[Support] ich777 - Application Dockers


  • Author
1 hour ago, 4554551n said:

It warns very specifically not to expose this to the internet, but gives few details. And I don't really see a guide for your implementation.

Please don't confuse the Web Client from Linuxserver.io with the container from me.

 

My container is just the Server and Relay Server for initiating the connection which is by default also encrypted with a Private/Public key.

The container from Linuxserver.io is just a client that connects to a server and this should not be exposed to the Internet because if you've configured it to work with your Server (Public Key) anyone would be able to connect to a machine if the ID and Password are known, it would maybe even be possible to bruteforce it because they have your Public Key.

 

You can expose my container safely to the Internet since this is necessary to initiate (possibly also relay) and establish the connection between clients which know the Public Key from the Server.

If one without the Public Key tries to connect through your Server to another client he will be rejected because the Public Key doesn't match.

 

Hope that makes sense and clarifies most of your questions.


@ich777 Thanks for the follow up. I ended up not needing it in the end so I removed my comment. I couldn't actually get it working though

18 hours ago, ich777 said:

Please don't confuse the Web Client from Linuxserver.io with the container from me.

 

My container is just the Server and Relay Server for initiating the connection which is by default also encrypted with a Private/Public key.

The container from Linuxserver.io is just a client that connects to a server and this should not be exposed to the Internet because if you've configured it to work with your Server (Public Key) anyone would be able to connect to a machine if the ID and Password are known, it would maybe even be possible to bruteforce it because they have your Public Key.

 

You can expose my container safely to the Internet since this is necessary to initiate (possibly also relay) and establish the connection between clients which know the Public Key from the Server.

If one without the Public Key tries to connect through your Server to another client he will be rejected because the Public Key doesn't match.

 

Hope that makes sense and clarifies most of your questions.

That really does, thank you.
Still, are there perhaps other measures I can take? Fail2ban perhaps, or geoblocking?
Also, where do I get this public key from to set it up on clients?
I'm not really seeing instructions for this container, I assume I just forward the ports in the router to the server, and then follow the bouncing ball in the rustdesk clients?
I'm just always wary of exposing things to the internet like that

Edited by 4554551n

  • Author
17 minutes ago, 4554551n said:

Fail2ban perhaps, or geoblocking?

Fail2Ban usually only works for websites? RustDesk should have a built in rate limit IIRC. If you want to do GeoBlocking it would be best to do that in your Router/Firewall.

 

18 minutes ago, 4554551n said:

I'm not really seeing instructions for this container, I assume I just forward the ports in the router to the server, and then follow the bouncing ball in the rustdesk clients?

Because you don't need any usually, just forward the ports as listed in the Docker template and that's it.

 

18 minutes ago, 4554551n said:

I'm just always wary of exposing things to the internet like that

I understand that but the application inside doesn't even run as root and therefore it should be safe to use as is.

1 hour ago, ich777 said:

Fail2Ban usually only works for websites? RustDesk should have a built in rate limit IIRC. If you want to do GeoBlocking it would be best to do that in your Router/Firewall.

 

Because you don't need any usually, just forward the ports as listed in the Docker template and that's it.

 

I understand that but the application inside doesn't even run as root and therefore it should be safe to use as is.

Thank you. I got it all set up, and I got the public key by opening the log window for the running docker, I assume that's where I'm supposed to get it, I don't see it anywhere else.
Is that custom generated? It's not the same key across all servers running your docker? Can I regenerate it?
Even though it doesn't run as root, the compromised container without local root elevation could still do stuff around my network, right? Or am I being paranoid?
Fail2ban is anything, default use is ssh. You feed it any log file, and some regex of what to look for, and it blocks IPs based on what you configured it for. I use it for pretty much all my services. Would be nice if you could build it into the docker if it's not asking too much :P

Also, I'm running it all locally just for testing to start, baby steps. And I have a question:

 I have a primary machine running pop os, a linux mint vm, and a windows vm.
The mint and windows can connect to and control each other and my main machine, however, my main machine can connect to the other two, but cannot control their desktops.
Main machine can however restart the remote machines, just not control their desktops. All default settings, and they can connect and control each other. Would really appreciate some guidance, and thank you so much for your quick responses

Edited by 4554551n

  • Author
8 minutes ago, 4554551n said:

Is that custom generated?

It is generated on first startup from RustDesk (please note that I never use any static keys in my containers, all keys or secrets are always created on first run).

 

8 minutes ago, 4554551n said:

It's not the same key across all servers running your docker?

No, see explanation above.

 

8 minutes ago, 4554551n said:

Can I regenerate it?

Yes, just look into the directory for RustDesk in your appdata folder and delete the two id_* files, these are the Private/Public key <- however as explained above this is not necessary and is also nothing that the container does, these are created by RustDesk.

 

8 minutes ago, 4554551n said:

The mint and windows can connect to and control each other and my main machine, however, my main machine can connect to the other two, but cannot control their desktops.

The client on the Linux Desktops is probably not configured correctly, probably not run with the correct permissions but I can't help with that since this is a client specific question and you should consult the documentation or their GitHub Issue tracker.

 

My container is just for connecting/managing the clients, as said, the issue that you are experiencing is most likely a configuration error on the client side or a checkbox or something like that that needs to be checked or unchecked.

 

Hope that helps.

2 minutes ago, ich777 said:

It is generated on first startup from RustDesk (please note that I never use any static keys in my containers, all keys or secrets are always created on first run).

 

No, see explanation above.

 

Yes, just look into the directory for RustDesk in your appdata folder and delete the two id_* files, these are the Private/Public key <- however as explained above this is not necessary and is also nothing that the container does, these are created by RustDesk.

 

The client on the Linux Desktops is probably not configured correctly, probably not run with the correct permissions but I can't help with that since this is a client specific question and you should consult the documentation or their GitHub Issue tracker.

 

My container is just for connecting/managing the clients, as said, the issue that you are experiencing is most likely a configuration error on the client side or a checkbox or something like that that needs to be checked or unchecked.

 

Hope that helps.

You're an absolute legend and I really appreciate everything you do for the community, thank you so so much.

If you ever feel the urge to look into fail2ban and include it into your remote facing dockers, that would also be most welcome :P

  • Author
5 hours ago, 4554551n said:

If you ever feel the urge to look into fail2ban and include it into your remote facing dockers, that would also be most welcome :P

I'm not really considering that because Fail2Ban is in my opinion not very effective and you could configure that through other containers, but the setup can get very complicated quickly for non-web applications.

15 hours ago, ich777 said:

I'm not really considering that because Fail2Ban is in my opinion not very effective and you could configure that through other containers, but the setup can get very complicated quickly for non-web applications.

Unfortunately configuring it through other containers also means trying to pass through rustdesk container logs and locations into the other container. I was literally in the process of trying to use the swag reverse proxy container to passthrough stuff to rustdesk (cos it's got fail2ban installed), but I don't think that's going to work cos nginx and such definitely is more for web. Don't suppose you've ever put rustdesk behind a reverse proxy?

I've never made a docker, that's why I love unraid so much, pick a distributor you trust and use a bunch of their stuff (you're on the list :P) and click install. I guess just having the fail2ban software installed, and leaving it up to the user to configure would be a lot of maintenance, as new versions come out etc.

  • Author
21 minutes ago, 4554551n said:

Don't suppose you've ever put rustdesk behind a reverse proxy?

Nope, you almost never put such applications behind a reverse proxy.

 

22 minutes ago, 4554551n said:

(you're on the list :P)

Thanks. :)

 

22 minutes ago, 4554551n said:

I guess just having the fail2ban software installed, and leaving it up to the user to configure would be a lot of maintenance, as new versions come out etc.

Not only that, I don't even think it is easily possible for services which are not web based.

TBH I would have to look into that but it could be a very manual process and if I pre-configure everything it will most certainly cause a lot of support requests.

On 2/21/2025 at 4:36 PM, ich777 said:

Nope, you almost never put such applications behind a reverse proxy.

 

Thanks. :)

 

Not only that, I don't even think it is easily possible for services which are not web based.

TBH I would have to look into that but it could be a very manual process and if I pre-configure everything it will most certainly cause a lot of support requests.

No need to pre configure fail2ban, just leave it installed and that's it.
It's not just for web, it's for anything that makes a log. The default config/primary usecase is SSH

  • Author
25 minutes ago, 4554551n said:

No need to pre configure fail2ban, just leave it installed and that's it.
It's not just for web, it's for anything that makes a log. The default config/primary usecase is SSH

Sorry but just installing something that is probably not used by most users is not the way I create my containers.

 

However you could write a short bash script like on Unraid:

#!/bin/bash
apt-get update
apt-get -y install fail2ban

and mount it into the container to /opt/scripts/user.sh with a new path entry which will then be executed each container start as root, then you have fail2ban installed, everything else is up to you.

 

Sorry, but I won't change my containers and add fail2ban since it is possible for users to do that with the method above and as said I'm not a big fan of fail2ban anyways because it's not really effective.

 

May I ask if you have so many bots that are scraping RustDesk? Most bots are only specialized on web requests which RustDesk won't answer anyways.

4 minutes ago, ich777 said:

Sorry but just installing something that is probably not used by most users is not the way I create my containers.

 

However you could write a short bash script like on Unraid:

#!/bin/bash
apt-get update
apt-get -y install fail2ban

and mount it into the container to /opt/scripts/user.sh with a new path entry which will then be executed each container start as root, then you have fail2ban installed, everything else is up to you.

 

Sorry, but I won't change my containers and add fail2ban since it is possible for users to do that with the method above and as said I'm not a big fan of fail2ban anyways because it's not really effective.

 

May I ask if you have so many bots that are scraping RustDesk? Most bots are only specialized on web requests which RustDesk won't answer anyways.

Fair enough, how could I also store its config in a persistent location?

Honestly, at the moment I'm still wary, so my process has been to open the firewall ports when I use it, and close them as soon as I'm done.
Have also been experimenting with unraid to put dockers on vlans, so I can have them on my guest network. But NAT reflection on opnsense makes things tricky because the rules that stop guest machines playing up on the network, also block access from the rest of the vlans, as the connection isn't *really* coming from the outside world and kinda loops back. But that's a whole nother thing.

  • Author
9 minutes ago, 4554551n said:

Fair enough, how could I also store its config in a persistent location?

Just store it in DATA_DIR so to speak in /rustdesk-server

 

10 minutes ago, 4554551n said:

so my process has been to open the firewall ports when I use it, and close them as soon as I'm done.

Try to leave it open for RustDesk and see if you get any connection attempts; RustDesk won't answer bots which are used for web scraping. You can then look every day at the RustDesk log, where you would only see connections from authenticated machines, at least that's the case over here.

 

11 minutes ago, 4554551n said:

But NAT reflection on opnsense makes things tricky because the rules that stop guest machines playing up on the network, also block access from the rest of the vlans, as the connection isn't *really* coming from the outside world and kinda loops back. But that's a whole nother thing.

This is easily solvable with rules on OPNSense, you just have to allow connections to the IP address with the ports from RustDesk in the VLAN where you want to connect to RustDesk and it will work as usual <- however this is something completely OT but it works since I had it configured almost like that but I moved on and now use MikroTik and couldn't be happier that I switched. :)

Hello ich777, 

 

I wonder if it is possible for you to create a CA template for opencloud.eu (https://github.com/opencloud-eu)

It is a fork of owncloud from the Heinlein Group (mailbox.org), written in Go.

Best Regards

 

Hello everyone!

 

I'm using the lancache-prefill container, really useful!

Is there a way to implement an email-notification with the content of the logfile, maybe with some keywords?

 

I'd love to get an email notifying me when there were new updates the cache was filled with.

 

Greetings and thanks in advance!

  • Author
4 hours ago, Jaytie said:

I'd love to get an email notifying me when there were new updates the cache was filled with.

Please request that here:

https://github.com/tpill90/steam-lancache-prefill

 

However I don't see much value in that since this would basically mean each day a notification about updates from games. :)

  • Author
16 hours ago, Squaracas said:

I wonder if it is possible for you to create a CA template for opencloud.eu (https://github.com/opencloud-eu)

Sorry I don't create container templates from third parties anymore and since this is a multi part container I would recommend maybe using the Docker Compose plugin for that:

https://github.com/opencloud-eu/opencloud/tree/main/deployments/examples/opencloud_full

here is the documentation for that:

https://github.com/opencloud-eu/docs/blob/main/docs/admin/installation/docker-compose.md#spin-up-a-temporary-local-instance-of-opencloud-using-docker-compose

 

You could of course set up container by container, that would of course also work.

Hi friend, I'm trying to install the Portfolio-Performance template from the community apps and I'm getting this error message for authentication requirements to pull the image.

 

Any idea how I can solve this?
 

Quote

Unable to find image 'ghcr.io/ich777/portfolio-performance:latest' locally
docker: Error response from daemon: Head "https://ghcr.io/v2/ich777/portfolio-performance/manifests/latest": denied: denied.
See 'docker run --help'

 

  • Author
1 hour ago, Adenine said:

Any idea how I can solve this?

Hmmm, I can't reproduce this over here:
grafik.thumb.png.f4a9362af17379efc9c82aac80b8c9c2.png

 

Are you possibly logged in to DockerHub or better speaking did a manual login to DockerHub from the Terminal?

3 hours ago, Adenine said:

Hi friend, I'm trying to install the Portfolio-Performance template from the community apps and I'm getting this error message for authentication requirements to pull the image.

 

Any idea how I can solve this?
 

 

What do you get as output when you run

 

curl -LH "Authorization: Bearer none" https://ghcr.io/v2/ich777/portfolio-performance/manifests/latest | jq .

in the unraid terminal?


If it looks like this
image.thumb.png.240e0384bd37e69d853cfbd879dfc1e3.png

you have to sign out of ghcr.io with 

 

docker logout ghcr.io

The docker token isn't set up to have the read:packages scope, by the looks of it


If it doesn't look like it does on the screenshot, something else is going on

Edited by Mainfrezzer

Hi,

I have installed RustDeskServer-AiO  and configured the pfSense firewall to open the following ports:

21115-21119 TCP

21116 UDP

On two PCs in my local network, I installed RustDesk and configured the connection as follows:

Server ID: rustdesk.mydomain.com (I created an A record and a Host Override in pfSense to point to the Unraid server's IP)

Relay: Unraid server IP

Key: Key generated from RustDeskServer-AiO logs

Issue:

I can connect when on the same local network, and the logs show:

[src/relay_server.rs:436] Relayrequest ed6cbbed-d671-4eb1-87fa-fe81cde9748b from [::ffff:10....108]:51540 got paired INFO [src/relay_server.rs:442] Both are raw

RustDesk shows "READY", but...
I cannot connect from an external (WAN) network. The logs show:

[src/relay_server.rs:452] New relay request 7312567a-75db-4f1b-b6b9-3565036d7ae6 from [::ffff:10....82]:62231

I have checked the following:
The server is accessible within the local network
Ports are open in pfSense
No firewall rules are blocking traffic

Has anyone encountered this issue before? What else should I check?

Thanks in advance!
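Added example (not part of any post in this thread, and not code from RustDesk or the container): a small Python summary of the relay log that matches the two message shapes quoted in the post above, "New relay request" and "Relayrequest ... got paired", and reports which requests never got a second peer, per source address. The sample lines, UUIDs and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: line shapes copy the two relay messages quoted in
# the post above; UUIDs and addresses (RFC 5737 ranges) are made up.
SAMPLE_LOG = """\
INFO [src/relay_server.rs:452] New relay request 11111111-1111-4111-8111-111111111111 from [::ffff:192.0.2.10]:51540
INFO [src/relay_server.rs:436] Relayrequest 11111111-1111-4111-8111-111111111111 from [::ffff:192.0.2.20]:40112 got paired
INFO [src/relay_server.rs:442] Both are raw
INFO [src/relay_server.rs:452] New relay request 22222222-2222-4222-8222-222222222222 from [::ffff:198.51.100.7]:62231
INFO [src/relay_server.rs:452] New relay request 33333333-3333-4333-8333-333333333333 from 198.51.100.7:62240
INFO [src/relay_server.rs:452] New relay request 44444444-4444-4444-8444-444444444444 from [::ffff:192.0.2.10]:51600
INFO [src/relay_server.rs:436] Relayrequest 44444444-4444-4444-8444-444444444444 from [::ffff:192.0.2.20]:40150 got paired
"""

UUID = r"(?P<uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
NEW = re.compile(r"New relay request " + UUID + r" from (?P<addr>\S+)")
PAIRED = re.compile(r"Relayrequest " + UUID + r" from (?P<addr>\S+) got paired")


def source_ip(addr):
    """Turn '[::ffff:192.0.2.10]:51540' or '192.0.2.10:51540' into '192.0.2.10'."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host  # redacted or truncated address: keep it verbatim
    return str(getattr(ip, "ipv4_mapped", None) or ip)


def summarize(lines):
    """Return (per-source counters, sorted UUIDs that never got paired)."""
    opened, paired = {}, set()
    for line in lines:
        m = PAIRED.search(line)
        if m:
            paired.add(m["uuid"])  # second peer joined with the same UUID
            continue
        m = NEW.search(line)
        if m:
            opened[m["uuid"]] = source_ip(m["addr"])  # first peer opened it
    per_ip = defaultdict(lambda: {"requests": 0, "paired": 0, "unpaired": 0})
    for uuid, ip in opened.items():
        per_ip[ip]["requests"] += 1
        per_ip[ip]["paired" if uuid in paired else "unpaired"] += 1
    return dict(per_ip), sorted(u for u in opened if u not in paired)


def never_paired_sources(per_ip):
    """Sources whose every relay request stayed unpaired."""
    return sorted(ip for ip, c in per_ip.items() if c["paired"] == 0)


if __name__ == "__main__":
    stats, unpaired = summarize(SAMPLE_LOG.splitlines())
    for ip, counts in sorted(stats.items()):
        print(ip, counts)
    print("unpaired requests:", unpaired)
    print("sources that never paired:", never_paired_sources(stats))
```

An unpaired request only shows that no second peer reached the relay with that UUID; the log lines alone do not say why.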

  • Author
1 hour ago, geogeo277 said:

Server ID: rustdesk.mydomain.com (I created an A record and a Host Override in pfSense to point to the Unraid server's IP)

You don't need to do that, mydomain.com is just fine if you've opened the ports.

 

1 hour ago, geogeo277 said:

I cannot connect from an external (WAN) network. The logs show

Are you sure that NAT reflection (Hairpin NAT) is working properly on your firewall?

 

1 hour ago, geogeo277 said:

Has anyone encountered this issue before? What else should I check?

Please double check that NAT reflection is working properly on your firewall.

6 hours ago, ich777 said:

You don't need to do that, mydomain.com is just fine if you've opened the ports.

 

Are you sure that NAT reflection (Hairpin NAT) is working properly on your firewall?

 

Please double check that NAT reflection is working properly on your firewall.

 

ping.jpg

nat.jpg

20 hours ago, geogeo277 said:

 

ping.jpg

nat.jpg

This doesn't indicate anything about NAT reflection.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
 

If it's anything like opnsense you can set it per rule, or globally.
Alternatively, tether to your phone, and try to get in that way to confirm. NAT reflection is probably the culprit.
