SSH Tunnel to Linux Box then VNC to Windows Boxes


SSH Tunnel to Linux Box then VNC to Windows Boxes

Nemo-21
I installed TightVNC on the handful of computers at a church office.  I can sit at one and control any of the others.  Since I live half-an-hour away, I'm looking to do the same from home.  Is there a way to SSH tunnel into a Linux box inside the firewall then forward VNC to any of the Windows boxes on the office network.  I want to open just one port on the firewall to the Linux box.  I'm trying to not use LogMeIn or some-such.
 
Thanks,

NemoM

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
___________________________________________________________
TightVNC mailing list, [hidden email]
To change your subscription or to UNSUBSCRIBE, please visit
https://lists.sourceforge.net/lists/listinfo/vnc-tight-list

Re: SSH Tunnel to Linux Box then VNC to Windows Boxes

Rohit Patil
NemoM, You can forward a port on the router to the ssh server on the Linux box inside the firewall. Then, you can set up an appropriate ssh_config on your VNC client machine to forward ports thro' the ssh tunnel thro' the Linux box inside the firewall to the machines in that network. Be sure to secure your sshd_config on the Linux box.

-Rohit.

On Tue, Dec 11, 2012 at 7:41 PM, Nemo <[hidden email]> wrote:
I installed TightVNC on the handful of computers at a church office.  I can sit at one and control any of the others.  Since I live half-an-hour away, I'm looking to do the same from home.  Is there a way to SSH tunnel into a Linux box inside the firewall then forward VNC to any of the Windows boxes on the office network.  I want to open just one port on the firewall to the Linux box.  I'm trying to not use LogMeIn or some-such.
 
Thanks,

NemoM


RE: SSH Tunnel to Linux Box then VNC to Windows Boxes

Bob McConnell
From: Rohit Patil

> NemoM, You can forward a port on the router to the ssh server on
> the Linux box inside the firewall. Then, you can set up an appropriate
> ssh_config on your VNC client machine to forward ports thro' the ssh
> tunnel thro' the Linux box inside the firewall to the machines in that
> network. Be sure to secure your sshd_config on the Linux box.
>
> -Rohit.
> On Tue, Dec 11, 2012 at 7:41 PM, Nemo <[hidden email]> wrote:
>> I installed TightVNC on the handful of computers at a church office.  I
>> can sit at one and control any of the others.  Since I live half-an-hour
>> away, I'm looking to do the same from home.  Is there a way to SSH
>> tunnel into a Linux box inside the firewall then forward VNC to any of
>> the Windows boxes on the office network.  I want to open just one
>> port on the firewall to the Linux box.  I'm trying to not use LogMeIn
>> or some-such.
 
Does the firewall itself have an option to set up a VPN connection? It is sometimes called a PPTP port. Otherwise, there are a number of tools available to run a VPN server inside the firewall and as Rohit suggests, simply forward one port through the firewall to the machine running that server. But either set it up with pre-shared keys, or use a very good password and change it periodically. Once the open port is discovered, there will be many, many attempts to penetrate it.

Bob McConnell



Re: SSH Tunnel to Linux Box then VNC to Windows Boxes

Dave Ihnat
In reply to this post by Nemo-21
Once, long ago--actually, on Tue, Dec 11, 2012 at 09:41:00PM CST--Nemo ([hidden email]) said:
> I installed TightVNC on the handful of computers at a church office. I
> can sit at one and control any of the others. Since I live half-an-hour
> away, I'm looking to do the same from home. Is there a way to SSH tunnel
> into a Linux box inside the firewall then forward VNC to any of the
> Windows boxes on the office network. I want to open just one port on
> the firewall to the Linux box. I'm trying to not use LogMeIn or some-such.

Others have made recommendations, but I might suggest slightly different
approaches.

First, I don't encourage just setting up one box to receive connections,
and forwarding from that.  You end up "cascading" through two machines,
which--especially depending on your connection speed--can result in a
much-less-than-optimal experience.

First, as a prerequisite for setting any of these models up, you have
to know the addresses of target machines on the LAN.  If you've a DNS
server on the target network, you can use the FQDN if you're connecting
through a properly configured VPN; otherwise either assign static IP
addresses, or if your router/firewall supports it--most do--you can
set each box up for DHCP (except servers) and reserve the IP address that
will be handed out to them.

In order of preference, then, I suggest:

  o Get a business-class firewall appliance that can support VPN--either
    IPSEC or SSL--natively.

This minimizes the complexity and implementation effort, but costs more
than a consumer-grade appliance.  A good example would be something
like a WatchGuard XTM 25.  You could expect to spend on the order of
$400 for such a device.  I've not found any acceptable retail-grade devices
that have worked acceptably, but (of course) new ones are coming on the
market all the time.

The setup then would be to VPN into the firewall, and then run VNC directly
to each device by internal network IP address or FQDN (if supported and
properly set up.)

  o Set up a Linux box as a firewall with OpenSSL.

This reduces the cost--you can use almost any recycled machine to run a
version of Linux--but the complexity is much greater.  You need to install
and configure a Linux distro, configure the server for DHCP, DNS, OpenSSL,
etc.  However, if your time and skill set is adequate, this can save you
several hundred dollars.  Setup and utilization would be the same as for
the dedicated appliance approach described above.

  o Set up a retail-grade box that doesn't support VPN

I've done this quite often, as I support clients, family and friends
who can't afford a business-class appliance, and for whatever reason
can't/won't run a Linux server on site.  It's a bit more tricky, but not
hard.

All retail-grade boxes I've worked with in the past few years allow you to
set up DHCP reservations, or you can assign static IP addresses.
In either case, you forward the port to be used for SSH on each box to its
destination box, which will have to be running a version of SSH.

I recommend you download and install Cygwin (http://www.cygwin.com) on any
Windows-based box; if you've Linux or Apple boxes, you should either
already have SSH installed, or (in the case of Linux) you can install it
from repositories.  (Some will tell you that this is overkill, and for just
doing this, yes, it is.  But especially compared to almost any Windows
package, the full Cygwin distribution is small; the setup program is easy
to use, and makes keeping up-to-date extremely easy; and you have a huge
range of tools available for system maintenance if you wish to use them.
Or you can ignore them.)

Incidentally, I strongly urge you to NOT ever use the default SSH port
22--while some may call it security through obscurity, it's a fact that
almost all scriptkiddie attacks only try that port.  You'll greatly
reduce the number of attacks.  Since you already need to use multiple
ports to support different destination machines, this isn't really a
problem anyway, and all versions of SSH allow you to tell them what port
to listen on.  Select ports that won't be used by anything else on the
machine(s).

So, in this model, let's assume you have 5 machines, MACH1-5.  Set up SSH
on each machine; as an example (that would work), say:

  MACH1: 3221, MACH2: 3222, MACH3: 3223, MACH4: 3224, MACH5: 3225

Forward that port on the firewall to the machine's IP address.

Finally, when you establish the SSH connection, tunnel port 5900 from the
localhost to the same port on the destination.  If you're using a Windows
machine to connect in, get PuTTY:

  http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

It supports setting this up in a menu-driven dialog.  Set up a connection
for each machine.  If you're using Linux, you'll want to create a script
or scripts to do the tunnel setup.

It sounds more complicated than it really is in practice.  Please feel
free to E-Mail me for any clarification or assistance on setting up any
of these approaches.

Cheers,
--
        Dave Ihnat
        President, DMINET Consulting, Inc.
        [hidden email]

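A tunnel script for the per-machine-port model above, added here as an example rather than Dave's own script: it maps MACHn to firewall port 322n and opens a loopback forward to that PC's VNC port. office.example.org and the vnc account are assumptions, and it uses local port 5900+n instead of 5900 so more than one tunnel can be open at once.

```shell
#!/bin/sh
# Added example, not a script from the thread. Assumed names:
# office.example.org (the firewall's public name) and "vnc" (an account on
# each office PC's SSH server). The port table is the one from the post.
OFFICE="office.example.org"
SSH_USER="vnc"

# MACHn listens on firewall port 322n, forwarded to that PC's SSH server.
ssh_port_for() {
    case "$1" in
        MACH1) echo 3221 ;;  MACH2) echo 3222 ;;  MACH3) echo 3223 ;;
        MACH4) echo 3224 ;;  MACH5) echo 3225 ;;
        *) echo "unknown machine: $1" >&2; return 1 ;;
    esac
}

# The post tunnels 5900 -> 5900. Using 5900+n locally lets several tunnels
# stay open at once instead of the second one failing to bind.
local_port_for() {
    n=${1#MACH}
    echo $((5900 + n))
}

# Build the exact ssh invocation (printed, not run) so it can be inspected.
#  -N -f    no remote shell; go to background once the forward is up
#  -L       bound to 127.0.0.1, so nothing else on the home LAN can use it
#  ExitOnForwardFailure  fail loudly instead of leaving a half-working session
#  StrictHostKeyChecking each office PC has its own host key; known_hosts keeps
#           them apart as "[office.example.org]:322n", so a changed key on one
#           port is refused rather than silently accepted
tunnel_cmd() {
    p=$(ssh_port_for "$1") || return 1
    l=$(local_port_for "$1")
    printf 'ssh -p %s -N -f -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -L 127.0.0.1:%s:127.0.0.1:5900 %s@%s' \
        "$p" "$l" "$SSH_USER" "$OFFICE"
}

# Open the tunnel for one machine and start the viewer against it.
connect() {
    cmd=$(tunnel_cmd "$1") || return 1
    echo "+ $cmd"
    sh -c "$cmd" || return 1
    vncviewer "127.0.0.1:$(local_port_for "$1")"
}

# usage: ./vnc-tunnel.sh MACH3
if [ "$#" -gt 0 ]; then
    connect "$1"
fi
```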

Re: SSH Tunnel to Linux Box then VNC to Windows Boxes

Mauricio Tavares-2
In reply to this post by Bob McConnell
On 12/12/12 8:34 AM, Bob McConnell wrote:

> From: Rohit Patil
>
>> NemoM, You can forward a port on the router to the ssh server on
>> the Linux box inside the firewall. Then, you can set up an appropriate
>> ssh_config on your VNC client machine to forward ports thro' the ssh
>> tunnel thro' the Linux box inside the firewall to the machines in that
>> network. Be sure to secure your sshd_config on the Linux box.
>>
>> -Rohit.
>> On Tue, Dec 11, 2012 at 7:41 PM, Nemo <[hidden email]> wrote:
>>> I installed TightVNC on the handful of computers at a church office.  I
>>> can sit at one and control any of the others.  Since I live half-an-hour
>>> away, I'm looking to do the same from home.  Is there a way to SSH
>>> tunnel into a Linux box inside the firewall then forward VNC to any of
>>> the Windows boxes on the office network.  I want to open just one
>>> port on the firewall to the Linux box.  I'm trying to not use LogMeIn
>>> or some-such.
>
> Does the firewall itself have an option to set up a VPN connection? It is sometimes called a PPTP port. Otherwise, there are a number of tools available to run a VPN server inside the firewall and as Rohit suggests, simply forward one port through the firewall to the machine running that server. But either set it up with pre-shared keys, or use a very good password and change it periodically. Once the open port is discovered, there will be many, many attempts to penetrate it.
>
> Bob McConnell
>
How is vnc running on those windows machines? Can you connect to their
vnc from within the church's internal network? If so, you could do
something like

ssh -p port-to-linux-box -L 5911:xp1.lan.church.net:5900 \
    -L 5912:xp2.lan.church.net:5900 -L 5913:xp3.lan.church.net:5900 [hidden email]

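The "one port to the Linux box" setup that Rohit and Mauricio describe, written out as an added example (not code from the thread): a generator for the client ssh_config stanza and for a matching sshd_config Match block on the Linux box that limits the tunnel account to the listed VNC targets. office.example.org, port 2222, the vncjump account and the key file name are assumptions; the xpN.lan.church.net names are the ones used in the command above.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed/hypothetical names:
# office.example.org (firewall's public name), 2222 (the single forwarded
# port), vncjump (tunnel-only account on the Linux box).
JUMP_HOST="office.example.org"
JUMP_PORT="2222"
JUMP_USER="vncjump"

# Constructed inventory: "<name> <internal address>", one office PC per line.
# Line n gets loopback port 5900+n on the home machine.
OFFICE_HOSTS="xp1 xp1.lan.church.net
xp2 xp2.lan.church.net
xp3 xp3.lan.church.net"

# Loopback port the viewer uses for a given PC name (xp2 -> 5902).
viewer_port() {
    p=$(printf '%s\n' "$OFFICE_HOSTS" | awk -v want="$1" '$1 == want { print 5900 + NR }')
    [ -n "$p" ] || return 1
    echo "$p"
}

# Client side: a Host stanza for ~/.ssh/config on the home machine.
# One LocalForward per PC, bound to 127.0.0.1 so nothing else on the home
# LAN can ride the tunnel; key-only auth; fail if a forward cannot bind.
gen_ssh_config() {
    printf 'Host church\n'
    printf '    HostName %s\n' "$JUMP_HOST"
    printf '    Port %s\n' "$JUMP_PORT"
    printf '    User %s\n' "$JUMP_USER"
    printf '    IdentityFile ~/.ssh/church_ed25519\n'
    printf '    IdentitiesOnly yes\n'
    printf '    ExitOnForwardFailure yes\n'
    printf '%s\n' "$OFFICE_HOSTS" |
        awk '{ printf "    # %s\n    LocalForward 127.0.0.1:%d %s:5900\n", $1, 5900 + NR, $2 }'
}

# Server side: a Match block for sshd_config on the Linux box (Rohit's
# "secure your sshd_config"). The tunnel account gets no password login,
# no TTY, only -L style forwards, and only to the VNC port of the listed
# PCs, so a stolen key cannot be used to reach anything else on the LAN.
gen_sshd_match() {
    printf 'Match User %s\n' "$JUMP_USER"
    printf '    PasswordAuthentication no\n'
    printf '    AllowTcpForwarding local\n'
    printf '    AllowAgentForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    PermitTTY no\n'
    printf '    PermitOpen'
    printf '%s\n' "$OFFICE_HOSTS" | awk '{ printf " %s:5900", $2 }'
    printf '\n'
}

# Bring the tunnel up in the background and point the viewer at one PC.
connect() {
    port=$(viewer_port "$1") || { echo "unknown PC: $1" >&2; return 1; }
    ssh -N -f church && vncviewer "127.0.0.1:$port"
}

# usage: ./church-vnc.sh ssh-config | sshd-config | connect xp2
case "$1" in
    ssh-config)  gen_ssh_config ;;
    sshd-config) gen_sshd_match ;;
    connect)     connect "$2" ;;
esac
```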



RE: SSH Tunnel to Linux Box then VNC to Windows Boxes

Bob McConnell
In reply to this post by Dave Ihnat
I would avoid cygwin at all costs. It contains far more problems than solutions.

If you want a good firewall, without spending a lot of money, get an older Pentium grade computer with two NICs and install m0n0wall on it. It does everything suggested, and it has the VPN option built in. I use it at home, although Time-Warner makes it very difficult to access from other segments of their business. I can reach it from the office, but not from my grandchildren's home. All three sites are on T-W.

Bob McConnell

> -----Original Message-----
> From: Dave Ihnat [mailto:[hidden email]]
> Sent: Wednesday, December 12, 2012 10:22 AM
> To: Nemo
> Cc: [hidden email]
> Subject: Re: SSH Tunnel to Linux Box then VNC to Windows Boxes
>
> Once, long ago--actually, on Tue, Dec 11, 2012 at 09:41:00PM CST--Nemo
> ([hidden email]) said:
> > I installed TightVNC on the handful of computers at a church office. I
> > can sit at one and control any of the others. Since I live half-an-hour
> > away, I'm looking to do the same from home. Is there a way to SSH tunnel
> > into a Linux box inside the firewall then forward VNC to any of the
> > Windows boxes on the office network. I want to open just one port on
> > the firewall to the Linux box. I'm trying to not use LogMeIn or some-such.
>
> Others have made recommendations, but I might suggest slightly different
> approaches.
>
> First, I don't encourage just setting up one box to receive connections,
> and forwarding from that.  You end up "cascading" through two machines,
> which--especially depending on your connection speed--can result in a
> much-less-than-optimal experience.
>
> First, as a prerequisite for setting any of these models up, you have
> to know the addresses of target machines on the LAN.  If you've a DNS
> server on the target network, you can use the FQDN if you're connecting
> through a properly configured VPN; otherwise either assign static IP
> addresses, or if your router/firewall supports it--most do--you can
> set each box up for DHCP (except servers) and reserve the IP address that
> will be handed out to them.
>
> In order of preference, then, I suggest:
>
>   o Get a business-class firewall appliance that can support VPN--either
>     IPSEC or SSL--natively.
>
> This minimizes the complexity and implementation effort, but costs more
> than a consumer-grade appliance.  A good example would be something
> like a WatchGuard XTM 25.  You could expect to spend on the order of
> $400 for such a device.  I've not found any acceptable retail-grade devices
> that have worked acceptably, but (of course) new ones are coming on the
> market all the time.
>
> The setup then would be to VPN into the firewall, and then run VNC directly
> to each device by internal network IP address or FQDN (if supported and
> properly set up.)
>
>   o Set up a Linux box as a firewall with OpenSSL.
>
> This reduces the cost--you can use almost any recycled machine to run a
> version of Linux--but the complexity is much greater.  You need to install
> and configure a Linux distro, configure the server for DHCP, DNS, OpenSSL,
> etc.  However, if your time and skill set is adequate, this can save you
> several hundred dollars.  Setup and utilization would be the same as for
> the dedicated appliance approach described above.
>
>   o Set up a retail-grade box that doesn't support VPN
>
> I've done this quite often, as I support clients, family and friends
> who can't afford a business-class appliance, and for whatever reason
> can't/won't run a Linux server on site.  It's a bit more tricky, but not
> hard.
>
> All retail-grade boxes I've worked with in the past few years allow you to
> set up DHCP reservations, or you can assign static IP addresses.
> In either case, you forward the port to be used for SSH on each box to its
> destination box, which will have to be running a version of SSH.
>
> I recommend you download and install Cygwin (http://www.cygwin.com) on any
> Windows-based box; if you've Linux or Apple boxes, you should either
> already have SSH installed, or (in the case of Linux) you can install it
> from repositories.  (Some will tell you that this is overkill, and for just
> doing this, yes, it is.  But especially compared to almost any Windows
> package, the full Cygwin distribution is small; the setup program is easy
> to use, and makes keeping up-to-date extremely easy; and you have a huge
> range of tools available for system maintenance if you wish to use them.
> Or you can ignore them.)
>
> Incidentally, I strongly urge you to NOT ever use the default SSH port
> 22--while some may call it security through obscurity, it's a fact that
> almost all scriptkiddie attacks only try that port.  You'll greatly
> reduce the number of attacks.  Since you already need to use multiple
> ports to support different destination machines, this isn't really a
> problem anyway, and all versions of SSH allow you to tell them what port
> to listen on.  Select ports that won't be used by anything else on the
> machine(s).
>
> So, in this model, let's assume you have 5 machines, MACH1-5.  Set up SSH
> on each machine; as an example (that would work), say:
>
>   MACH1: 3221, MACH2: 3222, MACH3: 3223, MACH4: 3224, MACH5: 3225
>
> Forward that port on the firewall to the machine's IP address.
>
> Finally, when you establish the SSH connection, tunnel port 5900 from the
> localhost to the same port on the destination.  If you're using a Windows
> machine to connect in, get PuTTY:
>
>   http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
>
> It supports setting this up in a menu-driven dialog.  Set up a connection
> for each machine.  If you're using Linux, you'll want to create a script
> or scripts to do the tunnel setup.
>
> It sounds more complicated than it really is in practice.  Please feel
> free to E-Mail me for any clarification or assistance on setting up any
> of these approaches.
>
> Cheers,
> --
> Dave Ihnat
> President, DMINET Consulting, Inc.
> [hidden email]

Re: SSH Tunnel to Linux Box then VNC to Windows Boxes

Dave Ihnat
Once, long ago--actually, on Wed, Dec 12, 2012 at 10:03:59AM CST--Bob McConnell ([hidden email]) said:
> I would avoid cygwin at all costs. It contains far more problems
> than solutions.

That's your opinion, and you're entitled to it, of course.  I'm just
countering that, as a professional with over 35 years experience, I've
found it invaluable and haven't encountered any problems utilizing it.

Several years ago, there were some issues with the OpenSSH implementation
on installation, but I've not encountered that for quite some time.

It is predicated on understanding Unix/Linux-like configuration files and
conventions, but (as with most such) there are a *lot* of tutorials and
guides.  And setting up the SSH is pretty straightforward.

Finally, it's free, and easy to remove if you decide it's not for you.  It
doesn't integrate with Windows, except for installed services (e.g., ssh).
Removal is as simple as "sc delete sshd" and remove the directory.

As always, people can weigh our opinions, do some googling, and make
their decision.

> If you want a good firewall, without spending a lot of money, get
> an older Pentium grade computer with two NICs and install m0n0wall on
> it. It does everything suggested, and it has the VPN option built in.

Not a bad solution--fits into the second option set I mentioned.
One comment--it's FreeBSD-based, but they've totally abandoned traditional
Unix administration, so it's going to be unfamiliar to any Unix admin if
you need to work "under the sheets".  Hopefully, of course, that won't
be necessary.

> I use it at home, although Time-Warner makes it very difficult to
> access from other segments of their business. I can reach it from
> the office, but not from my grandchildren's home. All three sites are
> on T-W.

Hmm...are they blocking IP segments, or just certain ports?

Cheers,
--
        Dave Ihnat
        President, DMINET Consulting, Inc.
        [hidden email]


Re: SSH Tunnel to Linux Box then VNC to Windows Boxes

Nemo-21
In reply to this post by Dave Ihnat
Thanks for all the help.

I have a router Linux box with ClearOS on it at home.  It has OpenVPN as an option.  Took a couple minutes to install and configure.  Now, once I fire up the client on my work computer, I can VNC into any of the computers on my home network.  I'll test it a bit more before deploying to the church office.
