12.12.2023

How to Install and Configure XRDP on Ubuntu 22.04

XRDP is an open-source implementation of Microsoft's Remote Desktop Protocol (RDP) server for Linux. It enables any RDP-compatible client — including Windows Remote Desktop Connection, Remmina, and FreeRDP — to establish a full graphical desktop session on a remote Linux machine. On Ubuntu 22.04, XRDP acts as a bridge between the RDP client and an underlying X11 or Xorg display session, delivering a responsive, encrypted remote desktop experience without requiring VNC or proprietary software.

This guide covers the complete installation, SSL certificate configuration, firewall hardening, desktop environment integration, and connection procedure for XRDP on Ubuntu 22.04 LTS — including edge cases and post-install pitfalls that most tutorials omit.

What Is XRDP and How Does It Work

XRDP operates on a client-server model. The xrdp daemon listens on TCP port 3389 and handles the RDP handshake, session negotiation, and transport encryption via TLS. Internally, it spawns an xrdp-sesman session manager that authenticates users via PAM (Pluggable Authentication Modules) and launches an X11 session through a configurable backend — typically Xvfb (virtual framebuffer) or a direct Xorg session.

The key architectural components are:

  • xrdp daemon — handles RDP protocol negotiation and TLS termination
  • xrdp-sesman — manages user session lifecycle and PAM authentication
  • X11 backend — provides the graphical framebuffer (Xvfb, Xorg, or X11rdp)
  • chansrv — handles clipboard sharing, audio redirection, and drive mapping

This architecture means XRDP does not replace your display manager — it runs alongside it, creating isolated graphical sessions per authenticated user.

XRDP vs. Alternatives: Protocol and Feature Comparison

| Feature | XRDP (RDP) | x11vnc (VNC) | NoMachine (NX) | TeamViewer |
|---|---|---|---|---|
| Protocol | RDP (Microsoft standard) | VNC/RFB | NX protocol | Proprietary |
| Native Windows client | Yes (built-in MSTSC) | No (requires client) | No (requires client) | No (requires client) |
| TLS encryption | Yes (native) | Optional (via stunnel) | Yes | Yes |
| Multi-session support | Yes | No (single display) | Yes | Yes |
| Clipboard sharing | Yes | Yes | Yes | Yes |
| Audio redirection | Yes (via PulseAudio) | Limited | Yes | Yes |
| Performance on WAN | Good | Poor | Excellent | Good |
| Open source | Yes (Apache 2.0) | Yes | Partial | No |
| Port | 3389 | 5900 | 4000 | 5938 |

For teams already using Windows infrastructure, XRDP is the most operationally efficient choice because it requires zero additional client software on Windows machines.

Prerequisites

Before proceeding, ensure the following:

  • A running Ubuntu 22.04 LTS server or desktop instance
  • A user account with sudo privileges
  • A desktop environment installed (GNOME, XFCE, or MATE — details below)
  • SSH access to the server for initial configuration
  • UFW or iptables available for firewall management

If you are running a headless VPS without a desktop environment pre-installed, you must install one before XRDP can deliver a graphical session. A minimal XFCE installation is strongly recommended for remote desktop use due to its low memory footprint.

Step 1 — Update System Packages

Always synchronize your package index and apply pending upgrades before installing new software. This prevents dependency conflicts and ensures you receive the latest patched version of XRDP.

sudo apt update && sudo apt upgrade -y

Reboot if a kernel update was applied:

sudo reboot

Step 2 — Install a Desktop Environment (Headless Servers Only)

If your Ubuntu 22.04 instance has no GUI, install a lightweight desktop environment. XFCE4 is the most reliable choice for XRDP on headless servers — GNOME sessions over XRDP on Ubuntu 22.04 have known rendering issues related to Wayland/GDM3 conflicts.

sudo apt install xfce4 xfce4-goodies -y

Alternatively, for MATE:

sudo apt install ubuntu-mate-desktop -y

Critical note for GNOME users: Ubuntu 22.04 defaults to a Wayland session. XRDP does not support Wayland natively. If you intend to use GNOME, you must force Xorg sessions by editing /etc/gdm3/custom.conf and uncommenting WaylandEnable=false. Even then, GNOME over XRDP on 22.04 frequently produces a black screen on login — XFCE eliminates this class of problem entirely.

Step 3 — Install XRDP

Install XRDP from the official Ubuntu repositories:

sudo apt install xrdp -y

The package manager will install xrdp along with its dependency xorgxrdp, which provides the Xorg-based display driver backend. Installation typically completes in under two minutes on a standard VPS with cPanel or bare-metal server with a stable internet connection.

Step 4 — Enable and Start the XRDP Service

Enable XRDP to start automatically at boot, then start it immediately:

sudo systemctl enable xrdp
sudo systemctl start xrdp

Verify the service is active and listening:

sudo systemctl status xrdp

Expected output includes Active: active (running) and a line confirming the process is listening. To explicitly confirm the port binding:

sudo ss -tlnp | grep 3389

You should see output similar to:

LISTEN  0  10  0.0.0.0:3389  0.0.0.0:*  users:(("xrdp",pid=XXXX,fd=12))

If the port is not bound, check /var/log/xrdp.log for startup errors before proceeding.

Step 5 — Configure SSL Certificate Permissions

During installation, XRDP creates a dedicated system user named xrdp. The daemon uses the certificate key at /etc/ssl/private/ssl-cert-snakeoil.key for TLS session encryption. By default, this file is owned by the ssl-cert group, and the xrdp user does not belong to it — causing TLS handshake failures or fallback to unencrypted sessions.

Add the xrdp user to the ssl-cert group:

sudo usermod -a -G ssl-cert xrdp

Restart XRDP to apply the group membership change:

sudo systemctl restart xrdp

Production note: The ssl-cert-snakeoil certificate is a self-signed certificate generated by the ssl-cert package. For production environments or any server exposed to the internet, replace it with a valid certificate from a trusted CA. If your server has a public domain, you can use a certificate from your SSL Certificates provider and configure XRDP to reference it via the certificate and key_file directives in /etc/xrdp/xrdp.ini.

To use a custom certificate:

sudo nano /etc/xrdp/xrdp.ini

Locate and update these lines:

certificate=/etc/ssl/certs/your-domain.crt
key_file=/etc/ssl/private/your-domain.key

Step 6 — Configure the Desktop Session for XRDP

XRDP reads a per-user session configuration file at ~/.xsession or ~/.Xclients to determine which desktop environment to launch. Without this file, many Ubuntu 22.04 configurations produce a gray or black screen after authentication.

For XFCE, create the session file for your user:

echo "xfce4-session" > ~/.xsession
chmod +x ~/.xsession

For MATE:

echo "mate-session" > ~/.xsession
chmod +x ~/.xsession

If you are configuring this for multiple users on a Dedicated Server, automate this step with a shell loop or configuration management tool such as Ansible.
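
One way to write that shell loop, as an added example that is not part of the original guide. The function name, the `--apply` switch, and the UID range 1000-59999 are assumptions of this sketch; it leaves existing session files alone and refuses to write through a symlink, since it normally runs as root inside user-owned directories.

```shell
#!/usr/bin/env bash
# Added example: create ~/.xsession for every regular login account.

# provision_xsessions SESSION_CMD [PASSWD_FILE]
# Prints the number of session files written.
provision_xsessions() {
    local session_cmd="$1" passwd_file="${2:-/etc/passwd}"
    local user pw uid gid gecos home shell target count=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Skip malformed lines and non-numeric UIDs.
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        # Assumption: regular accounts use UID 1000-59999 (Ubuntu adduser default).
        if [ "$uid" -lt 1000 ] || [ "$uid" -gt 59999 ]; then continue; fi
        # Accounts that cannot log in do not need a desktop session.
        case "$shell" in */nologin|*/false) continue ;; esac
        if [ ! -d "$home" ]; then continue; fi
        target="$home/.xsession"
        # Keep existing files, and never write through a symlink planted in a
        # user-controlled directory while running as root.
        if [ -e "$target" ] || [ -L "$target" ]; then continue; fi
        printf '%s\n' "$session_cmd" > "$target"
        chmod 755 "$target"
        # When run as root, hand the new file to the account that owns the home.
        if [ "$(id -u)" -eq 0 ]; then chown "$uid:$gid" "$target"; fi
        count=$((count + 1))
    done < "$passwd_file"
    echo "$count"
}

# Apply on a real host: sudo ./provision.sh --apply [session-command]
if [ "${1:-}" = "--apply" ]; then
    provision_xsessions "${2:-xfce4-session}"
fi
```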

Step 7 — Configure the Firewall

XRDP listens on TCP port 3389. You must explicitly allow this port through UFW. However, exposing RDP directly to the internet on 0.0.0.0 is a significant security risk — RDP is one of the most actively brute-forced services on the internet.

Recommended approach: restrict access to a specific IP range or VPN subnet.

Allow access from a specific trusted subnet only:

sudo ufw allow from 192.168.1.0/24 to any port 3389

If you are connecting from a single known IP address:

sudo ufw allow from YOUR.IP.ADDRESS to any port 3389

If you must allow broader access temporarily (not recommended for production):

sudo ufw allow 3389/tcp

Reload and verify the firewall rules:

sudo ufw reload
sudo ufw status verbose

Security hardening recommendations:

  • Change the default port: Edit /etc/xrdp/xrdp.ini and set port=33890 (or any non-standard port), then update your UFW rule accordingly. This dramatically reduces automated scanning noise.
  • Use fail2ban: Install and configure fail2ban with the xrdp jail to block IPs after repeated failed authentication attempts.
  • Tunnel over SSH: For maximum security, bind XRDP to 127.0.0.1 only and access it through an SSH tunnel. This eliminates direct internet exposure entirely.

To bind XRDP to localhost only:

sudo nano /etc/xrdp/xrdp.ini

Set:

address=127.0.0.1

Then connect via SSH tunnel from your client:

ssh -L 3389:127.0.0.1:3389 user@your-server-ip -N

Point your RDP client to 127.0.0.1:3389.
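
After changing the bind address or port, confirm the listener actually moved before relying on the tunnel. The following added example (not part of the original guide) classifies `ss -tln` output for a given port; the function name, the `--live` switch, and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify XRDP listener exposure from `ss -tln` output.

# check_rdp_listener PORT
#   stdin : lines in `ss -tln` format (State Recv-Q Send-Q Local Peer ...)
#   stdout: loopback-only | exposed:<addr[,addr...]> | not-listening
check_rdp_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")      # last piece is the port, even for [::]:3389
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            seen = 1
            # Anything other than a loopback address is reachable from the network.
            if (addr !~ /^127\./ && addr != "[::1]")
                exposed = exposed (exposed == "" ? "" : ",") addr
        }
        END {
            if (!seen)              print "not-listening"
            else if (exposed != "") print "exposed:" exposed
            else                    print "loopback-only"
        }'
}

# Constructed sample: RDP port bound to every interface.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      10     *:3389             *:*'

# Constructed sample: listener restricted to loopback for SSH tunnelling.
SAMPLE_TUNNEL='LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      10     127.0.0.1:3389     0.0.0.0:*'

# Live check on the server: ./check_listener.sh --live [port]
if [ "${1:-}" = "--live" ]; then
    ss -tln | check_rdp_listener "${2:-3389}"
fi
```

Any result other than `loopback-only` after the restart means the RDP port is still reachable without the tunnel and the UFW restrictions remain the only barrier.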

Step 8 — Connect to the XRDP Remote Desktop

From Windows

  1. Press Win + R, type mstsc, and press Enter to open Remote Desktop Connection.
  2. In the Computer field, enter the IP address of your Ubuntu server (e.g., 203.0.113.45).
  3. Click Connect.
  4. At the XRDP login screen, select the session type (typically Xvnc or Xorg), enter your Ubuntu username and password, and click OK.

From Linux (Remmina)

  1. Open Remmina and create a new connection profile.
  2. Set the protocol to RDP.
  3. Enter the server IP, your username, and password.
  4. Set the color depth to True color (32 bpp) for best visual quality.
  5. Connect.

From macOS

Use Microsoft Remote Desktop from the Mac App Store — it supports RDP natively and works seamlessly with XRDP.

Troubleshooting Common XRDP Issues on Ubuntu 22.04

Black Screen After Login

This is the most common issue on Ubuntu 22.04. Causes and fixes:

  • Missing ~/.xsession file: Create it as shown in Step 6.
  • Wayland session conflict: Disable Wayland in /etc/gdm3/custom.conf.
  • Stale X lock file: Delete /tmp/.X*-lock files and restart XRDP.

Authentication Failure Despite Correct Credentials

  • Verify PAM is not blocking the xrdp-sesman process: check /var/log/xrdp-sesman.log.
  • Ensure the user account is not locked: sudo passwd -S username.
  • Confirm the user is not required to change their password on next login.

Poor Performance or High Latency

  • Reduce color depth in the RDP client settings (16-bit instead of 32-bit).
  • Enable RemoteFX or H.264 codec in /etc/xrdp/xrdp.ini if your client supports it.
  • Switch from Xvnc to Xorg backend in the XRDP session selector for better performance on servers with hardware acceleration.

Port 3389 Not Reachable

  • Confirm XRDP is running: sudo systemctl status xrdp
  • Confirm UFW is not blocking: sudo ufw status
  • Check cloud provider security groups or network ACLs — many VPS providers have an additional firewall layer at the hypervisor level that is independent of UFW.

Advanced Configuration Options

Enabling Clipboard Sharing

Clipboard redirection between the RDP client and the remote desktop requires the xrdp-chansrv channel service. It starts automatically with the session, but if clipboard is not working, verify the process is running:

ps aux | grep xrdp-chansrv

If it is not running, check for errors in ~/.xrdp/ log files within the user's home directory.

Enabling Audio Redirection

Install the PulseAudio RDP module:

sudo apt install pulseaudio-module-xrdp -y

Log out and reconnect. Audio output from the remote desktop will be redirected to your local client speakers.

Multi-User Concurrent Sessions

XRDP supports multiple simultaneous sessions out of the box. Each authenticated user receives an isolated X11 session. To verify active sessions:

sudo xrdp-seslist

For environments with many concurrent users — such as developer workstations or training environments — a Dedicated Server provides the CPU and RAM headroom necessary to sustain multiple graphical sessions without contention.

Key Takeaways and Decision Checklist

Before deploying XRDP in production, verify each of the following:

  • Desktop environment installed and ~/.xsession configured per user (XFCE recommended)
  • xrdp user added to ssl-cert group — skipping this causes TLS errors
  • Wayland disabled if using GNOME (/etc/gdm3/custom.conf)
  • Firewall rules restrict port 3389 to trusted IPs only — never expose RDP to 0.0.0.0 on a public server
  • Self-signed certificate replaced with a valid CA-issued certificate for production deployments
  • fail2ban configured with an XRDP jail to mitigate brute-force attacks
  • SSH tunnel considered as an alternative to direct port exposure for high-security environments
  • Hypervisor-level firewall checked — cloud provider security groups are independent of UFW
  • Log files monitored at /var/log/xrdp.log and /var/log/xrdp-sesman.log for session errors

Frequently Asked Questions

Does XRDP support Ubuntu 22.04 with Wayland?

No. XRDP requires an X11/Xorg session. Ubuntu 22.04 defaults to Wayland under GNOME. You must either disable Wayland in /etc/gdm3/custom.conf or use a desktop environment that defaults to Xorg, such as XFCE or MATE.

What is the difference between the Xvnc and Xorg session types in XRDP?

The Xvnc backend creates a virtual framebuffer using VNC internally, which is compatible with most configurations but has higher CPU overhead. The Xorg backend uses the xorgxrdp driver for direct Xorg rendering, offering better performance and hardware acceleration support. Use Xorg when available.

Can multiple users connect to XRDP simultaneously?

Yes. XRDP creates a separate, isolated X11 session for each authenticated user. Sessions are independent and do not interfere with one another, making XRDP suitable for multi-user remote access on a single server.

Is it safe to expose XRDP port 3389 directly to the internet?

No. RDP is one of the most heavily targeted protocols for brute-force and exploitation attacks. Always restrict port 3389 to known IP addresses via firewall rules, use fail2ban, and consider tunneling XRDP over SSH for any internet-facing deployment.

How do I uninstall XRDP from Ubuntu 22.04?

Run sudo apt purge xrdp -y && sudo apt autoremove -y. This removes the XRDP packages and their dependencies. Also delete residual configuration files with sudo rm -rf /etc/xrdp and remove the UFW rule with sudo ufw delete allow 3389/tcp.
