# Graphical remote access over Tailscale

This session established a clean, reproducible pattern for giving a Linux host a GUI over Tailscale using XRDP.

## When to use
- The user wants a graphical remote desktop, not just SSH.
- Tailscale is already installed or will be used as the transport.
- The machine is Ubuntu/Debian-like and can use apt.

## Known-good pattern
1. Install XRDP and a lightweight desktop session:
   - `sudo apt-get update`
   - `sudo apt-get install -y xrdp xfce4 xfce4-goodies xorgxrdp`
2. Ensure services are enabled and running:
   - `systemctl status xrdp`
   - `systemctl status xrdp-sesman`
3. Point the user session at XFCE by creating `~/.xsession` containing:
   - `xfce4-session`
4. Verify the listener:
   - `ss -ltnp | grep 3389`
5. Verify the Tailscale address:
   - `tailscale ip -4`
6. Connect from another machine with any RDP client to:
   - `<tailscale-ip>:3389`

## Practical notes
- XFCE is usually the least troublesome choice for XRDP.
- If the host is already on Tailscale, no extra VPN setup is needed for the RDP transport.
- If the firewall is active, allow TCP 3389 only from the Tailscale interface or tailnet range, not from the public internet.
- If the display manager is present but no desktop session is configured for the user, `~/.xsession` is the quickest fix.
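
The listener check from step 4 combined with the firewall note, as an added example that is not part of the original notes: the function reads `ss -ltn` output and reports whether TCP 3389 is bound beyond the Tailscale address, which is the case where the firewall restriction is what keeps RDP off other networks. It assumes Tailscale's IPv4 range 100.64.0.0/10 (matching `tailscale ip -4`); the function names and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): decide from `ss -ltn` output
# whether the XRDP listener needs a firewall rule in front of it.

# True when $1 is an IPv4 address in 100.64.0.0/10, the range Tailscale
# assigns node addresses from (what `tailscale ip -4` prints).
in_tailnet_v4() {
    case "$1" in 100.*.*.*) ;; *) return 1 ;; esac
    second=${1#100.}; second=${second%%.*}
    case "$second" in ''|*[!0-9]*) return 1 ;; esac
    [ "$second" -ge 64 ] && [ "$second" -le 127 ]
}

# Reads `ss -ltn` output on stdin and prints one of:
#   firewall-required | tailscale-only | loopback-only | none
classify_rdp_binding() {
    exposed=0 tailnet=0 loopback=0
    while read -r state _ _ laddr _; do
        [ "$state" = LISTEN ] || continue        # skips the header line too
        [ "${laddr##*:}" = 3389 ] || continue    # port is the last :field
        addr=${laddr%:*}
        if in_tailnet_v4 "$addr"; then
            tailnet=1
        else
            case "$addr" in
                127.*|'[::1]') loopback=1 ;;
                *) exposed=1 ;;  # 0.0.0.0, *, [::], LAN/public, or any IPv6 bind
            esac
        fi
    done
    if   [ "$exposed" -eq 1 ];  then echo firewall-required
    elif [ "$tailnet" -eq 1 ];  then echo tailscale-only
    elif [ "$loopback" -eq 1 ]; then echo loopback-only
    else echo none
    fi
}

# Constructed sample: a wildcard bind, reachable on every interface.
classify_rdp_binding <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       2                   *:3389              *:*
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
EOF
# prints: firewall-required
# On a live host: ss -ltn | classify_rdp_binding
```

A result of `firewall-required` means the bind address alone does not limit RDP to the tailnet, so the firewall rule from the note above has to do it.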

## Verification checklist
- `xrdp` and `xrdp-sesman` active
- `3389/tcp` listening
- `~/.xsession` contains `xfce4-session`
- RDP client connects successfully over the Tailscale IP
