to 16 bits per pixel.

Figure 7. The option to set a specific connection speed for the remote session

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.
