-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Tips and FAQ
RDP stands for Remote Desktop Protocol. It's the protocol developed by Microsoft and used in Windows. The protocol specification is open and can be found at Microsoft's site. The most basic part is named [MS-RDPBGCR] (RDP Basic Connectivity and Remoting Graphics). Many other extensions can be found by name prefixed MS-RDP.
xrdp, usually spelled in lowercase, is an open-source implementation of the RDP server.
If you're using a systemd-based distro, you will have noted that if you're logged in on the system graphical console, you can't use the same user to log in over xrdp successfully. Similarly, a user logged in over xrdp will have trouble logging in on the system graphical console.
On systemd-based systems, multiple sessions for the same user share a single instance of the session D-Bus. This allows systemd to support long-lived services for the user, but causes confusion for desktop services which are not expecting to be shared.
This has been raised with systemd - see https://github.com/systemd/systemd/issues/24932, but a possible solution has been rejected.
Issue #2491 is looking into either possible workarounds or enforcing a single session per user on systemd-based systems.
Currently, if your use-case requires the same user to have multiple graphical sessions on one machine you will need to use a distro which does not use systemd.
You may also see prompts to enter a privileged password when using xrdp which you don't see on the machine console.
Most, if not all, Linux desktops use a sub-system called polkit to authorize operations. polkit treats remote users differently from local users, and this is likely the root cause of the differences you are experiencing between local GUI sessions and xrdp sessions.
Linux is used in many different environments, and so some things which are reasonable to do when sat in front of a machine may not be permitted by default when logged in remotely. As an example, consider a non-privileged user. Shutting down the system may be reasonable for this user when sitting in front of the machine, but shouldn't be permitted on a multi-user system by default as this would inconvenience other users. By default, polkit doesn't allow this.
A good description of polkit can be found on the Arch Linux wiki (as with so many other things):-
https://wiki.archlinux.org/title/Polkit
To the best of our knowledge no-one has produced an easy-to-use interface to configure polkit. It all needs to be done by the user using text files.
Bear in mind that there are two flavours of polkit in current use:-
- polkit version 0.105 (official docs)
- later versions of polkit (official docs)
Find out which version your distribution uses. The links above contain more information on your version.
This is a commonly requested feature. Before going down this root however, be aware that doing this is dangerous. If an unauthorized user gains access to your machine over xrdp, they will effectively have total access to it.
A test tool has been produced by one of the xrdp developers which generates the required actions to accomplish this.
https://github.com/matt335672/pk-local
This tool is not intended for production environments. By using it in a test environment however, you can work out a subset of the polkit actions you need to configure which are compatible with you use case(s) and your security posture.
Before using the tool, take the trouble to understand what it is doing, and be mindful of the warnings it generates.
Here's a detailed description of this problem.
Short answer; no
Long answer; The RDP protocol has a long history of being hacked by brute force or credential stuffing. You shouldn't expose any kind of RDP server to an unsafe network.
If you want to connect to xrdp over the Internet, consider setting up a VPN. For a small system, Wireguard is a good option. This will allow you to export other services securely as well.
If you're running through a corporate firewall, you may notice that when you minimise an xrdp session and leave it for some minutes, the connection gets dropped.
The reason for this is that when an xrdp session is minimised, the RDP client asks the server not to send any display updates. This can result in no traffic at all being sent from the xrdp server to the client. Some corporate firewalls will drop connections if they see no traffic.
Connection drops are either explicit (firewall sends a TCP RST to both sides) or silent (firewall drops the connection). Silent connection drops can be bad news, as current versions of xrdp don't realise the client has gone. Consequently they can struggle when the client reconnects - see issue #1188.
There is at present no direct solution within xrdp for this, but there are two workarounds:-
-
Windows client only. Set
HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client\RemoteDesktop_SuppressWhenMinimizedto 2 on a Windows client. This will prevent display updates being suppressed. It can however result in a lot more traffic being passed through the corporate firewall. -
(Linux xrdp server) Set up a short TCP keepalive. TCP keepalive is a TCP feature which can be used to send a small amount of data on idle TCP connections. The main purpose of this is to detect dead connections. By default, data is not sent until at least 2 hours have elapsed with no data being sent. It is however possible to set this default to a much smaller value. This can prevent corporate firewalls from dropping idle connections.
Procedure is as follows:-
-
enable
tcp_keepalivein/etc/xrdp/xrdp.ini -
restart xrdp
-
Use these commands to set the system keepalive timer to 5 minutes
echo 300 | sudo tee /proc/sys/net/ipv4/tcp_keepalive_time ;# Set keepalive timer to 5 minutes echo 10 | sudo tee /proc/sys/net/ipv4/tcp_keepalive_intvl ;# 10 seconds between probes echo 3 | sudo tee /proc/sys/net/ipv4/tcp_keepalive_probes ;# 3 probes max
Despite the names above, these settings apply to both IPv4 and IPv6.
If 5 minutes is too long a time, change the value which is written to
tcp_keepalive_time.If this works for you, you may wish to make these values permanent. The best way to do this will vary from system to system. As an example, on Debian/Ubuntu/CentOS/Rocky/AlmaLinux, create a file
/etc/sysctl.d/10-tcp-keepalive.confwith the following contents:-net.ipv4.tcp_keepalive_time = 300 net.ipv4.tcp_keepalive_intvl = 10 net.ipv4.tcp_keepalive_probes = 3If your system does not have
/etc/sysctl.d/, consult the system documentation for the best way to set kernel variables at system startup time. -
Xvnc is the original backend. It supports most features, and is adequate for many use cases. In this mode, xrdp works as a bridge between the RFB(VNC) and RDP protocols. Xorg is an internal Xorg module implemented by xorgxrdp. Because it doesn't need data to be transferred from the Xvnc server over VNC, performance is almost always better, although a few users on high latency WAN links find Xvnc works better. Most new development targets this module first. Using this module does however introduce a dependency on the X server internal interfaces, so system upgrades which change this can occasionally require a new version of xorgxrdp to be provided. [matt335672]
This affects most PI versions using xorgxrdp before v.0.10.2 (i.e. Debian 12, Ubuntu 24.04, Armbian 24.8.1 and earlier).
By default, these platforms have two problems with xrdp:-
- The platforms try to use the DRI acceleration built into the kernel for xrdp sessions. Although this acceleration works well on the local console desktop, it turns out it doesn't work at all for remote sessions. To run xrdp on these platforms, you will need to disable DRI acceleration for xrdp sessions. This will not affect your local console at all.
- The configuration used by the PI tries to pull the graphics device for the local console into the xrdp configuration.
Both of these can be addressed by editing the file /etc/X11/xrdp/xorg.conf
-
Find this line:-
Option "DRMDevice" "/dev/dri/renderD128"Comment it out, and replace it with a line with no value:-
#Option "DRMDevice" "/dev/dri/renderD128" Option "DRMDevice" "" -
Find the section starting with the line `Section "ServerFlags". Addd this line to the end of the section if it isn't already present:-
Option "AutoAddGPU" "off"
References
| Issue | Fixed in |
|---|---|
| 1 | neutrinolabs/xorgxrdp#322 |
| 2 | neutrinolabs/xorgxrdp#241 |
Clipboard transfer(sharing) supports the following types of data in both directions (server to client, client to server).
- text
- image
- file
Set RestrictOutboundClipboard to true in sesman.ini and restart xrdp-sesman. See also man sesman.ini(5).
It is possible since v0.9.15. Set EnableFuseMount to false in sesman.ini and restart xrdp-sesman. See also man sesman.ini(5).
If EnableFuseMount is set to false, also drive redirection will be disabled at the same time. These cannot be controlled separately.