Use the browser to access the remote desktop
Starting with RPort-Server 0.6.0, the Guacamole Server and a pure JavaScript client are included in the RPort server. You connect directly to a remote desktop or terminal server from your browser. No desktop app is needed.
When you use RDP via the browser, your RDP connection is fully encrypted.
If you have upgraded your RPort server from an older version, you might need to install the Guacamole proxy manually. We provide tiny Debian/Ubuntu packages that resolve the dependency quickly and easily.
Use the browser for VNC connections
Starting with RPort-Server 0.6.0, the NoVNC proxy and the NoVNC JavaScript client are included in the server. You connect directly to a remote VNC server from your browser. No VNC viewer is needed.
Using the NoVNC integration makes your VNC connection fully encrypted, even if the remote VNC server does not support encryption. The VNC "signal" is sent to the encrypted tunnel of rport from your remote machine to the rport server. The server transforms the signal into HTTPS.
Accessing a server via NoVNC requires a VNC server running on the remote host. On Windows, any VNC server is suitable. On Ubuntu Linux, the built-in VNC server called Vino is known to be incompatible with RPort.
After installing a VNC server, activate the following settings:
Turn off encryption. On TightVNC, encryption is not included, but others might have it. Encryption will be added via the RPort tunnel; the VNC server must accept unencrypted connections.
Allow connections from localhost. Most VNC servers by default do not allow connections from localhost. Some call this a loopback connection.
If you want to connect to RealVNC servers in a browser, this is supported with the release of noVNC 1.4.0. RealVNC system authentication is supported, and session encryption is achieved via the RPort tunnel.
To use this capability, please change the VNC Server “Encryption” to Prefer On. Either use the VNC Server UI or change the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver\Encryption to PreferOn. No further adjustments are required.
To access a RealVNC Server from the browser, select VNC as tunnel type, not RealVNC, and Enable NoVNC (VNC via Browser).
VNC Viewer and the RPort URL integration are required for Multifactor authentication, High-Speed Streaming, Audio and connecting to Virtual mode/Virtual Mode Daemon.
VNC® Server from RealVNC® should only be used for RPort's browser-based VNC remote access if the RPort Server has noVNC 1.4.0 included. Older versions of NoVNC only support old (open source) versions of the RFB protocol. RealVNC® has added a number of enhancements to the RFB protocol including encryption and additional authentication mechanisms not supported by NoVNC. ⛔ It is not recommended to make any configuration changes to VNC® Server from RealVNC® to achieve NoVNC 1.3.0 compatibility, like disabling security, using “VNC Password” authentication and setting protocol version to 3.8. 👉 Using the RPort/VNC® Viewer from RealVNC® integration is recommended.
Log in to any server from everywhere via SSH or Remote Desktop
To log in to a remote system located behind a firewall or NAT router, you need a tunnel.
Select the client you want to access, and click on the green button ADD TUNNEL. Depending on the operating system, the dialogue is prefilled with defaults you very likely would like to use. For Windows, an RDP tunnel is suggested, and for Linux SSH is used as default. The tunnel will be protected with an access control list that gives access only to your current IP address. This ACL is a second layer of security. Valid login credentials are still required.
After you click ADD TUNNEL, the connection is created instantly. Now click on the LAUNCH TUNNEL icon and your default application for RDP or SSH opens the connection. From now on, use the username and password of the system you already have. For RDP, a configuration file for the remote desktop client is generated and downloaded. Look at the downloads of your browser and double-click the file.


Get access to any remote TCP port
Use tunnels to access remote servers and devices over SSH, remote desktop or any other TCP-based protocol. The tunnels are reverse tunnels initiated by the remote side. That means the IP address of the remote system doesn't matter and the remote side doesn't open any additional ports. The tunnel is created through the HTTP protocol. As long as the remote client is allowed to access the internet via HTTP, you can create tunnels.
Select a client on the left side, and click on it. Select the tunnels tab.
Click the Add Tunnel button.
Select the service you want to access on the remote client.
After the tunnel has been created, you can use it in different ways. The fastest and easiest way is clicking on the "Launch Tunnel" icon.
Depending on the selected protocol (scheme) your browser will launch the application registered as default application (handler) for that scheme. For example, on Linux and Mac desktops, all links with a ssh:// scheme will be opened in a terminal that automatically starts the ssh client. You can achieve this behavior on Windows too.
Remote desktop connections will not directly open from the browser. Clicking on the "Launch Tunnel" button triggers the download of an RDP configuration file. This file contains all details for the connection. Just double-click on it. On Windows and Mac the Microsoft Remote Desktop opens and connects you. On Linux Remmina should open. If not, make Remmina the default application for *.rdp files.
A tunnel consists of two ends. On the remote side, it ends on a TCP port of an rport client. (Read below if the tunnel should not end on the rport client.) The other end of the tunnel ends on the rport server on an arbitrary port, either randomly selected or specified manually. But generally the tunnel does not end on the default ports assigned to the protocol, like 22 for SSH or 3389 for RDP.
In the above example, a tunnel is created to the SSH port of a remote Linux server. The rport server has tied the other end of the tunnel to the port 29304. Let's say your RPort server has the FQDN rport.example.com. To access the remote Linux server via SSH use ssh -p 29304 [email protected].
If you want to connect the remote desktop client to the public end of a tunnel, specify the port after the server name, separated by a colon.
A so-called service forwarding allows you to access resources on a remote network where the rport client is not installed or cannot be installed. A typical use case is getting access to configuration of routers, switches and printers. But a service forwarding is also used to access SSH or RDP on servers, where the rport client cannot run. Any rport client can act as a bridge, creating a service forwarding to external TCP ports.
Look at the example to understand how it works.
The rport client runs on a host called ITXC located in a 192.168.249.0/24 subnet.
The tunnel will create a service forwarding for the RDP port to a neighbor server with the IP address 192.168.249.33.
The service forwarding will be stored in the library. Using this feature, you and your teammates can re-launch the service forwarding with a single click, without entering all the details again.
Starting with RPort 0.5.0 the rport server comes with a built-in HTTP reverse proxy. This reverse proxy can be activated for all tunnels using the http or https scheme.
A typical use case is accessing web-based configurations inside an intranet. You could access any TCP port without a proxy with previous versions, but the new proxy option brings two significant advantages:
All communication from your browser to the end of the tunnel on the rport server is encrypted using HTTPS with valid certificates that don't confuse users with warnings.
If the tunnel points to an HTTPS target with invalid certificates, the proxy puts valid certificates on top, avoiding warnings and insecure communication.
RPort servers >= 0.5.0 installed with the and the have the reverse proxy function enabled by default. If you have upgraded from older versions, the function.
❗The proxy will always listen on a secure HTTPS port on the public side. Using the proxy without encryption is not supported.
On the creation of a tunnel, just activate Enable HTTP Reverse Proxy. 👀Pay attention to the optional host-header. Many web servers use so-called virtual hosts. If the connection does not specify the right host – the name of the site you want to access – the connection might fail, or you land on some default site. Use the domain that you would use to access the site without a tunnel as host-header.
The example below shows how to access the web-based configuration of a router through a tunnel. Because without a tunnel you would access the router by its internal host name fritz.box, this name is used as host-header.
After the tunnel is created, the "exposed port" is where the proxy listens. All requests are forwarded to the end of the tunnel. Clicking the "Launch Tunnel" icon will open a new browser window or tab on the exposed port.
Use the VNC® Viewer from RealVNC® desktop app to connect to VNC® Server from RealVNC® or any VNC server
Starting with RPort version 0.9.0 an integration with VNC® Viewer from RealVNC® is built-in.
VNC® Viewer from RealVNC® desktop app version 6.22.826 or newer must be installed on your desktop. Download the latest version from here.
Older versions do not implement a URI handler. For older versions, you can still use a copy and paste fallback approach. See below.
On the remote side, the VNC® Server from RealVNC® must be licensed with a VNC Connect Enterprise subscription with Use for more information on VNC Connect, or to take a 14 day Enterprise free trial. NOTE: RealVNC® Cloud connections cannot currently be used by RPort.
On the "Add tunnel" dialogue, select "RealVNC". Port 5900 is used by default. Change only if needed. Start the tunnel with the ADD TUNNEL button.
Once the tunnel has been created, click on the Launch Tunnel icon.
If you do this for the first time, your browser will ask for a confirmation. You must approve that the browser may open a desktop app. Click Open. If you plan to use VNC® Viewer from RealVNC® often, also activate the checkbox "Always allow ..."
Done! VNC® Viewer from RealVNC® should open and connect you to the remote system.
If your version of VNC® Viewer from RealVNC® does not support browser integration, start VNC® Viewer from RealVNC® manually. On the list of tunnels, click the Copy to clipboard icon. Put your cursor in the address bar of the viewer and paste from the clipboard. Hit enter to start the connection.
Learn how to copy files through a tunnel using scp or sftp
Copying files to a remote system over scp or sftp requires an SSH server running on the remote side. On almost all Linux systems SSH is installed and active.
Create a tunnel for SSH access to the remote server. The tunnel will end on a random port on your rport server. Remember the port number.
To copy a file to the remote system over the tunnel via scp use
scp -P <PORT> <LOCAL-FILE> <USER>@<RPORT-SERVER>:<DESTINATION>
For example:
scp -P 22708 /etc/hosts [email protected]:/tmp/
Doing the same over rsync
rsync -e "ssh -p 22708" /etc/hosts [email protected]:/tmp/
Open the site manager of Filezilla.
Create a new site using the "SFTP - SSH File Transfer Protocol".
Enter the name of the rport server as "Host".
Enter the port of the tunnel as port for the Filezilla connection




Usually, only you intend to use the tunnel. Therefore, your current public IP address is prefilled into the access control list (ACL). If you intend to enable public access to a web server inside an intranet, for example, you can switch off the ACL completely.
If you would like to keep tunnels alive even if they are not actively used, unselect the "Close tunnel after inactivity of N minutes" option.
Optionally, you can close (destroy) the tunnel even if it's still in use after a given period.
Learn how to open SSH connections directly from the browser
RPort and your browser will open links to ssh://[email protected] with the default application for that URL scheme. Windows does not have any default application assigned. To do so, follow the guide below.
Make sure you have OpenSSH installed on Windows 10. Open a terminal (cmd.exe or PowerShell) and type in ssh -V. You should get an output similar to
If the ssh command is missing, execute the following command on a PowerShell.
More info
An ssh link follows this syntax, ssh://<username>@<host>:<port>, but OpenSSH expects a different format. Download the PowerShell script ssh-protocol-handler.ps1 to some directory, for example to %LOCALAPPDATA%\ssh-protocol-handler.ps1.
You can do this on the PowerShell with the following commands.
Test the script by executing .\ssh-protocol-handler.ps1 ssh://[email protected]:22. It doesn't matter if you have a local SSH server. It's just for testing that the URI gets translated into the correct PowerShell command.
Download the ssh-protocol-handler.reg registry setting file. Adding it to the registry will register the above script as a protocol handler for ssh:// links.
You can do this in the PowerShell with the following commands.
If you download the script manually, replace <LOCALAPPDATA> by the path where you stored ssh-protocol-handler.ps1
Open the Windows settings. Go to "Apps & features -> Default Apps", scroll down and click on "Choose default apps by protocol".
Now type an SSH URL into the URL bar of any browser, for example ssh://[email protected]:2222. A PowerShell window should open, trying to connect you.
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Download the protocol handler script
$url = "https://gist.githubusercontent.com/thorstenkramm/b25a2c09ca7414595d48d1db581833fc/raw/1fecf170378390eebe778209a8b88972d6893657/ssh-protocol-handler.ps1"
$file = "$env:LOCALAPPDATA\ssh-protocol-handler.ps1"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $url -OutFile $file

# Download the registry file, insert the local script path, review and import it
$url = "https://gist.githubusercontent.com/thorstenkramm/b25a2c09ca7414595d48d1db581833fc/raw/1fecf170378390eebe778209a8b88972d6893657/ssh-protocol-handler.reg"
$file = "$env:LOCALAPPDATA\ssh-protocol-handler.reg"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $url -OutFile $file
# [regex]::Escape doubles the backslashes of the path, as the .reg format expects
(Get-Content -Path $file -Raw) -replace '<LOCALAPPDATA>', "$( [regex]::escape($env:LOCALAPPDATA) )" | Set-Content -Path $file
# Print the final file so it can be reviewed before it is imported
Get-Content $file
reg import $file
rm $file
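
The translation described above, from an ssh://<username>@<host>:<port> link to an ssh command line, is the step where a protocol handler has to be strict, because the link text comes from whatever page or application the user clicked it in. The following is an added example, not the ssh-protocol-handler.ps1 script from this page; the function name ConvertTo-SshArgs and the sample user admin are assumptions made for illustration.

```powershell
# Added example, not the project's ssh-protocol-handler.ps1.
# ConvertTo-SshArgs is a hypothetical helper name.
function ConvertTo-SshArgs {
    param([Parameter(Mandatory)][string]$Link)

    # Accept only an absolute URI with the ssh scheme.
    $uri = $null
    if (-not [System.Uri]::TryCreate($Link, [System.UriKind]::Absolute, [ref]$uri)) {
        throw "Not a valid URI: $Link"
    }
    if ($uri.Scheme -ne 'ssh') { throw "Not an ssh:// link: $Link" }

    # A tunnel link carries user, host and port only.
    if ($uri.AbsolutePath -notin @('', '/') -or $uri.Query -or $uri.Fragment) {
        throw "Unexpected path, query or fragment: $Link"
    }

    # Decode first, then validate, so percent-encoding cannot hide characters.
    $user    = [System.Uri]::UnescapeDataString($uri.UserInfo)
    $sshHost = $uri.Host   # $Host is reserved by PowerShell

    # Allow-list: values must start with a letter or digit, so ssh cannot read
    # them as options, and may not contain spaces, quotes or separators.
    # \A and \z anchor the whole string, including a trailing newline.
    if ($user -and $user -notmatch '\A[A-Za-z0-9][A-Za-z0-9._-]*\z') {
        throw "Rejected user name in: $Link"
    }
    if ($sshHost -notmatch '\A[A-Za-z0-9][A-Za-z0-9.-]*\z') {
        throw "Rejected host name in: $Link"
    }

    # Build an argument array instead of a command string.
    $sshArgs = @()
    if ($uri.Port -gt 0) { $sshArgs += @('-p', [string]$uri.Port) }
    if ($user)           { $sshArgs += @('-l', $user) }
    $sshArgs += $sshHost
    return ,$sshArgs
}

# Constructed sample links: the first is accepted, the second is refused.
$samples = 'ssh://admin@rport.example.com:29304', 'ssh://-x@rport.example.com:29304'
foreach ($link in $samples) {
    try   { '{0} -> ssh {1}' -f $link, ((ConvertTo-SshArgs $link) -join ' ') }
    catch { '{0} -> refused: {1}' -f $link, $_.Exception.Message }
}

# A handler would then start the client with:  & ssh.exe @sshArgs
```

Starting the client with the call operator and a splatted array passes each value as one argument, so nothing from the link is re-parsed as a command string.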













