Easy Remote Access?

TinyApps asks: "How do Slashdot readers make remote connections through firewalls and NAT routers when assisting friends/family/customers? Reverse VNC connection are relatively easy to setup, but there is also the free LogMeIn and WebEx's new free service that startstarted, this week. Do you all have any other ideas?"

Im First Wow

[ghinckley68]

vnc works fine. i usally do a linux firewall and vnc in to it and then on to whatever i need on the network not pretty but it works

ssh

[GreyWolf3000]

Tunnel X through ssh.

Re:ssh

[Curien]

I always use SSH to get in, but I don't necessarily tunnel X. In my experience, VNC and RDP handle medium-bandwidth connections (upstream capped) connections better.

Re:ssh

[tha_mink]

You SSH into your friends, clients, and family's machines? They ALL run SSH? Hrm. I can never get my mom run SSH on her windows 98 machine.

Re:ssh

[Curien]

I don't know anyone that runs anything older than Win2K. And yes -- everyone that I need to access remotely runs SSH.

Re:ssh

[Atzanteol]

Install "cygwin" on her machine sometime. Then you can ssh to it...

Re:ssh

You deserve an informative mod for that one. If my company's corporate office'll let me do this (I telecommute from a different country) - you just solved many of my problems.

The old fashioned way...

[tibike77]

...use a (cell)phone and talk to the user in front of the other computer :P

A joke ? In some cases, yes (I meant the other user, har har).
Secure ? Depends on the user on the other end too ;)

Re:The old fashioned way...

it's the only way when neither of you have routable IP addresses (apart from using an intermediary).

Re:The old fashioned way...

[Alex+Belits]

I call it "voice telnet".

And it sucks.

Remote assistance

[Dr.Opveter]

On XP Remote assistance works well, you instruct them to go Start -> Help & Support -> Ask for assistance.
On other windows platforms i've been able to help people out with Netmeeting as well.
Otherwise VNC works fine..

Re:Remote assistance

[Cyberop5]

If you have Windows XP Professional, Microsoft Terminal Services is awesome, even over some slower connections. You can map the drives and printers to the computer you're on you can access any of your local files remotely or print remote files to a closer printer.

You can activate it by enabling remote desktop from the System Properties dialog and adding whichever users you want to be able to use it. It uses port 3389 so you'll need to open it with whatever firewall you're using. Any windows XP machine has the client by default. Simply go to start, run, and type mstsc. Linux has a client called rdesktop, although its not as great as Microsoft's last I checked. Other Windows versions can run the client off the XP install CD or downloadable from microsoft. I keep a copy on my thumb drive.

Also, netmeeting is still avaible on windows XP by running the program conf.exe. It'll start the netmeeting wizard then launch the program subsequently.

Re:Remote assistance

[Dr.Opveter]

You're quite right about the Terminal Services. I use them to admin some of my own Windows XP machines all the time. It does indeed feel speedy even on dial-up connections usually.

So if your friend/family/customer runs Windows XP Professional and you foresee future remote access to the machine will be needed, set up the Terminal Services for them. You don't even have to run it over port 3389 if that's a problem, you can configure it to run on any free port (except i think port 21 didn't work well for some reason, port 22, or a really high port number if you're worried about portscanners, works fine.
Many people in the friends/family cateogry have XP Home though, so then Remote Assistance or Netmeeting works like a charm.

Re:Remote assistance

[Firehawke]

I use an SSH tunnel to push my RDP connection through my work's firewall so that I can access my work machine from home, and since I have a similar arrangement at home, (Linux-based firewall on a cheap Poweredge 350) I can pretty much do the same the other way as well.

Let me tell you, that's a real life saver on occasion.

Though, I'm curious-- does anyone know if Mac OS X supports RDP? Not as a client, I mean, but is there a RDP server built-in? I've been looking at the Mac Mini, and it'd be really nice to be able to access it just the same as I do my other machines. I know there's always VNC, but RDP just feels a lot more responsive over a medium-bandwidth connection.

Re:Remote assistance

[3waygeek]

Though, I'm curious-- does anyone know if Mac OS X supports RDP? Not as a client, I mean, but is there a RDP server built-in?

Unfortunately, there's no RDP server available for the Mac (and I've looked pretty hard for one). I have a G3 that I use as an HD PVR, and I use VNC to access it -- like you, I'd much rather use RDP.

Re:Remote assistance

[harrkev]

Forgive me for asking a complete noob question, but here goes...

Does Terminal Services allow two separate users to run two separate sessions, or are the local and remote users stuck staring at the same screen?

If the local and remote sessions are different, is the client and server both free, or do you have to pay M$ some $$$?

If the local and remote sessions are the same, what is the cheapest (preferably free) alternative to allow local and remote users to work separately? Does VNC do this (I suspect not, but my experience with VNC is limited).

Once again, sorry for the noob quesions, but I have a new beefy XP box at home, and an old Win98 box. It would be nice to have the 98 box be a thin client for the XP machine.

And, yes. I know that this sort of thing is trivial in Linux.

Re:Remote assistance

[outcast36]

There are actually 3 versions of Terminal Services

1. Terminal Server: This requires a server OS (W2K Server, W2K3, NT Server), and a license server. You can have as many sessions as you have licenses. (either per user or per seat).

2. Terminal Services for Administration. This comes with the Server OS. You are limited to the console session and two remote sessions.

3. Remote Desktop. Comes with XP Pro. You can have a remote session if it is the same as the logged in user. Otherwise, the logged in user will be logged out when you remote in. If you are the only user doing this stuff, this approach shouold work fine.

Re:Remote assistance

[harrkev]

Bummer. I only have XP pro. I was hoping that I could have myself and my wife work at the same time on the same computer (me on the machine, my wife on a thin client)

Does anybody know the cheapest way to accomplish this (preferably free)?

Re:Remote assistance

[topham]

OS X has built in support for VNC.
Amazing, but true.

Go to Sharing in preferences and enable Apple Remote Desktop
Choose "Access Privledges" and set the VNC may control screen with password.

Then connect with a VNC client.

Re:Remote assistance

[bhtooefr]

Option one: Buy a Jetway MiniQ MagicTwin SFF rig, and throw XP on it. Plug two sets of monitors, keyboards, and mice in, and voila, you've got a 2-user XP rig.

Option two: Ditch XP, and (free if you don't want Windows Update) grab a copy of Server 2003. Install it on the XP box. Use the other box as a thin client.

Option three: Ditch XP, and use Linux. Unfortunately, you're screwed if you want to use many Windows apps.

Re:Remote assistance

[homer_ca]

Yup, terminal services works great. Just remember to set a strong password on the accounts allowed to remote in. Home users are notoriously lax about choosing passwords. I just wish those home broadband routers could restrict incoming connections by source IP for a little extra security.

Re:Remote assistance

[gothzilla]

The terminal services server combined with roaming profiles works pretty well. I say pretty well because roaming profiles in w2k server has some quirks to it.
A few of my users work from home when they're on call. Roaming profiles + terminal services means they get the exact same desktop/icons/email settings/bookmarks/etc at home that they do at work. Each user gets their own screen that cannot be viewed by any other remote user or even from the server itself. They can even print to their printer at home from an app in terminal services.
An old crappy computer works fine as well since all work is being done by the server while their home machine is just making the connection. I think the minimum requirements are 166mhz cpu and 16 meg ram or something rediculous. This was nice for one really good reason. We had employees practically demanding that the owner buy them computers at home for this. There is no way in hell he was going to buy everyone a computer for home, but since this was work related he knew he had to do something. Of course, we just upgraded our pc's at work so I had all these 350mhz machines laying around...
I made the boss happy that day.

Re:Remote assistance

[DA-MAN]

You can get WinConnect Server XP. It allows Winders XP to have more than user active. You can have up to 21 RDP connections and still be using the desktop. It may not be fast or usable with that much load, but it can be done.

Re:Remote assistance

[WonderSnatch]

How about: http://www.apple.com/remotedesktop/

Re:Remote assistance

[harrkev]

Thanks for the info. But that version is $299. I might as well get an eMachine for that type of money.

I am surprised that nobody makes one for $49.99 (plus the free Ginsu knives and bamboo steamer).

Hint: Great business opportunity for one very skilled coder with too much time!

Re:Remote assistance

[DA-MAN]

There is also a registry hack somewhere that lets you use 1 remote and one local connection. I came across this once. Might want to google

Re:Remote assistance

[DA-MAN]

Go here:
http://sig9.com/articles/concurrent-remote- desktop

Get this file:
http://sig9.com/files/termserv.zip

Multiple Users for free on XP Pro!!!

Re:Remote assistance

[conna01]

This might work http://profiles.indesolutions.com/paul/tech/archiv es/000064.html

Re:VNC

[jessecurry]

why not just turn off ask slashdot for yourself?

Trust

[tonsofpcs]

I use VNC. I do not trust those companies that offer the service of allowing you to log into your own pc remotely, using a password that is stored in their database. But hey, I'm paranoid in that I don't like big corporations having a way to get into my pc.

Re:Trust

[digitalchinky]

I use tightvnc (www.tightvnc.com) - works good over a modem connection.

Re:Trust

[addaon]

Works well, not good. And indeed it does.

Re:Trust

[Dr.Opveter]

You tunnel it with ssh though right? I don't trust network users with my VNC session either.

Re:Trust

[X0563511]

Theres a big problem with VNC on windows.

The password is encrypted in the registry, but the problem is the key is always constant - you can simply do a google search and find the source.

Browse to the key, type it into the program, and it spits the VNC password out.

I don't think versions for other OSes have this issue, but i have tested it both with tightVNC and the latest VNC that you pay for.

All i need is read access to the registry and i got you. When your sitting down at the machine in question (and you know all the others would use the same password) its not hard to nab it.

So, if you use VNC at work on windows machines, look into this problem ASAP.

Re:Trust

[tod_miller]

Yeah tell that to my DSL to DSL this morning. I tried to tightVNC home and check on my torrents, and....

Oh, torrents... I see... as in... raping my bandwidth...

Yeah move along... :-)

tightVNC is cool, and you can access it from a pocketPC vnc client also.

Re:Trust

[tonsofpcs]

For internet-open machines, yes. For local-network machines (firewall blocks incoming data to them on the associated ports), I have no need to.

Re:Trust

[tonsofpcs]

Or you can build from source and put the key where you want it [encrypted even]. But also, if the user has access to the machine to look in the registry, what good is password protecting a remote access routine going to do?

Run VNC over a VPN. (Acronyms!)

[Futurepower(R)]

Set up a VPN, which you need anyway to automate the transfer of files and do automated registry maintenance on Windows computers.

Then run VNC, such as TightVNC or UltraVNC over the VPN. If the VPN is secure, and remote network is not suspect, then VNC over the VPN is secure.

Beware, however, of Netgear's VPN routers. In my experience they are quirky and the technical support is very, very poor.

I have questions myself. What is the best way to form a VPN? What is the best VNC?

If you don't like the story, why comment?

Why do angry people read and post comments to Slashdot stories they don't like?

Do these people complain about having to read the supermarket tabloids just because they are there?

TightVNC 1.3dev6 development version works fine.

[Futurepower(R)]

The article referenced by the Slashdot article, Reverse VNC connection, recommends TightVNC version 1.2.9. However, the TightVNC 1.3dev6 development version is a release candidate, and in my experience works fine.

Read the TightVNC Windows Documentation.

How to do it

1) Compile up a custom UltraVNC server that reads the initial settings (which should be pretty much disabling all listening and ability to accept connections, etc) out of an ini so that it does not prompt the user for a bunch of confusing settings and instead immediately throws up the 'add new client' dialog box (with the form prefilled of course). Also, your custom compile should use the RC4 crypto plugin with some pregenerated keys. It's a little insecure but better than nothing. Bonus points to regenerate the keys on a per-week/day/user basis.

2) Package the whole thing up into one exe with pebundle and upx it for size.

3) Send to your users!

RADMIN always works

[jptechnical]

It isnt free but it ALWAYS works. You can even run it with only 2 files without an install. All you need is r_server.exe and adm(something).dll.

Myself and some other IT workers (different companies) use it constantly. One of the nice features is you can connect through one computer with the open port and bounce to the others in the local lan.

If you haven't tried it you should at least download and install it. It has a 30 day trial and is $35 per 2 computers. You can even install the serial number remotely... when expired it prompts you to enter the install key.

It is so popular it has been featured in worms to make zombies. So when it asks for a password... you better use one! famatech.com

MS Remote Desktop does not allow logging out?

[Futurepower(R)]

Another point: I understand that Microsoft's Remote Desktop does not allow you to log in as another user. Logging out breaks the RD connection. So, you can't log in as administrator, but must ask someone at the remote computer to do that, meaning they must sit there in boredom while you work.

VNC does not have that limitation.

Re:MS Remote Desktop does not allow logging out?

[Curien]

Use the Terminal Services Client (also uses RDP). It allows you to actually log into the machine (starting with a login screen) in a window.

Also, you have heard of runas, right?

Re:MS Remote Desktop does not allow logging out?

[jhoffoss]

You can log in as another user. If the user is not an Admin, s/he must be specified as allowed to connect remotely, done from the same location where you enable the service.

And contrary to what you say, if someone at the console logs in, it logs your remote session out, and vice-versa.

The best alternative for support is the "remote help" functionality of remote desktop. The user requests help, IMs/emails you a file/link that lets you (on an XP workstation) connect remotely and view their session, and they can then give you control. They can interact with the system at the same time, you both have a small chat window, you can show them what you need to, and all they have to do to boot you is hit escape.

Handy for support with folks who don't know computers well and say "what?" when you tell them go to start->settings->control panel.

Not many posts yet...

[windex82]

but no one seems to understand the question.

I'll try to make this as easy to understand as possible. Imagine this scenario...

Your |insert computer illiterate relation| needs help fixing something that VNC'ing into their box would easily fix. However, because you recommended that they put their windows box behind a firewall, which oddly enough they did, leaves you without the ability to easily connect to their machine without yet another couple steps, mainly setting up their firewall to allow you to connect to their machine.

How do some of you make the task of connecting through this firewall easy without the more daunting task of walking them through re-configuring their firewall to forward your request to their desktop. Since, if your walking them through that you could have probably just walked them through the other problem they had, like not knowing whether or not they wanted to continue or cancel what they had been doing. ;)

Re:Not many posts yet...

sounds like the guy who locked his keys and his family inside his car...

Re:Not many posts yet...

[l0rd]

Format c: ?

The level of these ask slashdot questions seem to be dubmed down more and more every week.....

Re:Not many posts yet...

[hbo]

I understand the question, The reverse VNC deal meets the criterea you state. The only tricky part is having them install the server. If you preinstall VNC on the user's machine, then it's a piece of cake, for them: "Double-click on the VNC icon. Type this IP address" and you are done. The tricky stuff is on your end, under your control: forwarding the VNC port through your firewall and setting up the listening VNC client. That's pretty easy, too.

What this lacks is security over the Internet. Adding an SSH tunnel from your family member's machine into your network might be something you could script in advance, but setting it up on the fly would be difficult.

So let's see, I have cygwin on my Mom's machine. I write a script to estalish the tunnel, prompting for the IP address. She's got to type a passphrase for the key, or else I only open up the particular port when I know I'm going to be working with her. The script then fires off the VNC server with the localhost address and port for the forwarded tunnel. I could probably even write a graphical perl script to do the work. (I have a Visual Basic-free household.) That's the ticket, I think.

Re:Not many posts yet...

[jonadab]

> Your |insert computer illiterate relation| needs help fixing something
> that VNC'ing into their box would easily fix. However, because you
> recommended that they put their windows box behind a firewall, which
> oddly enough they did, leaves you without the ability to easily connect
> to their machine without yet another couple steps, mainly setting up
> their firewall to allow you to connect to their machine.

Oooh, let me answer this one. This one's easy:

Since the firewall is an old Pentium 90 running *nix, which I installed and
administer (when it needs any administering, which is not so terribly often),
I just ssh into the firewall, and from there do whatever I need to do across
the LAN.

Re:Not many posts yet...

[stealthyburrito]

You can also add a couple more steps to this to make things easier.

0. Configure TCP/5500 on your firewall to forward to your machine
1. Setup a DynDNS account (or equiv.) to resolve your dynamic IP
2. Walk them through installing RealVNC (just click Next on everything)
3. Manually have them do a reverse VNC connection
4. Once you are connected, create a batch file called "Connect to " on their desktop (right next to the VNC Server icon)

$PATH\winvnc4.exe -connect yourhostname.dyndns.org

5. Now, anytime they need to make a connection, they just click VNC Server, then click "Connect to the Big Eye" or whatever.

Re:Not many posts yet...

[hbo]

I don't want to forward port 5500 to my home box, even on an incident by incident basis. I want my mom to start an encrypted tunnel and enter a passphrase. It's OK if she writes it down, but not OK if she stores it on the computer. With scripting, that makes the process one of launching the Perl/Tk script that prompts for the hostname and/or IP address, and for the passphrase. That's two more pieces of information than your scheme using mydyndns, and one more than the original reverse VNC proposal. But for that I get:

1. No need to open a port in my firewall. (SSH already goes through)
2. End-to-end encryption
3. The ability to make this happen at work.

No, I don't control the firewall at work, but they have an ssh gateway, controlled by hardware token password. So I get on the phone with Mom, and give her the OTP, and bingo!

Actually, I'd just nx back to my home net. No sense in misusing work resources for this.

And the solution is not fully general. Since I'll be forwarding port 5500 over the ssh tunnel to a specific host inside my firewall, that host will have to be known to the script. I could make it easily configurable, though.

SSHTunnel

[malachid69]

I use Putty to make an SSH tunnel for VNC.

SSH is your friend

[agm]

All of my remote access needs are satisfied using ssh. I use NXClient for GUI stuff (when a GUI is needed) and plain old ssh when a GUI is not needed (like when doing a remote "emerge world").

NXClient will do remote X (with or without a remote desktop), RDP, VNC all wit hvery good performance (as long as the latency of the link is low enough).

+1 Funny, insightful

[Curien]

Ghetto moderation in effect.

Since we're being picky...

[Curien]

It should be, "Works 'well', not 'good'," not "Works well, not good."

Re:Since we're being picky...

[digitalchinky]

Is 'well' better than 'good'?

Re:Since we're being picky...

[bryanp]

Is 'well' better than 'good'?

'Well' is grammatically correct in that sentence. Good is not.

Re:Since we're being picky...

[Hell+O'World]

Well, their both gooder then bad.

Re:Since we're being picky...

[R.Caley]

That's all well and good, but what are we going to do about it.

Re:Since we're being picky...

[an_mo]

whatever, ULTRAvnc is better

Re:Since we're being picky...

[fm6]

According to who? (Whom?)

(We need a new mod: -1 language nitpicking. Though maybe "offtopic" covers it.)

GoToMyPC

[freitasm]

Everyone talking about Remote Desktop, Terminal Services, VNC - but these solutions require a port open on the server and firewall.

LogMeIn and GoToMyPC only need an outgoing connection.

I use GoToMyPC, and with a keyphrase plus a one time password automatically generated.

Re:GoToMyPC

[wowbagger]

Everyone talking about Remote Desktop, Terminal Services, VNC - but these solutions require a port open on the server and firewall.

LogMeIn and GoToMyPC only need an outgoing connection.

Which they use to create the same result - a way an incoming connection can be established to your PC.

The only difference is that instead of opening a port on your firewall that you can pick (allowing you to use a non-standard port to raise the bar above the heads of the script kiddies), you use somebody else's computer to control your security.

Somebody you cannot audit.

Somebody who can screw up and comprimise your computer.

Somebody who is a high-profile high-value target for an attacker.

Were I a system administrator, I would null route all of these services at the firewall, and would log any attempt to access them from within my network and kill the connection of the PC that attempted them - then proceed to LART the user that did so in a fashion that would make the BOFH wince. Their main purpose is to allow stupid lusers to do an end-run around the "meeny stupid-head network admin who won't let me access MY computer" (because he is doing his job of maintaining network security).

Folks, any remote access solution involves cracking a hole in your firewall - bar none. You can either admit that to yourself and realise that you must take increased security precautions, or you can delude yourself and ride for a fall.

Radmin doubts

[Futurepower(R)]

I bought 5 copies of Radmin and used them for a while. However, I got nervous because Radmin would leave icons in the system tray when it was not supposed to be running.

Famatech is a Russian company, apparently. What would keep them from installing a back door? Granted, Russians haven't been killing Iraqis, but Russia is a relatively unlawful country.

A back door might be justified by management as a way of insuring that you are using legal copies. A back door might mean that Famatech had access to any password that you used while using Radmin. A back door might mean that a Famatech employee could withdraw funds from your customer's bank account using your customer's computer. I don't have those worries with an open source product like TightVNC.

Also, I found that, as with most companies, the Famatech technical support is poor. They will be glad to give you the easy answers. Ask them something requiring thinking, and they will finesse the question.

An advantage with Famatech is that the technical support is by Russians, and not in India.

Recently I called Famatech recently and got the message, "This service has been temporarily suspended." Two people at Famatech said the service had been restored, but I got the same message again, several times.

However, I found that Radmin did work. But so does the free TightVNC.

Radmin has encryption, TightVNC doesn't. However, that is not a problem if you are running TightVNC over a VPN, which is a very convenient way to do remote maintenance.

It's the old story. Commercial software companies want to limit their quality as a way of maximizing their profits. Open source software just keeps on truckin'.

Runas gets tiring...

[Futurepower(R)]

Runas gets tiring when you have a lot of work to do.

Re:Runas gets tiring...

[Curien]

runas /user:admin cmd
c:\>start iexplore

Now you've got a command prompt and an explorer shell both with admin priveleges. The only thing you've lost versus actually logging in is the Start menu.

Not free, but...

[jbarr]

The Workstation edition of Remotely Anywhere is a VERY solid application. It costs about a hundred bucks, and is for Windows, but it offers excellent remote features including file transfer, remote computer management of resources and services, and full remote desktop control that in my opinion surpasses Microsoft Remote Desktop in speed and function. It uses either Active X, Java, or plain HTML for remoe access providing you maximum flexibility.

It is highly configurable and full of "geekiness" that should please most Windows-based /.ers. It also doesn't blank the host screen or lock the keyboard by default, though it can.

Also, it only works with one host per license, which can be expensive if you manage multiple hosts, but if you are looking for a remote access solution, this is a solid one. It's certainly not a cheap solution, but if you want rock-solid and secure access, Remotely Anywhere is worth a look.

Not affiliated with the company, just using Remotely Anywhere and certaily enjoying it.

Re:Not free, but...

[jbarr]

One thing that I just discovered is that it turns out that LogMeIn.com is owned by 3am Labs who also owns Remotely Anywhere, so they are using the same technology. The free version of Logmein.com provides simple, secure remote connectivity to one host. The "pro" version (which costs a monthly fee) allows full remote control of one host as well as other nice features such as full file transfer capabilities, remote printing, and other features. You can add additional hosts for a reduced fee.

My advice is that if you re-assign the hosted PC frequently, or if you don't need the file transfer or remote printing capabilities, or have a dynamic IP address, then you may want to use the free version of LogMeIn.com, but if you use a dynamic DNS service (such as MyServer.org) and want to manage things yourself, then consider investing in Remotely Anywhere. Unless you are expensing it or can afford it, I don't think I can recommend the fee-based service because the full Remotely Anywhere package will cost you less within a year.

How about dial-up?

[antdude]

Are any of these mentioned softwares suitable for slow dial-up modem connections that average about 3 KB/sec?

I know text mode like SSH, telnet (insecured), etc. is fine, but how about GUI based?

tunneling throught two NATs?

[F�an�ro]

These sollutions all seem to work only if only one side is behind a nat, or if a dedicated third party server is available that both sides can use.

From my rudimantary understanding of tcp/ip, I am wondering if the following would work too:

A and B are behind a NAT or a firewall that blocks all incomming connections.

Asuming A and B have some (inefficient) way to communicate, like email:

- A and B agree on a TCP sequence number and a time per mail.

- Both A and B send a SYN with that number at the defined time. Both SYNs are blocked by the firewall on the other end.

- Both A and B send a ACK with the correspondending sequence number, as if they had received each others SYN. The ACK should not get blocked by the firewall, since it is a response to a previous SYN.

- Both A and B send a SYN/ACK as usual.

Now A and B should have an open TCP connection between them (or two, but since they have the same sequence no. they might be indistinguishable)

As long as they keep it open, it should allow them to communicate despite the firewalls.

Re:tunneling throught two NATs?

[Sexy+Bern]

VNC works perfectly even if both parties are behind a NAT device.

I prefer to set up a shortcut on the start menu for my rels where the command is:

"c:\program files\ultravnc\winvnc.exe" -connect my.dyndns.hostname

My firewall port-forwards TCP/5500 to my desktop PC, where UltraVNC view is running in "Listen mode".

The rel just clicks on "start", then "remote control - bern". Works every time.

Also, I have a few clients/rels where I have an TCP-based OpenVPN tunnel (manual server at my end, service-based client at theirs). I start the server end as/when I know they need assistance. The UltraVNC connection is then "... -connect 192.168.1.2", where 192.168.1.2 is my end of the OpenVPN tunnel. Again, works perfectly every time.

Re:tunneling throught two NATs?

[jonadab]

It's easier to just tunnel through one of the firewalls. From system A, ssh
into the firewall on system B's end, then from there do whatever you need to
do over the LAN to system B. Alternatively, if you're sitting at system A,
shell into your own firewall and temporarily forward a port back to yourself,
which system B can use to connect to you. This can be reasonably secure if
you 1: use a nonstandard port to ward off automated attacks, script kiddies,
and worms, 2: use ssl or somesuch so the traffic is hard to sniff, 3: require
system B to use a password to get into system A, and 4: turn off the port
forwarding when you're not using it, to keep the window of opportunity narrow
for any potential attacker. If you're really paranoid, use one-time passwords.

Re:tunneling throught two NATs?

[gothzilla]

If the syn is blocked by the firewall, then the pc won't know that it ever existed. The ack will look like it came from out-of-the-blue. That is, if the ack makes it through the firewall as well.

Re:tunneling throught two NATs?

[F�an�ro]

If A sends a SYN, it will be blocked by B's firewall, but thats why they have to agree bevorehand about the sequence number and the time to send the ACK.

The following ACK from B should not get blocked, since B'S firewall does not block outgoing packets (Assuming standard nat, and no additional blocks), and A's firewall will see it as the response to the previous SYN from A.

At least that is how i figure it.

Re:tunneling throught two NATs?

[F�an�ro]

But what if you do not have any control over either firewall?
Say, A is you at work, or at a public access point that only offers nat, and B is the person you want to help who has no idea how to configure his router.

UltraVNC - SC

[nafrance]

I had been searching for this for a long time myself, and found...
http://gotovnc.dynalias.com/

Totally recommended. Rudi there has made a package of UltraVNC that is a single exe, no-install system.

Basically, you download a zip file with some configs and bitmaps in, and customise them.
I got a free dyndns alias to use for this purpose.
Then you upload the files, and you get back a 160KB .exe that you can send you your client/brother/friend etc.

They run it, and it establishes a reverse-vnc connection to the server you specify. You have to be running vncviewer in listen mode, natch.

It works a treat, and even has optional encryption and file transfer. A brilliant tool.

I christened mine 'lifejacket' ;)

That is someone's personal scheme.

[Futurepower(R)]

That is someone's personal scheme. It is not connected with Sourcforge, although there is a link to Sourceforge. It is not connected with UltraVNC, apparently.

In this scheme, you give away the password to your UltraVNC sessions, and send the password over the Internet. If you change your IP address, you must go back to that website and disclose again how you plan to connect.

SSH Tunnel how-to

[linuxkrn]

I have two One-way NAT firewalls and a way to get around them. Of course, this requires a machine with a public IP and ssh account to work...

http://www.linuxlogin.com/linux/admin/sshtunnels.p hp

I then use a cron script to check the tunnel at home, if it's down it reconnects so I can always get back into my network at home. I use ssh-keys with ssh-agent to keep my passphrase. The box can then login without a password.
You can foward as many ports as you like and don't need to change your firewall rules. Works great for me!

Tip: use a port number > 1024 so you don't need root access. :)

Note to mods, this isn't redundant since it actually has the how-to in it and not just another "use ssh tunnels."

English grammar

[hummassa]

well: adverb, ie, the kind of word that modifies an adjective or a verb. In casu, the verb is "to work": Something works well. Spanish: "bien"; in casu, "algo funciona bien".

good: adjective, ie, the kind of word that modifies a noun. E.g.: She is a good friend. Spanish: "buen", "bueno", "buena"; "ella es una buena amiga".

Ok?

isn't this hugely risky though?

[RMH101]

opening up the RDP service to the internet? i'm sure you could use ssh etc etc but what'd be really useful is being able to connect to an non-tech savvy users' pc without extra installs on their end...just opening up the ports for RDP on the firewall sounds pretty dangerous...

Free remote admin tools

[stinkydog]

I have my family connect their Windows machines directly to the Internet and to not bother with those pesky security updates. Within an hour, the internet installs all the remote access tools I need. Ftp servers, irc bots and keystroke loggers are just some of the handy tools that come through this way. I have to go, I just got an email about Snow White and I can't wait to check out the attachment.

SD

SSH, VPN, VNC, Remote Desktop, and FreeNX oh my!

[Noksagt]

First, my universal advice: DON'T get in the habit of fixing remote systems for free. It is a huge time-sink & it would be better if you don't foster that dependence. I sometimes fix problems over email or in person for friends/family, but I also usually weasel some free beer out of the deal.

That being said, many have to remotely administer machines for OTHER reasons. Oftentimes, a shell is all that is needed & having OpenSSH is good enough. It is available for win32 too. This can also be used for port forwarding if other daemons are needed.

If you don't need SSH/SFTP & do need a secure connection, setup a VPN. OpenVPN is great:cross-platform, secure, and easy to install. IPSec is still the standard, but I don't bother with it unless I have to (like when my company would buy a hardware implementation). I try to avoid PPTP. It works OK on windows. Not so well on other platforms (poptop does a pretty fair job, though). It also believe it has some known (but, I again believe, still unexploited) security weaknesses.

You hooked on the GUI? I use VNC over VPN or stunnel. I don't really like remote desktop, but if you have to support it put RDesktop on your *nix box. FreeNX is, in many ways, better than both. I like it a lot, but I haven't used it under windows (it can be done & someone might have made it quick-and-easy, but I try to avoid supporting windows machines).

I use TightVNC...

[Slashdot+Junky]

I use TightVNC for remote connectivity, and it works great. All you have to do is initially install, configuure, and place an icon on the desktop for it. You would also need to forward a port(5900 is the default) on the person's firewall to their computer if one is in use. This could enabled and disabled with extra work if you weren't okay with leaving it open. As long the TightVNC server wasn't running, nothing would be listening on the port 24/7 anyway.

In order to connect, you would need to know the user's public IP, and there are different ways to do this. I refer my family members to a webpage I have that displays this. They give it to you on the phone, and I then tell the person to double-click the icon. Out through NAT and back in through NAT works fine for me. It's much easier to drive than to tell the person how to over a phone.

-Slashdot Junky

Re:Run VNC over a VPN. (Acronyms!)

[cloudmaster]

The new (devlopment, IIRC) TightVNCs can transfer files as well as doing the standard "view my desktop" thing.

Other GoTo products better suited

[Anonymous+Commando]

Our company started using GoToMeeting (same company and technology as GoToMyPC), and we're extremely happy with it. We're using it for tech support, training, software installation assistance, sales product demos... oh, and even actual meetings (between our American and Canadian offices, between our office and our "road warrior" sales reps, etc.).

The software allows you to pass screen sharing, keyboard/mouse control, etc. from participant to participant. For our customers, it's a quick download that uninstalls itself after the meeting is over - I believe it tunnels through port 80, I don't think we've run into an instance of a firewall blocking the connection. All the customer needs to know is www.gotomeeting.com and the meeting ID (a 10-digit number, easy to read over the phone, send via e-mail, etc.).

The subscription model (at least at the time we signed up, about 6 months ago now) was on a per-organizer basis ("organizer" being the person who sets up and controls the meeting), with no limits on how many meetings each organizer can hold, or how many participants can be in each meeting. We were originally looking at GoToAssist (same company again, of course), but found GoToMeeting was much more flexible.

If I had one complaint about the service, it would be the speed/latency of the connection - it's about the same as VNC, quite acceptable when everyone involved is on a broadband connection, but somewhat frustrating when working with someone on a dial-up or satellite connection.

Hope that helps.

I dont

I dont assist them because they refuse to ever take my advice:
Jerk: My computer isn't working. Will you fix it?
Me: *sigh* Okay.
(Removes a metric tonne of spyware.)
Me: Dont use IE. Dont install stuff you find on the internet. If you get an email with what looks like a cute or funny app on it, dont run it.
Jerk: *sigh* Okay.
(Two weeks later)
Jerk: My computer isn't working. Will you fix it?

Remote-Anything from TWD Industries

[Sayang]

We evaluated several "remote control" solutions over the last few months and found that Remote-Anything from TWD Industries provided an affordable and easy to use solution. After we configured our server component, clients are able to download a 90k "slave" execuatable when they need help. When executed the slave .exe just runs...there is no install process for the user to go through. We set it up so that it uses port 443 and it seems to work fine through NAT and firewalls on both sides

Re:Run VNC over a VPN. (Acronyms!)

[DustMagnet]

Too many VNCs. I found an FAQ that lists more than I evern knew existed with a short description of each.

NX is your friend!

[Mad_Rain]

The NX software is absolutely wonderful - I could log in to my home linux box in California from my parent's dial-up connection across the country, and the GUI was usable, beautiful, and secure.

However, when I'm behind a bunch of firewalls at work, 20 minutes away, I have a difficult time getting the connection going - So I have a few reservations about fully recommending it for everyone. As soon as I figure out WTH I can do about it, I think it should quickly conquer the world. ;)

Tradeoffs

[fm6]

So instead of trusting a remote-access server company, you trust a vendor of remote access software. If that vendor happens to be Microsoft, that's way more trust than most of us are willing to give. That's not Microsoft-bashing, that's a reasonable response to their shitty record on security issues.

I agree that setting up your own remote access infrastructure, as you describe, is the most secure method -- if you have the expertise to do it right. (Using the method you describe, or something similar.) You do it wrong, and some script kiddie will use your mistakes to take over your computer.

But we're talking about technically-challenged home users seeking help from friends and family members. If they had that kind of expertise, they wouldn't need somebody looking over their shoulder in the first place. For people like that, trusting a company like GoToMyPC or LogMeIn, with a proven track record for good security and respect for privacy, is a reasonable tradeoff. It's not the most security theoretically possible, but its as much security as you'll get without making the application impractical.

Best VPN? OpenVPN

[Noksagt]

I have questions myself. What is the best way to form a VPN?

MS makes their own PPTP VPN fairly easy to work with. But it isn't well-supported on other platforms (things like poptop work OK) & the encryption they use has known weaknesses (though, I don't think there are any exploits out there). I would never use it.

IPSec is probably the "standard." Most hardware implementations use this. There are client/servers on all platforms & encryption doesn't have the same weaknesses. Depending on the implementation, this can be either tedious or non-free to setup.

I like OpenVPN, which uses SSL, is VERY portable, and very easy to use. Plays well with both NAT and dynamic addresses. The only reason to use IPSec, in my opinion, is if there are hardware devices in the way. But OpenVPN is beginning to be found on some devices too.

VPNs

[Ash-Fox]

I let them connect to my VPN server, and then I connect to them based upon what software they got, be it remote desktop, VNC, X etc...

Blocking GoToMyPC

[Nonesuch]

Were I a system administrator, I would null route all of these services at the firewall, and would log any attempt to access them from within my network and kill the connection of the PC that attempted them - then proceed to LART the user that did so in a fashion that would make the BOFH wince. Their main purpose is to allow stupid lusers to do an end-run around the "meeny stupid-head network admin who won't let me access MY computer" (because he is doing his job of maintaining network security).

Although not a replacement for null-routing, GoToMyPC offers a free service where a company can register their Internet address blocks with GoToMyPC as not being permitted to register with the service.

Any attempts to connect to the poll.gotomypc.com server are refused, and queries are redirected to the appropriate contact inside your company.

LogMeIn doesn't have an equivalent free service, they do provide something called "LogMeIn Scout" which claims to scan your network for remote access apps.

Thanks.

[Futurepower(R)]

Interesting.

By keeping their systems unpatched

[malcomvetter]

<attemptedHumour>

Remote connectivity to manage a neighbor's, ahem, family member's machine? Simple. Tell them they don't need those software update thingies. Then overflow their buffer with say the MS04-011 or something of the like, appending desired code to make desired changes, and ... Presto Change-o. It works.

</attemptedHumour>

Re:Run VNC over a VPN. (Acronyms!)

I've been using UltraVNC. It's as fast as TightVNC, and supports the Java downloadable client.

When used with it's own client, you get file transfer as well (over the VNC connection so no additional ports). You can also run it as a service on NT/2K/XP and connect to the remote machine when logged off, reboot and log back in if needed, etc.

Re:Run VNC over a VPN. (Acronyms!)

[maquaro]

I run secure vnc connections over SSH proto version 2 local port redirections.

ssh -L {localport}:{remote machine name/ip address inside netowork}:{remote port} username@firewall's.internet.name

ssh -L 5700:192.168.0.2:5900 sshuser@sshhost.com

It then opens a terminal session on the host running sshd. Keep the window open. Open your vncviewer software client and connect to localhost at port 5700. Viola!.

After the session is finished. Close vncviewer, then type 'exit' in the terminal session.

This gives you the flexiblity to use any port inside your office/offsite network without opening every port under the sun.