Setting up GNOME Remote Desktop for headless multi-user RDP access on Ubuntu 25.10 (Questing Quokka) is trickier than it should be. This guide documents a working approach using only the software shipped with Ubuntu Desktop — no extra packages required — and uses openssl to generate TLS certificates. It covers common errors and how to resolve them, and reflects what actually works in 2026.
TL;DR – Getting this right on Ubuntu 25.04 was a frustrating experience. After several hours of digging, headless multi-user RDP on 25.10 finally works reliably, and the approach below is the result of that effort.
Overview
- Configure Remote Login (multi-user, headless) and optionally Desktop Sharing (your current user) RDP certificates for GNOME Remote Desktop.
- No additional FreeRDP or winpr3-utils packages are needed — OpenSSL generates the correct certificate format.
- Remote Login authenticates via a system-wide username and password, which brings you to the graphical login screen where individual users can sign in with their own credentials.
- Desktop Sharing for your current user session is also supported alongside Remote Login.
Background: GNOME Remote Desktop in 2026
GNOME Remote Desktop has matured considerably since it first appeared as an experimental feature. By 2026, it is the default and recommended way to access an Ubuntu Desktop machine remotely, replacing the older VNC-based approach that shipped in earlier Ubuntu releases. The service runs natively on Wayland — there is no X11 involved — and speaks the RDP protocol directly, which means modern RDP clients on Windows, macOS, and mobile platforms connect cleanly without needing a translation layer.
Ubuntu 25.10 ships GNOME Remote Desktop as a first-class component. The grdctl command-line tool has gained stability and the --system flag for headless multi-user access is now well-supported. However, certificate handling and service ownership still trip people up on a clean install, particularly on hardware without a TPM chip. The steps below address exactly that scenario.
One notable shift in 2026 is that Microsoft's Windows App (formerly Remote Desktop) on macOS and iOS has become the most common client for connecting to Linux RDP servers. It handles self-signed certificates more gracefully than older versions did, though you will still be prompted to accept or ignore the certificate on first connection. Remmina remains the go-to option for connecting from another Linux machine, and GNOME Connections is a solid lightweight choice if you want something already on your Ubuntu desktop.
Try the clean-install defaults first
- Go to Settings > System > Remote Login and enable it.
- Set a device username and password — this is a system-wide credential that gets you to the login screen, not your personal account password.

- Open a terminal and run:
sudo systemctl enable --now gnome-remote-desktop.service
- Reboot:
sudo reboot
- After rebooting, run sudo grdctl --system status --show-credentials and confirm that Unit status shows active and Status shows enabled. The --show-credentials flag prints the device password in clear text, as in the output below. The TPM message below is harmless — it simply means the service is falling back to a keyfile instead of hardware-backed storage.
sudo grdctl --system status --show-credentials
Init TPM credentials failed because No TPM device found, using GKeyFile as fallback.
Overall:
Unit status: active
RDP:
Status: enabled
Port: 3389
TLS certificate: /var/lib/gnome-remote-desktop/.local/share/gnome-remote-desktop/certificates/rdp-tls.crt
TLS fingerprint: a4:3a:c2:ca:2b:80:15:25:36:54:84:35:68:ef:de:d2:45:31:69:a6:50:5c:e4:c7:b3:f2:a9:10:b7:60:10:07
TLS key: /var/lib/gnome-remote-desktop/.local/share/gnome-remote-desktop/certificates/rdp-tls.key
Username: device
Password: weakpassword
- Try connecting with your RDP client of choice using the system username and password. If it works, you will land at the Ubuntu login screen.
- If it works: stop here. You do not need the rest of this article.
If the defaults did not work on your machine, continue below.
The Script
#!/usr/bin/env bash
set -euo pipefail
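# --- Config ---
RDP_USER="${USER}"
# Set this before running. It is passed to grdctl as a command-line argument
# and echoed to the terminal at the end of the script.
RDP_PASS="changethistoyourpassword"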
SYSTEM_CERT_DIR="/var/lib/gnome-remote-desktop"
USER_CERT_DIR="$HOME/.local/share/gnome-remote-desktop/certificates"
CERT_FILE="rdp-tls.crt"
KEY_FILE="rdp-tls.key"
echo "[+] Preparing certificate directories..."
sudo mkdir -p "$SYSTEM_CERT_DIR"
# Own the directory, not the files: the key and certificate do not exist yet,
# and chown on a missing file would abort the script under set -e.
# File ownership is set after the system certificate is generated below.
sudo chown gnome-remote-desktop:gnome-remote-desktop "$SYSTEM_CERT_DIR"
mkdir -p "$USER_CERT_DIR"
# --- Generate PEM TLS certificates ---
echo "[+] Generating system PEM certificate..."
sudo openssl req -newkey rsa:2048 -nodes \
  -keyout "$SYSTEM_CERT_DIR/$KEY_FILE" \
  -x509 -days 365 \
  -out "$SYSTEM_CERT_DIR/$CERT_FILE" \
  -subj "/CN=$(hostname)"
sudo chown gnome-remote-desktop:gnome-remote-desktop "$SYSTEM_CERT_DIR/$KEY_FILE" "$SYSTEM_CERT_DIR/$CERT_FILE"
sudo chmod 600 "$SYSTEM_CERT_DIR/$KEY_FILE"
sudo chmod 644 "$SYSTEM_CERT_DIR/$CERT_FILE"
echo "[+] Generating user PEM certificate..."
openssl req -newkey rsa:2048 -nodes \
  -keyout "$USER_CERT_DIR/$KEY_FILE" \
  -x509 -days 365 \
  -out "$USER_CERT_DIR/$CERT_FILE" \
  -subj "/CN=$(hostname)"
chmod 600 "$USER_CERT_DIR/$KEY_FILE"
chmod 644 "$USER_CERT_DIR/$CERT_FILE"
# --- Enable GNOME Remote Desktop service ---
sudo systemctl enable --now gnome-remote-desktop.service
# --- Configure system RDP TLS ---
echo "[+] Configuring system RDP TLS..."
sudo grdctl --system rdp set-tls-key "$SYSTEM_CERT_DIR/$KEY_FILE"
sudo grdctl --system rdp set-tls-cert "$SYSTEM_CERT_DIR/$CERT_FILE"
sudo grdctl --system rdp enable
# --- Configure user RDP TLS and password ---
export XDG_RUNTIME_DIR="/run/user/$(id -u)"
echo "[+] Configuring user RDP TLS and password..."
grdctl rdp set-tls-key "$USER_CERT_DIR/$KEY_FILE"
grdctl rdp set-tls-cert "$USER_CERT_DIR/$CERT_FILE"
grdctl rdp set-credentials "$RDP_USER" "$RDP_PASS"
grdctl rdp enable
# --- Open firewall ---
if command -v ufw >/dev/null 2>&1; then
  echo "[+] Allowing TCP 3389 through firewall..."
  sudo ufw allow 3389/tcp
  sudo ufw reload || true
fi
# --- Ensure lingering so user session stays alive for RDP ---
sudo loginctl enable-linger "$USER"
echo
echo "[✓] GNOME Remote Desktop RDP is ready!"
echo "Connect with an RDP client to: rdp://$(hostname -I | awk '{print $1}')"
echo "Username: $RDP_USER"
echo "Password: $RDP_PASS"
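To confirm what the script above produced, the following check (an added example, not part of the original script) verifies the conditions the explanation below calls critical: PEM rather than OpenSSH key format, owner and mode, and that the certificate actually belongs to the key. The function names are illustrative, and it assumes the TLS fingerprint line in the grdctl status output is the certificate's SHA-256 digest, which its 32-byte length suggests.

```shell
#!/usr/bin/env bash
# Added example: audit an RDP TLS certificate/key pair. Function names are illustrative.
# Usage: check-rdp-tls.sh CERT KEY EXPECTED_OWNER

key_format() {  # classify the private key by its first line
  case "$(head -n 1 "$1")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
    "-----BEGIN PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") echo pem ;;
    *) echo unknown ;;
  esac
}

check_perms() {  # args: file, expected owner, expected octal mode (GNU stat)
  actual=$(stat -c '%U %a' "$1") || return 1
  if [ "$actual" != "$2 $3" ]; then
    echo "FAIL $1: owner/mode is '$actual', expected '$2 $3'" >&2
    return 1
  fi
}

pair_matches() {  # the certificate's public key must equal the key's public half
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

cert_fingerprint() {  # lowercase colon-separated SHA-256, for comparison with grdctl status
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr 'A-F' 'a-f'
}

audit_pair() {  # args: cert, key, expected owner; reports every failure, not just the first
  rc=0
  [ "$(key_format "$2")" = pem ] || { echo "FAIL $2: not a PEM private key" >&2; rc=1; }
  check_perms "$2" "$3" 600 || rc=1
  check_perms "$1" "$3" 644 || rc=1
  pair_matches "$1" "$2" || { echo "FAIL: certificate and key do not match" >&2; rc=1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || { echo "FAIL $1: expired or unreadable" >&2; rc=1; }
  echo "SHA-256 fingerprint: $(cert_fingerprint "$1")"
  return "$rc"
}

if [ "$#" -eq 3 ]; then
  audit_pair "$@"
fi
```

Run it with sudo for the system pair, since that key is readable only by gnome-remote-desktop, and pass gnome-remote-desktop as the expected owner; for the user pair, pass your own username.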
Step-by-Step Explanation
- Directories: We create /var/lib/gnome-remote-desktop for system-wide certificates and ~/.local/share/gnome-remote-desktop/certificates/ for the current user if neither exists. Correct ownership is critical — the GNOME Remote Desktop service runs as its own system user and will silently fail if it cannot read the certificate files.
- Generating certificates: OpenSSL generates PEM-format keys and self-signed certificates. GNOME Remote Desktop requires PEM keys specifically; OpenSSH-format keys will not work and produce a BIO_new failed error. Both system and user certificates are created in one pass.
- Permissions: System certificates must be owned by the gnome-remote-desktop user and group. User certificates must be readable by the logged-in user. Getting this wrong is the single most common reason the service appears active but connections fail.
- Enabling the service: gnome-remote-desktop.service is enabled system-wide so RDP is available headless — that is, before any user has logged in at the physical display.
- Configuring system RDP: grdctl --system rdp assigns the system PEM key and certificate and enables RDP on port 3389. TPM warning messages are expected and harmless on machines without a TPM chip.
- Configuring user RDP: User certificates and credentials are assigned via grdctl without --system, targeting the per-user session service