How to deploy and configure xrdp on Linux

Installation requirements for xrdp

Installation requirements for xrdp vary by Linux distribution. The general approach is to use the chosen system's package manager to add the xrdp server software.

On Fedora, Red Hat Enterprise Linux or similar distros, type the following commands:

$ sudo dnf upgrade
$ sudo dnf install xrdp -y

On Ubuntu or similar systems that use apt, type the following:

$ sudo apt update
$ sudo apt install xrdp -y

Once the installation is complete, start and enable the service:

$ sudo systemctl start xrdp
$ sudo systemctl enable xrdp
$ sudo systemctl status xrdp

Results of the sudo systemctl status xrdp command should return active (running), as in Figure 1.

Linux supports many different desktop environments, but this example connects to a Linux system that already uses a GUI. Administrators connecting to a server that doesn't have a GUI should use Xfce, which is a strong option for a graphical environment.

The above steps install the xrdp server application on the Linux box. Windows computers already have Microsoft's RDP client application installed. Admins can add RDP clients to other Linux systems or macOS.

Other potential RDP clients include the following:

• FreeRDP.
• rdesktop.
• Remmina.
• KRDC.

When an admin establishes a remote connection from a Windows device, they must authenticate using a name and password the local system recognizes. As in Figure 2, use the following commands to configure that user account now if necessary:

$ sudo useradd rdpuser
$ sudo passwd rdpuser

Admins should not use the root user for this connection. Direct authentication as root, especially across network connections, is no longer approved in most environments.

Basic configuration options for xrdp

The xrdp server uses two configuration files. Admins need to manage the systemwide xrdp configuration file and maybe a user-specific session file as well.

Systemwide service configuration file

The service's configuration file is located at /etc/xrdp/xrdp.ini. Open it using any preferred text editor, as in Figure 3. The file contains four main sections:

1. Global. Defines Global xrdp server configurations.
2. Logging. Sets logging details.
3. Channels. Configures channel types.
4. Session types. Includes xrdp and VNC connectivity settings.

Use this file to change log file settings, change the default port and configure performance options.

Session configuration file

The xrdp connection requires a session manager or GUI. Admins can define it in a file stored in the home directory of the local Linux user account that needs to connect to the system. This sets the Linux desktop environment xrdp should use, and this example Linux installation needs a GUI. However, this isn't necessary if the Linux device already uses a GUI.

If necessary, use a text editor to create a .xsession file in the home directory.

Then, add the session manager information -- this varies for different GUIs. For the XFCE environment, type the following:

xfce4-session

Admins can also use a redirector to enter the information into the .xsession file:

$ echo "xfce4-session" > .xsession

Configure the firewall

Since a remote Windows system requests a network connection to this Linux server, admins need to configure the firewall to permit the connection. The default RDP port is 3389/tcp. The steps vary by distribution, but the configurations are generally the same.

On a system using the firewalld program, type the following:

$ sudo firewall-cmd --permanent --add-port=3389/tcp
$ sudo firewall-cmd reload

Using Ubuntu Uncomplicated Firewall (UFW), type the following:

$ sudo ufw allow 3389/tcp
$ sudo ufw status

On some systems, the installation and configuration process may automatically open the port, as in Figure 4. Check online documentation if the preferred distribution uses a different firewall.

On some distributions, admins may need to modify Security-Enhanced Linux to gain access to system resources over the RDP connection. The test Fedora system in this example did not require changes. If necessary, use the following two commands:

$ sudo chcon --type=bin_t /usr/sbin/xrdp
$ sudo chcon --type=bin_t /usr/sbin/xrdp-sesman

Establish an RDP connection

It's time to test the connection. Open the Remote Desktop Connection application on your Windows device, as shown in Figure 5. Use the Search function to find the application, or type mstsc in the Run menu.

Type the Linux system's hostname or IP address and the Linux user account name that connects. There isn't a prompt for a password yet -- the xrdp server software displays that prompt just before allowing the connection.

Windows may display a warning, as in Figure 6, upon first connecting, which indicates that the remote computer's identity cannot be verified. This is normal. Verify the destination system once again, and select Yes if it is accurate. Additionally, there's a checkbox to not be prompted again.

This should lead to an xrdp login prompt asking for the session name defined in the ~/.xsession file. Enter a name and password the Linux system recognizes.

The Linux server's desktop appears after entering the correct credentials. Depending on the Windows configuration, Remote Desktop may not be enabled. Open System settings, select Remote Desktop and select On if this is the case.

The same information is needed for macOS client-to-Linux server connections using xrdp. Microsoft offers a macOS Remote Desktop Connection software package. It prompts for the same information as the Windows version. Now, the admin should be ready to remotely manage the Linux system from the Windows workstation.

Configurations and other options for xrdp

There are plenty of options to tweak xrdp to suit an organization's needs. From security to performance enhancements, admins can modify the client and server sides of the connection to improve the overall experience. For example, admins could set up drive mounting, audio and microphone redirection, and a two-way clipboard for keyboard commands. They could also reconnect to existing connections if they stop working.

Security configurations

The xrdp server does require some modifications for encryption. Administrators can implement certificate-based encryption or tunnel the RDP connection over SSH. Insecure connections might be acceptable on internal LANs or home networks, but be aware of packet-sniffing attacks if the organization uses the tool this way.

Another concern is brute-force attacks against the local Linux accounts. Be particularly careful if connecting to cloud VMs running Linux.

Connecting Linux to Windows over RDP

Admins can set up a Linux RDP client-to-Windows RDP server connection -- the opposite direction that this example covered. This could be handy if an IT admin sits at a Linux computer and needs to update a Windows workstation or server.

Linux RDP clients include the following:

• Vinagre.
• Remmina.
• RustDesk.

Admins can certainly use an RDP connection for Linux-to-Linux work, too. This provides a single client and configuration for multiple connection options.

Performance adjustments

Admins can make a few performance adjustments on the Windows side of the connection. In the Remote Desktop Connection software, experiment with the settings on the Experience and Display tabs. Try these options:

• Enable bitmap caching.
• Set the connection speed to LAN (10 Mbps or higher), as in Figure 7.
• Change the color value to 16 bits per pixel.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.