104 posts

Master Geek


#59786 12-Apr-2010 16:19

Hiya,

I have been investigating how to get remote access setup on machines that are outside of our network, and within our clients.

Key points are:

1. All clients at our end are Windows XP
2. Almost all remote machines are Ubuntu 9.04
3. Most, if not all, of these machines are on a small network with dynamic IP
4. Because of 3, most, if not all, of these machines are behind a router, and the public IP is that of the router, NOT the target machine. (Some clients will have multiple machines we need access to with the same IP.)
5. In most cases, we do not have access to internal firewalls and routers at the customer end, and our customers usually lack the know-how to administer them anyway.

I have been through a lot of info online. Especially regarding VNC and using DynDNS. However unless I'm missing something, this approach is impossible due to 4. above.

We have used Logmein for Windows-based machines in the past and this is the flawless solution, since all it requires is a small client to be installed (and running) on the target machine, forming a constant connection with the server. Alas, there is no Linux support for this client software.

Can anyone think of a way of gaining remote access to multiple machines behind a router that is given a dynamic IP from any given ISP?

Cheers
Aaron



332 posts

Ultimate Geek


  #317416 12-Apr-2010 17:02

Hi

I think the way to go is using a VPN to access the remote network. Not only can you easily access the remote PCs as if you were in the same LAN, but the security is also hugely increased. I would recommend OpenVPN, as it can be easily installed on Linux routers (i.e. Linksys routers with DD-WRT firmware). Also you may give the Hamachi VPN network a shot, but probably the free solution is not enough for your needs.



104 posts

Master Geek


  #317424 12-Apr-2010 17:19

Thanks for your reply. But:

Aaryn015: 

Key points are:

...

5. In most cases, we do not have access to internal firewalls and routers at the customer end, and our customers usually lack the know-how to administer them anyway.

...

We have used Logmein for windows based machines in the past and this is the flawless solution... Alas, there is no Linux support for this client software.




8035 posts

Uber Geek

Trusted

  #317437 12-Apr-2010 17:46

If you do not have access to firewalls and routers at the customer end, you will probably have to use a reflector service like Hamachi that works over https port 80.

Hamachi does have a linux client but the GUI isn't as good as on Windows. There are open source front ends for it though.

Go Hawks!
1017 posts

Uber Geek

Trusted
Subscriber

  #318095 13-Apr-2010 21:49

Aaryn015: Thanks for your reply. But:

Aaryn015: 

Key points are:

...

5. In most cases, we do not have access to internal firewalls and routers at the customer end, and our customers usually lack the know-how to administer them anyway.

...

We have used Logmein for windows based machines in the past and this is the flawless solution... Alas, there is no Linux support for this client software.



You could use the Ubuntu machine to "phone home", i.e. configure the VPNs to dial from the client site back to your office.

You don't mention what you require access to the machines for?  Text or Graphical based applications?



104 posts

Master Geek


  #318263 14-Apr-2010 11:05

Ragnor: If you do not have access to firewalls and routers at the customer end, you will probably have to use a reflector service like Hamachi that works over https port 80.

Hamachi does have a linux client but the GUI isn't as good as on Windows. There are open source front ends for it though.


Well, I don't know what to tell ya. I have a Hamachi Logmein account. I am able to deploy the clients to Windows machines with ease, but when I send a download link to a Ubuntu machine and open it, it says:

"Your operating system is not supported by Logmein Hamachi"

Ideally, virtual desktop is required, but we could probably get away with CLI access. 

8035 posts

Uber Geek

Trusted

  #318294 14-Apr-2010 11:52

Sounds like your only option then is VPN over HTTP, e.g. OpenVPN, and then your remote control/desktop client of choice over the VPN.


29 posts

Geek


  #319141 16-Apr-2010 00:15

wazzageek: You could use the Ubuntu machine to "phone home"


This is a very good idea. Briefly, here's how you'd go about it:
1) Set up an SSH server at your end listening on $YOUR_PUBLIC_IP:22, and create a locked down user 'client_name' on this machine. On a Linux server, this would involve disabling logon, setting the user's shell to /bin/false etc. Alter the setup as appropriate if you've got a Windows-specific SSH server, or install Cygwin/ OpenSSH server. The standard precautions for running an SSH server on a public IP address apply: disable password based logon (ssh keys only), disable root access, restrict access to only specific users/ from specific IP addresses, etc.

2) Set up an SSH server on your client's computer(s) listening on localhost:22. Create an account 'remote_access_name' for yourself on this machine with whatever privileges you need (member of admin with access to sudo etc.)

3) Your client issues the following command on their machine. If you need to, you can script this for the client:
$ ssh -N -R 2222:localhost:22 client_name@$YOUR_PUBLIC_IP

4) On the machine running the SSH server at your end, you can issue the following command:
$ ssh -p 2222 remote_access_name@localhost

You now have ssh access to your client's machines without needing to punch a hole through their firewall. If you'd prefer VNC access instead, alter step 2 to provide a VNC server running on the client machine, bound to localhost. This method is also secure from the client's point of view, as you can't connect to their machine without them first connecting to you. If you want to connect to multiple client machines at once, simply choose different port numbers for each machine in step 3.

The only drawback I can think of is that you're running a TCP connection through a TCP tunnel. This can be difficult on high latency connections if the flow control windows for each TCP connection get out of sync. Unless you have a wireless internet connection (Vodafone/ Telecom etc.), this shouldn't be a problem.
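The four steps above turned into a small helper script, added here as an example and not code from the thread or from any poster. The client names, the reserved ports, the office address 203.0.113.10 and the sshd_config fragment are constructed placeholders; the authorized_keys options assume OpenSSH 7.2 or later for the "restrict" keyword. The script prints the per-client commands from steps 3 and 4, refuses a client table where two machines share a reverse port (the collision the last sentence of step 4 warns about), and checks an sshd_config text for the precautions listed in step 1, including that GatewayPorts is not switched on, which would expose every reverse port to the Internet instead of leaving it on the office host's loopback.

```shell
#!/bin/sh
# Added example, not code from the thread: turns the four steps above into a
# small per-client helper. Names, ports and the office address are constructed
# placeholders; replace them with your own values.

# Constructed client table, one "ssh_account reverse_port" pair per client
# machine. Each machine needs its own port on the office host (step 3).
CLIENTS='acme 2222
globex 2223
initech 2224'

# Placeholder for the office SSH server's public address (assumed value).
YOUR_PUBLIC_IP=203.0.113.10

# Look up the reverse port reserved for a client account; non-zero if unknown.
client_port() {
    printf '%s\n' "$CLIENTS" |
        awk -v n="$1" '$1 == n { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# Step 3: the command the client runs. -N opens no shell (the account has
# /bin/false anyway) and -R binds the listener on the office host's loopback
# only, because sshd's GatewayPorts defaults to no.
client_command() {
    port=$(client_port "$1") || return 1
    printf 'ssh -N -R %s:localhost:22 %s@%s\n' "$port" "$1" "$YOUR_PUBLIC_IP"
}

# Step 4: the command you run on the office host once the tunnel is up.
office_command() {
    port=$(client_port "$1") || return 1
    printf 'ssh -p %s remote_access_name@localhost\n' "$port"
}

# Two clients on the same reverse port would leave the second tunnel without
# a listener, so refuse a table with duplicate ports.
ports_unique() {
    dups=$(printf '%s\n' "$CLIENTS" | awk '{ print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Step 1: authorized_keys entry for the per-client account at your end.
# "restrict" (OpenSSH 7.2+) removes pty, agent, X11 and forwarding rights;
# "port-forwarding" re-enables only what the tunnel needs.
# The key material is a constructed placeholder.
authorized_keys_line() {
    printf 'restrict,port-forwarding ssh-ed25519 AAAA...PLACEHOLDER_KEY %s\n' "$1"
}

# Step 1 precautions, checked against an sshd_config text: key-only logons,
# no root, and no "GatewayPorts yes" (which would expose the reverse ports
# to the Internet instead of keeping them on loopback).
sshd_config_hardened() {
    cfg=$1
    printf '%s\n' "$cfg" | grep -q '^PasswordAuthentication no' || return 1
    printf '%s\n' "$cfg" | grep -q '^PermitRootLogin no' || return 1
    ! printf '%s\n' "$cfg" | grep -qi '^GatewayPorts[[:space:]]*yes' || return 1
}

# Constructed office sshd_config fragment matching the precautions in step 1.
OFFICE_SSHD_CONFIG='PasswordAuthentication no
PermitRootLogin no
GatewayPorts no
AllowUsers acme globex initech remote_admin'

# Stand-alone use ("sh tunnels.sh show"): print the commands for every client.
if [ "${1:-}" = "show" ]; then
    ports_unique || { echo "duplicate reverse port in CLIENTS" >&2; exit 1; }
    printf '%s\n' "$CLIENTS" | while read -r name port; do
        echo "# $name (office port $port)"
        echo "client : $(client_command "$name")"
        echo "office : $(office_command "$name")"
    done
fi
```

The per-client account at the office end gets only the authorized_keys line printed by authorized_keys_line, so a key leaked from a customer site can open the tunnel and nothing else; the customer-side account from step 2 is the one that carries real privileges, and it is only reachable through a tunnel the customer has started.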



Go Hawks!
1017 posts

Uber Geek

Trusted
Subscriber

  #319190 16-Apr-2010 07:57

Rubicon:
wazzageek: You could use the Ubuntu machine to "phone home"


This is a very good idea. Briefly, here's how you'd go about it:


(removed the bit about the ssh tunnel).

I would highly recommend using a VPN over ssh tunnels, *unless* access is used extremely rarely.

We used to use ssh tunnels for remote working and the difference in using a VPN (OpenVPN in this case) is extremely noticeable: no more worries about connecting to certain ports, and as soon as you have more than one access requirement, ssh tunneling becomes a bit of a pain.

On top of that, workers from both NZ and Australia are experiencing much better speeds working through the VPN than they ever did with the VPN. (sftp / ssh, database connections, X Windows sessions are all being handled in this fashion.)

The biggest difference here is that the VPNs will be in "reverse" (client calling you, rather than you calling the client).

You can also set the VPN to "stay up" - i.e. the client needs to do absolutely nothing to have you access the servers.

I'm also running on the assumption that access to the client machines is from a "central" location (or rather, all from the same network) as then you can route the IP range chosen for the PPP connections (effectively that's what the VPN does for you) and then statically assign the clients.

Set up a DNS range within the office for this, and ssh access to the client "Acme" might be as easy as ssh remoteuser@acme.clients

If a web based control panel (webmin?) is installed, then in your browser: https://acme.clients:10000/

If the VPN connection is down, you'll get the standard TCP timeouts.

Rubicon: The only drawback I can think of is that you're running a TCP connection through a TCP tunnel. This can be difficult on high latency connections if the flow control windows for each TCP connection get out of sync. Unless you have a wireless internet connection (Vodafone/ Telecom etc.), this shouldn't be a problem.


This will only affect realtime applications though, right? I'm thinking VoIP / video. SSH/X Windows/RDP will become sluggish to respond (and on really poor networking connections, drop), but generally I would expect that the end user won't notice this ...
