Apache Guacamole
Docker Compose deployment guide for Apache Guacamole on Ubuntu.
Apache Guacamole is a clientless remote desktop gateway that allows access to servers and desktops through a web browser. It supports SSH, RDP, VNC, and Telnet connections without requiring additional client software.
Official project:
What I Use Guacamole For
I primarily use Guacamole to access my homelab servers remotely via SSH.
Typical uses include:
- Remote server administration
- Docker maintenance
- Troubleshooting
- Checking backups
- Running updates
- Accessing systems when travelling
Because everything runs inside a browser, I can securely access my servers from almost any device without needing a dedicated SSH client.
Why I Like Guacamole
Guacamole offers several advantages:
- Browser-based access
- No client software required
- SSH support
- RDP support
- VNC support
- User management
- Two-factor authentication support
- Self-hosted
- Easy Docker deployment
For homelab use, it provides a convenient central portal for managing multiple systems.
Create the Project Folder
mkdir -p /opt/docker/guacamole
cd /opt/docker/guacamole
Create the Docker Compose File
Create:
/opt/docker/guacamole/docker-compose.yml
Paste:
services:
guacamole:
image: jwetzell/guacamole
container_name: guacamole
ports:
- "8080:8080"
volumes:
- ./guacamole:/config
restart: unless-stopped
Start Guacamole
From the project directory:
docker compose up -d
Verify the container is running:
docker ps
You should see:
guacamole
Initial Access
Open:
http://SERVER-IP:8562
You will be presented with the Guacamole login screen.
Follow the container documentation to create your initial user account and configure connections.
Enabling Two-Factor Authentication
One of the reasons I use this container image is its built-in support for TOTP-based two-factor authentication.
This is enabled through:
EXTENSIONS: "auth-totp"
After configuration, users must provide:
- Username
- Password
- One-time authentication code
This adds an additional layer of protection when accessing servers remotely.
Creating SSH Connections
After logging in, create a new connection.
Typical SSH connection settings:
Protocol: SSH
Hostname: 192.168.x.x
Port: 22
Username: your_username
You can optionally store credentials within Guacamole or enter them manually during login.
For security reasons, I prefer not to store SSH passwords whenever possible.
Reverse Proxy Configuration
I strongly recommend placing Guacamole behind a reverse proxy such as Caddy.
Example:
guacamole.yourdomain.com {
reverse_proxy 192.168.1.100:8562
}
If you are new to reverse proxies, see:
Security Considerations
Because Guacamole provides remote access to your infrastructure, security should be taken seriously.
My recommendations:
- Use HTTPS
- Enable two-factor authentication
- Use strong passwords
- Keep Docker images updated
- Restrict access where possible
- Disable unused accounts
With HTTPS and TOTP enabled, Guacamole can be a secure way to access a homelab remotely.
Updating Guacamole
Pull the latest image:
docker compose pull
Recreate the container:
docker compose up -d
Remove unused images:
docker image prune -f
Backups
The important data is stored in:
/opt/docker/guacamole/guacamole
This contains:
- User configuration
- Connection settings
- Authentication configuration
- Extension data
Include this folder in your normal backup routine.
For details, see:
Folder Structure
My deployment uses:
/opt/docker/guacamole
├── docker-compose.yml
└── guacamole/
This keeps everything contained within a single project folder.
Advanced Example (Reference Only)
This is the configuration I currently use in my own homelab.
services:
guacamole:
container_name: guacamole
stop_grace_period: 60s
image: jwetzell/guacamole
restart: unless-stopped
ports:
- 8562:8080
volumes:
- ./guacamole:/config:rw
environment:
TZ: America/Santo_Domingo
EXTENSIONS: "auth-totp"
This example enables:
- TOTP two-factor authentication
- Custom timezone settings
- Persistent configuration storage
Final Thoughts
Apache Guacamole has become one of the most useful services in my homelab.
It provides a convenient browser-based gateway to multiple systems and allows me to access servers remotely without installing additional client software.
Combined with HTTPS and two-factor authentication, it offers a secure and practical way to manage a homelab from almost anywhere.