VNC Terminal

To set up working VNC connections, you need to set up a proxy server that tunnels to your Proxmox host.

There are multiple options and I want to explain two of them:

  1. Running a separate container
  2. Running the required software on the same server as the system.

While option 1 might be easier to set up, it comes with the downside of requiring one extra IP address which can only be used for this service. Since prices for IPs are rising, it might be desirable to set it up on the same host as the system.

Installation in a separate container

First you need to navigate to your Proxmox storage, where you are storing the LXC templates. There is a button “Download from URL”, which will open a Dialog:

proxmox_template_upload.png

Here, you can enter the URL to the template-file, which we host in our CDN here: https://cdn.bennetgallein.de/products/ProxmoxCP/templates/. There is also a .md5 file which holds an MD5-Checksum which you can use to validate the integrity of the file after it is downloaded.

After the template is downloaded, continue as usual by creating a new container. Unless you expect hundreds of concurrent VNC users, 1 core and 512 MiB of memory should be sufficient.

After the container is started, log in to it via the GUI or over SSH. (Note: root login via password is not permitted, so unless you supplied an SSH key during creation you will not be able to use SSH.)

We need to modify 2 files. The first is /etc/redis/redis.conf, which I open with nano /etc/redis/redis.conf. Search for requirepass, which will hold some random string for now, and replace that string with your own secure password.

- requirepass yGdg3Y5B59EiUUxD45Ez4ADbaVC7ABxClH92XsuCSguohPlkR4
+ requirepass 5wHA5tQmNGG6oopbZpMfxqbQuK9MVTmZPyK5Xbw0fBRZ9
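
Review bot: the "+" line shows a concrete password rather than a placeholder, so readers may paste it unchanged into redis.conf. Use a placeholder such as "requirepass <random-password>", as the same-server section does; the value on the "-" line also reappears in the websockify unit file further down this page, so the placeholder would make it clearer that neither string should remain in a live configuration.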

Save and exit the file.

Next, open the /etc/systemd/system/websockify.service file. Line 9 holds the “ExecStart” command, which we need to modify. Replace the random string with your own password (the same one you set in redis.conf above) and run the following commands:

systemctl daemon-reload
systemctl restart websockify.service
systemctl restart redis-server.service

Now, navigate to the general settings in the Control Panel and enter the IP and Password of your container in the VNC-Configuration section.

vnc_settings.png

If you did not modify the port in the redis configuration file you don’t need to change it here.

If you have set up TLS on your webpage, the browser will force a wss connection instead of a normal websocket connection, which means that you need a trusted certificate in your proxy server. You can place the files anywhere in the container and reference them in the "ExecStart" command via the "--cert" and "--key" options. The cert file should contain the server certificate first and all required intermediate certificates after that.

Installation on the same server as the system

We will need to install some software, for which you can use the following command if you are on a Debian-based system: sudo apt-get install redis-server python3 python3-pip python3-redis git.

After that, open the redis configuration located in /etc/redis/redis.conf, and modify the following settings:

- # bind 127.0.0.1 ::1
+ bind 0.0.0.0 ::0
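
Review bot: "bind 0.0.0.0 ::0" on the "+" line makes Redis listen on every interface, while the websockify unit in this section reaches it at localhost:6379. If the Control Panel runs on this same host, the loopback value "bind 127.0.0.1 ::1" from the "-" line would be enough once uncommented; if the panel has to connect from elsewhere, say so here and restrict port 6379 to the panel's address with a firewall rule, because requirepass is otherwise the only protection.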

- # requirepass
+ requirepass <random-password>

Replace <random-password> with a long, secure string. After that, restart the Redis service by running systemctl restart redis-server.service.

Next, we need to create a new folder. I will use my home directory, which is /home/bennet; make sure to replace the path everywhere.

mkdir -p /home/bennet/websockify

After that, use the following command to clone websockify into that folder: git clone https://github.com/bennetgallein/websockify.git /home/bennet/websockify. Navigate into that folder using cd /home/bennet/websockify and run the following command to install all the required dependencies: python3 setup.py install.

Create a systemd service-file by running sudo nano /etc/systemd/system/websockify.service and copy over the following content:

[Unit]
Description=websockify systemd unit file
After=network.target
Wants=network-online.target

[Service]
Restart=always
Type=simple
ExecStart=/home/bennet/websockify/run 0.0.0.0:5400 --token-plugin TokenRedis --token-source localhost:6379::yGdg3Y5B59EiUUxD45Ez4ADbaVC7ABxClH92XsuCSguohPlkR4 --
Environment=

[Install]
WantedBy=multi-user.target

Pay special attention to the ExecStart line: the string after localhost:6379:: must be the password you set above, and localhost:6379 is the host and port of the redis-server. Now you can start the service by running systemctl enable websockify.service && systemctl start websockify.service. Make sure all services are running by using systemctl status websockify.service redis-server.service.
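
Both the container setup and the same-server setup only work when the password in the ExecStart line matches requirepass in redis.conf. The check below is an added example, not part of the original guide or of the ProxmoxCP project: the function names are hypothetical, the default paths are the two files named on this page, and the string it rejects is the sample password printed on this page.

```shell
#!/usr/bin/env bash
# Added example: consistency check for the two files edited in this guide.

# Sample password printed in this guide; it must not stay in a live config.
DOC_SAMPLE='yGdg3Y5B59EiUUxD45Ez4ADbaVC7ABxClH92XsuCSguohPlkR4'

# Value of the last active (uncommented) "requirepass" directive.
redis_pass() {
  awk '$1 == "requirepass" { v = $2 } END { print v }' "$1"
}

# Addresses of the last active "bind" directive, space separated.
redis_bind() {
  awk '$1 == "bind" { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# Password field of "--token-source host:port:db:password" in ExecStart.
unit_token_pass() {
  sed -n 's/^ExecStart=.*--token-source[ =]\([^ ]*\).*/\1/p' "$1" |
    awk -F: 'NF >= 4 { print $4 }'
}

# Prints one line per finding; returns 0 only if nothing blocking was found.
check_vnc_proxy() {
  conf=${1:-/etc/redis/redis.conf}
  unit=${2:-/etc/systemd/system/websockify.service}
  rc=0
  rp=$(redis_pass "$conf"); tp=$(unit_token_pass "$unit")
  if [ -z "$rp" ]; then echo "FAIL: no active requirepass in $conf"; rc=1; fi
  if [ "$rp" = "$DOC_SAMPLE" ] || [ "$tp" = "$DOC_SAMPLE" ]; then
    echo "FAIL: sample password from the guide is still in use"; rc=1
  fi
  if [ "$rp" != "$tp" ]; then
    echo "FAIL: --token-source password differs from requirepass"; rc=1
  fi
  # The same-server steps bind Redis to all interfaces; flag it as a reminder.
  case " $(redis_bind "$conf") " in
    *" 0.0.0.0 "*|*" :: "*|*" ::0 "*)
      echo "WARN: Redis listens on all interfaces; firewall port 6379" ;;
  esac
  return $rc
}
```

Source the file as root and run check_vnc_proxy without arguments to test the default paths; a non-zero return means websockify cannot authenticate against Redis or the sample password is still configured.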

Now, navigate to the general settings in the Control Panel and enter the IP and Password of your container in the VNC-Configuration section.

vnc_settings.png

If you did not modify the port in the redis configuration file you don’t need to change it here.

If you have set up TLS on your webpage, the browser will force a wss connection instead of a normal websocket connection, which means that you need a trusted certificate in your proxy server. You can place the files anywhere in the container and reference them in the "ExecStart" command via the "--cert" and "--key" options. The cert file should contain the server certificate first and all required intermediate certificates after that.

SSL/HTTPS

If you serve your Panel over HTTPS and a domain, you also need to serve the websocket connection from websockify over HTTPS. Let’s say you have your Panel on the domain control.bennetg.de and you want to deploy websockify on the domain console.bennetg.de. For this example I will be using an installation in a separate container, but the steps can be applied to any setup.

First, install the websockify software as mentioned in the steps above. Next, install certbot with the command apt-get install certbot. After the installation has finished, execute the following command to request a certificate:

# sudo certbot certonly --standalone --preferred-challenges http -d console.bennetg.de

You will be prompted to enter an e-mail address, to accept the ToS, and to accept or deny the collection of statistical data.

After that, you should see something like this: terminal_ssl_success.png

This tells us that our certificate was successfully received and we can now edit the websockify service to include the certificate. The service file is /etc/systemd/system/websockify.service if you remember from above.

We can simply add the --cert and --key option here. You can copy the file-paths from the certbot command output: Screenshot_20240207_204512.png

After this, reload the daemon and restart websockify: sudo systemctl daemon-reload && sudo systemctl restart websockify.service. Now, let's update the VNC Host in the settings to the domain you requested the certificate for (for me console.bennetg.de) and you should have a functioning and secure terminal.

Thanks to certbot the certificate should auto-renew so you don’t need to worry about it expiring.
