Add embedded VNC server with JWT auth, DXGI capture, and dashboard integration

shared/management/client/grpc.go

@@ -941,6 +941,7 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 			RosenpassEnabled:    info.RosenpassEnabled,
 			RosenpassPermissive: info.RosenpassPermissive,
 			ServerSSHAllowed:    info.ServerSSHAllowed,
+			ServerVNCAllowed:    info.ServerVNCAllowed,
 
 			DisableClientRoutes: info.DisableClientRoutes,
 			DisableServerRoutes: info.DisableServerRoutes,
@@ -950,6 +951,9 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 			BlockInbound:        info.BlockInbound,
 
 			LazyConnectionEnabled: info.LazyConnectionEnabled,
+
+			DisableSSHAuth: info.DisableSSHAuth,
+			DisableVNCAuth: info.DisableVNCAuth,
 		},
 	}
 }

shared/management/http/api/openapi.yml

@@ -352,6 +352,33 @@ components:
           items:
             type: string
             example: ch8i4ug6lnn4g9hqv7m0
+        recording_enabled:
+          description: Enables session recording (SSH and VNC) for peers in the selected groups.
+          type: boolean
+          example: false
+        recording_groups:
+          description: Peer group IDs that have session recording enabled.
+          type: array
+          items:
+            type: string
+            example: ch8i4ug6lnn4g9hqv7m0
+        recording_max_sessions:
+          description: Maximum number of recording files to keep per peer. 0 means unlimited.
+          type: integer
+          example: 0
+        recording_max_total_size_mb:
+          description: Maximum total size in MB of recordings per peer. 0 means unlimited.
+          type: integer
+          format: int64
+          example: 0
+        recording_input_enabled:
+          description: Controls whether keyboard input is captured in SSH recordings. Defaults to true.
+          type: boolean
+          example: true
+        recording_encryption_key:
+          description: Base64-encoded public key for encrypting session recordings. When set, recordings are encrypted with a per-session AES-256-GCM key wrapped with this public key.
+          type: string
+          example: ""
         extra:
           $ref: '#/components/schemas/AccountExtraSettings'
         lazy_connection_enabled:
@@ -934,6 +961,14 @@ components:
           description: Indicates whether SSH access this peer is allowed or not
           type: boolean
           example: true
+        server_vnc_allowed:
+          description: Indicates whether the embedded VNC server is enabled on this peer
+          type: boolean
+          example: false
+        disable_vnc_auth:
+          description: Indicates whether VNC JWT authentication is disabled on this peer
+          type: boolean
+          example: false
         disable_client_routes:
           description: Indicates whether client routes are disabled on this peer or not
           type: boolean
@@ -1384,7 +1419,7 @@ components:
         protocol:
           description: Policy rule type of the traffic
           type: string
-          enum: [ "all", "tcp", "udp", "icmp", "netbird-ssh" ]
+          enum: [ "all", "tcp", "udp", "icmp", "netbird-ssh", "netbird-vnc" ]
           example: "tcp"
         ports:
           description: Policy rule affected ports

shared/management/http/api/types.gen.go

@@ -763,6 +763,7 @@ const (
 	PolicyRuleProtocolAll        PolicyRuleProtocol = "all"
 	PolicyRuleProtocolIcmp       PolicyRuleProtocol = "icmp"
 	PolicyRuleProtocolNetbirdSsh PolicyRuleProtocol = "netbird-ssh"
+	PolicyRuleProtocolNetbirdVnc PolicyRuleProtocol = "netbird-vnc"
 	PolicyRuleProtocolTcp        PolicyRuleProtocol = "tcp"
 	PolicyRuleProtocolUdp        PolicyRuleProtocol = "udp"
 )
@@ -776,6 +777,8 @@ func (e PolicyRuleProtocol) Valid() bool {
 		return true
 	case PolicyRuleProtocolNetbirdSsh:
 		return true
+	case PolicyRuleProtocolNetbirdVnc:
+		return true
 	case PolicyRuleProtocolTcp:
 		return true
 	case PolicyRuleProtocolUdp:
@@ -808,6 +811,7 @@ const (
 	PolicyRuleMinimumProtocolAll        PolicyRuleMinimumProtocol = "all"
 	PolicyRuleMinimumProtocolIcmp       PolicyRuleMinimumProtocol = "icmp"
 	PolicyRuleMinimumProtocolNetbirdSsh PolicyRuleMinimumProtocol = "netbird-ssh"
+	PolicyRuleMinimumProtocolNetbirdVnc PolicyRuleMinimumProtocol = "netbird-vnc"
 	PolicyRuleMinimumProtocolTcp        PolicyRuleMinimumProtocol = "tcp"
 	PolicyRuleMinimumProtocolUdp        PolicyRuleMinimumProtocol = "udp"
 )
@@ -821,6 +825,8 @@ func (e PolicyRuleMinimumProtocol) Valid() bool {
 		return true
 	case PolicyRuleMinimumProtocolNetbirdSsh:
 		return true
+	case PolicyRuleMinimumProtocolNetbirdVnc:
+		return true
 	case PolicyRuleMinimumProtocolTcp:
 		return true
 	case PolicyRuleMinimumProtocolUdp:
@@ -853,6 +859,7 @@ const (
 	PolicyRuleUpdateProtocolAll        PolicyRuleUpdateProtocol = "all"
 	PolicyRuleUpdateProtocolIcmp       PolicyRuleUpdateProtocol = "icmp"
 	PolicyRuleUpdateProtocolNetbirdSsh PolicyRuleUpdateProtocol = "netbird-ssh"
+	PolicyRuleUpdateProtocolNetbirdVnc PolicyRuleUpdateProtocol = "netbird-vnc"
 	PolicyRuleUpdateProtocolTcp        PolicyRuleUpdateProtocol = "tcp"
 	PolicyRuleUpdateProtocolUdp        PolicyRuleUpdateProtocol = "udp"
 )
@@ -866,6 +873,8 @@ func (e PolicyRuleUpdateProtocol) Valid() bool {
 		return true
 	case PolicyRuleUpdateProtocolNetbirdSsh:
 		return true
+	case PolicyRuleUpdateProtocolNetbirdVnc:
+		return true
 	case PolicyRuleUpdateProtocolTcp:
 		return true
 	case PolicyRuleUpdateProtocolUdp:
@@ -1498,6 +1507,24 @@ type AccountSettings struct {
 	// PeerLoginExpirationEnabled Enables or disables peer login expiration globally. After peer's login has expired the user has to log in (authenticate). Applies only to peers that were added by a user (interactive SSO login).
 	PeerLoginExpirationEnabled bool `json:"peer_login_expiration_enabled"`
 
+	// RecordingEnabled Enables session recording (SSH and VNC) for peers in the selected groups.
+	RecordingEnabled *bool `json:"recording_enabled,omitempty"`
+
+	// RecordingEncryptionKey Base64-encoded public key for encrypting session recordings. When set, recordings are encrypted with a per-session AES-256-GCM key wrapped with this public key.
+	RecordingEncryptionKey *string `json:"recording_encryption_key,omitempty"`
+
+	// RecordingGroups Peer group IDs that have session recording enabled.
+	RecordingGroups *[]string `json:"recording_groups,omitempty"`
+
+	// RecordingInputEnabled Controls whether keyboard input is captured in SSH recordings. Defaults to true.
+	RecordingInputEnabled *bool `json:"recording_input_enabled,omitempty"`
+
+	// RecordingMaxSessions Maximum number of recording files to keep per peer. 0 means unlimited.
+	RecordingMaxSessions *int `json:"recording_max_sessions,omitempty"`
+
+	// RecordingMaxTotalSizeMb Maximum total size in MB of recordings per peer. 0 means unlimited.
+	RecordingMaxTotalSizeMb *int64 `json:"recording_max_total_size_mb,omitempty"`
+
 	// RegularUsersViewBlocked Allows blocking regular users from viewing parts of the system.
 	RegularUsersViewBlocked bool `json:"regular_users_view_blocked"`
 
@@ -3287,6 +3314,9 @@ type PeerLocalFlags struct {
 	// DisableServerRoutes Indicates whether server routes are disabled on this peer or not
 	DisableServerRoutes *bool `json:"disable_server_routes,omitempty"`
 
+	// DisableVncAuth Indicates whether VNC JWT authentication is disabled on this peer
+	DisableVncAuth *bool `json:"disable_vnc_auth,omitempty"`
+
 	// LazyConnectionEnabled Indicates whether lazy connection is enabled on this peer
 	LazyConnectionEnabled *bool `json:"lazy_connection_enabled,omitempty"`
 
@@ -3298,6 +3328,9 @@ type PeerLocalFlags struct {
 
 	// ServerSshAllowed Indicates whether SSH access this peer is allowed or not
 	ServerSshAllowed *bool `json:"server_ssh_allowed,omitempty"`
+
+	// ServerVncAllowed Indicates whether the embedded VNC server is enabled on this peer
+	ServerVncAllowed *bool `json:"server_vnc_allowed,omitempty"`
 }
 
 // PeerMinimum defines model for PeerMinimum.

shared/management/proto/management.proto

@@ -200,6 +200,8 @@ message Flags {
   bool enableSSHLocalPortForwarding = 13;
   bool enableSSHRemotePortForwarding = 14;
   bool disableSSHAuth = 15;
+  bool disableVNCAuth = 16;
+  bool serverVNCAllowed = 17;
 }
 
 // PeerSystemMeta is machine meta data like OS and version.
@@ -387,6 +389,9 @@ message NetworkMap {
 
   // SSHAuth represents SSH authorization configuration
   SSHAuth sshAuth = 13;
+
+  // VNCAuth represents VNC authorization configuration
+  VNCAuth vncAuth = 14;
 }
 
 message SSHAuth {
@@ -404,6 +409,20 @@ message MachineUserIndexes {
   repeated uint32 indexes = 1;
 }
 
+// VNCAuth represents VNC authorization configuration for a peer.
+message VNCAuth {
+  // UserIDClaim is the JWT claim to be used to get the users ID
+  string UserIDClaim = 1;
+
+  // AuthorizedUsers is a list of hashed user IDs authorized to access this peer via VNC
+  repeated bytes AuthorizedUsers = 2;
+
+  // MachineUsers maps OS user names to their corresponding indexes in the AuthorizedUsers list.
+  // Used in session mode to determine which OS user to create the virtual session as.
+  // The wildcard "*" allows any OS user.
+  map<string, MachineUserIndexes> machine_users = 3;
+}
+
 // RemotePeerConfig represents a configuration of a remote peer.
 // The properties are used to configure WireGuard Peers sections
 message RemotePeerConfig {
@@ -433,6 +452,17 @@ message SSHConfig {
   bytes sshPubKey = 2;
 
   JWTConfig jwtConfig = 3;
+
+  // Session recording settings (shared for SSH and VNC)
+  bool enableRecording = 4;
+  int32 recordingMaxSessions = 5;
+  int64 recordingMaxTotalSizeMb = 6;
+  bool recordInputEnabled = 7;
+
+  // Recording encryption: DER-encoded public key for hybrid AES-GCM encryption.
+  // If set, recordings are encrypted with a per-session AES-256 key, which is
+  // itself encrypted with this public key and stored in the recording header.
+  bytes recordingEncryptionKey = 8;
 }
 
 // DeviceAuthorizationFlowRequest empty struct for future expansion