Xpra: Ticket #1022: Xpra Client in Listen Mode

It would be nice to have those two additional options (--listen, --client) e.g.

Xpra_cmd.exe attach [ssh/tcp]: EMPTY --listen=[IP:PORT] (Waits for server ready msg, with optional timeout. IP is provided in case a machine has more than 1 active address, otherwise not needed)

xpra --start :XX --start-child=CMD  --client=IP:PORT

Once server is initiated successfully, it sends a triggering tcp msg to the client containing USER@SERVER :XX to be used by the client to initiate ssh/tcp connection. One useful option with client listen mode is continues listing, so that it exec clients once server msg received and keeps listing for more servers as they become ready, instead of launching clients manually for each application

Thank you,

Tue, 03 Nov 2015 08:48:37 GMT - Antoine Martin: owner, type, description, milestone changed

As per this original mailing list thread: Xpra Client in Listen Mode Enquiry

I think it would be better, safer and more useful to simply reverse the connection so that the server connects to the client: no need for passing the user+host to connect to using a new magic message to trigger yet another connection. (with the inherent security risks every time - and new connections cannot traverse NAT back to the server).

The "listen" mode should probably be a new subcommand, rather than overloading "attach", ie:

xpra listen tcp:host:port

I really don't see much point at all in the listen via SSH option: if you can SSH to the client, you might as well start the client command via SSH, which is also much safer.


@adarrab: if you can take a look at the comments above and maybe even play with the code a little bit, I should be able to take a look at this for the next release

Tue, 03 Nov 2015 09:38:00 GMT - adarrab:

Sorry for the confusion, client doesn't listen through SSH, the [SSH/TCP] in the command line is to instruct the client to use [SSH/TCP] connection to the server (like attach [ssh/tcp]:....), once the server is ready. Listening is going to be always over tcp, since clients mostly do not run ssh server.

Wed, 16 Mar 2016 07:00:59 GMT - Antoine Martin: milestone changed

Mon, 04 Apr 2016 06:19:08 GMT - Antoine Martin:

May be related / useful for #983 since vsock connections go from guest to host only. (AFAICT)

Edit: that was incorrect.

Tue, 12 Jul 2016 16:52:22 GMT - Antoine Martin: milestone changed

Milestone renamed

Wed, 07 Sep 2016 10:13:06 GMT - Antoine Martin: milestone changed

I don't have time for this.

Sun, 26 Nov 2017 14:24:45 GMT - Antoine Martin: owner, status, milestone changed

Should be easy enough to implement.

There are security implications.. I don't think we want to resurrect #1660

Sun, 07 Jan 2018 05:49:51 GMT - Antoine Martin: milestone changed

Actually not that easy to implement, and no real need for it. Re-scheduling.

Sun, 27 Jan 2019 15:17:14 GMT - Antoine Martin:

See also #2125, #1590.

Sun, 08 Sep 2019 17:50:51 GMT - Antoine Martin: attachment set

add listen mode for client

Sun, 08 Sep 2019 17:51:49 GMT - Antoine Martin:

Helped by the refactoring from ticket:2125#comment:11, the patch above makes it possible for the client to wait for a connection on sockets specified using the usual --bind-tcp syntax.

Sun, 08 Sep 2019 18:24:51 GMT - Antoine Martin:

See #2406 for generic client bind options.

Tue, 10 Sep 2019 06:30:15 GMT - Antoine Martin: attachment set

working patch

Tue, 10 Sep 2019 06:31:58 GMT - Antoine Martin: milestone changed

The patch above works as long as one uses "socat" to join the server and client socket together:

I may still merge this just as a POC.

Tue, 10 Sep 2019 12:23:22 GMT - Antoine Martin: owner, status changed

Merged in r23767. As of r23770, the client can also be told where to connect, instead of just expecting a server connection:

xpra listen --bind-tcp=
echo tcp:// | socat - TCP:localhost:10001

The client will print:

closing tcp socket
connecting to tcp://

Then proceeds as if it had been started with attach tcp://


(so if the connection fails at that point, the client will just exit)

Will follow up in #2412

@adarrab: does that work for you?

Tue, 10 Sep 2019 17:23:33 GMT - adarrab:

@adarrab: does that work for you?

First of all, many thanks for putting the time to implement this feature, really appreciated!

The very basic scenario does work, but you would need a port for each client, which makes it annoying in situations where firewall is restricted to limited number of opened ports (which is the case in many places). I was hoping to have the client in listening mode acts like a proxy server where it listens on a single port, and upon receiving a connection from xpra servers, it spawns clients and forward traffic to them.

At least this is what I ended up doing couple of years ago: a listener service on a specific port which spawns xpra clients (ssh connection & key authentication) to the ready server (once server is ready it sends a message similar to your approach). The only downfall to this is that the client takes up to 5 seconds to initialize and establish the ssh connection, despite disabling many of the features like speaker, microphone, tray ...etc. Your approach with tcp binding (when the client is ready in listening mode) it shows the received application almost instantaneous upon receiving the signal from the server.

Wed, 11 Sep 2019 03:33:05 GMT - Antoine Martin: status changed; resolution set

I was hoping to have the client in listening mode acts like a proxy server where it listens on a single port, and upon receiving a connection from xpra servers, it spawns clients and forward traffic to them.

You should be able to achieve this with minimal code by spawning enough clients in advance in listen mode on a unix domain socket, then have a very simple tcp listener that dispatches to them. This could be helped by #2406: by creating your unix domain sockets in a pre-defined location, the dispatcher could just use xpra info on them to know which ones are still free. (and potentially pre-spawn more as needed)

Sat, 23 Jan 2021 05:12:45 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1022