Pi Zero as RDP Jump Host with xrdp, NeutrinoRDP Proxy and Azure Arc
Project goal and assumptions
The goal of this project is to build a small, energy‑efficient jump host that enables remote RDP access to Windows machines inside a corporate network without exposing that network directly to the Internet. Instead of forwarding port 3389 on the router (which usually results in scans and brute‑force attempts), the Raspberry Pi operates on the local network and acts as a secure intermediary: it accepts the administrator’s connection and then establishes an RDP session to the selected Windows host.
The biggest advantage is that the Raspberry Pi does not need a public IP address or any open inbound ports. Administrative access is provided through Azure Arc (SSH over Arc), which makes it possible to connect via SSH to Arc‑enabled servers without a public IP and without opening additional ports.
Why Ethernet and not Wi‑Fi?
In a jump host scenario, reliability matters more than convenience. This type of device is often used to help other users or to fix outages – exactly when “unstable Wi‑Fi” can be most disruptive. For this reason, it is best to connect the Raspberry Pi to the internal network using a wired Ethernet connection.
At the same time, Wi‑Fi plays an interesting backup/architectural role here: if the LAN (with the Windows hosts – and not only them, since SSH is also in play) has no Internet access for security reasons, the Raspberry Pi can still reach the “outside world” (Azure) over Wi‑Fi. In practice, this provides an additional benefit: you can keep the server network “isolated” while still retaining the ability to perform remote administration via Arc.
How the RDP proxy works (xrdp + NeutrinoRDP)
The RDP “jump” layer is implemented using xrdp running on the Raspberry Pi in proxy mode with NeutrinoRDP. NeutrinoRDP is part of the neutrinolabs ecosystem and is a fork of FreeRDP 1.0.1, providing the RDP client implementation used in the proxy scenario.
One important practical detail: the NeutrinoRDP proxy does not always work “out of the box” after installing xrdp from distribution packages. In many distributions, the packages do not include ready‑to‑use proxy libraries/modules, so to obtain a working module (for example libxrdpneutrinordp.so), you must compile NeutrinoRDP from source and then rebuild xrdp with NeutrinoRDP support enabled (for example ./configure –enable-neutrinordp).
Azure Arc – access without a public IP
The Raspberry Pi acts as an edge server and is onboarded to Azure Arc‑enabled servers. Thanks to this, it is possible to connect to the Pi over SSH “through Azure” (SSH over Arc), even if the Raspberry Pi is behind NAT and has no port forwarding configured. Microsoft describes this mode as SSH access to Arc‑enabled servers without exposing them directly to the Internet.
Step by Step:
sudo apt-get update sudo apt-get -y install mc build-essential git cmake libssl-dev libx11-dev libxext-dev libxinerama-dev libxcursor-dev libxdamage-dev libxv-dev libxkbfile-dev libasound2-dev libcups2-dev libxml2 libxml2-dev libxrandr-dev libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev libavutil-dev libavcodec-dev libavformat-dev libswscale-dev git clone https://github.com/neutrinolabs/NeutrinoRDP.git cd NeutrinoRDP cmake -DCMAKE_BUILD_TYPE=Release -DWITH_SSE2=OFF . make if error than: sed -i '/#include <freerdp\/rail.h>/a #include <stdlib.h>' /home/mf/NeutrinoRDP/libfreerdp-utils/rail.c make clean make sudo make install sudo apt-get install -y gcc make libssl-dev libpam0g-dev libx11-dev libxfixes-dev libxrandr-dev mc autoconf automake libtool libxkbfile-dev cd ~ git clone https://github.com/neutrinolabs/xrdp.git cd xrdp ./bootstrap ./configure --enable-neutrinordp make if error: sed -i 's/self->client_info.jpeg_prop\[0\] < 0 ||//' libxrdp/xrdp_caps.c make clean make sudo make install sudo systemctl enable xrdp sudo systemctl restart xrdp.service