Remote virtual machines
Remote display (VRDP support)
VirtualBox, the graphical user interface, has a built-in server for
the VirtualBox Remote Desktop Protocol (VRDP). This allows you to see the
output of a virtual machine's window remotely on any other computer and
control the virtual machine from there, as if the virtual machine was
running locally.
VRDP is a backwards-compatible extension to Microsoft's Remote
Desktop Protocol (RDP). Typically graphics updates and audio are sent from
the remote machine to the client, while keyboard and mouse events are sent
back. As a result, you can use any standard RDP client to control the
remote VM.
With VirtualBox, the graphical user
interface, the VRDP server is disabled by default, but can easily be
enabled on a per-VM basis either in the "Display" settings (see ) or with
VBoxManage:VBoxManage modifyvm "VM name" --vrdp on
If you use VBoxHeadless (described
further below), VRDP support will be automatically enabled since
VBoxHeadless has no other means of output.
Common third-party RDP viewers
You can use any standard RDP viewer to connect to such a remote
virtual machine (examples follow below). For this to work, you must
specify the IP address of your
host system (not of the virtual machine!) as the
server address to connect to, as well as the port
number that the RDP server is using.
By default, the VRDP server uses the standard RDP TCP port
3389. You will need to change the
default port if you run more than one VRDP server, since the port can
only be used by one server at a time; you might also need to change it
on Windows hosts since the default port might already be used by the RDP
server that is built into Windows itself. Ports 5000 through 5050 are
typically not used and might be a good choice.
The port can be changed either in the "Display" settings of the
graphical user interface or with
--vrdpport option of the
VBoxManage modifyvm command. You can
specify a comma-separated list of ports or ranges of ports. Use a dash
between two port numbers to specify a range. The VRDP server will bind
to one of available ports from the
specified list. For example, VBoxManage modifyvm "VM
name" --vrdpport 5000,5010-5012 will configure the
server to bind to one of the ports 5000, 5010, 5011 or 5012. See for details.
The actual port used by a running VM can be either queried with
VBoxManage showvminfo command or seen
in the GUI on the Runtime tab of the
Session Information Dialog, which is
accessible via the Machine menu of the
VM window.
Here follow examples for the most common RDP viewers:
On Windows, you can use the Microsoft Terminal Services
Connector (mstsc.exe) that ships
with Windows. You can start it by bringing up the "Run" dialog
(press the Windows key and "R") and typing "mstsc". You can also
find it under "Start" -> "All Programs" -> "Accessories"
-> "Remote Desktop Connection". If you use the "Run" dialog,
you can type in options directly:mstsc 1.2.3.4[:3389]
Replace "1.2.3.4" with the host IP address, and 3389 with a
different port if necessary.
When connecting to localhost in order to test the connection,
the addresses localhost and
127.0.0.1 might not work using
mstsc.exe. Instead, the address
127.0.0.2[:3389] has to be used.
On other systems, you can use the standard open-source
rdesktop program. This ships with
most Linux distributions, but VirtualBox also comes with a
modified variant of rdesktop for remote USB support (see below).
With rdesktop, use a command line such as the
following:rdesktop -a 16 -N 1.2.3.4:3389
As said for the Microsoft viewer above, replace "1.2.3.4"
with the host IP address, and 3389 with a different port if
necessary. The -a 16 option
requests a color depth of 16 bits per pixel, which we recommend.
(For best performance, after installation of the guest operating
system, you should set its display color depth to the same value).
The -N option enables use of the
NumPad keys.
If you run the KDE desktop, you might prefer
krdc, the KDE RDP viewer. The
command line would look like this:krdc --window --high-quality rdp:/1.2.3.4[:3389]
Again, replace "1.2.3.4" with the host IP address, and 3389
with a different port if necessary. The "rdp:/" bit is required
with krdc to switch it into RDP mode.
VBoxHeadless, the VRDP-only server
While the VRDP server that is built into the
VirtualBox GUI is perfectly capable of
running virtual machines remotely, it is not convenient to have to run
VirtualBox if you never want to have
VMs displayed locally in the first place. In particular, if you are
running servers whose only purpose is to host VMs, and all your VMs are
supposed to run remotely over VRDP, then it is pointless to have a
graphical user interface on the server at all -- especially since, on a
Linux or Solaris host, VirtualBox comes
with dependencies on the Qt and SDL libraries, which is inconvenient if
you would rather not have the X Window system on your server at
all.
VirtualBox therefore comes with yet another front-end called
VBoxHeadless, which produces no visible
output on the host at all, but instead only delivers VRDP data.
Before VirtualBox 1.6, the headless server was called
VBoxVRDP. For the sake of backwards
compatibility, the VirtualBox installation still installs an
executable with that name as well.
To start a virtual machine with VBoxHeadless, you have two
options:
You can use VBoxManage startvm "VM name" --type vrdp
The extra --type option causes the
VirtualBox core to use VBoxHeadless
as the front-end to the internal virtualization engine.
The alternative is to use
VBoxHeadless directly, as
follows:VBoxHeadless --startvm <uuid|name>
This way of starting the VM has the advantage that you can see
more detailed error messages, especially for early failures before
the VM execution is started. If you have trouble with
VBoxManage startvm, it can help
greatly to start VBoxHeadless
directly to diagnose the problem cause.
Note that when you use
VBoxHeadless to start a VM, since the
headless server has no other means of output, the built-in VRDP server
will always be enabled, regardless of whether you
have enabled the VRDP server in the VM's settings. If this is
undesirable (for example because you want to access the VM via
ssh only), start the VM like
this:VBoxHeadless --startvm <uuid|name> --vrdp=offTo
have the VRDP server use the setting from the VM configuration, as the
other front-ends would, use this:VBoxHeadless --startvm <uuid|name> --vrdp=config
Step by step: creating a virtual machine on a headless
server
The following instructions may give you an idea how to create a
virtual machine on a headless server over a network connection. We will
create a virtual machine, establish a VRDP connection and install a
guest operating system -- all without having to touch the headless
server. All you need is the following:
VirtualBox on a server machine with a supported host
operating system; for the following example, we will assume a
Linux server;
an ISO file on the server, containing the installation data
for the guest operating system to install (we will assume Windows
XP in the following example);
a terminal connection to that host over which you can access
a command line (e.g. via telnet
or ssh);
an RDP viewer on the remote client; see above for examples.
Note again that on the server machine, since we will
only use the headless server, neither Qt nor SDL nor the X Window system
will be needed.
On the headless server, create a new virtual machine:
VBoxManage createvm --name "Windows XP" --ostype WindowsXP --register
Note that if you do not specify
--register, you will have to
manually use the registervm command later.
Note further that you do not need to specify
--ostype but doing so selects
some sane default values for certain VM parameters, for example
the RAM size and the type of the virtual network device. To get a
complete list of supported operating systems you can use
VBoxManage list ostypes
Make sure the settings for this VM are appropriate for the
guest operating system that we will install. For example:VBoxManage modifyvm "Windows XP" --memory 256 --acpi on --boot1 dvd --nic1 nat
Create a virtual hard disk for the VM (in this case, 10GB in
size) and register it with VirtualBox:VBoxManage createhd --filename "WinXP.vdi" --size 10000 --remember
Add an IDE Controller to the new VM:VBoxManage storagectl "Windows XP" --name "IDE Controller"
--add ide --controller PIIX4
Set this newly created VDI file as the first virtual hard
disk of the new VM:VBoxManage storageattach "Windows XP" --storagectl "IDE Controller"
--port 0 --device 0 --type hdd --medium "WinXP.vdi"
Register the ISO file that contains the operating system
installation that you want to install later:VBoxManage openmedium dvd /full/path/to/iso.iso
Attach this ISO to the virtual machine, so it can boot from
it:VBoxManage storageattach "Windows XP" --storagectl "IDE Controller"
--port 0 --device 1 --type dvddrive --medium /full/path/to/iso.iso
Start the virtual machine using VBoxHeadless:VBoxHeadless --startvm "Windows XP"
If everything worked, you should see a copyright notice. If,
instead, you are returned to the command line, then something went
wrong.
On the client machine, fire up the RDP viewer and try to
connect to the server (see above
for how to use various common RDP viewers).
You should now be seeing the installation routine of your
guest operating system in the RDP viewer.
Remote USB
As a special feature on top of the VRDP support, VirtualBox
supports remote USB devices over the wire as well. That is, the
VirtualBox guest that runs on one computer can access the USB devices of
the remote computer on which the RDP data is being displayed the same
way as USB devices that are connected to the actual host. This allows
for running virtual machines on a VirtualBox host that acts as a server,
where a client can connect from elsewhere that needs only a network
adapter and a display capable of running an RDP viewer. When USB devices
are plugged into the client, the remote VirtualBox server can access
them.
For these remote USB devices, the same filter rules apply as for
other USB devices, as described with .
All you have to do is specify "Remote" (or "Any") when setting up these
rules.
Accessing remote USB devices is only possible if the RDP client
supports this extension. On Linux and Solaris hosts, the VirtualBox
installation provides a suitable RDP client called
rdesktop-vrdp. RDP clients for other
platforms will be provided in future VirtualBox versions.
To make a remote USB device available to a VM, rdesktop-vrdp
should be started as follows:rdesktop-vrdp -r usb -a 16 -N my.host.addressNote
that rdesktop-vrdp can access USB
devices only through /proc/bus/usb.
Please refer to for further details on how
to properly set up the permissions. Furthermore it is advisable to
disable automatic loading of any host driver on the remote host which
might work on USB devices to ensure that the devices are accessible by
the RDP client. If the setup was properly done on the remote host,
plug/unplug events are visible on the VBox.log file of the VM.
RDP authentication
For each virtual machine that is remotely accessible via RDP, you
can individually determine if and how RDP connections are
authenticated.
For this, use VBoxManage modifyvm
command with the --vrdeauthtype option;
see for a general introduction.
Three methods of authentication are available:
The "null" method means that there is no authentication at
all; any client can connect to the VRDP server and thus the
virtual machine. This is, of course, very insecure and only to be
recommended for private networks.
The "external" method provides external authentication
through a special authentication library.
VirtualBox comes with three default libraries for external
authentication:
On Linux hosts,
VBoxAuth.so authenticates
users against the host's PAM system.
On Windows hosts,
VBoxAuth.dll authenticates
users against the host's WinLogon system.
On Mac OS X hosts,
VBoxAuth.dylib
authenticates users against the host's directory
service.
Support for Mac OS X was added in version
3.2.
In other words, the "external" method per default performs
authentication with the user accounts that exist on the host
system. Any user with valid authentication credentials is
accepted, i.e. the username does not have to correspond to the
user running the VM.
An additional library called
VBoxAuthSimple performs authentication
against credentials configured in the VM's extra data section. This is
probably the simplest way to get authentication that does not depend
on a running and supported guest (see below). In order to enable
VBoxAuthSimple, issue
VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple".
To enable the library for a VM, switch authentication to external using
VBoxManage modifyvm "VM name" --vrdpauthtype external.
Last but not least, you have to configure users and passwords. Here is an example
for the user "john" with the password "secret":
VBoxManage internalcommands passwordhash "secret"
This will give you the hash value "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b"
which you set using
VBoxManage setextradata "VM name" "VBoxAuthSimple/users/john"
"2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b".
Finally, the "guest" authentication method performs
authentication with a special component that comes with the Guest
Additions; as a result, authentication is not performed with the
host users, but with the guest user accounts. This method is
currently still in testing and not yet supported.
In addition to the methods described above, you can replace the
default "external authentication module with any other module. For this,
VirtualBox provides a well-defined interface that allows you to write your
own authentication module; see
for details.
RDP encryption
RDP features data stream encryption, which is based on the RC4
symmetric cipher (with keys up to 128bit). The RC4 keys are being
replaced in regular intervals (every 4096 packets).
RDP provides three different authentication methods:
Historically, RDP4 authentication was used, with which the
RDP client does not perform any checks in order to verify the
identity of the server it connects to. Since user credentials can
be obtained using a man in the middle (MITM) attack, RDP4
authentication is insecure and should generally not be
used.
RDP5.1 authentication employs a server certificate for which
the client possesses the public key. This way it is guaranteed
that the server possess the corresponding private key. However, as
this hard-coded private key became public some years ago, RDP5.1
authentication is also insecure and cannot be recommended.
RDP5.2 authentication is based on TLS 1.0 with
customer-supplied certificates. The server supplies a certificate
to the client which must be signed by a certificate authority (CA)
that the client trusts (for the Microsoft RDP Client 5.2, the CA
has to be added to the Windows Trusted Root Certificate
Authorities database). VirtualBox allows you to supply your own CA
and server certificate and uses OpenSSL for encryption.
While VirtualBox supports all of the above, only RDP5.2
authentication should be used in environments where security is a
concern. As the client that connects to the server determines what type
of encryption will be used, with rdesktop, the Linux RDP viewer, use the
-4 or
-5 options.
Multiple VRDP connections
The built-in RDP server of VirtualBox supports simultaneous
connections to the same running VM from different clients. All connected
clients see the same screen output and share a mouse pointer and
keyboard focus. This is similar to several people using the same
computer at the same time, taking turns at the keyboard.
The following command enables multiple connection mode: VBoxManage modifyvm "VM name" --vrdpmulticon on
Multiple remote monitors
To access two or more remote VM displays you have to enable the
VRDP multiconnection mode (see ).
The RDP client can select the virtual monitor number to connect to
using the domain logon parameter
(-d). If
the parameter ends with @ followed by a
number, the VirtualBox RDP server interprets this number as the screen index.
The primary guest screen is selected with
@1, the first secondary screen is
@2, etc.
The MS RDP6 client does not let you specify a separate domain
name. Instead, use domain\username in
the Username: field -- for example,
@2\name.
name must be supplied, and must be the
name used to log in if the VRDP server is set up to require credentials.
If it is not, you may use any text as the username.
VRDP video redirection
Starting with VirtualBox 3.2, the VRDP server can redirect video
streams from the guest to the RDP client. Video frames are compressed
using the JPEG algorithm allowing a higher compression ratio than
standard RDP bitmap compression methods. It is possible to increase the
compression ratio by lowering the video quality.
Video streams in a guest are detected by the VRDP server
automatically as frequently updated rectangular areas. Therefore, this
method works with any guest operating system without having to install
additional software in the guest.
On the client side, however, currently only the Windows 7 Remote
Desktop Connection client supports this feature. If a client does not
support video redirection, the VRDP server uses regular bitmap
updates.
The following command enables video redirection: VBoxManage modifyvm "VM name" --vrdpvideochannel on
The quality of the video is defined as a value from 10 to 100
percent, as is common with JPEG compression. The quality can be changed
using the following command: VBoxManage modifyvm "VM name" --vrdpvideochannelquality 75
VRDP customization
Starting with VirtualBox 3.2.10, it is possible to disable display output,
mouse and keyboard input, audio, remote USB or clipboard in the VRDP server.
The following commands change corresponding server settings:
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay" 1
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableInput" 1
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableUSB" 1
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableAudio" 1
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableClipboard" 1
To reenable a feature use a similar command without the trailing 1. For example:
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay"
Teleporting
Starting with version 3.1, VirtualBox supports "teleporting" -- that
is, moving a virtual machine over a network from one VirtualBox host to
another, while the virtual machine is running. This works regardless of
the host operating system that is running on the hosts: you can teleport
virtual machines between Solaris and Mac hosts, for example.
Teleporting requires that a machine be currently running on one
host, which is then called the "source".
The host to which the virtual machine will be teleported will then be
called the "target"; the machine on the
target is then configured to wait for the source to contact the target.
The machine's running state will then be transferred from the source to
the target with minimal downtime.
Teleporting happens over any TCP/IP network; the source and the
target only need to agree on a TCP/IP port which is specified in the
teleporting settings.
At this time, there are a few prerequisites for this to work,
however:
On the target host, you must configure a virtual machine in
VirtualBox with exactly the same hardware settings as the machine on
the source that you want to teleport. This does not apply to
settings which are merely descriptive, such as the VM name, but
obviously for teleporting to work, the target machine must have the
same amount of memory and other hardware settings. Otherwise
teleporting will fail with an error message.
The two virtual machines on the source and the target must
share the same storage (hard disks as well as floppy and CD/DVD
images). This means that they either use the same iSCSI targets or
that the storage resides somewhere on the network and both hosts
have access to it via NFS or SMB/CIFS.
This also means that neither the source nor the target machine
can have any snapshots.
Then perform the following steps:
On the target host, configure the virtual
machine to wait for a teleport request to arrive when it is started,
instead of actually attempting to start the machine. This is done
with the following VBoxManage command:VBoxManage modifyvm <targetvmname> --teleporter on --teleporterport <port>
where <targetvmname> is
the name of the virtual machine on the target host and
<port> is a TCP/IP port
number to be used on both the source and the target hosts. For
example, use 6000. For details, see .
Start the VM on the target host. You will see that instead of
actually running, it will show a progress dialog. indicating that it
is waiting for a teleport request to arrive.
Start the machine on the source host as
usual. When it is running and you want it to be teleported, issue
the following command on the source host:VBoxManage controlvm <sourcevmname> teleport --host <targethost> --port <port>
where <sourcevmname> is
the name of the virtual machine on the source host (the machine that
is currently running),
<targethost> is the host or
IP name of the target host on which the machine is waiting for the
teleport request, and <port>
must be the same number as specified in the command on the target
host. For details, see .
For testing, you can also teleport machines on the same host; in
that case, use "localhost" as the hostname on both the source and the
target host.
In rare cases, if the CPUs of the source and the target are very
different, teleporting can fail with an error message, or the target
may hang. This may happen especially if the VM is running application
software that is highly optimized to run on a particular CPU without
correctly checking that certain CPU features are actually present.
VirtualBox filters what CPU capabilities are presented to the guest
operating system. Advanced users can attempt to restrict these virtual
CPU capabilities with the VBoxManage --modifyvm
--cpuid command; see .