Access your RPi's Desktop Remotely from a Windows Box via RDP - sakaki-/gentoo-on-rpi-64bit GitHub Wiki
Remotely access a desktop session on your RPi from your Windows box, using RDP, even when your Pi doesn't have a local monitor or keyboard attached!
It is often useful to be able to connect to your RPi4/3 from a (possibly geographically distant) computer, and run a remote desktop on it.
So, in this tutorial, I'll show how to set up a Remote Desktop Protocol (RDP) server on your RPi4/3, and also (briefly) review how to connect to this from a Windows box (using the built-in client).
For an alternative approach using VNC, which will work with both Windows and Linux clients, please see this note.
The process involved isn't difficult or time consuming!
For avoidance of doubt, you won't need to keep a screen, mouse or keyboard locally attached to the RPi4/3 you wish to remotely access (although you can do if you wish).
Although not shipped pre-installed with the image, the FOSS xrdp package is available in pre-compiled form on the project's binhost.
So, to install it, running as the regular user, you need simply issue:
demouser@pi64 ~ $ sudo emaint sync --repo genpi64
demouser@pi64 ~ $ sudo emerge --verbose --noreplace net-misc/xorgxrdp
This shouldn't take long to complete. Once done, create a new TLS key/certificate pair ('keypair') for your RDP link, to allow secure, encrypted access across the Internet. In what follows, we'll specify the use of 4096-bit RSA encryption, and one year's validity (adapt as required). As this is a self-created keypair, we'll only provide some minimal identifying information (by typing . then Enter for all fields, except the Common Name):
demouser@pi64 ~ $ sudo openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/xrdp/key.pem -out /etc/xrdp/cert.pem -days 365
Generating a RSA private key
<snip>
writing new private key to '/etc/xrdp/key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:sakaki's RPi
Email Address []:.
Obviously, adapt to your own requirements. You can fill out more detail in these fields should you wish (see e.g. these notes), or, if you have your own existing keypair (and e.g. a domain name published in DNS) you can use that instead (rather than generating your own).
Next, create a SHA1 fingerprint for the certificate; this can be used to check later that it has not been tampered with, prior to trusting it at the client end. Issue:
demouser@pi64 ~ $ sudo openssl x509 -noout -fingerprint -sha1 -inform pem -in /etc/xrdp/cert.pem
SHA1 Fingerprint=A9:92:D9:A1:42:13:67:9B:77:BA:E7:60:DF:2D:B2:8E:FB:13:9D:AB
Your displayed fingerprint will differ; make a note of the output you get.
With that done, we need to edit the server startup file, to force it to use TLS. Still as the regular user, issue:
demouser@pi64 ~ $ sudo nano -w /etc/xrdp/xrdp.ini
and then modify the following lines of that file so they read (you may need to scroll down the file a little to see these):
; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=tls
; minimum security level allowed for client
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days>
certificate=/etc/xrdp/cert.pem
key_file=/etc/xrdp/key.pem
; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1>
ssl_protocols=TLSv1.2, TLSv1.3
; set TLS cipher suites
tls_ciphers=HIGH
Leave the rest of the file as is. Save, and exit nano (hit Ctrl-x followed by y and Enter).
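To confirm the edits took effect before starting the server, the following script (an added example, not part of the original tutorial or the xrdp project) reads the file and reports any deviation from the values set above. The script name `audit.sh` and the function names are hypothetical; the script also checks that the file named by `key_file` is not accessible to other users, since the key was generated unencrypted (`-nodes`).

```shell
#!/bin/sh
# Added example: audit an xrdp.ini for the TLS settings this tutorial sets.
# Prints one line per finding; returns 0 only when every check passes.

# ini_get FILE KEY: value of the last uncommented "KEY=" line, trimmed.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

audit_xrdp_ini() {
    ini=$1 rc=0
    [ "$(ini_get "$ini" security_layer)" = tls ] ||
        { echo "security_layer is not 'tls'"; rc=1; }
    [ "$(ini_get "$ini" crypt_level)" = high ] ||
        { echo "crypt_level is not 'high'"; rc=1; }

    protos=$(ini_get "$ini" ssl_protocols)
    [ -n "$protos" ] || { echo "ssl_protocols is not set"; rc=1; }
    # Split the comma-separated list; anything but TLSv1.2/1.3 is a finding.
    for p in $(echo "$protos" | tr ',' ' '); do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) echo "ssl_protocols allows legacy protocol: $p"; rc=1 ;;
        esac
    done

    # The key was written with -nodes (unencrypted), so its file mode matters.
    key=$(ini_get "$ini" key_file)
    if [ ! -f "$key" ]; then
        echo "key_file missing or not a regular file: $key"; rc=1
    elif [ "$(ls -ld "$key" | cut -c8-10)" != "---" ]; then
        echo "key_file is accessible to other users: $key"; rc=1
    fi
    return $rc
}

# Usage on the Pi (assumed invocation): sudo sh audit.sh /etc/xrdp/xrdp.ini
if [ -n "${1:-}" ]; then audit_xrdp_ini "$1"; fi
```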
Next, ensure that the xrdp server will listen on all available interfaces, not just localhost, for a connection. Issue:
demouser@pi64 ~ $ sudo nano -w /etc/xrdp/sesman.ini
And modify the following line (it is very near the top), so it reads:
ListenAddress=0.0.0.0
Leave the rest of the file as is. Save, and exit nano (hit Ctrl-x followed by y and Enter).
With that done, we can start the xrdp server. Issue:
demouser@pi64 ~ $ sudo rc-service xrdp start
If you also wish for the server to be started automatically each boot, please see the additional instructions below, once you have tested that you can connect successfully etc.
That's the basic setup done!
Next, we can set up the client Windows box. In what follows, I'll assume you're using Windows 10 (a similar process may also be used on earlier Windows systems).
To begin, determine the IP address of your RPi (you can e.g. use the ifconfig command in a terminal on your Pi for this, if both it and the Windows client box are directly connected to the same subnet).
Once done, type Remote Desktop in the Search Windows box, and then click on the Remote Desktop Connection icon that appears.
When the app opens, click on the Show Options button to open the full panel, then enter your RPi's IP address and user name (demouser, for example; note that direct remote login as root is prohibited for security):
Remember to substitute the appropriate IP address for 192.168.1.102 in the above.
Once you have filled this out, to avoid an ugly display, click on the Display tab, and then set the Colors: dropdown to High Color (16 bit) (at least). You can also set the resolution of the Remote Desktop window here, using the Display configuration slider, if you wish. Then, click Connect to attempt to connect to the RPi.
At this point, a warning dialog similar to the below should appear:
The IP address and certificate name information should match what you created earlier.
Tip: to double-check you haven't been prey to a 'man-in-the-middle' attack, click on View certificate..., and check that the Thumbprint (shown in the Details tab) matches that computed earlier. Press OK to close the dialog, once satisfied.
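openssl prints the fingerprint as colon-separated uppercase hex, whereas a thumbprint copied out of the Windows dialog may be lowercase, space-separated, or carry an invisible leading character, so comparing the two by eye or with a plain string match is error-prone. The helper below, an added example that is not part of the original tutorial, normalises both forms before comparing; the function names are hypothetical and the Windows formatting variants are an assumption.

```shell
#!/bin/sh
# Added example: compare the server-side openssl fingerprint with the
# thumbprint copied from the Windows certificate dialog.

# normalize_fp STRING: drop any "...Fingerprint=" label, keep only the hex
# digits and lowercase them. Colons, spaces and stray non-ASCII bytes picked
# up when copying from a dialog are discarded.
normalize_fp() {
    printf '%s' "${1#*=}" |
        LC_ALL=C tr -cd '0-9A-Fa-f' |
        LC_ALL=C tr 'A-F' 'a-f'
}

# fp_match SERVER_FP CLIENT_FP
#   returns 0 if both are 40-hex-digit (SHA-1) values and identical,
#           1 if both are well-formed but differ (do not trust the link),
#           2 if either input is not a complete SHA-1 fingerprint.
fp_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    if [ "${#a}" -ne 40 ] || [ "${#b}" -ne 40 ]; then
        echo "input is not a complete SHA-1 fingerprint" >&2
        return 2
    fi
    [ "$a" = "$b" ]
}

# Usage (assumed invocation): sh fpcheck.sh '<openssl output>' '<thumbprint>'
if [ -n "${2:-}" ]; then
    if fp_match "$1" "$2"; then echo "MATCH"; else echo "MISMATCH"; fi
fi
```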
Check the Don't ask me again for connections to this computer box (as shown above), and then click Yes (this stores a single-machine, single-certificate exception).
Other approaches are possible here, but this is generally the simplest way to proceed.
If successful, you should shortly see an xrdp login panel, similar to the below:
Enter your user's password (e.g., raspberrypi64 for demouser, unless you have changed it) and click OK. After a short delay, you should be in:
Note that, by default, the RPi's audio output is not streamed to the client. This issue can be addressed (see for example the notes here) but is beyond the scope of this basic tutorial.
If you would like the xrdp server to start automatically each boot, then simply issue:
demouser@pi64 ~ $ sudo rc-update add xrdp default
You need only do this once.
Tip: you may wish to assign a fixed IP address to your RPi (either via your router, or using NetworkManager) if you are going to connect to it regularly, for convenience. Also, note that wired headless systems are generally more reliable, and easier to debug, than wireless ones.
To remove the auto-start again (should you want to do so at some future point), simply issue:
demouser@pi64 ~ $ sudo rc-update del xrdp default
If you wish, you can run your target RPi4/3 with no monitor attached, and use the virtual desktop exclusively. If you do this, you can also, at your option, disable the default vc4 graphics display driver and X11 server, to save system resources. To do so (remember, this is optional!) issue:
demouser@pi64 ~ $ sudo rc-update del xdm default
then:
demouser@pi64 ~ $ sudo mousepad /boot/config.txt &>/dev/null&
If setting up the RPi over an ssh connection, you can use e.g. sudo nano -w /boot/config.txt instead.
Comment out the following line in that file, so it now reads:
#dtoverlay=vc4-fkms-v3d,cma-256
Depending on your configuration, the ,cma-256 suffix may be absent; even so, that's the line you need to comment out.
Leave the rest of the file as-is. Save, and exit the editor. Make sure you have set up the xrdp server to automatically start up on boot (as described above), then reboot your RPi.
Should you wish to re-enable a locally connected display at some point in future, simply uncomment the above line in /boot/config.txt again, and then issue:
demouser@pi64 ~ $ sudo rc-update add xdm default
and reboot.
Have fun!