Thanks for the reply. I did not understand your suggestion. Do you mean that in the firewall I have to direct the 80/443 traffic towards the PC of Guacamole? What if there is a web server on the network? There isn't, but it could be activated in the near future. In this case I would have to change the ports on Guacamole and tell users that they must use the port in the URL. Then I have to consider that the IP is dynamic and therefore I still have to use a DDNS.
Finally, it is true that there is an added complication for users, but also for an intruder who should also have access to the VPN credentials. In case I decide to use OpenVPN, can I install the OpenVPN server on the same server of Guacamole?

On Mon, May 23, 2022 at 17:16 Michael Jumper <mjum...@apache.org> wrote:

> On Mon, May 23, 2022, 07:53 Dark Corner <darkcorner...@gmail.com> wrote:
>
>> Guacamole is installed on a PC behind a Zyxel firewall.
>> Users should connect to Guacamole via VPN and, once logged into Guacamole, log into their PC.
>> However, the firewall cannot handle multiple VPNs. So, I wish to install OpenVPN, possibly on the same PC used for Guacamole.
>> To access OpenVPN I would like to open a set of ports on the firewall to the Guacamole PC only, so that it is not necessary to use a VPN on the firewall.
>>
>> Do you have any suggestions in this regard?
>
> I think it would be far better to not use the VPN at all. Putting a VPN in front of it would just add unnecessary difficulty and complexity for users.
>
> Part of the function of Guacamole is as a VPN replacement. It allows you to allow users to connect to backend desktops securely and via a browser without needing VPN at all. You should instead:
>
> 1) Allow direct access to the Guacamole server only, and only on ports 80 and 443.
>
> 2) Set up SSL termination such that access is properly encrypted and HTTP traffic to port 80 is redirected to HTTPS at port 443.
>
> 3) Ensure via your firewall and network config that Guacamole is the sole means of access to the desktops on the private network behind Guacamole.
>
> You then have a single, centralized, monitored, and secured point of entry, with access to any particular backend desktop only possible if the admin grants that access.
>
> - Mike
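The TLS-termination step Mike describes (point 2: encrypt on 443, redirect 80 to 443) can be done with an nginx reverse proxy on the Guacamole PC. The configuration below is an added example for this thread, not code from either poster or from the Guacamole project. It assumes Guacamole's Tomcat is bound to 127.0.0.1:8080 so that it is not reachable from outside the host, that the public name is the placeholder `guac.example.com` (in this setup it would be the DDNS name), and that the certificate and key paths are placeholders to be replaced with real ones.

```nginx
# Added example (not from the thread or the Guacamole project).
# Assumptions: Guacamole's Tomcat listens only on 127.0.0.1:8080,
# guac.example.com is a placeholder for the public (DDNS) hostname,
# and the certificate/key paths are placeholders.

# Port 80 exists only to redirect; nothing is served in clear text.
server {
    listen 80;
    listen [::]:80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

# Port 443: TLS termination in front of Guacamole.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/ssl/certs/guac.example.com.fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/guac.example.com.key;           # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Ask browsers to stay on HTTPS on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Needed for the WebSocket tunnel that carries the remote-desktop session.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}
```

Points 1 and 3 of the reply are not covered by this file: they are done on the Zyxel, by forwarding only TCP 80 and 443 to the Guacamole PC and forwarding nothing else inbound, so that the desktops' RDP/VNC/SSH ports are reachable only from the Guacamole host. Because nginx selects the virtual host by `server_name`, a future web server on the same network can be served from this same port 443 under a different name, so Guacamole does not need to move to a non-standard port and users do not need a port in the URL.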