I have occasional requirement to connect to my companies network which consists of 4 windows and 2 Linux machines.

I have a colleague who uses GoToMyPC for windows to windows access. This method seemingly doesn't need any port forwarding on the router - so not sure how that works.

I've looked at OpenVPN and/or RDP. From what I've read I'm of the impression that if I go down the OpenVPN route to one of the Linux machines I will have to configure the router. I also understand that I would have to do this for RDP as well.

My first query is why isn't it necessary to configure the router when using GoToMyPC - how does it work?

Secondly, am I right in that if I go down the OpenVPN/RDP route it is a must to configure the router.

Thirdly, would it be safe once on the Linux machine within the network, using OpenVPN, to RDP to any of the windows machines

Thirdly, is there another way such as with zerotier or some other product.

What are the pros and cons?

Maybe not the answer to your question, but might help:

-For a remote desktop connection to windoz machines I use 2XClient
-For a linux machine, I love to use ssh
-If you prefer GUI and are OK with proprietary method there is also TeamViewer

GoToMyPC is a propitiatory application, and not one I am familiar with but if I had to hazard a guess, it probably VPNs back to the service provider and uses a Hairpin VPN there.

While a VPN is one option, it isn't the only option. It sounds like you want to set-up a single box as a bastion server? If so, perhaps something like tunneling VNC over SSH might also be an option? Then you would just have to set-up a VNC server on one of the boxes and open port 22 on the router, tho for most users a VPN might be a simpler option. VNC has to be tunneled for security reasons.

Once you are on to a bastion box, as long as the bastion box is secure, any connection to an internal network should be safe. The issue is only if the bastion get compromised.

GoToMyPC and other similar options (TeamViewer, etc) use the company's servers as a neutral 3rd party. When the remote PC launches the server program, it opens up a connection to the company's server. When you launch your client program, you also connect to the company's server, and are then patched through the tunnel that the server program had opened in order to connect to it.

You could do something similar if you aren't able to modify router settings, assuming your company's rules allow you to open reverse SSH tunnels (check on this, you don't want to get in trouble, many IT departments consider reverse SSH tunnels a security risk). You'd set up your Linux box at work to open a reverse SSH tunnel to either your home computer or a neutral 3rd party computer with external SSH access. From home you'd then connect to the Linux box at work through this existing tunnel. For example, from work:
Then from your machine at homeIP:
Would connect you through the reverse tunnel to port 22 on your work machine, where the sshd server is listening. You could of course replace 22 with any other port to connect to a different service on your work machine.

A fairly common Linux strategy is VNC.

But, because Linux uses a client/server GUI strategy, you can actually establish a GUI connection to a remote machine that doesn't even have a video card. The process is much simpler than what has to be done to approximate remote access on Windows.

I would go to the brief trouble of setting up OpenVPN between the two machines, properly secured using tls-auth and digital certificates.

(Do not use "pre-shared keys (PSKs), a.k.a. passwords." )

Now, you will have a cryptographically-strong, reliable connection between the various machines, which you can now use for any purpose. Simply "open the tunnel, and the remote subnet is 'there,'" just as if there was a wire running across the room. But all of the traffic is passing securely through the Internet between two machines that have positively identified one another. No network user perceives that the connection is, in fact, "secure." To them, "it's just a router."

(And, in fact, that's precisely what an OpenVPN tunnel is: "it's a router.")

You will soon discover that such an arrangement is very useful for many purposes, not just "remote access." You'll wonder why you didn't set up OpenVPN a long time ago.

Furthermore, just like the badges you use to get into your building, every certificate is unique, and any certificate can be selectively revoked without affecting anyone else. The set of people or machines who can connect is limited by what they possess, and by the fact that you have not revoked the one-of-a-kind thing that they (alone) possess. You know each one of them by name.

If you use UDP and tls-auth, as you should, then anyone on the Internet who is not authorized will see ... nothing ... at ... all. No "open sockets." No OpenVPN server. No nothing. If until now you've been pestered by "unauthorized access attempts," watch that count drop to zero.

You may also find that if you've a decent router then it has the ability to act as a VPN endpoint. For example Fortigate/Fortinet firewall/routers have the ability to use an SSL/VPN client to connect. I've also used these routers with IPSEC clients.

If you can terminate the VPN on the firewall/router then you can apply traffic policies at that point and filter traffic before it enters your network.

1 members found this post helpful.

One of the more interesting ways I've seen this done is the Linux box has a script triggered by postfix on receipt of a special email which sets up the VPN connection to the provided IP address. Unfortunately I don't have the script.

1 members found this post helpful.