Remote Desktop on Bluefin

Type: Topic
Status: Published
Created: Mar 6, 2026 by Dosu Bot
Updated: Mar 6, 2026 by Dosu Bot

GNOME Remote Desktop is a remote desktop daemon integrated into Bluefin that enables secure remote access to your desktop. It has used RDP (Remote Desktop Protocol) as its primary protocol since GNOME 42 and provides a feature-rich remote desktop experience through PipeWire-based screen capture and streaming. The service is pre-installed in Bluefin's base image and configured through GNOME Settings.

Remote desktop access is managed through Settings > System > Remote Desktop, where users can enable Desktop Sharing for view-only access or Remote Control for full interactive sessions. GNOME 46 introduced Remote Login, enabling headless remote access at the login screen without requiring an active user session. Connections can be established using GNOME Connections or any standard RDP client.

Bluefin LTS users should be aware of known issues with SELinux enforcement blocking RDP connections and a missing system user issue affecting Fedora 42-based systems. Both issues have documented workarounds. Additionally, port 3389 requires manual firewall configuration on Bluefin LTS. For secure remote access over the internet, Bluefin includes Tailscale for encrypted VPN tunneling.

GNOME Remote Desktop Overview

Protocol Support

GNOME Remote Desktop supports two protocols with different use cases:

RDP (Primary Protocol)

RDP became the primary remote desktop protocol in GNOME 42, offering superior security and features compared to VNC. The implementation uses port 3389 by default and supports H.264 video encoding when hardware acceleration is available, significantly reducing bandwidth usage. RDP provides TLS encryption and fingerprint verification for secure connections.

VNC (Legacy Support)

VNC remains available through command-line configuration for compatibility with legacy systems. VNC uses ports 5900 and above but is no longer recommended for new deployments due to RDP's superior security and feature set.

Architecture

GNOME Remote Desktop operates as a systemd user service that integrates tightly with the GNOME desktop environment. The daemon uses PipeWire for efficient screen capture and streaming, enabling low-latency remote access with modern video encoding capabilities. The service communicates with GNOME Settings via D-Bus and can be managed through the grdctl command-line utility for scripting and automation.

Key Features

Desktop Sharing enables view-only screen sharing where remote users can observe but not interact with the desktop. This mode is useful for demonstrations and monitoring.

Remote Control provides full interactive access, allowing remote users to move the cursor, launch applications, and browse files as if they were sitting at the physical machine.

Remote Login (GNOME 46+) enables headless remote access at the GDM login screen without requiring an active local user session. This feature makes Bluefin suitable for server-like deployments where systems are accessed exclusively via remote desktop. The remote display can be configured from the client side, and the system's full resources are available to remote users.

Encryption Verification allows users to compare encryption fingerprints displayed on both client and server to verify secure connection establishment and prevent man-in-the-middle attacks.

Configuration on Bluefin

Enabling Remote Desktop

Configure remote desktop through GNOME Settings using the following steps:

  1. Open Settings > System > Remote Desktop
  2. Enable the Desktop Sharing switch for view-only access
  3. Enable Remote Control if interactive access is required
  4. Enable Remote Login for headless access when no user is logged in
  5. Note the hostname, port, and credentials displayed in the Settings panel
  6. Connect using GNOME Connections or another RDP client

The Settings panel displays connection information including the device name, hostname, and port number (typically 3389 for RDP).

Authentication

GNOME Settings displays the username and password required for remote connections. For command-line credential management, use the grdctl utility:

RDP Credentials

grdctl rdp set-credentials USERNAME PASSWORD
grdctl rdp clear-credentials

VNC Credentials

grdctl vnc set-password PASSWORD
grdctl vnc clear-password

TLS Certificate Configuration

grdctl rdp set-tls-cert TLS-CERT
grdctl rdp set-tls-key TLS-KEY

Client Applications

GNOME Connections (Recommended)

GNOME Connections is pre-installed on Bluefin and provides the most integrated remote desktop experience. Simply enter the hostname or IP address and the credentials configured in Settings.

Other RDP Clients

Any standards-compliant RDP client works with GNOME Remote Desktop:

  • Remmina (Linux)
  • Microsoft Remote Desktop (Windows, macOS, iOS, Android)
  • FreeRDP (cross-platform command-line)

VNC Clients

For systems configured to use VNC, any VNC client can connect to the configured VNC port.

Bluefin-Specific Configuration

Firewall Configuration

Bluefin LTS uses the FedoraWorkstation firewall zone which opens unprivileged ports 1025-65535 for both TCP and UDP traffic. Since RDP's standard port 3389 is a privileged port, it remains blocked by default and requires manual firewall configuration:

sudo firewall-cmd --zone=public --add-port=3389/tcp --permanent
sudo firewall-cmd --reload

Verify the rule was added:

sudo firewall-cmd --list-ports
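
firewalld applies port rules per zone and prints ranges as well as single ports, so the reliable check is whether the zone your interface is actually bound to covers 3389/tcp. The script below is an added example, not part of Bluefin's own scripts; the helper names port_allowed, zone_names and report_active_zones are made up here, and it looks at port entries only, not firewalld service definitions.

```sh
#!/bin/sh
# Added example (not from the Bluefin project): check whether the firewalld
# zone(s) actually in use allow a port. Helper names are hypothetical.

# port_allowed PORT PROTO "LIST": succeed if LIST (the output format of
# `firewall-cmd --list-ports`) covers PORT/PROTO, either as a single entry
# or inside a range such as 5900-5910/tcp.
port_allowed() {
    printf '%s\n' "$3" | tr ' ' '\n' | awk -F'[-/]' -v p="$1" -v proto="$2" '
        NF == 2 && $2 == proto && $1 + 0 == p + 0 { ok = 1 }
        NF == 3 && $3 == proto && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# zone_names: read `firewall-cmd --get-active-zones` output on stdin and
# print the zone names (zone lines are unindented, detail lines indented).
zone_names() {
    awk '/^[^ \t]/ { print $1 }'
}

# report_active_zones PORT PROTO: one line per active zone.
report_active_zones() {
    firewall-cmd --get-active-zones | zone_names | while read -r zone; do
        ports=$(firewall-cmd --zone="$zone" --list-ports)
        if port_allowed "$1" "$2" "$ports"; then
            echo "$zone: $1/$2 open"
        else
            echo "$zone: $1/$2 not listed"
        fi
    done
}

# Constructed sample in --list-ports format, so the parser can be tried offline.
sample='22/tcp 5900-5910/tcp 3389/udp'
port_allowed 3389 tcp "$sample" || echo "sample: 3389/tcp not listed"

# On a real system, query firewalld itself.
if command -v firewall-cmd >/dev/null 2>&1; then
    report_active_zones 3389 tcp
fi
```

If a zone that holds your network interface reports the port as not listed, the rule was added to a different zone than the one in effect.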

Package Installation

GNOME Remote Desktop is pre-installed as part of Bluefin's minimal GNOME package group. No additional package installation is required. The firewalld service is enabled during system setup.

Immutable System Considerations

Bluefin's immutable architecture affects remote desktop configuration in specific ways:

Configuration Persistence

Files in /etc persist across system updates, meaning firewall rules, systemd service overrides in /etc/systemd/system/, and other configuration changes survive updates. System updates replace the entire image rather than updating individual packages.

Package Management

Local package layering is locked by default via LockLayering=true in /etc/rpm-ostreed.conf. Since GNOME Remote Desktop is pre-installed, users don't need to layer additional packages. Configuration changes should be made through GNOME Settings or by editing configuration files in /etc.

Known Issues and Workarounds

SELinux Issue on Bluefin LTS

Problem: RDP connections fail when SELinux is in enforcing mode on Bluefin LTS systems. The gnome-remote-desktop service logs show:

Init TPM credentials failed because Failed to initialize transmission interface context

This issue is related to an upstream Fedora bug and is expected to be fixed upstream.

Workaround:

Temporarily set SELinux to permissive mode:

sudo setenforce 0

Verify the change:

getenforce

Security Note: This workaround reduces system security by disabling SELinux enforcement. Use this only as a temporary measure and monitor upstream bug trackers for a permanent fix. Do not use this configuration on production systems exposed to untrusted networks.

Missing System User (Fedora 42)

Problem: On Fedora 42-based Bluefin systems, the gnome-remote-desktop.service fails with a core dump. The service expects a system user named gnome-remote-desktop, which exists in /usr/lib/passwd but not in /etc/passwd. UID conflicts with the saslauth user may occur on upgraded systems.

Workaround 1 (Recommended):

Copy the user definition and fix ownership:

grep '^gnome-remote-desktop:' /usr/lib/passwd | sudo tee -a /etc/passwd
sudo chown -R gnome-remote-desktop: /var/lib/gnome-remote-desktop
sudo systemctl restart gnome-remote-desktop.service

Workaround 2 (Alternative):

Create a systemd service override to use an existing user:

sudo systemctl edit gnome-remote-desktop.service

Add the following content:

[Service]
User=saslauth

Save and restart the service:

sudo systemctl restart gnome-remote-desktop.service
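
The two conditions described above (the account missing from /etc/passwd, and its UID already held by another account such as saslauth) can be told apart before anything is appended or overridden. The script below is an added example, not part of Bluefin or GNOME Remote Desktop; its function names are made up here and the UIDs in the sample data are constructed.

```sh
#!/bin/sh
# Added example (not from the Bluefin project): classify the state of the
# gnome-remote-desktop account before applying a workaround.
# Function names are hypothetical.

# passwd_entry USER FILE: print USER's passwd(5) line from FILE, if any.
passwd_entry() {
    awk -F: -v u="$1" '$1 == u { print; exit }' "$2"
}

# uid_owners UID FILE SKIP: print accounts in FILE that hold UID, except SKIP.
uid_owners() {
    awk -F: -v id="$1" -v skip="$3" '$3 == id && $1 != skip { print $1 }' "$2"
}

# grd_user_state [LIB_PASSWD] [ETC_PASSWD]
# Prints one of: no-definition | uid-conflict:<account> | missing | ok
grd_user_state() {
    user=gnome-remote-desktop
    lib=${1:-/usr/lib/passwd}
    etc=${2:-/etc/passwd}
    def=$(passwd_entry "$user" "$lib")
    if [ -z "$def" ]; then echo "no-definition"; return 0; fi
    uid=$(printf '%s\n' "$def" | cut -d: -f3)
    clash=$(uid_owners "$uid" "$etc" "$user" | head -n 1)
    if [ -n "$clash" ]; then
        echo "uid-conflict:$clash"      # another account already owns the UID
    elif [ -n "$(passwd_entry "$user" "$etc")" ]; then
        echo "ok"                       # already present; do not append again
    else
        echo "missing"                  # Workaround 1 applies cleanly
    fi
}

# Constructed sample files; the UIDs are made up for illustration.
demo=$(mktemp -d)
printf '%s\n' 'gnome-remote-desktop:x:988:988::/var/lib/gnome-remote-desktop:/usr/sbin/nologin' > "$demo/lib"
printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'saslauth:x:988:76::/run/saslauthd:/sbin/nologin' > "$demo/etc"
echo "constructed sample: $(grd_user_state "$demo/lib" "$demo/etc")"
rm -rf "$demo"
```

On an affected system, call grd_user_state with no arguments to read /usr/lib/passwd and /etc/passwd; a result of ok means the entry is already present and appending it again would duplicate the line.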

Service Management

If the remote desktop service doesn't start automatically after enabling it in Settings, manually enable and start the service:

sudo systemctl enable --now gnome-remote-desktop
sudo systemctl status gnome-remote-desktop

Check service logs for errors:

journalctl -u gnome-remote-desktop -n 50

Secure Remote Access with Tailscale

Overview

Bluefin includes Tailscale, a mesh VPN service that creates secure WireGuard tunnels between devices. This provides encrypted remote desktop access without exposing RDP to the public internet or requiring complex firewall configurations. Tailscale is free for personal use.

Setup

  1. Enable Tailscale on both the Bluefin system and the client device
  2. Create a free Tailscale account at tailscale.com
  3. Both devices will appear in your Tailscale network with private IP addresses (typically in the 100.x.x.x range)
  4. Connect via GNOME Connections using the Tailscale IP address
  5. Use the credentials configured in Desktop Sharing settings

Benefits

End-to-End Encryption: All traffic travels through encrypted WireGuard tunnels, protecting credentials and session data.

No Firewall Changes Required: Tailscale handles NAT traversal, eliminating the need to open ports or configure port forwarding on routers.

Access Control: The Tailscale admin console provides centralized access control, allowing you to revoke access or manage device permissions.

Cross-Platform: Tailscale clients are available for Windows, macOS, Linux, iOS, Android, and most other platforms.

Consult Tailscale's documentation for advanced configuration including access control lists, subnet routing, and exit nodes.

Command-Line Management

grdctl Utility

grdctl is the primary command-line tool for GNOME Remote Desktop, enabling scripting and automation of remote desktop configuration.

Status and Service Control

grdctl status # Check service status
grdctl rdp enable # Enable RDP service
grdctl rdp disable # Disable RDP service
grdctl vnc enable # Enable VNC service
grdctl vnc disable # Disable VNC service

Credential Management

# RDP credentials
grdctl rdp set-credentials USERNAME PASSWORD
grdctl rdp clear-credentials

# VNC credentials
grdctl vnc set-password PASSWORD
grdctl vnc clear-password
grdctl vnc set-auth-method AUTH-METHOD

View-Only Mode

# RDP view-only (screen sharing without control)
grdctl rdp enable-view-only
grdctl rdp disable-view-only

# VNC view-only
grdctl vnc enable-view-only
grdctl vnc disable-view-only

TLS Configuration

grdctl rdp set-tls-cert TLS-CERT
grdctl rdp set-tls-key TLS-KEY

Help and Documentation

grdctl --help # Display usage information

Relevant Code Files

| File | Description | URL |
| --- | --- | --- |
| build_scripts/26-packages-post.sh | FedoraWorkstation firewall zone configuration | View on GitHub |
| build_scripts/overrides/base/10-packages-image-base.sh | GNOME Remote Desktop package installation | View on GitHub |
| build_scripts/40-services.sh | firewalld service enablement | View on GitHub |
| /usr/lib/systemd/system/gnome-remote-desktop.service | System-wide remote desktop service unit | System file |
| /etc/systemd/system/gnome-remote-desktop.service.d/ | Service override directory for user customizations | System directory |