Remote Access via Raspberry Pi 4 with Pi-KVM
I've been on a mission to find an ideal way to monitor and control systems remotely. When I worked for Citigroup, the servers were from Compaq/HP and included iLO cards (Integrated Lights-Out) which are similar to Integrated Dell Remote Access Controller (iDRAC). With that setup you can access a machine remotely as if you were physically there, including being able to attach ISO media and manage BIOS settings remotely. This came in handy when we needed to completely rebuild servers and manually setup the RAID Controller for different build environments.
For connecting to systems at home in the past I've used Hamachi, Tight VNC, RDP Gateway, TeamViewer, and any other free solution I could use, including Quick Assist to help friends and family. Most recently I've been left with Google Remote Desktop which works well for Windows machines and behind NAT and supports MFA, but does require an agent to be installed on each machine.
I've always dreamed of something like a DRAC or IP-KVM for a but lower cost, because stand-alone solutions like Lantronix Spider are way too expensive ($500+) and limited (super slow Java interfaces). Which lead me to the Pi-KVM project.
Pi-KVM is a collection of packages to allow a Raspberry Pi to act like a KVM over IP device. It's based on a custom build of Arch Linux, physical Video Capture of the remote computer, and Keyboard/Mouse control via OTG to simulate HID device control. Remote access is possible by accessing an internal webserver for KVM, terminal access, macro record/playback, remote media, ATX power control, and the ability to switch inputs on a physical KVM that allows keyboard control. An added bonus is you can modify video capture settings to manage bandwidth and quality.
Total cost of a build would be about $100 depending on what you already own:
This is what the final build looks like with the case and included expansion board:
And a breakout of the different components:
The project page mentions a USB-C splitter to accommodate using the USB-C port for both power and OTG (keyboard/mouse control). The expansion board included with the case breaks out the OTG Function to a USB-A port in the back, making it easy to pull out the power pin. Removing the power pin is required when you connect USB-A to USB-A for Keyboard/Mouse control, as that will send back 5V back to your Pi but at lower power which can damage your device, hence you can remove the power pin...
领英推荐
...and still use OTG to comply with the recommended setup from the project's schematic.
Once all the hardware is setup, the rest is relatively simple, just download the Pi-KVM image from GitHub onto the Micro SD card with a tool like Rufus, plug in the USB-A to USB-A from the OTG port to the Device you want to manage remotely, along with the HDMI cable to that device, and another HDMI cable to a monitor, plug it into your network and boot up. The build is auto-configured to start the required services including DHCP, so you'll see that at the end of the bootup process. At another machine pull up the Raspberry Pi's IP address into a browser, logon with the default credentials, try out the software and don't forget to pickup your jaw from the floor :)
The Pi-KVM works best with a Raspberry Pi 4 due to improved system performance but can be supported with Pi Zero W and Raspberry Pi 2 and 3 (if you enjoy display delay torture). The developer of the project is working on an add-on board to reduce much of the manual build complexity, such as controlling Mac OS outside of OSX and having onboard connections for ATX power control.
Here's a quick video of the completed web interface:
How safe is it?
Probably your #1 question, how do you protect bad actors from reaching this device from the open internet? According to the project page you can setup Tailscale VPN to access your device directly, however I chose to configure mine with Azure AD Application Proxy using an account that is MFA and conditional access enabled, and a network configuration which only allows the proxy connector's host IP to access the Raspberry Pi.
I would love to recommend this for a corporate environment, but unfortunately the Raspberry Pi doesn't offer much in terms of security. There's no BIOS or HD Password, and anybody with physical access can remove the SD card and load whatever custom OS they want. But still, this is a very, very cool project.
A similar project to this is TinyKVM, but that project is subscription based for many of the "advanced" features that are free with Pi-KVM, plus the TinyKVM developer is leveraging the uStreamer project that was created by the Pi-KVM developer, and doesn't mention any of the MacOS caveats, workarounds, and other goodies like KVM/ATX switch control.
Global Security Engineering & Incident Response Manager | GSEC | GCIH | GCFE | GSTRT
3 年That is a very good write up. It sounds like it was a lot of fun to build.