VPS Remote Desktop: Setup and Maintenance
Deploy a headless Ubuntu VPS with an XFCE desktop reachable through noVNC, secured with Tailscale. Intended for non-technical users who interact through Telegram but occasionally need desktop access.
Architecture
User browser → Tailscale (encrypted) → noVNC (port 6080) → websockify → x11vnc → Xvfb + XFCE
User phone → Telegram → OpenClaw gateway (port 443 / polling)
Admin → Tailscale → SSH (port 2222)
Prerequisites
Ubuntu VPS (22.04 or later, 2+ cores, 4 GB+ RAM; tested on OVH)
SSH access
Tailscale account (free tier: 100 devices, 3 users)
Domain name or static IP (optional)
Initial setup
Run all commands over SSH as the default user (e.g. ubuntu).
sudo apt update && sudo apt upgrade -y
sudo apt install -y python3 python3-pip python3-venv git curl
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
# Firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp # SSH (non-standard port)
sudo ufw allow 3389/tcp # RDP (optional, can be removed later)
sudo ufw enable
# Change the SSH port
sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
# Ubuntu 24.04+ uses socket activation for ssh; override the socket as well:
sudo systemctl edit ssh.socket
# Add between the comment blocks:
# [Socket]
# ListenStream=
# ListenStream=0.0.0.0:2222
# ListenStream=[::]:2222
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
sudo systemctl restart sshd
# Keep this session open and confirm a new login on port 2222 works before disconnecting
# Disable root login
sudo sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sudo systemctl restart sshd
# Automatic security updates
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
# Fail2ban (SSH + RDP)
sudo apt install -y fail2ban
Create /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
findtime = 600
[xrdp]
enabled = true
port = 3389
filter = xrdp
logpath = /var/log/xrdp.log
maxretry = 3
bantime = 3600
findtime = 600
Keep the [xrdp] section only if xrdp is actually installed: fail2ban will not start a jail whose logpath does not exist.
Create /etc/fail2ban/filter.d/xrdp.conf (the <HOST> placeholder is what fail2ban uses to extract the address to ban):
[Definition]
failregex = .*FAILED LOGIN.*client_ip=<HOST>
ignoreregex =
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Install the desktop stack:
sudo apt install -y xfce4 dbus-x11 xvfb x11vnc novnc websockify
Set the VNC password:
mkdir -p ~/.vnc
x11vnc -storepasswd
Install Chrome (works best in the virtual display):
wget -q -O /tmp/chrome.deb https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install -y /tmp/chrome.deb
Launch Chrome from a terminal inside the noVNC session:
google-chrome --no-sandbox &   # --no-sandbox turns off Chrome's process sandbox; try without it first, it is normally only needed when running as root
Create /etc/systemd/system/vnc-desktop.service:
[Unit]
Description=VNC desktop (Xvfb + XFCE + x11vnc + noVNC)
After=network.target
[Service]
Type=simple
User=ubuntu
Environment=HOME=/home/ubuntu
Environment=DISPLAY=:1
ExecStart=/bin/bash -c 'Xvfb :1 -screen 0 1920x1080x24 & sleep 2 && DISPLAY=:1 dbus-launch --exit-with-session startxfce4 & sleep 3 && x11vnc -display :1 -forever -rfbauth /home/ubuntu/.vnc/passwd -rfbport 5901 & websockify --web /usr/share/novnc 6080 localhost:5901'
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
Note: replace User=ubuntu and HOME=/home/ubuntu with the actual username.
sudo systemctl daemon-reload
sudo systemctl enable vnc-desktop
sudo systemctl start vnc-desktop
Configure DNS for systemd-resolved:
sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/dns.conf > /dev/null << 'EOF'
[Resolve]
DNS=8.8.8.8 8.8.4.4
EOF
sudo systemctl restart systemd-resolved
Install Tailscale:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
# Open the authentication URL in a browser and log in
tailscale ip -4
# Note the 100.x.x.x IP
Lock noVNC down to Tailscale only. ufw's default deny also applies to the tailscale0 interface, so port 6080 has to be allowed there explicitly and nowhere else:
sudo ufw delete allow 6080/tcp # no-op if 6080 was never opened publicly
sudo ufw allow in on tailscale0 to any port 6080 proto tcp
Access the desktop:
http://100.x.x.x:6080/vnc.html
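To verify after the lock-down that only the intended sockets are exposed, here is an added listener audit script (example code, not part of this guide). It assumes `ss -H -ltn` output on stdin, a placeholder TAILSCALE_IP, and the layout above: SSH 2222 public, x11vnc 5901 on loopback only, noVNC 6080 reachable only over Tailscale.

```shell
# Added example, not part of the guide: audit listening TCP sockets against the intended
# exposure of this layout: SSH 2222 public by design, x11vnc 5901 on loopback only
# (websockify is its only client), noVNC 6080 reachable only over Tailscale.
# Usage on the VPS:  ss -H -ltn | audit_listeners    (exit status 1 on any FAIL)
TAILSCALE_IP="${TAILSCALE_IP:-100.100.100.100}"   # CONSTRUCTED placeholder: use `tailscale ip -4`

# classify ADDR:PORT -> prints "ok ...", "WARN ..." or "FAIL ..."
classify() {
  addr="${1%:*}"      # "0.0.0.0", "[::]", "*", "127.0.0.1", ...
  port="${1##*:}"
  case "$port" in
    2222) echo "ok ssh, public by design" ;;
    5901) case "$addr" in
            127.*|"[::1]") echo "ok x11vnc on loopback" ;;
            *) echo "FAIL x11vnc listening off-host; start it with -localhost" ;;
          esac ;;
    6080) case "$addr" in
            "$TAILSCALE_IP") echo "ok noVNC bound to the Tailscale IP" ;;
            127.*|"[::1]") echo "FAIL noVNC on loopback only, unreachable over Tailscale" ;;
            *) echo "WARN noVNC on a wildcard address; ufw must allow 6080 on tailscale0 only" ;;
          esac ;;
    *)    case "$addr" in
            127.*|"[::1]"|"$TAILSCALE_IP") echo "ok internal listener on port $port" ;;
            *) echo "WARN unexpected public listener on port $port" ;;
          esac ;;
  esac
}

# Reads "ss -H -ltn" lines (State Recv-Q Send-Q Local:Port Peer:Port ...) from stdin,
# prints "Local:Port verdict" per socket and returns 1 if any verdict is a FAIL.
audit_listeners() {
  fails=0
  while read -r _state _rq _sq sock _rest; do
    [ -z "$sock" ] && continue
    verdict=$(classify "$sock")
    printf '%s %s\n' "$sock" "$verdict"
    case "$verdict" in FAIL*) fails=$((fails + 1)) ;; esac
  done
  [ "$fails" -eq 0 ]
}

# CONSTRUCTED sample of ss -H -ltn output: x11vnc was started without -localhost.
sample_ss_output() {
  printf '%s\n' \
    'LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*' \
    'LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*' \
    'LISTEN 0 100 0.0.0.0:6080 0.0.0.0:*' \
    'LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'
}
```

Run `sample_ss_output | audit_listeners` to see the verdicts on the constructed sample; on the VPS, pipe real `ss -H -ltn` output instead.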
Install OpenClaw:
sudo npm install -g openclaw
openclaw --version
Full VPS setup (user systemd fix, gateway token, gateway service install/start, SSH tunnel for the dashboard, Telegram pairing):
references/openclaw-setup.md
Systemd service reference (legacy/low-level):
references/openclaw-service.md
- (Optional) Install gog (Google Workspace CLI) on the VPS
If the user needs Gmail/Calendar/Drive automation from the VPS, install and authenticate gog.
Steps:
references/gogcli.md
Maintenance commands
Service management
# Desktop service
sudo systemctl status vnc-desktop
sudo systemctl restart vnc-desktop
sudo systemctl stop vnc-desktop
sudo journalctl -u vnc-desktop --since "10 minutes ago"
# OpenClaw gateway
openclaw gateway status
openclaw gateway restart
# Tailscale
tailscale status
sudo tailscale up # re-authenticate if needed
Fail2ban
sudo fail2ban-client status sshd
sudo fail2ban-client status xrdp
sudo fail2ban-client