Re: VPN connection question

On 09/27/2007 06:06 PM, Patton Echols wrote:

If Patton simply wishes to connect into his home PC from his wireless he
can use a VNC connection. That can be plain or encrypted - I do it all
the time. But if he wants to create an ipsec VPN connection into the
BEFSX41 he'll need to have an ipsec client on the remote side.
Truth is I didn't think much about this possibility. If I wanted to do
just a VNC, how would I do that? Set the Router for port forwarding to
the appropriate machine? Don't I still need an encryption solution?

I guess I'm a bit reluctant for two reasons:
First, since the machines inside are WinXP boxes, I'd need a VNC server
on each one I want to access (just one more thing). But the Terminal
Service Client on my laptop connects natively to the Remote Desktop
built into XP.

Second, again since the machines are XP, I don't really want to have
random port scans forwarded to my XP box. I'm not sure I trust Gates
and Co. to protect those machines. I think (though I suppose I really
don't know) that the VPN opening in my router will be much harder to
crack than my XP desktop.


You could eliminate all of the hassles by just buying a BEFxx41 and
using it at home. That way you let the routers do their work on each end.
Again, make sure that the router's firmware is fully up to date.

For roaming & VNC:

On most XP machines I set up a VPN tunnel into them. However, in
instances where that might be difficult, here is what I do for VNC:

1. Download & install UltraVNC on the XPs. See: http://www.uvnc.com/ (I
don't recommend the beta, just use 1.0.2). Set up the VNC as a service;
that way you'll be able to reboot them and log back in remotely. When
you go home at night, leave the machine on but at the login screen; when
finished, reboot/log out so that it goes back to the login screen, or
shut down so that the machine isn't up and happily chatting away to
anyone else.

2. Set a strong password for the UltraVNCs and change the port numbers
from 5900 and 5800 to some arbitrary non-well-known port that is not
used for any particular service and/or trojan. See:
http://isc.sans.org/port.html?port=5900 and
http://www.iana.org/assignments/port-numbers
This will help to avoid the common script kiddies that scan well-known
ports. It won't stop someone finding the ports, but in combination with
your router firewall it will make it harder. You'll just need to
remember to enter the port number when you VNC into the machine.

3. Set your router to allow connections on that port from a specific FQDN
only.

4. If the BEFSX41 is connected to a dynamic IP, then go to dyndns.org
(http://www.dyndns.com/ - http://www.dyndns.com/services/dns/dyndns/)
and set up a free DDNS. Put that into the DDNS settings in your router
so that you can find your router from home. Do the same for your home
router/machine. You'll need this even when setting up the VPN as well.

5. Download and install UltraVNC client (not server) on your Ubuntu
machine via WINE. The interface is somewhat kludgy under WINE, but
you'll find this handy as UltraVNC has a very nice file transfer
capability that you can use to transfer files back and forth between the
Ubuntu machine and the XP machines. For standard stuff I use the Krdc
interface on the Ubuntu machine and use the UltraVNC interface for file
transfer & chat.

You can experiment with UltraVNC's encryption and/or use SSL via the web
on the alternate of the 5800 port if you wish. But if you use some good
sense, change the port numbers (and change them on a regular basis), and
set up your BEFSX41 firewall properly, you should be OK for standard
in/out sessions without much worry.

I'm sure that other folks will have some good/better suggestions with
SSH/SSL, but that's what I use & so far I've been pretty happy with it.
I much prefer the router-to-router VPN, but VNC works well when I don't
have that setup.

BTW: I'm still planning on doing the kvpnc & racoon testing when I get
access to the remote machine (which I'll krdc/VNC into to do the
testing :-) & I'll definitely post back the results.

Gary
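
Once the UltraVNC port has been moved and a password set (steps 1 and 2 above), it is worth confirming that what the router now forwards still answers with an RFB handshake that demands authentication. The parser below is an added example, not code from the thread or from UltraVNC; it works on the two server messages of the RFB handshake (version banner, then the security-type message the server sends after the client echoes a version) and assumes the caller has already read those bytes from a socket to the forwarded port.

```python
"""Audit the security types a VNC (RFB) server offers on the forwarded port.

Added example, not from the thread: parses the server's version banner and
the security-type message that follows the client's version reply.
"""
import re

# Type numbers from the RFB protocol registry (rfbproto); 1 means no password.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
                  6: "RA2ne", 16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt"}

def parse_version(banner: bytes) -> tuple:
    """b'RFB 003.008\\n' -> (3, 8)."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if not m:
        raise ValueError("not an RFB version banner")
    return int(m.group(1)), int(m.group(2))

def _reason(data: bytes) -> str:
    # Failure payload: u32 big-endian length, then the reason string.
    length = int.from_bytes(data[:4], "big")
    return data[4:4 + length].decode("latin-1", "replace")

def parse_security_types(version: tuple, data: bytes) -> list:
    """RFB 3.3 sends one u32 type; 3.7+ sends u8 count then u8 types.
    Zero in either form means the server refused and a reason follows."""
    if version < (3, 7):
        if len(data) < 4:
            raise ValueError("truncated security type")
        t = int.from_bytes(data[:4], "big")
        if t == 0:
            raise ValueError("server refused: " + _reason(data[4:]))
        return [t]
    if not data:
        raise ValueError("empty security-type message")
    n = data[0]
    if n == 0:
        raise ValueError("server refused: " + _reason(data[1:]))
    if len(data) < 1 + n:
        raise ValueError("truncated security-type list")
    return list(data[1:1 + n])

def assess(banner: bytes, sec_msg: bytes) -> dict:
    """Summarise the handshake and flag type 1 (None), which needs no password."""
    version = parse_version(banner)
    types = parse_security_types(version, sec_msg)
    names = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types]
    verdict = ("RISK: unauthenticated access offered" if 1 in types
               else "ok: every offered type requires authentication")
    return {"version": "%d.%d" % version, "types": names, "verdict": verdict}
```

Run it against your own moved port from outside the LAN: a verdict of "ok" shows the forwarded service still insists on a password, and a refusal reason (for example a host-allow rule on the server) shows up as the ValueError text.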
--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users