this post was submitted on 27 Feb 2024
48 points (88.7% liked)

Selfhosted

40438 readers
436 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

So I've been using Rustdesk with a self hosted server for business and personal use now for some time. However, it is definitely the sketchiest foss software I've used. It seems to be based in China but the developers keep lying and saying its in Singapore.

Here is a list if everything I've found:

https://www.reddit.com/r/selfhosted/comments/14kjvkg/community_consensus_on_rustdesk_with_all_the/

https://github.com/rustdesk/rustdesk/discussions/1159

https://www.reddit.com/r/rustdesk/comments/y230hf/my_rustdesk_client_try_to_communication_with/

https://www.reddit.com/r/selfhosted/comments/10ppntj/reminder_about_the_shadyness_of_rustdesk/

https://www.reddit.com/r/selfhosted/comments/109tn1i/rustdesk_server_117_supports_ipv6_now_selfhosted/j42pf4m/

https://www.reddit.com/r/selfhosted/comments/uurta8/_/

https://www.reddit.com/r/selfhosted/comments/y80sw1/as_someone_that_knows_nothing_about_virtualremote/isxvib2/

https://youtu.be/JIAdEGX_sIU

It seems that now the clients and OSS server are completely foss which is good. They also no longer have public servers in China according to them. In the client itself it also now has better defaults so you are less at risk of getting attacked.

It still is sketch but it now is slightly less sketch I guess? Either way its not ideal.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 13 points 9 months ago

Was using AnyDesk (until it went to shit), then Teamviewer (before they went to shit) and a ton of other VNC and remote desktop options, but did finally land on self-hosting RustDesk.

It's been VERY solid and reliable for me, but what you just brought up concerns me.

I checked my filter log (from Adguard on Windows) to see if Rustdesk is calling home, and I'm not seeing anything after multiple connections and several hours of use. I guess these things aren't a concern with the self-hosted deployment?

[–] [email protected] 8 points 9 months ago (2 children)

If you have a custom DNS, be sure to block all the relay domains they use and block the respective ports from external access. Even if you disable the settings to avoid relays, they don't acknowledge them and continue to try and phone home somewhere. Just checked the latest version on my phone, which has no relay setting configured, before commenting on this and sure enough, still true. Just logged an entry to rs-ny.rustdesk.com on my DNS, which of course was blocked. Desktop app has an option to disable them if I recall, but it never worked for me.

That out of the way, it is a very good local network software for remote access. Way faster than the alternatives I've tried.

[–] [email protected] 1 points 9 months ago (1 children)

Was this on a self-hosted install?

I'm not seeing any calls to *.rustdesk.com when I'm starting, stopping, or using a self-hosted version on Windows.

Or is it calling from home via the docker container?😵

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

Noticed it with the android install (via fdroid) and I think I had the appimage on Linux (not at my machine to check, so going by my memory). I connected to a windows machine that had no internet connectivity so can't speak to the windows installs working and ignoring relays or not, but Linux and android do phone the relay servers at least. I'll see if I can pull some screenshots or details tomorrow when I get a moment! I'll update the appimage too just in case (since I only validated the DNS call being made on my phone yesterday)

Either way, if I had to choose between it and TeamViewer for what I use it for, Rustdesk is still a clear winner lol.

[–] [email protected] 1 points 9 months ago

Okay hopefully attaching images work on this app, never tried on Lemmy lol. I blocked the domain on my network firewall and then unblocked it from the DNS to confirm... and yes, the latest rustdesk appimage still calls out. I guess my memory of trying to disable the relay server was to try and force it to localhost in the settings. Could have swore there was a checkmark setting in there, but maybe that was some other software. The fields are default blank I believe.

However... I just tried to put 127.0.0.1 in ALL the fields (unlike the screenshot, which was when I checked what I had in there before), and it appears to now to call localhost. Either I goofed before, or it was fixed recently, because I am pretty sure I did try that before. It doesn't get you around the very first call made when running the software of course... Opt out, not opt in, lol. But hey at least it's possible now? I just tried on mobile and it worked there to when filling everything in with 127.0.0.1.

load more comments (1 replies)
[–] [email protected] 8 points 9 months ago (1 children)

I never ran it since i got scared by the shit they done with 'wayland support' which smells like really bad code practices. Patch

But i still somewhat want to use it since it seems much less hassle then teamviewer and anydesk these days.

[–] [email protected] 4 points 9 months ago (1 children)

I don't believe it does that anymore and the flatpak never did that. On Reddit they did admit to it being a terrible design.

[–] [email protected] 1 points 9 months ago (3 children)

It does not matter to me if it is still there or not. The point that this was in a release makes me question their code and release practices.

[–] huskypenguin 4 points 9 months ago

They apologized and admitted that it was a dumb thing to do.

[–] [email protected] 3 points 9 months ago

I very much agree. I think it would be best to at least get some third party to verify releases. Maybe if it gets on Flathub that will happen.

[–] [email protected] 1 points 9 months ago

Well, vote with your choices, I suppose.

I've seen enough poor practices go unacknowledged and buried, or simply forgotten (lemmy user count +1 is kindof a minor but hilarious 'fix' for divide-by-zero), that I just like or when an organization acknowledges it and makes a change. I don't need rustdesk, but I wouldn't mind using them.

[–] [email protected] 5 points 9 months ago (1 children)

Do you have the same hangup of 7zip being from Russia?

load more comments (1 replies)
[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

It has way better performance than TeamViewer and AnyDesk but is also as feature rich and can be self hosted, I love it!

[–] [email protected] 2 points 9 months ago

Me too, I hope that they will become more transparent.

[–] [email protected] 3 points 9 months ago (12 children)

So your point is that a FOSS application made in China is sketchy by default or what exactly?

Damn, you Americans are really brainwashed that everything that originates from China is bad.

You know you are free to use TeamViewer or Anydesk and no one is forcing you to use Rustdesk.

[–] [email protected] 6 points 9 months ago (3 children)

Software and hardware from China is known to be compromised on arrival. The CPP is a dangerous authoritarian government and they heavily influence private business in very nasty ways.

As for Team viewer and Anydesk, they are proprietary and can not be trusted. At least Rustdesk is Libre. The most concerning part about Rustdesk is that they delete issues that question the source of the software or Rust desk's potential to be influenced by the CPP.

[–] [email protected] 13 points 9 months ago* (last edited 9 months ago) (4 children)

The US government is a dangerous authoritarian government and they heavily influence private business in very nasty ways.

[–] [email protected] 4 points 9 months ago (1 children)

If I am remembering correctly, Australia also has laws that allow the government to force private companies to build backdoors. I think it was the Ass Access Act.

[–] [email protected] 4 points 9 months ago (1 children)

Oh yeah I'm not denying that.

I'm just saying its short sighted to take any shots at China when the west are authoritarian themselves.

[–] [email protected] 1 points 2 months ago

The difference is that there is SOME accountability in the West and we can, to an extent, influence who leads us, especially in Europe.

So if flagrant misuse does appear, there’s a much higher risk of it being discovered and of heads rolling in the west.

Think of the number of exposed scandals in the West and compare that to China.

And I’m not throwing shit China’s way and thinking the West infallible. I’ve been to China plenty and worked with awesome Chinese people plenty. There’s a lot to love in China.

But let’s not get lost in whataboutisms. Where would you rather raise your children?!

load more comments (3 replies)
[–] [email protected] 8 points 9 months ago* (last edited 9 months ago) (1 children)

The most concerning part about Rustdesk is that they delete issues that question the source of the software or Rustdesk's potential to be influenced by the CPP.

Seriously, if you make the effort to create a big piece of software and then you open source it and then someone opens a ticket in GitHub asking you those questions, how would you feel?

Because neither "what is the source of the software" nor "potential influence by the CPP" has anything to do with the software itself.

You are free to conduct a security audit of the project and based on the results you can open this thread but saying that they have deleted issues opened on their GitHub page that have nothing to do with the software itself is a pure form of witch hunt and I am genuinely surprised how many people have agreed with you.

[–] [email protected] 1 points 9 months ago

Deleting issues shouldn't even be allowed. You can just close the issues are irrelevant and ignore them.

[–] MaliciousKebab 6 points 9 months ago (1 children)

I mean the same thing can be said about the USA, also if there are that many problems why don't you just check the code, it's one of the main strengths of open source software.

[–] [email protected] 1 points 9 months ago (1 children)

The USA isn't nearly as bad as China. I can access or create any news source for example. You also don't see people posting about GNU being compromised by the NSA.

Its always good to verify though.

[–] MaliciousKebab 3 points 9 months ago (1 children)

Yeah you are right on that but there still are many backdoors on plenty of applications that are made by American companies. We also know that some agencies wanted to put backdoors on linux kernel etc. In that case why would you not trust an open source app, and trust a closed source one just because of the nationality of developers

[–] [email protected] 1 points 9 months ago

The problem is that China is very bad about backdoors. Free software and transparency is really the only answer to not having backdoors.

As an example China put backdoors in some Chips though Huawei https://www.wired.com/story/huawei-backdoors-us-crypto-ag/

My concern is that the people behind Rustdesk are kind of a mystery. Many projects with have a publicly known dev where you can track the origin and current developments behind a project. Rustdesk just has a user called "rustdesk" for the most part. The people behind that are not known. What complicates the matter is reports of them removing issues that question the integrity of the code authors. It would make me much happier if they ran a security audit on Rustdesk. Hopefully as it gets more popular someone will either find that it is mostly fine or that it is a security nightmare.

I use it because there aren't a lot of options. Maybe someone else will create something more transparent.

[–] [email protected] 6 points 9 months ago (1 children)

It sound like you are personally offended by this because you are Chinese, but as an European, I share your sentiment. I don't trust either Chinese, nor American solutions. After all, after Snowden, we know American solutions are systematically compromised.

[–] [email protected] 11 points 9 months ago (1 children)

I am not Chinese, I am born and raised in the EU and I am Caucasian.

I am just irritated that FOSS software is being questioned just because it might have been developed by Chinese programmers.

And for the record you can't be sure that any commercial software isn't compromised or it doesn't have backdoors, it just makes detecting those backdoors a lot harder.

[–] fruitycoder 5 points 9 months ago

Foss from places with known APTs are more secure than non-foss too personally. It would be daytime robbery compared to an inside job to implement spyware. It's been done and should be monitored for though.

[–] [email protected] 6 points 9 months ago (1 children)

It's literally a third-party service that let's others control your desktop. Doesn't matter how FOSS the clients and end servers are, one also needs to trust the intermediate servers. If those running them are caught dishonest about which country they're located, the trust evaporates. China or not.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

I'm not too well versed in rustdesk, but it seems that they use end to end encryption (is it good? Idk).

https://github.com/rustdesk/rustdesk/discussions/2239#discussioncomment-5647075

I have experience with a similar software that uses relays, syncthing. With syncthing, everything is e2ee, so there's no concern about whether or not the relay's are trustworthy, and you can even host your own public relay server.

I find it hard to believe that rustdesk, another relay based software, wouldn't have a similar architecture.

edit: typo

[–] [email protected] 2 points 9 months ago

I run syncthing with my own relay and I trust that setup. Owning me through syncthing would basically require backdooring the software, something that'd be likely to go noticed by the syncthing community.

Rustdesk is a backdoor by functionality and it's already using infra I don't control. I don't feel comfortable using that.

[–] [email protected] 5 points 9 months ago

Even in FOSS, parts can be so cryptically written, that no one really understands the code. There is even a tournament about that. When the shady person is the maintainer, it is even easier to implement a backdoor that way.

(Not saying there is or is not)

load more comments (8 replies)
[–] huskypenguin 3 points 9 months ago

I love it, it works. Running a server is super easy and the speed is quite nice for a free piece of software.

[–] [email protected] 1 points 9 months ago

Here is an alternative Piped link(s):

https://piped.video/JIAdEGX_sIU

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] [email protected] 1 points 9 months ago (6 children)

I wouldn't touch it with a stick. The whole thing is just shady to say the least. Nothing trustworthy whatsoever.

MeshCentral needs to get better. We need it.

load more comments (6 replies)
[–] [email protected] 1 points 9 months ago (1 children)

I’ve found using software meant for gaming often works better for this application. My personal choice is moonlight. I run it behind Tailscale so my connections never leave my devices. Even over cellular it’s snappy enough for non gaming tasks, and if I need to check on my dailies in a game or something similar, it handles that much better than any Remote Desktop product. I messed around with rust desk and could never get it quite working and didn’t feel comfortable using the public servers at the time. So I swapped to moonlight and it serves me well.

Games on Whales is a containerized version of moonlight that I struggled to get working as well, but I thinks that’s because I’m a docker beginner.

[–] [email protected] 1 points 9 months ago (1 children)

How did you get it to work without auto login?

[–] [email protected] 1 points 9 months ago

As of now I ran moonlight on Windows, so I might not be able to help a ton. I just started my own Arch (by the way) install that I plan to revisit getting moonlight running on, but I’m not even at a desktop environment yet.

load more comments
view more: next ›