This is an experimental library under active development. It is intended for research, learning, and personal projects. The API is subject to change!
GhostLink is an all-in-one remote access and support platform engineered for security-driven teams, MSPs, and IT departments. Written in Rust, GhostLink merges a modern zero trust relay, a powerful web management portal, and ultra-fast cross-platform agents—all in a single, self-hosted server.
🎉 v0.2.0 Status: Foundational components implemented and compiling successfully!
- Core Agent Architecture: Client agent orchestrator with session management and heartbeat system
- Cross-Platform Screen Capture: Enum-based abstraction supporting Wayland, X11, Windows, and macOS
- Input Control System: Platform-specific input handling with async trait implementations
- Relay Message Protocol: WebSocket-based communication between client and server
- Session Management: Multi-session support with type-based routing (Console, Backstage, Adhoc)
- Connection Management: Robust WebSocket connection handling with reconnection logic
- Configuration System: Flexible TOML-based configuration for client and server
- Hardware Encoding Support: Framework for NVENC, QSV, and VideoToolbox (stubs implemented)
- Complete capture loop implementation (lifetime management for async tasks)
- Server-side session coordination and device management
- Web portal integration with backend services
- Hardware-accelerated encoding implementations
- Authentication and device registration
- Web portal UI improvements
- Database integration
- Deployment and containerization
- Testing and documentation
-
Unified Server
- One container or binary: Web Portal + Relay
- Easy deployment and scaling
- Authenticate every device and session
- Certificate-based device identity
- Encrypted relay communications
-
High-Performance Remote Access
- RustDesk-level performance with screen capture
- WebSocket-based real-time communication
- Hardware-accelerated encoding when available
-
ScreenConnect-Like Experience
- Browser-based management portal (Leptos + WASM)
- Persistent agent/client service
- Launch sessions directly from web interface
- Device management and monitoring
-
Self-Hosted & Enterprise Ready
- Single binary deployment
- Docker containerization
- Nginx reverse proxy configuration
- Database integration for user management
GhostLink follows a ScreenConnect-inspired architecture with modern performance:
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Admin Web │────▶│ nginx Reverse │────▶│ GhostLink │
│ Interface │ │ Proxy │ │ Server │
│atlas.cktechx.com│ │ │ │ (Port 8443) │
└─────────────────┘ │ │ │ │
│ │ │ ┌─────────────┐ │
┌─────────────────┐ │ │ │ │ Web Portal │ │
│ Client Agents │────▶│ │────▶│ │ (Leptos) │ │
│relay.cktechx.com│ │ │ │ └─────────────┘ │
└─────────────────┘ └─────────────────┘ │ ┌─────────────┐ │
│ │ Relay │ │
│ │ Component │ │
│ └─────────────┘ │
└─────────────────┘
-
GhostLink Server (
server/)- Embedded Leptos web frontend (WASM)
- WebSocket relay for client connections
- REST API for device management
- Session orchestration
-
GhostLink Client (
client/)- Persistent agent/service
- Cross-platform screen capture
- Secure communication with server
- Auto-reconnection and recovery
-
Nginx Configuration
atlas.cktechx.com→ Web GUI accessrelay.cktechx.com→ Client relay endpoint- SSL termination and security headers
# Build the server image
docker build -t ghostlink-server .
# Run with docker-compose
docker-compose up -d# Install cargo-leptos for building web frontend
cargo install cargo-leptos
# Build the server
cd server
cargo leptos build --release
# Run the server
./target/release/ghostlink-serverCopy the provided nginx configurations:
# Copy relay configuration
sudo cp nginx/relay.cktechx.com.conf /etc/nginx/sites-available/
sudo ln -s /etc/nginx/sites-available/relay.cktechx.com.conf /etc/nginx/sites-enabled/
# Copy web GUI configuration
sudo cp nginx/atlas.cktechx.com.conf /etc/nginx/sites-available/
sudo ln -s /etc/nginx/sites-available/atlas.cktechx.com.conf /etc/nginx/sites-enabled/
# Test and reload nginx
sudo nginx -t
sudo systemctl reload nginx# Download and install as service
.\ghostlink-client.exe install --server wss://relay.cktechx.com# Install as systemd service
sudo ./ghostlink-client install --server wss://relay.cktechx.com# Run directly (for testing)
./ghostlink-client start --server wss://relay.cktechx.com- Access Web Portal: Navigate to
https://atlas.cktechx.com - View Connected Devices: See all online agents in the dashboard
- Launch Sessions: Click "Connect" to start remote control
- File Transfers: Drag and drop files between devices
- Multi-User Support: Multiple admins can manage devices
[server]
host = "0.0.0.0"
port = 8443
database_url = "sqlite:./data/ghostlink.db"
[security]
jwt_secret = "your-secret-key-here"
session_timeout = 3600
max_concurrent_sessions = 100
[relay]
heartbeat_interval = 30
connection_timeout = 300
max_clients = 1000Clients auto-configure on first connection, but you can override:
# Custom device name
ghostlink-client start --name "Production-Server-01"
# Different server endpoint
ghostlink-client start --server wss://relay.example.com- Rust 1.75+ (edition 2024)
- cargo-leptos for web frontend
- Node.js (for additional tooling)
# Install tools
cargo install cargo-leptos trunk wasm-pack
# Build server with web frontend
cd server
cargo leptos build
# Build client
cd ../client
cargo build --release
# Run development server
cargo leptos watch- Frontend: Leptos with WebAssembly for near-native performance
- Backend: Axum web framework with WebSocket support
- Database: SQLx with PostgreSQL/SQLite support
- Security: Ring cryptography, JWT authentication
- Networking: Tokio async runtime, rustls for TLS
- Zero Trust Architecture: Every connection authenticated and encrypted
- Certificate Pinning: Clients validate server certificates
- End-to-End Encryption: Screen data encrypted in transit
- Session Isolation: Each remote session is cryptographically isolated
- Audit Logging: All connections and actions logged
- Role-Based Access: Admin, Operator, and Viewer roles
GhostLink is designed for high performance:
- Rust Performance: Near-zero overhead async runtime
- Efficient Encoding: Hardware-accelerated screen capture when available
- WebAssembly Frontend: 60fps UI with minimal bandwidth
- Connection Pooling: Reuse connections for multiple sessions
- Adaptive Quality: Dynamic adjustment based on network conditions
Licensed under the MIT License. See LICENSE file for details.
- Documentation: [Coming Soon]
- Issues: GitHub Issues
- Community: [Discord/Slack - Coming Soon]
-
End-to-End Encryption
- All traffic and file transfers encrypted by default
-
Persistent Agents & Instant Access
- Lightweight agent for 24/7 unattended or on-demand remote access
-
Modern Web Portal
- Manage endpoints, users, sessions, RBAC, and audit logs in-browser
-
Wayland & X11 Support
- Native for all major Linux desktops
-
Fast File Transfer & Clipboard Sync
- Secure, efficient, cross-platform
-
Multi-Factor Authentication
- Supports MFA, SSO, OIDC, and SAML
-
Proxy Friendly
- Deploy behind NGINX, Traefik, or HAProxy
- Security-First: Zero trust, E2E encryption, full auditability
- Enterprise & MSP Ready: Role-based access, multi-tenant options, SSO
- Linux-Native: Real support for Wayland and X11 (not an afterthought)
- Simple Deployment: Single binary or container for full stack
GhostLink Server (Web Portal + Relay) handles:
- Client relay connections
- User authentication
- Web-based management
GhostLink Agents run on endpoints (Windows, macOS, Linux).
- Mobile clients (iOS/Android)
- Headless Linux agent (CLI)
- Branding/white-label support
- API and webhooks
-
Prerequisites
# Install Rust 2024 edition curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh rustup default stable # Install PostgreSQL # Ubuntu/Debian: apt install postgresql postgresql-contrib # macOS: brew install postgresql # Or use Docker: docker run --name postgres -e POSTGRES_PASSWORD=password -p 5432:5432 -d postgres:16
-
Clone and Build
git clone <your-repo> cd ghostlink # Copy example config cp config.toml.example config.toml # Edit config.toml with your database settings # Build and run cargo build --release cargo run
-
Access Web Portal
- Open http://localhost:8080 in your browser
- WebSocket relay available at ws://localhost:8080/api/v1/relay
# Clone repository
git clone <your-repo>
cd ghostlink
# Set environment variables
export DB_PASSWORD=your-secure-password
export JWT_SECRET=your-super-secret-jwt-key
# Start services
docker-compose up -d
# Access via Nginx reverse proxy
# Web portal: http://localhost
# API: http://localhost/api/v1-
Build the server
cargo build --release
-
Setup Nginx
# Copy Nginx configurations sudo cp nginx/ghostlink.conf /etc/nginx/sites-available/ sudo cp nginx/ghostlink-common.conf /etc/nginx/conf.d/ # Enable site sudo ln -s /etc/nginx/sites-available/ghostlink.conf /etc/nginx/sites-enabled/ # Test and reload Nginx sudo nginx -t sudo systemctl reload nginx
-
Run AtlasConnect Server
# Create systemd service (optional) sudo cp scripts/ghostlink.service /etc/systemd/system/ sudo systemctl enable ghostlink sudo systemctl start ghostlink
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Web Browser │ │ GhostLink │ │ PostgreSQL │
│ │ │ Server │ │ Database │
│ - Dashboard │◄──►│ │◄──►│ │
│ - Session UI │ │ - Web API │ │ - Users │
│ │ │ - WebSocket │ │ - Agents │
└─────────────────┘ │ - Relay │ │ - Sessions │
└─────────────────┘ └─────────────────┘
│
│ WebSocket
▼
┌─────────────────┐
│ GhostLink │
│ Agents │
│ │
│ - Windows │
│ - macOS │
│ - Linux │
└─────────────────┘
The native clients will connect to the WebSocket relay endpoint and implement:
- Agent Registration: Register with server and maintain heartbeat
- Screen Capture: Efficient screen capture and compression
- Input Handling: Mouse/keyboard input relay
- File Transfer: Secure file transfer capabilities
- Session Management: Handle session requests from web portal
POST /api/v1/auth/login- User authenticationGET /api/v1/agents- List connected agentsPOST /api/v1/sessions- Create new sessionGET /api/v1/status- Server status
Authenticate- Client authenticationAgentRegister- Agent registrationSessionRequest- Request new sessionScreenFrame- Screen capture dataScreenControl- Input events
Key configuration options in config.toml:
[server]
host = "127.0.0.1"
port = 8080
[database]
url = "postgresql://user:pass@localhost/ghostlink"
[security]
jwt_secret = "your-secret-key"
session_timeout_minutes = 480
[relay]
max_relay_connections = 1000
heartbeat_interval_seconds = 30- Zero Trust Architecture: Every connection authenticated and encrypted
- End-to-End Encryption: All session data encrypted with unique keys
- JWT Authentication: Secure token-based authentication
- Role-Based Access Control: Granular permissions system
- Audit Logging: Complete audit trail of all activities
- Rate Limiting: Protection against abuse via Nginx
GhostLink — Secure, modern remote access. Built for the era of zero trust.