Geekzone: technology news, blogs, forums


104 posts

Master Geek


Topic # 59786 12-Apr-2010 16:19

Hiya,

I have been investigating how to get remote access set up on machines that are outside of our network, and within our clients.

Key points are:

1. All clients at our end are Windows XP
2. Almost all remote machines are Ubuntu 9.04
3. Most, if not all, of these machines are on a small network with dynamic IP
4. Because of 3, most, if not all, of these machines are behind a router, and the public IP is that of the router, NOT the target machine. (Some clients will have multiple machines we need access to with the same IP.)
5. In most cases, we do not have access to internal firewalls and routers at the customer end, and our customers usually lack the know-how to administer them anyway.

I have been through a lot of info online. Especially regarding VNC and using DynDNS. However unless I'm missing something, this approach is impossible due to 4. above.

We have used Logmein for Windows-based machines in the past and this is the flawless solution since all it requires is a small client to be installed (and running) on the target machine, forming a constant connection with the server. Alas, there is no Linux support for this client software.

Can anyone think of a way of gaining remote access to multiple machines behind a router that is given a dynamic IP from any given ISP?

Cheers
Aaron



257 posts

Ultimate Geek
+1 received by user: 83


  Reply # 317416 12-Apr-2010 17:02

Hi

I think the way to go is using a VPN to access the remote network. Not only can you easily access the remote PCs as if you were in the same LAN, but the security is also hugely increased. I would recommend OpenVPN, as it can be easily installed on Linux routers (i.e. Linksys routers with DD-WRT firmware). You may also give the Hamachi VPN network a shot, but the free solution is probably not enough for your needs.



104 posts

Master Geek


  Reply # 317424 12-Apr-2010 17:19

Thanks for your reply. But:

Aaryn015: 

Key points are:

...

5. In most cases, we do not have access to internal firewalls and routers at the customer end, and our customers usually lack the know-how to administer them anyway.

...

We have used Logmein for windows based machines in the past and this is the flawless solution... Alas, there is no Linux support for this client software.


8025 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 317437 12-Apr-2010 17:46

If you do not have access to firewalls and routers at the customer end you will probably have to use a reflector service like hamachi that works over https port 80

Hamachi does have a linux client but the GUI isn't as good as on Windows. There are open source front ends for it though.

Go Hawks!
862 posts

Ultimate Geek
+1 received by user: 46

Trusted
Subscriber

  Reply # 318095 13-Apr-2010 21:49

Aaryn015: Thanks for your reply. But:

Aaryn015: 

Key points are:

...

5. In most cases, we do not have access to internal firewalls and routers at the customer end, and our customers usually lack the know-how to administer them anyway.

...

We have used Logmein for windows based machines in the past and this is the flawless solution... Alas, there is no Linux support for this client software.



You could use the Ubuntu machine to "phone home", i.e. configure the VPNs to dial from the client site back to your office.

You don't mention what you require access to the machines for?  Text or Graphical based applications?
  



104 posts

Master Geek


  Reply # 318263 14-Apr-2010 11:05

Ragnor: If you do not have access to firewalls and routers at the customer end you will probably have to use a reflector service like hamachi that works over https port 80

Hamachi does have a linux client but the GUI isn't as good as on Windows. There are open source front ends for it though.


Well, I don't know what to tell ya. I have a Hamachi Logmein account. I am able to deploy the clients to Windows machines with ease, but when I send a download link to a Ubuntu machine and open it, it says:

"Your operating system is not supported by Logmein Hamachi"

Ideally, virtual desktop is required, but we could probably get away with CLI access. 

8025 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 318294 14-Apr-2010 11:52

Sounds like your only option then is VPN over HTTP, e.g. OpenVPN, and then your remote control/desktop client of choice over the VPN.


29 posts

Geek


  Reply # 319141 16-Apr-2010 00:15

wazzageek: You could use the Ubuntu machine to "phone home"


This is a very good idea. Briefly, here's how you'd go about it:
1) Set up an SSH server at your end listening on $YOUR_PUBLIC_IP:22, and create a locked down user 'client_name' on this machine. On a Linux server, this would involve disabling logon, setting the user's shell to /bin/false etc. Alter the setup as appropriate if you've got a Windows-specific SSH server, or install Cygwin/ OpenSSH server. The standard precautions for running an SSH server on a public IP address apply: disable password based logon (ssh keys only), disable root access, restrict access to only specific users/ from specific IP addresses, etc.

2) Set up an SSH server on your client's computer(s) listening on localhost:22. Create an account 'remote_access_name' for yourself on this machine with whatever privileges you need (member of admin with access to sudo etc.)

3) Your client issues the following command on their machine. If you need to, you can script this for the client:
$ ssh -N -R 2222:localhost:22 client_name@$YOUR_PUBLIC_IP

4) On the machine running the SSH server at your end, you can issue the following command:
$ ssh -p 2222 remote_access_name@localhost

You now have ssh access to your client's machines without needing to punch a hole through their firewall. If you'd prefer VNC access instead, alter step 2 to provide a VNC server running on the client machine, bound to localhost. This method is also secure from the client's point of view, as you can't connect to their machine without them first connecting to you. If you want to connect to multiple client machines at once, simply choose different port numbers for each machine in step 3.

The only drawback I can think of is that you're running a TCP connection through a TCP tunnel. This can be difficult on high latency connections if the flow control windows for each TCP connection get out of sync. Unless you have a wireless internet connection (Vodafone/ Telecom etc.), this shouldn't be a problem.
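
An added example, not part of Rubicon's post: a small helper for the office side of steps 1 and 3 that checks each client machine has its own unprivileged port, then emits a key-restricted `authorized_keys` entry and the matching phone-home command. The inventory, the host name `office.example.net` and the placeholder key are constructed, and it assumes the office server runs an OpenSSH recent enough to support the `restrict` and `permitlisten` key options.

```sh
#!/bin/sh
# Added example (not from the thread). Constructed inventory, one client
# machine per line: "<office-side account> <loopback listen port>".
INVENTORY='acme_pc1 2222
acme_pc2 2223
bobs_shop 2224'

# Succeed only if every port is numeric, unprivileged and used exactly once,
# so two client machines can never compete for the same listener.
check_inventory() {
    printf '%s\n' "$1" | awk '
        $2 !~ /^[0-9]+$/ || $2 < 1024 || $2 > 65535 { print "bad port: " $0; bad = 1 }
        seen[$2]++ { print "duplicate port: " $0; bad = 1 }
        END { exit bad + 0 }'
}

# Print the port reserved for one account; fail if the account is unknown.
port_for() {   # args: inventory, account
    printf '%s\n' "$1" | awk -v a="$2" '$1 == a { print $2; ok = 1 } END { exit !ok }'
}

# authorized_keys entry for the office-side account. "restrict" switches off
# pty, agent and X11 forwarding; port-forwarding and permitlisten then allow
# this key to open only its own loopback listener.
authorized_keys_line() {   # args: port, public key
    printf 'restrict,port-forwarding,permitlisten="localhost:%s" %s\n' "$1" "$2"
}

# Step 3 command for the client machine: keepalives notice a dead tunnel and
# ExitOnForwardFailure makes ssh quit if the listener cannot be opened, so a
# wrapper script on the client can simply restart it.
client_command() {   # args: account, port, office host
    opts='-o BatchMode=yes -o ExitOnForwardFailure=yes'
    opts="$opts -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    printf 'ssh -N %s -R %s:localhost:22 %s@%s\n' "$opts" "$2" "$1" "$3"
}

check_inventory "$INVENTORY" || exit 1
printf '%s\n' "$INVENTORY" | while read -r acct port; do
    authorized_keys_line "$port" "ssh-ed25519 PLACEHOLDER_KEY $acct"
    client_command "$acct" "$port" office.example.net
done
```

Each generated `authorized_keys` line goes in the matching account's `~/.ssh/authorized_keys` on the office server, with the placeholder replaced by that client machine's real public key.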

Go Hawks!
862 posts

Ultimate Geek
+1 received by user: 46

Trusted
Subscriber

  Reply # 319190 16-Apr-2010 07:57

Rubicon:
wazzageek: You could use the Ubuntu machine to "phone home"


This is a very good idea. Briefly, here's how you'd go about it:


(removed the bit about the ssh tunnel).

I would highly recommend using a VPN over ssh tunnels, *unless* access is used extremely rarely.

We used to use ssh tunnels for remote working and the difference in using a VPN (OpenVPN in this case) is extremely noticeable - no more worries about connecting to certain ports, and as soon as you have more than one access requirement, ssh tunneling becomes a bit of a pain.

On top of that, workers from both NZ and Australia are experiencing much better speeds working through the VPN than they ever did with the VPN.  (sftp / ssh, database connections, X Windows sessions are all being handled in this fashion.)

The biggest difference here is that the VPNs will be in "reverse" (client calling you, rather than you calling the client)

You can also set the VPN to "stay up" - i.e. the client needs to do absolutely nothing to have you access the servers.

I'm also running on the assumption that access to the client machines is from a "central" location (or rather, all from the same network) as then you can route the IP range chosen for the PPP connections (effectively that's what the VPN does for you) and then statically assign the clients.

Set up a DNS range within the office for this, and ssh access to the client "Acme" might be as easy as ssh remoteuser@acme.clients

If a web based control panel (webmin?) is installed, then in your browser: https://acme.clients:10000/

If the VPN connection is down, you'll get the standard TCP timeouts.

 The only drawback I can think of is that you're running a TCP connection through a TCP tunnel. This can be difficult on high latency connections if the flow control windows for each TCP connection get out of sync. Unless you have a wireless internet connection (Vodafone/ Telecom etc.), this shouldn't be a problem.


This will only affect realtime applications though, right? I'm thinking VoIP / Video.  SSH/Xwindows/RDP will become sluggish to respond (and in really poor networking connections, drop) - but generally I would expect that the end user won't notice this ...
