Remote Access Terminal
Introduction
There are two Windows 11 Pro desktop Virtual Machines set up, hostnames Walnut and Wahoo, on the Terminals network. There is also a Linux Ubuntu desktop VM, Lychee, on the same network. These three will be used by RDP over the VPN. RDP on the two Win 11 VMs was tested initially against each other and later from the desktop Grape (192.168.0.10) outside pfSense as straight RDP. I have set them to use the basic security, but I am less than confident that the simple basic security would be good enough for use on the WWW, so I will be setting up the VPN on Vanilla. Update: Lychee has been moved to the Production Network as it will be playing a more active role in the AI development and it will be lending more of its services to support the web servers on Production.
Remote Access
The sole reason for these VMs is to give access to a desktop machine from a remote location. As there are two different platforms with different strengths, it seems reasonable that we will need different remote access protocols. RDP would seem the logical choice for the Windows 11 VMs, but NoMachine seems like a solution better suited to the Linux desktop VM/s. Both of these connection methods do offer some sort of security, but it will be assumed that the remote access will be over a VPN link. A major part of the reason is that Cloudflare will only proxy port 443, so any port other than that will have to be DNS only on Cloudflare's control panel. If we need to be DNS only we will need to have confidence in the remote access protocol in use, and we know that while RDP has some encryption it has a few vulnerabilities; NoMachine is also supposed to have encryption built in, but it is not known how good it is. An easy method of being sure that we are communicating securely is to connect to a VPN and have all of the remote access go through that. This makes everything easier in that we will have the laptop pre-configured to connect to both the WireGuard VPN on Vanilla and OpenVPN on Voavanga, and set up any other VPN clients as needed. As an added benefit to securing the remote access connections, the VPN/s will allow other less secure protocols to be used, like SMB or NFS, and while it will not add much to security, SSH / SCP operations are a bit simpler; we could even use FTP if we wanted to, but there seems little point when SFTP is almost as easy.
Remote Access (RDP) to Windows 11 Desktops
There are two Windows 11 desktops set up on the Terminals network, Walnut and Wahoo. Both can be accessed directly by RDP from the LAN at the WAN address of pfSense using the ports xxxx0 for Walnut and xxxx1 for Wahoo (as a reminder, this would be the lower number). If the WireGuard VPN is active, the hostname or local IP address needs to be used, as WG allows Win 11 to use the ctns1 DNS server, eg walnut or wahoo; the .net could also be used but is untested with WG active. However, if OpenVPN is active the local DNS will not be used by the Win 11 desktops by default, so the full local DNS name has to be used (.local appears to have special meaning to Windows), ie walnut.seaoffate.local and wahoo.seaoffate.local. NB: it should be noted that the RDP port has not been changed on the Virtual Machines, only in the port forward.
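To see what the "basic security" setting on these two VMs actually amounts to, and to confirm which name works from the client under each VPN, here is an added PowerShell example (my own addition, not part of the original notes). It assumes the VMs use the default RDP-Tcp listener, and walnut/wahoo with port 3389 are placeholder values for the client-side check.

```powershell
# Added example, not part of the original notes: two checks for the RDP setup described above.
# Assumptions: the VMs use the default 'RDP-Tcp' listener; the client-side names/port are placeholders.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

# Run on the VM itself (Walnut or Wahoo) from an elevated prompt: report how the listener is secured.
function Get-RdpListenerSecurity {
    $p = Get-ItemProperty -Path $RdpKey
    # SecurityLayer: 0 = legacy RDP security (the "basic" setting), 1 = negotiate, 2 = TLS only
    $layer = switch ([int]$p.SecurityLayer) { 0 {'RDP (basic)'} 1 {'Negotiate'} 2 {'TLS'} default {'unknown'} }
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        RdpEnabled    = ((Get-ItemProperty -Path $TsKey).fDenyTSConnections -eq 0)
        ListenerPort  = [int]$p.PortNumber   # unchanged on the VM; only the pfSense forward differs
        SecurityLayer = $layer
        NlaRequired   = ([int]$p.UserAuthentication -eq 1)   # Network Level Authentication
    }
}

# Run on the client (e.g. the laptop) with a VPN up: show which name resolves and whether the RDP
# port answers. With WireGuard the short name should resolve; with OpenVPN only the .local FQDN will.
function Test-RdpTarget {
    param(
        [string]$ShortName = 'walnut',
        [string]$Fqdn      = 'walnut.seaoffate.local',
        [int]$Port         = 3389
    )
    foreach ($name in @($ShortName, $Fqdn)) {
        $ip = $null
        try {
            $ip = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                   Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        } catch { }
        $open = $false
        if ($ip) {
            $open = (Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{ Name = $name; ResolvedTo = $ip; RdpPortOpen = $open }
    }
}
# Usage on a VM:
$sec = Get-RdpListenerSecurity
$sec
if (-not $sec.NlaRequired -or $sec.SecurityLayer -ne 'TLS') {
    Write-Warning 'Listener accepts weaker than TLS with NLA: keep it reachable only through the VPN.'
    # To harden (elevated):  Set-ItemProperty -Path $RdpKey -Name SecurityLayer -Value 2
    #                        Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1
}
# Usage on the client:  Test-RdpTarget -ShortName wahoo -Fqdn wahoo.seaoffate.local
```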
Remote Access (NoMachine) to Lychee
RDP would work to a Linux host like Lychee, but it would not work particularly well, so NoMachine has been installed. By default NoMachine works on port 4000, and as there is only one Virtual Machine using it there seemed little point in setting up extra firewall rules for it, so there is a basic forward rule on pfSense that works within the LAN, and Grape has a NoMachine connection profile for use through pfSense and another connection profile that works with the WireGuard VPN active. It has been easier to access Lychee through the normal Proxmox/SPICE viewer while in front of the desktop, but NoMachine would be sort of ok at a pinch.
Updated Information
The state of play has changed since the network was first set out. The original plan was to have a few terminals that could be used from remote locations, but while that is still a possible requirement it is not the sole use of these terminals, and as there are only a few licences for Windows 11 they need to be used a bit more carefully than the Linux VMs. The other point that has become apparent is that if the terminals are to be used as remote desktops they will need a reasonable amount of resources. With these constraints in mind the use of the desktops will be extended.
Update for Walnut (GPU and Jellyfin)
GPU Passthrough
The PCIe passthrough for the AMD Ryzen GPU didn't work, as Pear would not allow it to be released, so it never got completely passed to any Virtual Machine. This was a failure caused by AMD and Proxmox combined: AMD because they never released any drivers that would work reliably, and Proxmox because it will not allow suspect packages to be installed and break the Proxmox host OS. Anyway, it was a failed project with only an outside chance of working from the start, and it is far better that the GPU passthrough fails than that the Proxmox host fails.
The AMD GPU will be sold as it has no use anymore. As a replacement, and to further the experiment into PCIe passthrough, a low end Nvidia GPU was obtained in the form of a 5060 GPU from MSI. The passthrough operation took some effort but worked nonetheless.
The PCIe passthrough with the MSI 5060 GPU went well and it was working as well as could be expected, but as it is expected that we will be doing more AI operations and experiments another GPU has been obtained. This time we have a 5070 from Palit; it also passed through without incident. It is not certain that this will be kept past the 30 day Amazon return period, as it has already become apparent that it may not have enough VRAM for some of the AI work. So it should ideally be returned and a slower 5060 Ti GPU with 16 GB VRAM be obtained. It will not be the end of the world if the window is missed, as it does have 12 GB VRAM, but it would be better for AI work if it had 16 GB. The other possibility is a datacentre style GPU, which is more expensive but has better compatibility.
Jellyfin
So with a working GPU on Walnut it was a good time to set up Jellyfin on it. It must be said that the Jellyfin install on the Win11 VM went easily, but unfortunately no notes were taken; on the positive side, though, if it ever has to be done again on a Win11 machine it will not need a lot of effort.
Update for Lychee
It would be better to have a Linux Virtual Machine for remote access, because most facilities that I would use a Windows 11 desktop for will already be present on a remote machine like my laptop, so it will be more likely that the Linux VM would be used. However, the availability of Linux in remote locations is less common, so if Linux services are needed it would make the remote Linux Virtual Machine more attractive. There is also the point that Linux is usually less resource hungry than Windows 11. These features are likely to make Lychee more useful than either of the Windows 11 Virtual Machines. To facilitate the increased use of Lychee the OS hard drive size has been increased to 256 GB.
GPU Passthrough
The 5070 GPU was tested to be passed through to Lychee, and while the move from Walnut was quite straightforward, the drivers that Nvidia released did not work; that includes both the tested drivers and the beta drivers. More details of the process can be found here.
Docker Installation with N8N & NPM
Even though the GPU switch over has been delayed, the Docker installation of N8N has been completed, and to allow https access NPM has also been installed. Further details can be found here.
Jellyfin
As there are no usable drivers available, the Jellyfin switch over to Lychee has been delayed. However, the VM does have a 2 TB hard drive added from PearPool to allow for storage of any videos.