RustDesk Server - Hardened Remote Desktop Relay
by Lynxroute
RustDesk Server - CIS Level 1 hardened remote desktop relay on Ubuntu 24.04 LTS with SBOM.
What is RustDesk Server
RustDesk Server is the self-hosted backend for the RustDesk remote-desktop client: a pair of Rust binaries (hbbs, the rendezvous/ID service, and hbbr, the relay service) that coordinate connections between RustDesk desktop and mobile clients without going through any public infrastructure. The rendezvous service assigns peer IDs, exchanges public keys, and brokers NAT hole-punching; the relay service forwards the encrypted session when a direct connection cannot be established. The server's identity is an Ed25519 keypair generated per VM: clients configured with its public key verify the signatures the rendezvous service places on peer key exchanges, so they can tell they are talking to your server and not a public one, and session traffic stays end-to-end encrypted between the peers. Compatible with all official RustDesk clients on Windows, macOS, Linux, Android, iOS, and Web. AGPL-3.0 licensed - a community alternative to TeamViewer and AnyDesk SaaS in which all session metadata stays inside your tenant.
Why self-host RustDesk Server
Self-hosting RustDesk gives you full control over peer registration and session metadata - your client IDs, IP addresses, and connection patterns never touch a third party. Ideal for teams with data residency requirements, organisations seeking a cost-predictable remote support stack, or MSPs that need to keep customer remote support traffic inside their own infrastructure.
What this VM image adds
Security hardening:
- Ed25519 keypair generated per instance - unique server identity, generated at first boot, never shared between deployments
- hbbs and hbbr run as non-root - dedicated rustdesk system user, no shell, locked home directory
- SQLite database owned by the rustdesk user - the peer registration store is readable and writable by the service account only, so the service never needs root to reach it and other local accounts cannot tamper with registered peers
- CVE scan - every image is scanned for vulnerabilities with Trivy before release
- UFW firewall - only RustDesk ports open (21115/tcp, 21116/tcp+udp, 21117/tcp) plus SSH on 22/tcp; everything else inbound is denied
- fail2ban - SSH brute-force protection
- AppArmor - mandatory access control
OS hardening (CIS Level 1):
- CIS Level 1 hardened - CIS Ubuntu 24.04 LTS Level 1 Benchmark via ansible-lockdown
- auditd - system call auditing for critical paths
- SSH hardening - PasswordAuthentication disabled, key-only access
- Kernel sysctl hardening - SYN cookies, ASLR, rp_filter (reverse-path filtering); TCP BBR congestion control is also enabled, which is a performance setting rather than a hardening control
- /tmp as tmpfs - nosuid, nodev, noexec
- Azure platform endpoints - egress pre-allowed to the Instance Metadata Service (169.254.169.254) and the Azure host/wire server (168.63.129.16, used for DNS, health probes, and the guest agent)
Compliance artifacts (inside the VM):
- SBOM - CycloneDX 1.6 at /etc/lynxroute/sbom.json
- CIS Conformance Report - OpenSCAP HTML at /etc/lynxroute/cis-report.html
- Tailored CIS profile - /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md
- Server credentials file - /root/rustdesk-server-credentials.txt with public IP, ports, and Ed25519 public key
Quick Start
- Deploy VM from Azure Marketplace (Standard_D2s_v3 or larger recommended)
- Open NSG: TCP 21115, TCP+UDP 21116, TCP 21117 from your client networks - SSH 22 from your management IPs only
- SSH: ssh -i key.pem <username>@<PUBLIC_IP> (username set during VM creation, default: azureuser)
- Read connection details: sudo cat /root/rustdesk-server-credentials.txt - contains public IP, ports, and Ed25519 public key
- In RustDesk client: Settings - Network - ID Server: <PUBLIC_IP>:21116, Relay Server: <PUBLIC_IP>:21117, Key: <public key from credentials file>
UDP 21116 is mandatory - clients register their ID and send heartbeats to hbbs over it, so without it no session (direct or relayed) can be set up even if every other RustDesk port is reachable. Open it in your NSG explicitly; a TCP-only rule for 21116 is not enough.
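A post-deploy check of the claims above, as an added example that is not part of the Lynxroute image or of RustDesk: a POSIX shell script that verifies a deployed VM against the hardening list (service account, host firewall, SSH settings) and validates the Key value from the Quick Start. It assumes the rustdesk user and the hbbs/hbbr process names from the page, and that the daemons also bind 21118/tcp and 21119/tcp, RustDesk's default web-client websocket ports, which the page's UFW list does not open. Each check takes command output as its argument so it can be exercised against constructed samples; `--live` runs the real commands.

```shell
#!/usr/bin/env sh
# verify-rustdesk-vm.sh: check the hardening and firewall claims on a deployed
# VM. Added example, not part of the Lynxroute image or of RustDesk. Service
# account, process names and the port list are taken from the page.

SERVICE_USER="rustdesk"

# Listeners expected on the host. hbbs and hbbr also bind 21118/tcp and
# 21119/tcp by default (web-client websockets); they are accepted here as
# local listeners because UFW, per the page, does not open them externally.
ALLOWED_LISTENERS="tcp:22 tcp:21115 tcp:21116 udp:21116 tcp:21117 tcp:21118 tcp:21119"

# UFW rules the page describes: the three RustDesk ports, SSH, and egress to
# the two Azure platform endpoints. "21116" with no protocol means TCP+UDP.
ALLOWED_UFW="22/tcp 21115/tcp 21116 21116/tcp 21116/udp 21117/tcp 169.254.169.254 168.63.129.16"

# $1: output of `ss -lntuH` (no header). Fails on any non-loopback listener
# outside ALLOWED_LISTENERS. The port is the text after the last ':' so
# 0.0.0.0:21116, [::]:21116 and *:22 all parse.
check_listeners() {
  printf '%s\n' "$1" | awk -v allowed=" $ALLOWED_LISTENERS " '
    BEGIN { bad = 0 }
    NF == 0 { next }
    $5 ~ /^127\./ || $5 ~ /^\[::1\]/ { next }   # e.g. systemd-resolved on 127.0.0.53
    { port = $5; sub(/.*:/, "", port)
      if (index(allowed, " " $1 ":" port " ") == 0) {
        print "unexpected listener: " $1 " " $5; bad = 1 } }
    END { exit bad }'
}

# $1: output of `ufw status`. Requires "Status: active" and rejects ALLOW
# rules for anything outside ALLOWED_UFW (the " (v6)" suffix is ignored).
check_ufw() {
  printf '%s\n' "$1" | awk -v allowed=" $ALLOWED_UFW " '
    BEGIN { bad = 0; active = 0 }
    $0 == "Status: active" { active = 1 }
    /ALLOW/ { gsub(/ \(v6\)/, "")
              if (index(allowed, " " $1 " ") == 0) {
                print "unexpected ufw rule: " $0; bad = 1 } }
    END { if (!active) { print "ufw is not active"; bad = 1 }; exit bad }'
}

# $1: output of `sshd -T` (effective config, lowercase keywords).
# PasswordAuthentication no alone is not "key-only": PAM keyboard-interactive
# can still prompt for a password, so KbdInteractiveAuthentication is checked
# too. PermitRootLogin no is a CIS Level 1 requirement.
check_sshd() {
  sshd_bad=0
  for want in "passwordauthentication no" "kbdinteractiveauthentication no" \
              "permitrootlogin no" "pubkeyauthentication yes"; do
    printf '%s\n' "$1" | grep -qx "$want" || { echo "sshd: expected '$want'"; sshd_bad=1; }
  done
  return $sshd_bad
}

# $1: output of `ps -eo user:32,comm --no-headers`. Both daemons must be
# running, and only as SERVICE_USER.
check_service_users() {
  printf '%s\n' "$1" | awk -v want="$SERVICE_USER" '
    BEGIN { bad = 0 }
    $2 == "hbbs" || $2 == "hbbr" {
      seen[$2] = 1
      if ($1 != want) { print $2 " runs as " $1 ", expected " want; bad = 1 } }
    END { if (!("hbbs" in seen)) { print "hbbs is not running"; bad = 1 }
          if (!("hbbr" in seen)) { print "hbbr is not running"; bad = 1 }
          exit bad }'
}

# $1: the Key value clients are given. An Ed25519 public key is 32 raw bytes,
# i.e. 43 base64 characters plus one '=' of padding; anything else is a
# truncated or mangled copy and clients will report a key mismatch.
check_key() {
  printf '%s' "$1" | grep -Eqx '[A-Za-z0-9+/]{43}=' || return 1
  key_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$key_len" = 32 ]
}

# Live run on the VM: sudo sh verify-rustdesk-vm.sh --live [KEY]
# KEY is the value copied from /root/rustdesk-server-credentials.txt; the
# file's layout is not parsed here.
if [ "${1:-}" = "--live" ]; then
  rc=0
  check_listeners "$(ss -lntuH)"                            || rc=1
  check_ufw "$(ufw status)"                                 || rc=1
  check_sshd "$(sshd -T)"                                   || rc=1
  check_service_users "$(ps -eo user:32,comm --no-headers)" || rc=1
  [ -z "${2:-}" ] || check_key "$2"                         || rc=1
  [ "$rc" -eq 0 ] && echo "all checks passed"
  exit "$rc"
fi
```

Run it as root over the SSH session from the Quick Start (`sshd -T` and `ufw status` need root). A non-zero exit with `unexpected listener` or `unexpected ufw rule` lines means the image differs from what this page describes and is worth a look before clients are pointed at it; a failing `check_key` means the value you are about to paste into the client is not a complete Ed25519 public key.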