Add embedded VNC server with JWT auth, DXGI capture, and dashboard integration

2026-04-27 20:56:44 +00:00 · 2026-04-14 12:31:00 +02:00
parent 3098f48b25
commit b754df1171
85 changed files with 10457 additions and 2011 deletions
--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@@ -352,6 +352,33 @@ components:
          items:
            type: string
            example: ch8i4ug6lnn4g9hqv7m0
+        recording_enabled:
+          description: Enables session recording (SSH and VNC) for peers in the selected groups.
+          type: boolean
+          example: false
+        recording_groups:
+          description: Peer group IDs that have session recording enabled.
+          type: array
+          items:
+            type: string
+            example: ch8i4ug6lnn4g9hqv7m0
+        recording_max_sessions:
+          description: Maximum number of recording files to keep per peer. 0 means unlimited.
+          type: integer
+          example: 0
+        recording_max_total_size_mb:
+          description: Maximum total size in MB of recordings per peer. 0 means unlimited.
+          type: integer
+          format: int64
+          example: 0
+        recording_input_enabled:
+          description: Controls whether keyboard input is captured in SSH recordings. Defaults to true.
+          type: boolean
+          example: true
+        recording_encryption_key:
+          description: Base64-encoded public key for encrypting session recordings. When set, recordings are encrypted with a per-session AES-256-GCM key wrapped with this public key.
+          type: string
+          example: ""
        extra:
          $ref: '#/components/schemas/AccountExtraSettings'
        lazy_connection_enabled:
@@ -934,6 +961,14 @@ components:
          description: Indicates whether SSH access this peer is allowed or not
          type: boolean
          example: true
+        server_vnc_allowed:
+          description: Indicates whether the embedded VNC server is enabled on this peer
+          type: boolean
+          example: false
+        disable_vnc_auth:
+          description: Indicates whether VNC JWT authentication is disabled on this peer
+          type: boolean
+          example: false
        disable_client_routes:
          description: Indicates whether client routes are disabled on this peer or not
          type: boolean
@@ -1384,7 +1419,7 @@ components:
        protocol:
          description: Policy rule type of the traffic
          type: string
-          enum: [ "all", "tcp", "udp", "icmp", "netbird-ssh" ]
+          enum: [ "all", "tcp", "udp", "icmp", "netbird-ssh", "netbird-vnc" ]
          example: "tcp"
        ports:
          description: Policy rule affected ports
--- a/shared/management/http/api/types.gen.go
+++ b/shared/management/http/api/types.gen.go
@@ -763,6 +763,7 @@ const (
 	PolicyRuleProtocolAll        PolicyRuleProtocol = "all"
 	PolicyRuleProtocolIcmp       PolicyRuleProtocol = "icmp"
 	PolicyRuleProtocolNetbirdSsh PolicyRuleProtocol = "netbird-ssh"
+	PolicyRuleProtocolNetbirdVnc PolicyRuleProtocol = "netbird-vnc"
 	PolicyRuleProtocolTcp        PolicyRuleProtocol = "tcp"
 	PolicyRuleProtocolUdp        PolicyRuleProtocol = "udp"
 )
@@ -776,6 +777,8 @@ func (e PolicyRuleProtocol) Valid() bool {
 		return true
 	case PolicyRuleProtocolNetbirdSsh:
 		return true
+	case PolicyRuleProtocolNetbirdVnc:
+		return true
 	case PolicyRuleProtocolTcp:
 		return true
 	case PolicyRuleProtocolUdp:
@@ -808,6 +811,7 @@ const (
 	PolicyRuleMinimumProtocolAll        PolicyRuleMinimumProtocol = "all"
 	PolicyRuleMinimumProtocolIcmp       PolicyRuleMinimumProtocol = "icmp"
 	PolicyRuleMinimumProtocolNetbirdSsh PolicyRuleMinimumProtocol = "netbird-ssh"
+	PolicyRuleMinimumProtocolNetbirdVnc PolicyRuleMinimumProtocol = "netbird-vnc"
 	PolicyRuleMinimumProtocolTcp        PolicyRuleMinimumProtocol = "tcp"
 	PolicyRuleMinimumProtocolUdp        PolicyRuleMinimumProtocol = "udp"
 )
@@ -821,6 +825,8 @@ func (e PolicyRuleMinimumProtocol) Valid() bool {
 		return true
 	case PolicyRuleMinimumProtocolNetbirdSsh:
 		return true
+	case PolicyRuleMinimumProtocolNetbirdVnc:
+		return true
 	case PolicyRuleMinimumProtocolTcp:
 		return true
 	case PolicyRuleMinimumProtocolUdp:
@@ -853,6 +859,7 @@ const (
 	PolicyRuleUpdateProtocolAll        PolicyRuleUpdateProtocol = "all"
 	PolicyRuleUpdateProtocolIcmp       PolicyRuleUpdateProtocol = "icmp"
 	PolicyRuleUpdateProtocolNetbirdSsh PolicyRuleUpdateProtocol = "netbird-ssh"
+	PolicyRuleUpdateProtocolNetbirdVnc PolicyRuleUpdateProtocol = "netbird-vnc"
 	PolicyRuleUpdateProtocolTcp        PolicyRuleUpdateProtocol = "tcp"
 	PolicyRuleUpdateProtocolUdp        PolicyRuleUpdateProtocol = "udp"
 )
@@ -866,6 +873,8 @@ func (e PolicyRuleUpdateProtocol) Valid() bool {
 		return true
 	case PolicyRuleUpdateProtocolNetbirdSsh:
 		return true
+	case PolicyRuleUpdateProtocolNetbirdVnc:
+		return true
 	case PolicyRuleUpdateProtocolTcp:
 		return true
 	case PolicyRuleUpdateProtocolUdp:
@@ -1498,6 +1507,24 @@ type AccountSettings struct {
 	// PeerLoginExpirationEnabled Enables or disables peer login expiration globally. After peer's login has expired the user has to log in (authenticate). Applies only to peers that were added by a user (interactive SSO login).
 	PeerLoginExpirationEnabled bool `json:"peer_login_expiration_enabled"`

+	// RecordingEnabled Enables session recording (SSH and VNC) for peers in the selected groups.
+	RecordingEnabled *bool `json:"recording_enabled,omitempty"`
+
+	// RecordingEncryptionKey Base64-encoded public key for encrypting session recordings. When set, recordings are encrypted with a per-session AES-256-GCM key wrapped with this public key.
+	RecordingEncryptionKey *string `json:"recording_encryption_key,omitempty"`
+
+	// RecordingGroups Peer group IDs that have session recording enabled.
+	RecordingGroups *[]string `json:"recording_groups,omitempty"`
+
+	// RecordingInputEnabled Controls whether keyboard input is captured in SSH recordings. Defaults to true.
+	RecordingInputEnabled *bool `json:"recording_input_enabled,omitempty"`
+
+	// RecordingMaxSessions Maximum number of recording files to keep per peer. 0 means unlimited.
+	RecordingMaxSessions *int `json:"recording_max_sessions,omitempty"`
+
+	// RecordingMaxTotalSizeMb Maximum total size in MB of recordings per peer. 0 means unlimited.
+	RecordingMaxTotalSizeMb *int64 `json:"recording_max_total_size_mb,omitempty"`
+
 	// RegularUsersViewBlocked Allows blocking regular users from viewing parts of the system.
 	RegularUsersViewBlocked bool `json:"regular_users_view_blocked"`

@@ -3287,6 +3314,9 @@ type PeerLocalFlags struct {
 	// DisableServerRoutes Indicates whether server routes are disabled on this peer or not
 	DisableServerRoutes *bool `json:"disable_server_routes,omitempty"`

+	// DisableVncAuth Indicates whether VNC JWT authentication is disabled on this peer
+	DisableVncAuth *bool `json:"disable_vnc_auth,omitempty"`
+
 	// LazyConnectionEnabled Indicates whether lazy connection is enabled on this peer
 	LazyConnectionEnabled *bool `json:"lazy_connection_enabled,omitempty"`

@@ -3298,6 +3328,9 @@ type PeerLocalFlags struct {

 	// ServerSshAllowed Indicates whether SSH access this peer is allowed or not
 	ServerSshAllowed *bool `json:"server_ssh_allowed,omitempty"`
+
+	// ServerVncAllowed Indicates whether the embedded VNC server is enabled on this peer
+	ServerVncAllowed *bool `json:"server_vnc_allowed,omitempty"`
 }

 // PeerMinimum defines model for PeerMinimum.