New Features 🚀

• Monitoring Alerts: You can now trigger alerts sent via email or custom scripts based on monitoring data.

• Optional external IP Address determination on the client side by using external IP APIs

Improvements 🔩

• SSH fingerprint backwards compatibility

Fixes 🪛

• Fixed broken metadata management.

• Fixed wrong date on reports for scheduled scripts.

• The dark theme has been removed while it's being reworked.

Release Notes of RPort Server 1.1.2, RPort Client 1.1.2 and RPort Front End/Web UI 1.1.2-2

Release date: December 2024

RPort Server and RPort Client

No changes from 1.1.0. Only aligning release version numbers.

RPort Front End/Web UI

New Features 🚀

• None

Improvements 🔩

• Upgraded 3rd party packages for security.

Fixes 🪛

• Command / Script tags now saved properly.

• Prevent UI freeze when choosing fields for client groups and when no existing tags.

Known Limitations 🪛

• As per .

RPort - an all-in-one remote management suite for heterogeneous environments. RPort addresses three basic needs of a sysadmin:

1. Fast and secure remote access from everywhere

2. script execution from a central dashboard

3. and automation of common tasks

RPort makes efficient automation doable for everyone.

RPort is an RMM software from RealVNC for remote access, remote management and automation of heterogeneous IT infrastructures. From public cloud-based to entirely protected and private.

With RPort you get remote access to all your servers, desktops and devices. Via remote desktop, SSH, VNC, and every other remote access protocol.

RPort is also excellent in automation of common tasks, like installing software, or applying updates. Just execute or schedule the right script from the built-in library. That allows you to execute even complex tasks quickly. You can fully automate tasks like software provisioning or operating system updates.

RPort's remote access function meets the highest security standards. Securely log in to the central dashboard using two-factor authentication.

The dashboard gives you a comprehensive overview of your entire infrastructure. You can access any remote machine from everywhere instantly. A VPN, a public IP address or port forwarding is not necessary. With RPort you can also access remote browser-based user interfaces as if they were on your local network. Tunnels will make remote ports available securely. These tunnels are protected by access control lists, so only you can access them.

All connectivity is achieved through a tiny client agent. RPort comes ready-to-use on Windows, macOS, and Linux. It’s ideal for accessing and controlling any type of device. No matter how small.

You can on your own hardware, public or hybrid cloud. Stop sharing sensitive data with strangers!

RPort - an all-in-one remote management suite for heterogeneous environments. RPort addresses three basic needs of a sysadmin:

1. Fast and secure remote access from everywhere

2. script execution from a central dashboard

3. and automation of common tasks

Release 1.0.4 was not released as a public release.

New Features 🚀

• The rport server is now released as a Debian and RPM package. Add our repository to your package manager.

• On multi-client command and script execution, you can now set a batch size.

• The licence status is displayed on the UI.

Improvements 🔩

• Improved pagination on long item lists in all areas

• Display of command and script results (single and multi-client)

• Client filtering now much more reliable

Fixes 🪛

• Broken determination of external IP addresses on Windows fixed

• Broken TLS min switch in server configuration file fixed

• Creating tunnels from the list of stored tunnels on fixed public ports fixed

• OS dark theme detection on documentation pages fixed

• RPort 1.0.1, 2023-10-25

• RPort 1.0.2, 2023-11-07

• RPort 1.0.3, 2024-01-05

• , non-public release

• , June 2024

• , August 2024

• RPort 1.1.1, non-public patch release

• RPort , December 2024

Select where you want to install your RPort server.

Some notes on sizing

Release Notes of RPort Server 1.1.0, RPort Client 1.1.0 and RPort Front End/Web UI - 1.1.0-5

Release date: August 2024

RPort Server and RPort Client

New Features 🚀

Prerequisites

We have created a fully automated installer, that converts any cloud-based virtual machine into a high-secure RPort server that is suitable for productive use.

To use the installer, you must fulfil the following prerequisites:

• A valid is required.

• You have an account at one of the supported cloud providers (if not, read below).

• You are familiar with SSH key-based authentication, and you know how to connect to a Linux-based virtual machine via SSH. Further knowledge of the Linux operating system is not needed.

🚀 Get started

It's quick and easy to launch your RPort server. Just two steps: Launch a new instance and fire the installer. That's it.

Select your cloud provider:

New to cloud computing?

Using virtual machines in the cloud is a no-brainer. Select one of the following providers. They are easy to manage for beginners. Unless company policies force you, we do not recommend starting cloud computing with AWS, Azure, or Google Compute. These are highly complex systems with advanced concepts. Getting started is anything but easy. On top, they are pricier. Our three recommended providers are a perfect choice to run a highly secure RPort server at a low price.

Create a new instance (virtual machine)

• On the Vultr desktop, select Products and click on the instance tab.

• Use the Plus sign on the right side to create a new instance. Click on "Deploy new server".

• Select "Cloud Compute" as server.

• Select a region near you.

• Select "Debian 11 x64" as server type.

• Choose the smallest size available, that will cost you 5$USD per month.

• Do not add any additional features.

• If you haven't uploaded your public SSH key yet, do so. Vultr does not support log in via password.

• Finally, enter "Rport Server" into the hostname input field and click the blue button Deploy now.

Log in via SSH

After the instance has been deployed, grab the public IP address from the list of instances.

Log in to the instance using SSH and the root user, for example, ssh [email protected].

Prepare the instance

Vultr installs the Exim Email-Server by default. It's not needed for RPort. 🧹 Keep your system tidy and uninstall it with apt purge -y exim4-*.

Create a Firewall

• On the main products' dashboard, select the firewall tab and click on Add Firewall Group.

• Name the firewall group RPort Server and click on "Add Firewall Group".

• On the ipv4 rules, use the plus sign to add rules.

Finally, click on Linked Instances, select the rport server and link it to the new firewall by clicking the plus sign.

Install the RPort server

👉 Now proceed to

Release Notes of RPort Server 1.0.5, RPort Client 1.0.5 and RPort Front End/Web UI - 1.0.5-7

Release date: June 2024

RPort Server and RPort Client

New Features 🚀

• The server will now prevent users who have only been granted run scripts only permission from saving new scripts or updating existing scripts.

• RPort clients now have the possibility to use alternative connection profiles. See the rport.example.conf for more information.

Improvements 🔩

• Non-Admin users who have audit permissions will only see changes for clients that they have permission to handle. By default they will also only see audit logs for changes that they made. The new server setting show_all_audit_logs_for_permitted_clients will allow users to see changes made by other users for clients that they manage. See the rportd.example.conf for more information.

• The RPort Plus Plugin has been completely removed and all the related code migrated to the main rportd server code base. The plugin is no longer required to run the RPort server.

• It is now possible to set default timeouts for command and script execution separately. These defaults will also be provided to the RPort Front End which makes them the default when using the scripts and commands execution panels. See the

Fixes 🪛

• The server no longer returns an error when the notification_scripts directory does not exist. Instead it returns an empty list.

• RPort client installs will no longer try to start the client before a valid config file is available.

• Uploading files is more reliable.

• When running jobs on Windows clients, processes are terminated cleanly if they exceed their allowed run time.

RPort Front End/Web UI

New Features 🚀

• It is now possible to give permissions to users that only allows them to run scripts. Scripts can be loaded, viewed and run but not modified. This is implemented for both individual client and multi-client script execution. There is no change to the existing commands functionality.

Improvements 🔩

• The server configuration has been extended to allow default timeouts for both script and command execution. The RPort Front End will now use those defaults in both the command and script execution panels for both individual client and multi-client jobs.

• The start animation when first logging into RPort has been removed and the message displayed is now much simpler (just indicating whether no clients available or no clients selected).

• The width of the client connection status indicator has been increased to make it easier to see when a scrollbar is present on the client navigation panel.

Fixes 🪛

• When saving multi-client scripts and commands, it is now possible to save jobs where tags have been specified.

• When changing a password due to an enforced password change, the validation messages are now clearly displayed. Additionally, the password length is validated against the server configured minimum password length.

• When editing documents, the documents list is correctly refreshed after deleting a document.

• Fixed a minor issue with selecting columns when using multi-client execution.

New features 🚀

• Alerting on monitoring data can be switched off at server level, resulting in a significant lower memory consumption.

Fixes 🪛

• The Log-out button works reliably now.

• All monitoring alerting rules can be deleted now.

• Timeouts on script execution are no longer ignored, which now makes the execution of scripts with an infinite duration possible.

• Suggested user passwords are now aligned with the server settings specified in the

Improvements 🔩

• Real-time command and scripts response streaming on multi-client execution. The UI streams results while the scripts are still running.

• UX improvements on alerting rule management.

• The inventory view is now using the entire page width, giving you a more comprehensive overview.

This is a list of all available and upcoming features of RPort.

The current version is 1.0.5 released in June 2024.

Remote Access

Starting with RPort-Server 0.6.0 the Guacamole Server and a pure JavaScript client is included into the RPort server. You directly connect to a remote desktop or terminal server from your browser. No desktop app is needed.

Using RDP via browser, your RDP connection fully encrypted.

If you have upgraded your RPort server from an older version, you might need to install the Guacamole proxy manually. We provide tiny Debian/Ubuntu packages for fast and easy resolving of the dependency. .

Before installing RPort Server, take five minutes to watch this video. Good preparation will save you a lot of time later.

The video covers

In this video you will get a recommendation for the best practises so that you can test RPort quickly and easily.

• We will compare a cloud installation with an on-premises installation.

We collected frequently asked questions.

Starting with RPort-Server 0.6.0 the NoVNC proxy and the NoVNC JavaScript client is included into the server. You directly connect to a remote VNC server from your browser. No VNC viewer is needed.

Using the NoVNC integration makes your VNC connection fully encrypted, even if the remote VNC server does not support encryption. The VNC "signal" is sent to the encrypted tunnel of rport from your remote machine to the rport server. The server transforms the signal into HTTPS.

Required VNC server settings

Accessing a server via NoVNC requires a VNC server running on the remote host. On Windows, any VNC server is suitable. On Ubuntu Linux, the built-in VNC server called Vino is known to be incompatible with RPort.

After installing a VNC server, activate the following settings:

• Turn off encryption. On TightVNC, encryption is not included, but others might have it. Encryption will be added via the RPort tunnel, the VNC server must accept unencrypted connections.

• Allow connection from localhost. Most VNC servers by default do not allow connection from localhost. Some call it loop back connection.

Using VNC® Server from RealVNC®

If you want to connect to RealVNC servers in a browser, this is supported with the release of noVNC 1.4.0. RealVNC system authentication is supported, and session encryption is achieved via the RPort tunnel.

To use this capability, please change the VNC Server “Encryption” to Prefer On. Either use the VNC Server UI or change the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver\Encryption to PreferOn. No further adjustments are required.

To access a RealVNC Server from the browser, select VNC as tunnel type, not RealVNC, and Enable NoVNC (VNC via Browser).

VNC Viewer and the Rport URL integration is required for Multifactor authentication, High-Speed Streaming, Audio and connecting to Virtual mode/Virtual Mode Daemon.

Create a tunnel

To log in to a remote system located behind a firewall or NAT router, you need a tunnel.

Select the client you want to access, and click on the green button ADD TUNNEL. Depending on the operating system, the dialogue is prefilled with defaults you very likely would like to use. For Windows, an RDP tunnel is suggested, and for Linux SSH is used as default. The tunnel will be protected with an access control list that gives access only to your current IP address. This ACL is a second layer of security. Valid login credentials are still required.

By clicking ADD TUNNEL the connection is created instantly. Now click on the LAUNCH TUNNEL icon and your default application for RDP or SSH opens the connection. From now on, use the username and password of the system you already have.

For RDP, a configuration file for the remote desktop client is generated and downloaded. Look at the downloads of your browser and double-click.

What are those tunnels?

Preface

The rport server has a built-in key-value store based on an encrypted sqlite database. A passphrase – the so-called master key – is needed for encryption and decryption. This master-key resides only in the memory of the rport server and is not stored on the hard disk or any other permanent storage.

Only the values of the key-value store are encrypted. Keys are stored plain text.

Initialize the vault

After a fresh installation, the vault needs to be initialized.

In this video, you will learn how to use rport remote access for Linux and Windows systems.

This video covers

• First, remote access to a Windows PC using the local remote desktop client.

• Second, remote access to a Linux system.

• Third, remote access to Windows using the built-in browser-based remote desktop client.

• And in the fourth example, you will learn how to use a tunnel with any application, demonstrated with an FTP client accessing a remote filesystem over SSH.

DNS Setup

To use RPort with Cloudflare, you must set up two DNS records.

1. One, let's say rport.example.com for the API and the UI/dashboard

2. And one for accessing the tunnels, let's say tunnels.rport.example.com

The first will point to the Cloudflare Proxy, and Cloudflare handles the certificate. Set up your firewall properly so access without Cloudflare is denied. Otherwise, you wouldn't benefit from the Cloudflare DOS protection.

The second record, tunnels.rport.exmaple.com points directly to your rport server.

RPort server configuration

With the above DNS setup, you can generate a Let's encrypt certificate on the rport server.

You might need to stop rportd during the certificate request because certbot needs to bind to port 80 for the verification process.

Use the created .

Make sure tunnels . By default, tunnels, and the API/UI use the same FQDN.

This video will show you how to connect your remote devices to the R-Port server.

In this video, we’ll look at all the components of rport and how they communicate with each other.

The video covers

• What ports are used for what?

• What needs to be allowed on your firewall?

• How does remote access over tunnels work?

• What port forwarding do you need if you are using a router with Network Address Translation?

We will start with an RPort server with a directly attached public IP address.

In the second part, I’ll explain how the setup changes if you run the rport server behind network address translation, where the public IP address is bound to the router.

Create a new instance

• From the Compute Menu on the left side, select "Instances".

• Click on the green Plus sign to create a new instance.

To change between the different two-factor-authentication methods, you must open the configuration file locate on your rport server at /etc/rport/rportd.conf with a text editor.

Scroll down and look for the examples of TOTP. Remove the comment (hash) signs so your configuration looks like the sample below:

👉 Very likely, you will have some other 2fa default method enabled. You must disable it. Look for the line two_fa_token_delivery = 'smtp' or two_fa_token_delivery = '/usr/local/bin/2fa-sender.sh'. Put a comment (hash sign) at the beginning of the line to disable it.

After having done the changes, restart the rport server by executing systemctl restart rportd.

Now open the user interface in your browser and login in with username and password. You will be prompted to scan the QR code with your authenticator app, or you can copy the secret to your desktop app. The secret is displayed just once.

Starting with RPort 0.7.0 a centralized cron-like scheduler has been introduced.

Prerequisites

Both, the server and the clients must run at least version 0.7.0 of Rport to use the scheduler. Updating all your clients is not necessary as long as you don't want to run scheduled scripts on them.

Starting with version 0.7.0 it's possible to upload files directly to remote clients and store them anywhere on the remote file system.

Prerequisites

Both, the server and the clients must run at least version 0.7.0 of Rport to use the file copy function. Updating all your clients is not necessary as long as you don't want to use this feature on them.

Command execution

Enabling script and command execution is not global and it is not an either/or decision. You can control which commands are allowed and which are not on a fine-grained level. See the example below.

How does RPort work?

Client-Server that overcomes NAT

RPort is based on a client-server principle. There is a central server. The clients connect to this server. This ensures that the server can always reach its clients, even if they change their IP address or are behind a NAT.

Preparation

For a mass deployment of clients, where each client shall use its own client_id and password, proceed as follows:

1. Generate an API key with scope

Starting with RPort version 0.9.0 an integration with VNC® Viewer from RealVNC® is built-in.

Prerequisite

VNC® Viewer from RealVNC® desktop app version 6.22.826 or newer must be installed on your desktop. Download the latest version from .

Older versions do not implement a URI handler. For older versions, you can still use a copy and paste fallback approach. .

Built-in and optional security measures

• Transport Layer Security (TLS): RPort utilizes TLS encryption to secure all communication between the server and managed devices. TLS encrypts data in transit, preventing eavesdropping and data tampering. The administrator can enforce the usage of TLS 1.2 or 1.3.

The video covers

The video shows how to install the R-Port server on a fresh virtual machine dedicated to running only the R-Port server.

The virtual machine needs a direct connection to the Internet via its own public IP address.

For installation on servers behind network address translation, please see the dedicated video.

This tutorial is suitable for a server installation on

Backup script

Run the following script from cron to perform a backup of all relevant data needed to recover a rport server.

Prerequisites

Copying files to a remote system over scp or sftp requires an SSH server running on the remote side. On almost all Linux systems SSH is installed and active.

Create a tunnel for SSH access to the remote server. The tunnel will end on a random port on your rport server. Remember the port number.

The video covers

In this video, I’ll show you how to install the rport server on a virtual machine that is behind network address translation. The goal of the installation is to make the web interface available securely over the Internet using HTTPS. In addition, all your remote machines will be able to connect to the RPort server from anywhere. The video covers the server installation and the necessary router changes.

Inspect the log file

If your server doesn't start, look at the main server log file /var/log/rport/rportd.log first. This can be done with a text editor or with the tail command. For example, tail -n 200 /var/log/rport/rportd.log shows the last 200 lines.

Sometimes critical errors occur before the rport server can write log to its log file. These errors are usually logged through systemd. Use journalctl -u rportd.service -e --no-pager to inspect them.

On Linux

To remove the RPort client and all logs and the configuration, execute the following command.

On Windows

What is the "id" and why must it be unique?

All clients are identified by an id. During the client installation, the id is written to the rport.conf file. This id can be any string. Operating system create a worldwide unique id for each system during the installation process.

The rport pairing script takes the id of the operating system and inserts it to the rport.conf file.

On Linux the id is taken from /etc/machine-id or a hash of all mac addresses is created, if the machine-id file is missing.

On Windows the computer system UUID is used. Get-CimInstance -Class Win32_ComputerSystemProduct).UUID

Re-using existing identifiers creates a consistent view of your inventory. But you can use other identifiers if you want.

What causes duplicate ids?

Duplicate ids are almost always caused by system cloning. Either you have cloned a system with the rport client already installed, or after cloning, you have not created a new machine-id.

You will get an error like the below in the rport.log.

client: Connection error: client id "1234abc" is already in use

☝️ The problem is largely limited to Linux because Windows identifies it has been cloned, and a new UUID is created automatically.

How to solve the issue?

😬 Quick and dirty

You can edit the rport.conf with an editor and insert a . Restart the client and it will connect flawlessly.

🧡 Properly

Having systems with duplicate machine-ids on a local network is not a good idea. It can cause other issues. First reset the machine id of the operating system, reboot and copy the new id from /etc/machine-id and insert it into the rport.conf.

📖 📖 📖

Problem

If you try to update labels are tags over the API or the user interface, you might get the “error client error: attributes file path not set”.

Updating attributes remotely requires that you enable this feature once in the rport.conf file on the client. This can't be done remotely.

Solution

Make sure the client runs rport version 0.9.12 or higher.

Log in to the client via SSH or Remote Desktop and open /etc/rport/rport.conf on Linux or C:\Program Files\rport\rport.conf on Windows with a text editor.

Inside the [client] section, insert or activate the following lines. Depending on the version, the lines are already present but disabled.

Make sure one of the line starting with attributes_file_path is active (no hash sign # in front of it). Make sure the line starting with tags is disabled by putting a hash sign.

Restart the rport client after making the changes. Use service rport restart on Linux or restart-service on Windows.

The difference between commands and scripts

The command’s tab is indented to be used to execute a single command. Entering multiple commands is possible, but if you want to implement complex logic, it's better to use a script.

Why not use scripts always? Security is the reason.

Both command and script execution must explicitly be allowed in the rport client configuration. For the commands, you can create a list of allowed commands and a list of disallowed commands. This fine-grained filtering is not possible with scripts.

[remote-commands]
  ## Enable or disable execution of remote commands sent by server.
  ## Defaults: true
  #enabled = true

  ## Allow commands matching the following regular expressions.
  ## The filter is applied to the command sent. Full path must be used.
  ## See {order} parameter for more details how it's applied together with {deny}.
  ## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
  #allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']

See and more .

If you feel it were better not to give full control over the clients to the RPort server, you should script execution of.

The restrictions for command and scripts always apply regardless of whether it's executed for a single client or many clients concurrently.

Single run vs. concurrency

Both – command and scripts – can be executed on a single client or on many clients in parallel. Selecting a client on the left side gives you access to the command or scripts tab for a single client.

Selecting commands or scripts on the top navigation gives you access to the parallel execution.

Create a droplet

1. On the top right corner click the green "Create" button and click on "Droplets". You are asked some questions about your new droplet.

2. On "Distributions" select "Debian 10 x64".

3. For the plan select "Basic".

4. For the CPU options select "Regular Intel with SSD". (We don't need a high-performance droplet.)

5. Select the smallest VM (1GB/1CPU(25GB SSD(100GB transfer) ~$5/Month

6. Do not add extra block storage.

7. Select a data center region near you.

8. Don't change the default settings of the VPC network.

9. Either select an SSH Key for the authentication or choose authentication by a password.

10. Enter RPort-Server as the hostname for the new droplet.

11. Optionally add tags or assign the new droplet to a project.

Install the RPort server on your new droplet

From the list of droplets grab the public ipv4 address of your newly created instance.

Connect over SSH to the instance using the root user. Usually, you must specify the private key created for the instance or the region. For example ssh [email protected]

After the login, install the curl command because it's a prerequisite for all further steps.

👉 Now proceed to

At a glance

Tacoscript is a declarative scripting language for the easy automation of tasks. It uses human-readable YAML as input files. The interpreter consists of a single static binary available for almost any operating system. .

Install Tacoscript

Only for Rport versions before 0.5.0 tacoscript is not installed by default. You must install it manually. But you can use the RPort script execution to perform the installation from the RPort web interface.

RPort 0.9.12 and newer

RPort 0.9.12 has introduced a command line interface to set password of existing users.

Log in via SSH to your RPort server. Switch to the rport user account by executing su - rport -s /bin/bash. 🙅‍♂️ Do not perform the next steps from the root user account!

To change a password of a user, execute:

You will be asked interactively for the new password.

RPort 0.9.5 and older

Step 1 – log in via SSH

To reset a lost password, login to your RPort server via SSH and become the root user. If you have installed the RPort server with the script, a sqlite3 database is used for authentication.

If you are not sure what is the underlying storage for users and passwords, open the configuration file with a page, for example, less /etc/rport/rportd.conf and scroll down to the [api] section.

Step 2 – create a new hash

If you are using a static pair of username and password – option number 1 in the above screenshot – just change it and restart the rport server.

If users and passwords are stored in a json-file or in a database, all passwords are stored as brypt hashes. Create a new hash and store it in the variable PASSWD_HASH.

Step 3 – update the password

On a json file

If you are using a json file, open it with a text editor, go to the line of the user you want the password to be updates, and replace the password hash by the one previously created.

Restart the rport server using systemctl restart rport and you are done.

On a sqlite database

Check who is in there.

Update the password hash of a user

This will update the password of the user admin with the previously created hash. 💪 You are done. You don't need to restart the rport server.

While the built-in pairing option does not provide an option to install the RPort client on macOS, RPort does support macOS. To connect your macOS device to your RPort server, follow these instructions.

Collect your configuration data

To install and connect a device manually to RPort you will need the following data:

1. The connect URL: It equals your server FQDN. This is usually the URL used to access the RPort user interface, but without the https:// part and without and path. Using the IP address of your server is possible too. If the rport server doesn't use port 80 for the client connection, append the port number with a colon to the server FQDN. Example: rport.example.com:8080 Do not append the port used for the web user interface, typically 443. Adding a scheme such as http:// is optional and only required if the connection is not using http.

2. The client ID and password: Copy this data from Settings->Client Access. The client ID and password are case-sensitive.
3. The fingerprint of your server. Go to Settings->Info

Install on macOS

With all the information at hand, you can download the installation script and execute it.

1. Click on the install_rport_macos.sh link below at the end of the article and save the script somewhere, for example in your default downloads folder.

2. Open a terminal and change the directory to where you have downloaded the script.

3. Execute the script as follows: sudo sh install_rport_macos.sh --url <connect_url> --clientid <ID> --password <password> --fingerprint <fingerprint>

Adapt the configuration to your needs

With the above steps, you only get a very basic installation using the minimal defaults. Tunnels will be enabled, but command and script execution not.

Open the file /etc/rport/rport.conf with an editor and change to your needs. Only root can edit this file, so use sudo open /etc/rport/rport.conf to open it. Save your changes and restart rport to apply them using sudo launchctl stop rport; sudo launchctl start rport.

Create users and user groups

From the user administration, you can create new users and user groups. A new group is created by typing in the group name while creating or updating a user. A new user group comes without any permissions.

Assign clients to users

By default, a user who's not a member of the Administrators group can't do anything with rport. From the inventory, you can assign a host to none-admin users. This enables the users to execute any action on the host.

Starting with RPort version 0.9.0 assigning a client to a user will not give only minimal rights such as searching for clients and viewing their inventory. For any further action like creating tunnels or executing scripts, group permission is needed.

Assign permissions to user groups

RPort version 0.9.0 has introduced user group permissions. To allow certain actions, you must give permission to a user group.

If two or more groups are assigned to a user and groups have contra dictionary permissions, the authorization wins over the denial.

Example: If a user is a member of the groups Red and Blue, and Red allows script while Blue denies it, script will be allowed.

Keep in mind, that client permission is also needed. If a user is a member of a group with scripts unlocked, the user can execute scripts only on the assigned clients.

Starting with RPort version 1.0.0 extended user group permissions are enabled always, and they can't be turned off. That means, enabling tunnels or commands permissions for a user group provides optional configuration on the tunnels or command tab. Checking the tunnels or commands check box on the base tab will give unrestricted permissions to tunnels or commands because the default permissions for both are to allow everything.

Commands permissions

Having the command's checkbox enabled will enable command execution for the user group. By default, all commands are allowed. By enabling the toggle, fine-grained command permissions can be set up for a user group.

The Allow and Deny-List consists of regular expressions. Deny rules are checked first. If the deny rules are empty, any command that matches the allow rule will be allowed.

The below example means:

1. The user group can execute the exact command sudo reboot.

2. The group can restart any service.

3. The group can execute any command that contains the keyword hostname.

Tunnels permissions

Having the tunnels checkbox enabled will enable tunnel creation. By default, all tunnels are allowed. Optionally, you can create advanced rules that apply to the tunnel creation. Navigate to the Tunnels tab and enable the toggle. Any value that you enter will become a mandatory setting for the user group when trying to create a tunnel.

Not filling one of the input fields means not restrictions apply. E.g., if you leave “Bind port on the rport server …” blank, the user group is allowed to create tunnels using any port.

With the settings shown in the below example, the user group is only allowed to create tunnels for RDP and SSH on the TCP ports 22 and 3389. Any other tunnel that's not matching these rules will be refused.

Create a group

To create a client group, navigate to Settings, and select Client Groups. Click on the button ADD GROUP.

Enter the ID of the new group. (This will be the group name). This ID will appear in the client list on the left side. We will use the id "Fileservers" in this example. Spaces are not allowed in the group ID. Optionally, you can enter a description for the group.

Next is adding at least one filter on the members tab, that determines which clients are the members of the group. You can use many criteria. The most command one is the client name.

You can add individual clients to the group by ticking on the checkboxes. Using wildcards is also supported. So, a filter could be "Hostname is E*"

With the above example, any new client whose name stars with "E" or "F" and whose IP address starts with "10" will automatically become a member of the group.

Preface

You can execute scripts on a per-client basis directly on the clients page. By selecting "scripts" on top navigation, you can execute scripts on many clients in parallel.

On Windows

Learn, from this video, how to execute PowerShell scripts on Windows machines (servers or desktop) – on a single machine and on multiple targets in parallel.

The video show how to install 7zip and notepad++ fully unattended with RPport using the following lines of PowerShell.

On Linux

Type in the content of a script. You can use a regular shebang as first line like #!/bin/bash or #!/usr/bin/env python3.

Custom script interpreters

Starting with version 0.6.0 you can execute your scripts with an interpreter.

Either enter the full path to the interpreter, or register available interpreters in the client's rport.conf file.

To register a script interpreter on the rport.conf file on the client and append a list of available interpreters. After restarting the client, they get available on the user interface.

✋ Continue reading, only if the above hint regarding the built-in ACME doesn't apply to your setup.

If your RPort server runs with Let's encrypt certificates, the certificates need to be renewed before they expire. On Debian and Ubuntu Linux certbot comes with an auto-renewal job. But this job requires some fine-tuning to work properly.

Check the scheduler

On Debian and Ubuntu, the certbot package should have installed a systemd time that checks all certificates for renewal twice a day. Check the file /lib/systemd/system/certbot.timer exists. The command systemctl list-timers should tell you, when certbot.timer run for the last time.

Create hook files

With the default settings, certbot cannot renew your certificates. The auto-renewal needs to be confirmed by a so-called . Certbot must bring up a temporary web server on port 80. The policies of Let's encrypt don't allow using a different port. Usually RPort is using the port 80 and therefore certbot cannot renew. You must teach certbot how to stop RPort before the renewal and how to start RPort again.

Execute the below script on your rport sever from the root account to create the hooks.

From now on, certbot will renew the certificates automatically.

Get your API Token

To use the API, you must get your personal API token. A token belongs to a user, and all user-rights (or limits) are applied to each transaction executed with the token.

From the settings menu in the top-right corner, select "API Token". Generate a new token. The token is displayed only once. If you lose the token, it can't be recovered. So store the token in a safe place.

Test the token

The base URL of the API is https://<server-domain>/api/v1. You must use HTTP basic authentication using your username and the API token as password.

Test the API connection by fetching the server status. Example:

Full API documentation

You can read the API documentation online .

Enable Update supervision

On Linux

To enable update supervision you must have the following line in the [client] section of your /etc/rport/rport.conf file.

A refresh of the update status can be requested through the API and the user interface independently of the specified update interval. Going faster than 4 hours is usually not need and not recommended.

⚠️ Debian, Ubuntu and SuSE Linux need a sudo rule to fetch the update status. Create a file /etc/sudoers.d/rport-update-status with the following content.

• Preparation before installing the RPort server, 🎦 Start Video

• RPort Server installation on premises, 🎦 Start Video

• RPort Server installation on cloud, 🎦 Start Video

• RPort Client installation,

• Remote access to Windows and Linux systems,

• RPort network communication explained,

What are the defaults?

Using the pairing method, you are not asked to give the client a name. The installer uses the local short hostname of the operating system to create the initial configuration.

Furthermore, a client gets two tags by default. The current country and city taken from the current public IP address. This might not be accurate and you may want to delete or change it.

Changing the client name and tags

If you want to change the name of a system, you must do this in the rport client configuration file. The configuration files is /etc/rport/rport.conf on Linux C:\Program Files\rport\rport.conf on Windows

Open the file with a text editor. Scroll done some lines. You will find the setting name = "<SOME-NAME>". Change the name to your needs.

Just a few lines below the name, you'll find the tags. Change them to your needs and save the changes.

Restart the RPort client

After any changes to the configuration file, you need to restart the client.

On Linux, execute systemctl restart rport.

On Windows use the service manager or from a PowerShell console execute: restart-service rport. If you prefer the old cmd.exe console, use net stop rport and net start rport.

Create a virtual machine

• On the Google Cloud Platform dashboard go to Compute Engine/VM instances.

• Click the "CREATE INSTANCE" button.

SSH Link handler for Windows

RPort and your browser will open links to ssh://[email protected] with the default application for that URL scheme. Windows does not have any default application assigned. To do so, follow the guide below.

Why 2FA and which to choose?

The more devices you manage with RPort the more powerful the RPort server becomes. If an unauthorized person get access to it, this person might take over partial or full control over your infrastructure. Getting access to your machines via RDP or SSH always requires login credentials of the operating system. But if you have scripts and command enabled, full control might be possible from the RPort dashboard.

Enabling two-factor authentication is therefore recommended. It prevents unauthorized usage of the RPort server if you or your teammates use weak passwords or passwords are stolen.

With 2FA enabled, you will receive a one-time token after the regular log in.

Create a virtual server

• Log in to your .

Client-side failover

Inside the RPort client configuration, you can specify a primary and a list of secondary rport servers. If the client loses the connection to the primary server, it automatically connects to the first secondary server from the list, going through the list until a connection to one secondary is established.

While the client is connected to a secondary server, a background process is constantly probing the primary server. If the primary server is available again, the client switches back.

Below an excerpt of the rport client configuration showing the fallback options.

Preface

While the preferred way to install the client is the pairing service, this option might not be feasible on devices with very limited resources. A shell like bash or many of the command line tools used for the automated creation of the configuration are very likely not available on devices likes routers, switches or NAS.

To run the client, you need two files.

Security notice

The execution of commands must be allowed in the rport client configuration file /etc/rport/rport.conf on Linux or C:\Program Files\rport\rport.conf on Windows.

You can create a list of allowed commands and a list of disallowed commands. This allows fine-grained filtering.

See and more .

Before you start your installation, make yourself familiar with the ports used by rport and their functions. It helps you to design your setup properly right from the beginning.

The port explanation below contains information how to change the ports inside the rportd.conf file and how to install the server with custom ports right from the beginning.

Install the RPort Server automatically

The server installer script will do all the tedious work for you. In no time, you'll have a perfect server that meets your exact requirements.

Alternatively, read the help message of the installer script.

Pure intranet installation and operation

This example assumes you and your managed devices are located inside a local network (yellow area).

🧨 Caution You must enter a valid email address that will be used for the two-factor authentication. The email is stored only in your local database. The FQDN of the server must exist on your local DNS or at least enter it to /etc/hosts before you start the installation.

💁 Insider tip Use --totp instead of --email <EMAIL> to use two-factor authentication with mobile apps like Google or Mircosoft authenticator.

Security advice: Exporting your licence key to an environment variable via the export command can be insecure because the key could be extracted from the process list by currently logged in none-root users. To prevent this, create a text file, e.g. rportd-license-key.txt that contains the line export RPORTD_LICENSE_KEY=<YOUR-KEY>. Load the environment variables from the file with . ./rportd-license-key.txt and delete the file securely afterwards, e.g. using shred rportd-license-key.txt.

After the installation, you must import the root certificate of the rport server into your browser and operating system.

Intranet installation with internet operation

This example assumes the server is behind the firewall without a public IP address. The managed clients and the users are on the internet, accessing the server by the public FQDN of the router. Port forwarding is needed for TCP 80,443,20000-20050.

💁 Insider tip The default http(s) ports 80 and 443 are used. If you create the DNS record and the port forwarding before you start the installation, Let's encrypt certificates are automatically generated.

Supported operating systems

The server installer only support the following Linux versions.

• Debian 10 & 11

• Rasbian 9 or newer

• Ubuntu 20.04 LTS or 22.04 LTS (⚠️ do not use none-LTS)

• RedHat, CentOS, Alma, Rocky, Oracle Linux 8

For all supported operating systems, the following architectures are supported: armv6, armv7, aarch64, X86_64.

CentOS Stream 9 is not yet supported due to a missing certbot package.

Ports used and their functions

1. Client connection port, [server] address = "<IP>:<PORT>" in the rportd.conf. The rport clients aka agents will connect to the server on this port. We suggest using port 80 because corporate networks usually do not block outgoing traffic on port 80. Plain HTTP is used, no certificates are needed. The encryption happens on application level and client and server handle it autonomously based on the SSH protocol over HTTP. You are welcome to use any other port, if firewalls allow outgoing connections over this port or if you plan to run the server and all clients on the same intranet. 🔅Use the server installer with --client-port <INT> to install your rport server on a different port than 80.

2. Client connection URL, [server] url = "http://<HOST>:<PORT>". This is an optional setting, only used to generate the pairing script for fast and easy client installation. The

Hostname and certificates

As already mentioned, we strongly advise using HTTPs even inside your local intranet. The installer will generate valid certificates for you. You won’t have a hassle with it. But to establish an HTTPs connection without warnings, 👉you must access the user interface or the API by hostname, and not by IP address. If you want to access the rport server from outside your local network, you need a public hostname. Almost all routers support a variety of dynamic DNS services to register a public hostname for you.

The server installer tries to first generate certificates using Let’s encrypt. The user interface can be opened from any browser anywhere without certificate errors. To use Let’s encrypt, two measures must be performed before you install the rport server.

1. Your public hostname must be registered, and it must resolve to the public IP address of your router.

2. A port forwarding for port 443 must be active. The external port 443 of the router must be forwarded to the port 443 of the rport server. That’s a requirement of Let’s encrypt. They deny issuing certificates if the validation is not performed over standard ports.

💡The installer has a self-signing fallback. If you prefer not to create port a forwarding on port 443 because perhaps the port is already in use, don’t worry. The installer will create a certificate authority just for Rport and a self-signed certificate is issued. You just need to import the CA into your OS or browser. .

Port forwarding

Which port forwarding you must create depends on your use case. If you plan to manage clients anywhere outside your local network, but you will access the user interface and the tunnels only from inside your intranet, a port forwarding for the client access port is sufficient.

✋Do not mess port mappings. It’s not recommended to use different ports externally and internally. The User interface and the client installer generate links and scripts based on the values of portd.conf. If you run the client connection port internally on 80, but you map it to the external port 8080, client connections will fail, unless you change the port manually in the client configuration file.

Start the installer 🪄

Now it's time to let the magic happen.

This is the simplest way to execute the installer. All default ports (read above) are used.

The help message indicates how to change the ports.

Manage certificates

Import the root certificate authority (root CA)

If the server installer can not use Let's encrypt to obtain certificates, a certificate authorities was created automatically. It's all stored in /etc/rport/ssl/ca/export. All users must import this root CA into their operating system and optionally directly into Firefox.

Transfer the Root CA file to your desktop. If scp is not an option, you can do an insecure download from http://<RPORT-SERVER-IP>:<PORT>/rport-ca.crt. The installer created a symbolic link, so the certificate is reachable via the built-in web server.

Import CA on Windows

Open PowerShell 7 and import the certificate. Chrome and Edge need to be re-opened afterwards. On PowerShell < 7, download the file with a browser and just to the import step.

Import CA on macOS

Import CA on RedHat-based Linux

Import CA on Debian-based Linux

Check the connection

Grab the address and port of your RPort sever.

Open the configuration file /etc/rport/rport.conf or C:\Program Files\rport\rport.conf with a text editor and look for the line that contains your RPort sever address. Or grab it directly from the console using grep "server =" /etc/rport/rport.conf on Linux or find "server =" "C:\Program Files\rport\rport.conf" on Windows.

The server settings consist of the FQDN or IP Address and the port, divided by colon. Optionally there is a protocol prefix http://.

Example: server = "v0e0vj4l5j1m.users.rport.io:80" The server address is v0e0vj4l5j1m.users.rport.io and the port is 80.

On Linux, execute echo > /dev/tcp/<SERVER>/<PPORT> && echo "All good"||echo "Server not reachable".

On Windows, use the PowerShell and execute Test-NetConnection -ComputerName <SERVER> -Port <PORT>.

If the above check fails, a firewall is blocking the outgoing connections.

Observe the logs

If the client is not connecting, you should look at the logs.

From a Windows PowerShell execute Get-Content "C:\Program Files\rport\rport.log"| Select-Object -Last 100.

From a Linux console execute tail -n 100 /var/log/rport/rport.log.

You might get a hint why the client is not connecting.

Check for transparent proxies

Some networks have implemented a so-called transparent proxy. All outgoing connection targeting a remote port 80 are intercepted and redirected through an HTTP proxy. Usually, this is done for automatic virus scanning or blockage of malicious websites. Because RPort uses encryption on application layer, a proxy cannot scan the packets send by the rport client. Most proxies deny the connection if they can't consider them as harmless.

How to solve such issues?

Create an exemption rule in the scanning engine of the proxy and exclude your rport server address from all scanning.

Use multiple ports for client connections

If the above is not possible, try using a different port than 80. If only a few clients are affected, do not change the client connections port of your RPort server. Just bring a second port that can be used as an alternative to the main port. The fastest way for doing this, is using rinetd. Install it by executing apt-get install rinetd, and create a config in /etc/rinetd.conf like the example below.

Restart with service rinetd restart.

If you have numerous clients connecting through rinetd, you might get an error like socket(): Too many open files. On most distributions, the old system-v-inet is used to manage rinetd. Check systemctl status rinetd . If you get Loaded: loaded (/etc/init.d/rinetd; generated)the modern and de-facto standard, Systemd is not used.

Create a file /etc/systemd/system/rinetd.service with the following content:

Pay attention to line 11 and 12. Now you have increased the limits to its maximum. To activate the new systemd service file, execute

Start a new instance

Because RPort has almost no dependencies, it will run flawlessly on any halfway modern Linux. We recommend using Debian 11 Bullseye. Debian is lightweight and secure.

• Log in to your AWS console, go to ECS and select your preferred region.

• Click "Launch Instances" and type Debian Bullseye into the search bar.

• Click on "N results in AWS Marketplace"

The RPort server doesn't require a lot of CPU, disk, or memory resources. Selecting a t2.micro instance is perfect. ✋Do not launch the instance yet. Click "Next: Configure Instance Details".

On "Step 3: Configure Instance Details" you don't have to change anything. Take over all the pre-selected defaults. Click "Next: Add Storage".

On "Step 4: Add Storage" you don't have to change anything. 8 GiB is fairly enough disk storage. Take over all the pre-selected defaults. Click "Next: Add Tags".

On "Step 5: Add Tags" you don't have to change anything. But feel free to add tags to keep your ECS instance well organized. Click "Next: Configure Security Group".

On "Step 6: Configure Security Group" setting up the security group is crucial. Enter the following settings.

After creating the security group click "Review and launch".

Now click "Launch" to launch the instance. On the last step select which SSH keys to use. The decision is up to you. Finally, launch the instance.

Install the RPort server on your new ECS2 instance

From the list of instances, grab the public ipv4 address of your newly created instance.

Connect over SSH to the instance using the admin user. Usually, you must specify the private key created for the instance or the region. For example, ssh -i .ssh/ec2-ohio.pem [email protected]

After the login, change to the root account by typing in sudo -i.

👉 Now proceed to

Problem

You want to restart the rport client, but you are connected via a tunnel (RDP, VNC or SSH). If you just execute a restart command, you will kill the current connection and the restart is also killed halfway. The client will not reconnect.

Solution

You must restart the client with a small delay from a background process. This is done best from the rport script interface.

On Linux

On Linux, execute the following script:

Make sure, you enable sudo.

On Windows

On Windows, a few more lines of PowerShell are required to execute a task in the background. Execute the following script to safely restart rport.

Make sure you execute the script with PowerShell.

Create and use a tunnel

Use tunnels to access remote servers and devices over SSH, remote desktop or any other TCP-based protocol. The tunnels are reverse tunnels initiated by the remote side. That means the IP address of the remote system doesn't matter and the remote side doesn't open any additional ports. The tunnel is created through the HTTP protocol. As long as the remote client is allowed to access the internet via HTTP, you can create tunnels.

The more clients you manage with RPort the more important it is to constantly monitor the faultless operation of the server. You must get notified quickly if errors occur.

If you have a monitoring solution in place, integrate your rport server there. If you run the rport server on a cloud service like AWS or Azure, you can use their monitoring.

A basic monitoring should supervise:

1. The uptime of the server itself (ICMP Ping)

2. Check if the port for the clients connections, 80 by default, is up.

Use push messages for 2FA

RPort supports sending one-time tokens to mobile phones via . Pushover is a very tiny and versatile app available for and .

Create your DNS record

If you want to change the FQDN of a RPort server installed via the cloud-installer the first step is to create a DNS A Record that points to the IP address of your virtual machine.

The free DNS service of RPort will delete unused hostnames automatically, and your CNAME-record would become orphaned.

We will use rport-server.example.com as an example for the new hostname of your RPort server.

Login to the console of your rport-server using SSH and verify the new DNS record has been set up properly. Execute the following two commands. Both must print the same IP address – the IP address of your RPort server.

Generate new SSL certificates

If you already have certificates for the new FQDN, you can skip this step.

Stop the RPort server first. To generate new free certificates via Let's Encrypt, execute the following commands.

Change the rportd configuration

Change the ssl key and cert

With the new certificates generated, or with your own certificates, open the configuration file /etc/rport/rportd.conf with an editor. Scroll down to the lines where certificates are configured. Certificates are registered twice. In the [server] and [api] section. Change it as shown.

Before (with random *users.rport.io FQDN)

After (example with your FQDN)

Change the client connect url

The rportd.conf file contains a setting url =, that indicates clients who is their server. You must change this setting to the new hostname. If the client url contains a hostname, you must change it. If it contains an IP address, no changes are needed.

Before (with random *users.rport.io FQDN)

After (example with your FQDN)

Change the tunnel host

If your rport server runs behind a reverse proxy, can be your own or a service like CloudFlare, pay attention to the . Usually, you must specify an alternative hostname that points directly to your rport server, bypassing all reverse proxies.

Change the server URL for sending two-factor tokens via email

If your RPort server is using the default script to send two-factor tokens via email, you must enter the new URL of your server in /usr/local/bin/2fa-sender.sh too.

Open the script with an editor and enter the URL of your RPort server.

Before:

-F url=https://*.users.rport.io 2>&1)

After (example with your FQDN):

-F url=https://rport-server.example.com 2>&1)

Wildcards are not supported for custom domain names.

Chang the Totp name

Also consider changing the . When using TOTP as the second login factor, this field is filled. If you chose the FQDN of the server as the value for this field, this value should be changed in line with the new FQDN.

Start RPortd

Finally, start the rport server again with systemctl start rportd. Type in the new https://<NEW_FQDN> into your browser and check. 🎉

Remove unneeded certificates

After rportd is running again and uses the new certificates for the new FQDN, the old certificated should be removed. Otherwise, certbot would try to renew them too, at worst running into DNS resolution errors since the old FQDN doesn't exist any more. A proper clean-up can be achieved by running certbot delete and selecting the old cert via the corresponding number key.

Create a virtual machine

Basic Settings

• From the Azure Service select "Virtual Machines".

• Click on Create > Virtual Machine

• Select an existing resource group or create a new one. If don't know what resource groups are, create a new one called rport.This avoids conflicts with existing resource groups.

• Enter rport-server as the name for the virtual machine.

• Select a region near you.

• Select "No infrastructure redundancy required" for the availability options.

• From the Image drop-down select Debian 11 "Bullseye" - Gen 1.

  You might need to click on "See all images" and type in "debian bullseye" into the search field.

• On the size-drop-down click "See all sizes" to get access to the cheap options. It's a bit challenging to find cheap VMs. Use the filters to display only VMs with 1-2 CPUs and 0-2GB RAM. Select a B1 or B1ls series (~3-7€/month)

• If you have SSH key pair, use it. Otherwise, select "Password" as the authentication type.

• Select a username other than root or admin. For example, superuser.

• Enter a strong password, if you are not using SSH keys.

Networking

On the networking setup, select "Advanced" for the NIC network security group" and click "Create New" to create a new security group.

When creating the new network security group, add the following new inbound rules.

Now proceed to all the next steps without changing the pre-filled defaults.

Finally, create the new virtual machine.

After the machine has been created, click on "Go to resource" to get access to all details of the virtual machine.

Install the RPort server on your new Azure Virtual Server

From the details of the newly created virtual machine, grab the public IP address.

Connect over SSH to the instance using the username you specified during the VM creation. For example, ssh [email protected]. After the login, type in sudo -i to change to the root account.

👉 Now proceed to