Not Bothering

VirtualBox has a pretty good remote desktop server built in, but securing it can be a pain if you’re actually doing it properly, using Transport Layer Security (TLS) certificates and the like.

I’ve created a script to handle setting these certificates and username/password pairs, based on the VirtualBox manual, but it seems almost overkill to me for my use case.

There’s an easier way to do it if you’re not trying to set up a whole bunch of headless VirtualBox instances for many different people. The trick is to set the authentication type to Null, but only start the Remote Desktop server on localhost:
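As an added example (not code from the original post, and not the author's script), this sketch shows the setting described above and a check that null authentication is never left on a non-loopback address. The function names and the sample `showvminfo` output are constructed for illustration; confirm the `--vrde*` option spellings against your installed VBoxManage version.

```shell
#!/bin/sh
# Added example: bind VRDE to loopback with null auth, then audit the result.

# Apply the setting: VRDE listens on 127.0.0.1 only, no VRDE-level login.
# Reachable only from the VM host itself, i.e. through an SSH tunnel.
configure_local_vrde() {
    vm=$1; port=$2
    VBoxManage modifyvm "$vm" --vrde on --vrdeport "$port" \
        --vrdeaddress 127.0.0.1 --vrdeauthtype null
}

# Audit: reads `VBoxManage showvminfo <vm> --machinereadable` on stdin.
# Returns 0 = disabled or loopback-only, 1 = null auth reachable off-host,
# 2 = non-loopback listener that still requires authentication.
audit_vrde() {
    vrde=off; addr=; auth=
    while IFS='=' read -r key val; do
        val=${val#\"}; val=${val%\"}          # strip surrounding quotes
        case $key in
            vrde)         vrde=$val ;;
            vrdeaddress)  addr=$val ;;
            vrdeauthtype) auth=$val ;;
        esac
    done
    [ "$vrde" = on ] || { echo "OK: VRDE disabled"; return 0; }
    case $addr in
        127.*|::1|localhost)
            echo "OK: VRDE on loopback ($addr), auth=$auth"; return 0 ;;
    esac
    # An empty address means the server listens on every interface.
    if [ "$auth" = null ]; then
        echo "EXPOSED: null auth on '${addr:-all interfaces}'"; return 1
    fi
    echo "WARN: VRDE on '${addr:-all interfaces}', auth=$auth"; return 2
}

# Constructed sample input (not captured from a real host).
audit_vrde <<'EOF'
vrde="on"
vrdeports="5000"
vrdeaddress="127.0.0.1"
vrdeauthtype="null"
EOF
```

On a real host, pipe `VBoxManage showvminfo virtual-machine-name --machinereadable` into `audit_vrde` after changing the settings.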

If you’re using the secure-vbox-rdp.sh script I wrote, this is simplified to:

./secure-vbox-rdp.sh -v virtual-machine-name -N -P remote-desktop-port

You just provide the virtual machine name and port number you’d like to use, and the script does the rest.

Then, all you have to do is set up an SSH tunnel into the virtual machine host, and none of the VMs set up this way are exposed to the outside world. Better still, it’s not clear how rigorous a security audit the VirtualBox TLS implementation has gone through, but SSH is the constantly-reviewed bedrock of internet security.

Using plink on Windows, it looks something like:

plink -v -ssh -l yourloginname -L 5000:localhost:5000 -C -N some.domain.com

Using ssh, it looks something like:

ssh -fCNq -L 5000:localhost:5000 yourloginname@some.domain.com

Once the tunnel is connected properly, you can just connect to the virtual machines via localhost:VRDE_PORT (port 5000 in the tunnel examples above), and all of the tunneled traffic is automatically encrypted, for the win!
