
My remote desktop I can access from anywhere via a browser

I have a Windows Desktop at home which I can access from anywhere in the world just via a browser. This gives me the ability to access a familiar desktop environment with all my personal data and all my programs from wherever I am.

I use kasm, which on the one hand can do a lot more than I require and on the other hand includes (almost) everything I need. You can install kasm on a linux machine like a raspberry pi. I am running a proxmox server at home, so my windows machine and ubuntu with kasm are both virtual machines. Here you can find an installation guide for a single server instance (which is all we need in our case).

Having kasm installed you can add your windows machine as a server inside kasm, configure RDP (remote desktop) access and create a corresponding workspace. Now you should be able to access your windows machine via a browser inside your LAN. Here is a video Kasm Workspaces Windows Guide from the kasm guys themselves.

Now, how do we access it from the internet? Well, just like you make any website accessible from the internet ;)

There are many options. Because I personally put tailscale on all my devices I also installed tailscale on my kasm VM and used tailscale’s funnel feature.

simon@kasm:/$ sudo tailscale funnel --bg https+insecure://localhost:443

Now I can access kasm and thus my windows desktop from anywhere in the world by using a browser and visiting https://kasm.my-tailnet-name.ts.net/

Remember to enable 2FA inside kasm to make it harder for third parties to break into your kasm instance.

One big disadvantage of this method is that you have to trust the people behind tailscale to not read what is being transmitted via the funnel.

Update

After writing about the trust issue I decided to modify my setup.

I already have a virtual private server with a static public IP address which is part of my tailnet. There are already other publicly accessible services running as docker containers and managed by nginx proxy manager. So I host kasm as just another single docker container there. The public IP of the server is additionally hidden by cloudflare. For nginx proxy manager and cloudflare to work properly together you have to set the encryption mode in cloudflare to at least ‘Full’.

While the server is part of my tailnet, the kasm container is not. But to be able to access my windows VM at home, kasm needs to have access to my tailnet. This is where a tailscale sidecar container comes into play. We simply route all the traffic of kasm through the tailscale container. The tailscale container itself is then part of my tailnet and also connected to my docker network for the nginx proxy manager. Inside the proxy manager I have set up a new proxy host to route to https://kasm-tailscale-1:443. To initially configure the kasm container you have to expose and access port 3000 directly. You can un-expose the port afterwards.

The flow is like this:

Browser -> kasm-domain -> DNS A-record pointing to cloudflare proxy -> cloudflare proxies to nginx proxy manager running on my virtual private server -> nginx proxy manager proxies to the tailscale container -> traffic reaches kasm -> kasm finally accesses windows through the tailscale container

It looks like this would add a lot of delay but it is not noticeable. The setup is totally usable.

Now I am in control of my TLS certificates.

simon@vps:~$ cat kasm/compose.yaml
services:
  kasm:
    image: lscr.io/linuxserver/kasm:1.16.1 # latest (1.17) currently does not work
    privileged: true
    security_opt:
      - apparmor:rootlesskit #optional
    environment:
      - KASM_PORT=443
      - DOCKER_MTU=1500 #optional
    volumes:
      - ./data/opt:/opt
      - ./data/profiles:/profiles #optional
      - /dev/input:/dev/input #optional
      - /run/udev/data:/run/udev/data #optional
    #ports:
    #  - 3003:3000
    #  - 8443:443
    restart: unless-stopped
    network_mode: service:tailscale
    depends_on:
      - tailscale

  tailscale:
    image: tailscale/tailscale:latest
    environment:
      TS_AUTHKEY:
      TS_STATE_DIR: /var/lib/tailscale
    volumes:
      - ./data/tailscale:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped
    networks:
      - npm

networks:
  npm:
    name: npm
    external: true
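
As an added example (not part of the original post or of the kasm or tailscale projects): a small Python check over the JSON that `docker compose config --format json` renders for this project. It flags ports still published on the host, such as the initial-setup port 3000, and confirms that kasm shares the tailscale sidecar's network namespace and that the sidecar sits on the `npm` network. The embedded sample is constructed, and the function name `audit` and its parameters are assumptions of this example.

```python
import json

# Constructed sample (not from the post): trimmed shape of
# `docker compose config --format json` for a kasm + tailscale sidecar project
# in which the initial-setup port 3000 is still published on the host.
SAMPLE = json.loads("""
{"services": {
  "kasm": {"image": "lscr.io/linuxserver/kasm:1.16.1", "privileged": true,
           "network_mode": "service:tailscale"},
  "tailscale": {"image": "tailscale/tailscale:latest",
                "networks": {"npm": null},
                "ports": [{"mode": "ingress", "target": 3000,
                           "published": "3003", "protocol": "tcp"}]}
}}
""")


def audit(project, app="kasm", sidecar="tailscale", proxy_net="npm"):
    """Return findings about paths to the app that skip the reverse proxy."""
    findings = []
    services = project.get("services") or {}
    # A published port binds on the host itself, so it can be reached
    # without passing through nginx proxy manager or cloudflare.
    for name, svc in sorted(services.items()):
        for port in svc.get("ports") or []:
            if isinstance(port, dict):   # long form, as rendered by compose
                desc = f"{port.get('published')}->{port.get('target')}"
            else:                        # short form, e.g. "3003:3000"
                desc = str(port)
            findings.append(f"{name}: published port {desc}")
    # The app must share the sidecar's network namespace to reach the tailnet.
    want = f"service:{sidecar}"
    mode = (services.get(app) or {}).get("network_mode")
    if mode != want:
        findings.append(f"{app}: network_mode is {mode!r}, expected {want!r}")
    # The sidecar must sit on the proxy network so the proxy host can
    # reach kasm through it.
    nets = (services.get(sidecar) or {}).get("networks") or {}
    if proxy_net not in nets:
        findings.append(f"{sidecar}: not attached to network {proxy_net!r}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

An empty result means the only way in is through the proxy host; run it again after the initial configuration to confirm the setup port is gone.
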
This post is licensed under CC BY 4.0 by the author.