A web-based RDP client built with Go WebAssembly and grdp

(github.com)

92 points by mariuz9 hours ago

9 comments

notepad0x9027 minutes ago
This is cool. If it adds session recording and SSO auth support, it can be used as an RDP jumphost.I've used Azure bastion to do just this, you auth to the azure portal using whatever authentication regime is configured for your tenant, then you rdp into virtual machines from your browser using the local vm login. it handles things like files and clipboards great. But it also supports console sessions in the browser.I haven't used it with windows/rdp (if it even is supported), but in GCP, their in-browser SSH is the best I've seen so far.Even for Linux, I've found xrdp to be better than alternatives at times.The main problem I see this solving (one of many) is the decoupling of the management interface for virtual machines and servers from their service interfaces. not having your web server's management services on the same IP/domain/interface as the http server is a big improvement. Lots of security screw-ups happen because of this entanglement.
- hdgvhicv8 minutes ago
 I use apache guacamole for this with our OIDC proxy for this purpose
the_data_nerd4 hours ago
clipboard is the boring nightmare of browser-RDP. the wire protocol negotiates fine. the browser side has the clipboard API gated behind permissions plus a user-gesture requirement for writes. on the read side most browsers prompt the user every single time. so you either rebuild a custom in-page clipboard buffer (loses OS integration, defeats the point) or accept that paste-INTO-RDP works smoothly while paste-OUT-of-RDP needs a click each time. neither matches what people expect when they hear "web RDP client." worth checking the project's behavior on chrome vs firefox before assuming feature-parity with native mstsc.
- maxloh3 hours ago
 > ...on the read side most browsers prompt the user every single time.I don't think that is the case. Google Docs, Office 365, and Notion all function without requiring repeated user permissions.
 - jerrythegerbil3 hours ago
 I can assure you they’ve correctly described the problem and are correct regarding buffering and user gesture requirements.The platforms you listed are all primarily text-based and the interaction lives in the DOM with happy paths defined. Still, you will find that clipboard media with a MIME type will prompt you with a Google provided modal to paste a very specific way to get around the permissions model in Google Docs etc…An RDP interface is not a text box with features on top, the standing expectations for those existing behaviors do not apply. Namely clipboard, and any I/O for that matter. For example, the linked repo uses a protocol bridge (I/O) to support the RDP protocol from a browser, because “the browser speaks protocols” is a true general statement, but absolutely doesn’t apply when you actually need to get something non-trivial done.At its core, when someone points to the Google Chrome desktop icon and says “that’s the internet” there’s really no point in discussing the nuance in most cases, because anything non-trivial immediately invalidates that understanding of the world and reaching that point organically is far more important than it being explained to them preemptively.They are correct, because the nuance applies. Welcome to the un-happy path!
 - hawk_3 hours ago
 There's something about keyboard shortcuts - they work. But somehow right-click and copy requires add-ons.
solarkraft8 hours ago
Looks very interesting, but i’m a bit surprised the most important feature isn’t mentioned: How well does clipboard sharing work?
- wcrossbow7 hours ago
 Im not a big fan of Windows but copy pasting a file across 3 nested RDP sessions feels magical every time
 - hypercube333 hours ago
 It actually doesn't it feels horrible. you can't paste files from a samba share or large ones take so long to copy that they ultimately fail.
 - ktpsns6 hours ago
 To be honest, three nested RDPs sound like a terrible hack. In an ideal world, this would be two port forwardings and one RDP (thinking about ssh, which is still underrepresented in windows world). In an even more ideal world, this would be an IPv6 direct access ;-)
 - everforward6 hours ago
 There are legit reasons, at least for two nested sessions. A production network that’s airgapped except for a bastion host that acts as a gateway. It’s better than port forwarding because you have to auth to the bastion host before the RDP chaining, and it often takes separate credentials for the second RDP session.It’s a semi-common setup for higher security environments, and when you have a network of stuff that has known vulnerabilities you can’t patch for whatever reason. Traffic in and out is super carefully firewalled. It’s not great, but it’s better than a 25 year old MySQL with a direct public IP.
 - embedding-shape5 hours ago
 > airgapped except for a bastion host that acts as a gatewayFirst time I've heard of an airgapped system you could access remotely. Doesn't that kind of defeat the label "airgapped"? I think I'd just call that "isolated" at that point instead.
 debarshri4 hours ago
 This concept is related to PAM. You often have to do ops on infra and need some DMZ to do the ops. In regulated industry you have to record every operations done by the person and have to follow principle of least privilege. This what should happen in an ideal world.
 embedding-shape4 hours ago
 > You often have to do ops on infra and need some DMZ to do the ops.This makes sense, "bastion" hosts and similar things is fairly common too. What's not common is calling those "airgapped", because they're clearly not.
 hnlmorg3 hours ago
 I agree. They’re network enclaves. Which isn’t the same thing as an air gapped network.
 zcw10037 minutes ago
 You can have a network enclave in an air gapped network.
 debarshri4 hours ago
 Airgapped is a different concept altogether.
 SigmundA5 hours ago
 Logically air gapped :)<a href="https://docs.aws.amazon.com/aws-backup/latest/devguide/logicallyairgappedvault.html" rel="nofollow">https://docs.aws.amazon.com/aws-backup/latest/devguide/logic...</a>
 dijit2 hours ago
 AWS likes to redefine things.Air gapped means... there is nothing except air in the gap between systems.A physical tether would defeat it.Now, I pedant could start talking about wifi, but air-gapping is a concept older than the internet. (It stems from plumbing where there's air that prevents back leakage of contamination).<a href="https://en.wikipedia.org/wiki/Air_gap_(networking)" rel="nofollow">https://en.wikipedia.org/wiki/Air_gap_(networking)</a>
 rzzzt5 hours ago
 The moat!
 - orisho5 hours ago
 It's probably there not as a way to connect networks, but as a way to keep them separate, only allowing RDP between specific computers on different networks.
 - debarshri4 hours ago
 I am not sure if you have tried broadcasting feature in terminals, thats magical too.
- debarshri4 hours ago
 We have a custom RDP client [1]. So i have some experience building something like this. We do some an implementation similar to this.Clipboard sharing, uploading and downloading via shared drive is a freerdp feature that should be readily available.We also have sessions recording which is non-negotiable in PAM.[1] <a href="https://adaptive.live" rel="nofollow">https://adaptive.live</a>
- d3Xt3r7 hours ago
 And desktop scaling. And multi-monitor support. And file transfers. And drive redirection. And peripheral redirection. And...
 - rvz6 hours ago
 ...A test suite, And security audits, And most importantly benchmarks.What it does have is a license which it is GPLv3. So if anyone adds all those changes, they have to make the source code available with the same software license.
 - pixel_popping5 hours ago
 In this era tho, licenses (I don't agree with this, but this is what it is) are a matter of "tokens", I speak for a fact knowing multiple relatively-big companies just gobbling GPLv3 projects and rewriting them entirely, some do publish them as well.
igtztorrero2 hours ago
Does Alt-Tab inside the Browser Tab can be hooked to the rdp client ???That was the main problem in guacamole rdp in browser.
yamapikarya4 hours ago
is it work for opening rdp file from cyberark pam?
jqpabc1238 hours ago
Interesting from a technical perspective but with native RDP clients readily available on just about every platform, I don't see the need for it.
- le-mark6 hours ago
 When it’s in a browser you don’t need to install anything on the local machine. I used to use Apache guacamole to access my machine at home from work when I was stuck in a cube all day.<a href="https://guacamole.apache.org/" rel="nofollow">https://guacamole.apache.org/</a>
- stephbook4 hours ago
 1 contributor, 1 commit, new project... gives me vibe-coding feels.
 - zcw10032 minutes ago
 If you have factual observations to make that's fine but can we stop with the "smells like vibe coding" attacks? It's like an AI version of an ad-hominem attack.
- pixel_popping5 hours ago
 Browsers are sandboxes, your native client often isn't, there is definitely a huge advantage, portability and embeddability as well, it's also simpler to sniff traffic (and MITM it).
 - jqpabc1233 hours ago
 Doesn't this limit your ability to share resources and transfer data?
 - pixel_popping2 hours ago
 Why would it? You have access to your entire filesystem via the browser.
- tom_alexander3 hours ago
 Perhaps as a web client for the remote desktop on the BMC chips?
- boredishBoi7 hours ago
 Not many good MFA options for native RDP/RDG. Putting it in the browser lets you wrap the whole thing with OAUTH/passkeys etc
 - hnlmorg3 hours ago
 Having just implemented OAUTH into a Go app this week, I can assure you that it’s surprising easy to do so without making your entire application a website.
sebakubisz6 hours ago
[dead]
xiaod3 hours ago
[dead]
johnwhitman5 hours ago
[dead]