Comprehensive plan to implement a Virtual Desktop Infrastructure (VDI) that fulfills the following requirements:
- Should be possible to run Windows and Linux machines/user logins/thin clients
- Should be possible to control internet access for these users based on corporate policies: different access levels, and what each user can reach, determined by their roles and needs
- Simultaneous multi-user logins on a few Windows machines
- Open-source and free technologies preferred over paid, commercial solutions
---
### **Option 1: Proxmox VE with SPICE and Open-Source Tools**
#### **Proxmox VE as the VDI Platform**
- Proxmox VE is an open-source virtualization platform that supports Linux and Windows virtual machines.
- Use SPICE (Simple Protocol for Independent Computing Environments) for high-performance remote access.
- Thin clients can connect via SPICE or RDP.
#### **Features**
1. **Windows and Linux Machines/User Logins**: Proxmox can host both Windows and Linux VMs. Set up templates for user-specific configurations.
2. **Internet Access Control**:
   - Use pfSense or OPNsense as a firewall and proxy.
   - Implement Squid Proxy for URL filtering and access control based on roles.
3. **Simultaneous Multiple-User Logins on Windows**:
   - Enable Remote Desktop Services (RDS) on Windows Server.
   - Use `RDPWrap` to enable multi-user login on Windows 10 (not officially supported, but works in many cases).
4. **Economical and Open Source**: Proxmox VE and associated tools like SPICE, pfSense, and Squid are open-source.
#### **Steps to Set Up**
1. **Install Proxmox VE** on a server with adequate CPU, RAM, and storage.
2. **Create VMs** for Windows/Linux with user-specific configurations.
3. **Integrate SPICE** for thin-client access.
4. **Configure pfSense** for internet access control.
5. **Enable Role-Based Access Control (RBAC)** using Proxmox's user management or integrate LDAP/Active Directory.
6. **Use RDPWrap** for Windows multi-user logins.
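Step 5 in shell form, as an added example (not Proxmox's own code or documentation): a script that creates an LDAP realm, a least-privilege `VDIUser` role, and one pool, group and ACL per business role using `pveum` and `pvesh`. The realm name, LDAP host, base DN, role names and the sample user are assumptions; the `pve` wrapper prints each command when the Proxmox CLIs are not installed, so the script can be reviewed before it is run on the node.

```shell
#!/bin/sh
# Least-privilege Proxmox VE access for VDI users (added example).
# Assumptions: realm name, LDAP host, base DN, role/group/pool names and the
# sample user are placeholders for this illustration.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.internal}"   # placeholder
BASE_DN="${BASE_DN:-dc=example,dc=internal}"       # placeholder
REALM="vdildap"

# Run the command when the Proxmox CLI is installed; otherwise print it so
# the script can be reviewed (or tested) on a workstation.
pve() {
  if command -v "$1" >/dev/null 2>&1; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Realm: PVE verifies passwords against LDAP over TLS and stores none itself.
add_ldap_realm() {
  pve pveum realm add "$REALM" --type ldap --server1 "$LDAP_HOST" \
      --base_dn "$BASE_DN" --user_attr uid --secure 1
}

# Role: only what a desktop user needs (console, power, read status);
# deliberately no VM.Config.*, Datastore.* or Sys.* privileges.
add_vdi_role() {
  pve pveum role add VDIUser --privs "VM.Console VM.PowerMgmt VM.Audit"
}

# One resource pool and one group per business role. Binding the ACL to the
# pool means a user can only see desktops that were placed in that pool.
add_role_scope() {   # $1 = business role, e.g. finance
  pve pvesh create /pools --poolid "vdi-$1" --comment "VDI desktops: $1"
  pve pveum group add "vdi-$1" --comment "VDI users: $1"
  pve pveum acl modify "/pool/vdi-$1" --groups "vdi-$1" --roles VDIUser
}

# Put an LDAP user into a role group. The user entry must exist in PVE
# (created here, or by a realm sync) before it can be a group member.
enroll_user() {      # $1 = LDAP uid, $2 = business role
  pve pveum user add "$1@$REALM"
  pve pveum user modify "$1@$REALM" --groups "vdi-$2"
}

add_ldap_realm
add_vdi_role
for role in finance engineering; do add_role_scope "$role"; done
enroll_user jdoe finance
```

The point is scope: a VDI user gets `VM.Console`, `VM.PowerMgmt` and `VM.Audit` on one pool only, so a compromised desktop account cannot reach other roles' VMs, storage or node settings. Run it as root on the PVE node and confirm the result with `pveum acl list`.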
#### **Relevant Links**
- [Proxmox VE Documentation](https://pve.proxmox.com/wiki/Main_Page)
- [pfSense Documentation](https://docs.netgate.com/pfsense/en/latest/)
- [SPICE Project](https://www.spice-space.org/)
---
### **Option 2: Apache Guacamole for Clientless Remote Desktop**
#### **Apache Guacamole**
- A clientless remote desktop gateway that supports RDP, VNC, and SSH via a browser.
- Completely open-source and lightweight.
#### **Features**
1. **Windows and Linux Access**: Seamless access to VMs or physical desktops over RDP/SSH.
2. **Thin Clients**: Access through any browser; no software required on the client side.
3. **Internet Access Control**:
   - Integrate with Squid Proxy for URL filtering.
   - Use LDAP for role-based restrictions.
4. **Multi-User Logins**: Use RDPWrap for Windows or a Windows Server with RDS.
#### **Steps to Set Up**
1. Deploy a Proxmox VE or other hypervisor for hosting VMs.
2. Install Apache Guacamole on an Ubuntu server.
3. Configure Guacamole to connect to Windows and Linux VMs.
4. Implement internet access control via pfSense and Squid Proxy.
5. Integrate LDAP for role-based access.
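Steps 4 and 5 combined, as an added example that is not Squid's, Guacamole's or Proxmox's own configuration (the same Squid-based role filtering appears in Options 1 and 3): a script that generates a `squid.conf` fragment in which every request must authenticate against LDAP, each LDAP group may reach only its own allow-list, and the final rule is `http_access deny all`. The LDAP host, base DN, group names, helper paths under `/usr/lib/squid` and the domain lists are assumptions or constructed sample data.

```shell
#!/bin/sh
# Role-based egress filtering for Squid (added example, not Squid's own
# configuration). LDAP host, base DN, group names, helper paths and the
# domain lists below are assumptions / constructed sample data.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.internal}"   # placeholder
BASE_DN="${BASE_DN:-dc=example,dc=internal}"       # placeholder
HELPERS=/usr/lib/squid                              # Debian/Ubuntu path; adjust per distro

# Allow-list per role, one dstdomain pattern per line (constructed sample data).
# A leading dot matches the domain and all of its subdomains.
role_domains() {
  case "$1" in
    finance)     printf '%s\n' .bank.example.net .erp.example.internal ;;
    engineering) printf '%s\n' .github.com .pypi.org .docs.example.internal ;;
    *)           echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Write a squid.conf fragment plus one domain list per role. Order matters:
# Squid evaluates http_access rules top to bottom and stops at the first match.
write_squid_rbac() {   # $1 = output dir, remaining args = roles
  dir=$1; shift
  mkdir -p "$dir/acl"
  conf="$dir/squid-rbac.conf"
  {
    echo "# 1. Every request must carry credentials that LDAP accepts (StartTLS via -ZZ)"
    echo "auth_param basic program $HELPERS/basic_ldap_auth -b \"$BASE_DN\" -f \"(uid=%s)\" -h $LDAP_HOST -ZZ"
    echo "auth_param basic realm VDI proxy"
    echo "acl authenticated proxy_auth REQUIRED"
    echo "http_access deny !authenticated"
    echo "# 2. Group membership lookup: %u is the authenticated user, %g the group name"
    echo "external_acl_type ldap_group %LOGIN $HELPERS/ext_ldap_group_acl -b \"$BASE_DN\" -f \"(&(cn=%g)(memberUid=%u))\" -h $LDAP_HOST -ZZ"
    for role in "$@"; do
      role_domains "$role" > "$dir/acl/$role.txt"
      echo "# 3. Role '$role': members of LDAP group vdi-$role reach only their list"
      echo "acl grp_$role external ldap_group vdi-$role"
      echo "acl dst_$role dstdomain \"$dir/acl/$role.txt\""
      echo "http_access allow grp_$role dst_$role"
    done
    echo "# 4. Default deny: anything not explicitly allowed above"
    echo "http_access deny all"
  } > "$conf"
  echo "$conf"
}

# Reviewer check: the final http_access rule must be the default deny.
check_default_deny() {
  tail -n 1 "$1" | grep -q '^http_access deny all$'
}

conf=$(write_squid_rbac "${SQUID_RBAC_DIR:-/tmp/squid-rbac-example}" finance engineering)
check_default_deny "$conf" && echo "wrote $conf"
```

Include the generated file from `squid.conf` and run `squid -k parse` before reloading. With plain `dstdomain` rules Squid only sees the hostname of a CONNECT request, which is enough for a domain allow-list; path-level filtering of HTTPS would additionally require SSL bumping and its own risk review. The proxy policy is only effective if pfSense blocks direct egress from the VDI network, so that the proxy is the sole path to the internet.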
#### **Relevant Links**
- [Apache Guacamole Documentation](https://guacamole.apache.org/doc/)
- [RDPWrap GitHub](https://github.com/stascorp/rdpwrap)
---
### **Option 3: oVirt with Thin Clients**
#### **oVirt as the VDI Platform**
- Open-source virtualization platform similar to Proxmox.
- Includes features for hosting and managing VMs, thin-client access, and multi-user setups.
#### **Features**
1. **Windows and Linux Support**: Host VMs with RDP or SPICE access.
2. **Internet Access Control**:
   - Use oVirt's network management to route traffic through a proxy (like Squid).
   - Role-based controls via oVirt user management.
3. **Simultaneous Multi-User Logins**:
   - Use RDS for Windows Server.
   - Set up Linux VMs with multi-seat or SSH access.
4. **Open Source**: oVirt is open-source with enterprise-grade features.
#### **Steps to Set Up**
1. Install oVirt on a dedicated server.
2. Create VM templates for Windows and Linux.
3. Configure SPICE or RDP for thin-client access.
4. Deploy pfSense or Squid Proxy for access control.
5. Integrate LDAP or FreeIPA for user management.
#### **Relevant Links**
- [oVirt Documentation](https://www.ovirt.org/documentation/)
- [Squid Proxy](http://www.squid-cache.org/)
---
### **Option 4: Hybrid Approach with Kubernetes**
#### **KubeVirt on Kubernetes**
- Use KubeVirt to run VMs within a Kubernetes cluster.
- Containerize applications for Linux users and use VMs for Windows.
#### **Features**
1. **Scalability**: Kubernetes provides auto-scaling for resources.
2. **Internet Access Control**:
   - Use Calico or Cilium for network policies.
   - Deploy an ingress controller with role-based filtering.
3. **Simultaneous Multi-User Logins**:
   - Implement RDS for Windows VMs.
   - Use Kubernetes RBAC for Linux containers.
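The Calico/Cilium network policy from item 2, as an added example that is not part of this plan or of either project's documentation: a standard Kubernetes `NetworkPolicy` (enforced by both Calico and Cilium) that puts a per-role namespace into default-deny egress and allows only cluster DNS and the filtering proxy. The namespace name, proxy CIDR and port are assumptions; `apply_policy` applies the manifest when `kubectl` is available and otherwise prints it for review.

```shell
#!/bin/sh
# Default-deny egress for one VDI namespace per role, with exceptions for
# cluster DNS and the corporate filtering proxy (added example; namespace,
# proxy CIDR and port are assumptions).
set -eu

# $1 = namespace (one per business role), $2 = proxy CIDR, $3 = proxy port
render_vdi_egress_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vdi-egress-via-proxy
  namespace: $1
spec:
  podSelector: {}            # every pod in the namespace, incl. KubeVirt virt-launcher pods
  policyTypes:
  - Egress                   # listing Egress with these rules denies all other egress
  egress:
  - to:                      # name resolution only via the cluster resolver
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:                      # everything else must go through the filtering proxy
    - ipBlock:
        cidr: $2
    ports:
    - protocol: TCP
      port: $3
EOF
}

# Apply when a cluster is reachable; otherwise emit the manifest for review.
apply_policy() {
  if command -v kubectl >/dev/null 2>&1; then
    render_vdi_egress_policy "$@" | kubectl apply -f -
  else
    render_vdi_egress_policy "$@"
  fi
}

apply_policy vdi-finance 10.10.0.0/24 3128
```

KubeVirt runs each VM inside a `virt-launcher` pod, so the empty `podSelector` covers the Windows VMs as well as the Linux application containers in the same namespace. The role split then becomes one namespace per role, with the proxy applying that role's URL policy; the proxy itself should sit outside these namespaces so the policy cannot be bypassed from within.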
#### **Relevant Links**
- [KubeVirt](https://kubevirt.io/)
- [Calico Networking](https://projectcalico.docs.tigera.io/)
---
### **Known Risks**
- RDPWrap
  - RDPWrap hooks into the Remote Desktop Services (`termsrv.dll`) to enable multiple simultaneous user sessions on non-server editions of Windows, such as Windows 10 or 11 Professional.
  - Compatibility depends on the `termsrv.dll` version. After recent Windows updates, you may need to check for an updated `rdpwrap.ini` configuration file.
  - Further, Microsoft makes periodic changes to `termsrv.dll`, including closing loopholes, so the longevity of a working solution cannot be guaranteed.
  - **Security Concerns**: Using RDPWrap may violate Microsoft's licensing terms and could have security implications if not configured properly (e.g., ensuring proper authentication and firewall rules).
---
### **Hardware Recommendations**
- Use a server with at least:
  - 64+ CPU cores
  - 256 GB RAM
  - Enterprise SSD storage for higher IOPS
  - 10 Gbps internet bandwidth
- Alternatively, explore a cluster of machines