LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Old 03-17-2017, 10:17 AM   #1
aikempshall
Member
 
Registered: Nov 2003
Location: Bristol, Britain
Distribution: Slackware
Posts: 896

Remote access


I have an occasional requirement to connect to my company's network, which consists of 4 Windows and 2 Linux machines.

I have a colleague who uses GoToMyPC for Windows-to-Windows access. This method seemingly doesn't need any port forwarding on the router, so I'm not sure how that works.

I've looked at OpenVPN and/or RDP. From what I've read, I'm of the impression that if I go down the OpenVPN route to one of the Linux machines I will have to configure the router. I also understand that I would have to do this for RDP as well.

My first query is: why isn't it necessary to configure the router when using GoToMyPC? How does it work?

Secondly, am I right that if I go down the OpenVPN/RDP route it is a must to configure the router?

Thirdly, would it be safe, once on the Linux machine within the network using OpenVPN, to RDP to any of the Windows machines?

Fourthly, is there another way, such as with ZeroTier or some other product?

What are the pros and cons?
 
Old 03-17-2017, 11:00 AM   #2
jl2035
LQ Newbie
 
Registered: Dec 2012
Posts: 14

Maybe not the answer to your question, but might help:

- For a remote desktop connection to windoz machines I use 2XClient
- For a Linux machine, I love to use ssh
- If you prefer a GUI and are OK with a proprietary method, there is also TeamViewer
 
Old 03-17-2017, 11:22 AM   #3
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

GoToMyPC is a proprietary application, and not one I am familiar with, but if I had to hazard a guess, it probably VPNs back to the service provider and uses a hairpin VPN there.

While a VPN is one option, it isn't the only option. It sounds like you want to set up a single box as a bastion server? If so, perhaps something like tunnelling VNC over SSH might also be an option. Then you would just have to set up a VNC server on one of the boxes and open port 22 on the router, though for most users a VPN might be a simpler option. VNC has to be tunnelled for security reasons.

Once you are on to a bastion box, as long as the bastion box is secure, any connection to an internal network should be safe. The issue is only if the bastion gets compromised.
 
Old 03-17-2017, 03:16 PM   #4
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

GoToMyPC and other similar options (TeamViewer, etc) use the company's servers as a neutral 3rd party. When the remote PC launches the server program, it opens up a connection to the company's server. When you launch your client program, you also connect to the company's server, and are then patched through the tunnel that the server program had opened in order to connect to it.

You could do something similar if you aren't able to modify router settings, assuming your company's rules allow you to open reverse SSH tunnels (check on this; you don't want to get in trouble, and many IT departments consider reverse SSH tunnels a security risk). You'd set up your Linux box at work to open a reverse SSH tunnel to either your home computer or a neutral 3rd-party computer with external SSH access. From home you'd then connect to the Linux box at work through this existing tunnel. For example, from work:
Code:
ssh -R 9999:127.0.0.1:22 user@homeIP -N
Then from your machine at homeIP:
Code:
ssh -p 9999 user@localhost
would connect you through the reverse tunnel to port 22 on your work machine, where the sshd server is listening. You could of course replace 22 with any other port to connect to a different service on your work machine.
 
Old 03-22-2017, 11:50 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,555
Blog Entries: 4

A fairly common Linux strategy is VNC.

But, because Linux uses a client/server GUI strategy, you can actually establish a GUI connection to a remote machine that doesn't even have a video card. The process is much simpler than what has to be done to approximate remote access on Windows.

I would go to the brief trouble of setting up OpenVPN between the two machines, properly secured using tls-auth and digital certificates.

(Do not use "pre-shared keys (PSKs), a.k.a. passwords." )

Now, you will have a cryptographically-strong, reliable connection between the various machines, which you can now use for any purpose. Simply "open the tunnel, and the remote subnet is 'there,'" just as if there was a wire running across the room. But all of the traffic is passing securely through the Internet between two machines that have positively identified one another. No network user perceives that the connection is, in fact, "secure." To them, "it's just a router."

(And, in fact, that's precisely what an OpenVPN tunnel is: "it's a router.")

You will soon discover that such an arrangement is very useful for many purposes, not just "remote access." You'll wonder why you didn't set up OpenVPN a long time ago.

Furthermore, just like the badges you use to get into your building, every certificate is unique, and any certificate can be selectively revoked without affecting anyone else. The set of people or machines who can connect is limited by what they possess, and by the fact that you have not revoked the one-of-a-kind thing that they (alone) possess. You know each one of them by name.

If you use UDP and tls-auth, as you should, then anyone on the Internet who is not authorized will see ... nothing ... at ... all. No "open sockets." No OpenVPN server. No nothing. If until now you've been pestered by "unauthorized access attempts," watch that count drop to zero.

Last edited by sundialsvcs; 03-22-2017 at 11:57 AM.
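A small checker for the OpenVPN advice in the post above (certificates rather than a pre-shared key, tls-auth, UDP, and per-certificate revocation via a CRL), added here as an example and not code from the thread; the sample configs are constructed, and tls-crypt is accepted as the newer equivalent of tls-auth.

```python
"""Added example, not from the post: lint an OpenVPN server config against the advice
above (certificates, not a pre-shared 'secret'; tls-auth; UDP; a CRL). Samples are constructed."""
import re

CERT_DIRECTIVES = ("ca", "cert", "key", "dh")   # needed for certificate-based TLS

def parse_config(text):
    """Map directive name -> list of argument lists; <ca>...</ca> inline blocks count too."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                  # skip PEM lines until </block>
            block = None if line == f"</{block}>" else block
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            directives.setdefault(block, []).append(["<inline>"])
            continue
        if not line or line[0] in "#;":            # OpenVPN comments start with # or ;
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def lint(text):
    """Return findings; an empty list means the config follows the thread's advice."""
    d, findings = parse_config(text), []
    if "secret" in d:
        findings.append("'secret' sets a static pre-shared key; use certificates instead")
    findings += [f"missing '{n}': certificate setup incomplete"
                 for n in CERT_DIRECTIVES if n not in d]
    if "tls-auth" not in d and "tls-crypt" not in d:   # tls-crypt is the newer equivalent
        findings.append("no tls-auth/tls-crypt: unauthenticated packets reach the TLS stack")
    proto = d.get("proto", [["udp"]])[-1]              # OpenVPN defaults to udp
    if proto and proto[0].lower().startswith("tcp"):
        findings.append("proto is tcp: the port answers probes; use udp")
    if "crl-verify" not in d:
        findings.append("no crl-verify: a lost client certificate cannot be revoked")
    return findings

WEAK = "# constructed static-key config\ndev tun\nproto tcp-server\nsecret static.key\n"
HARDENED = ("# constructed certificate-based server\nproto udp\ndev tun\nca ca.crt\n"
            "cert server.crt\nkey server.key\ndh dh2048.pem\ntls-auth ta.key 0\ncrl-verify crl.pem\n")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint(cfg) or "ok")
```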
 
Old 03-22-2017, 12:12 PM   #6
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,441

You may also find that if you've a decent router then it has the ability to act as a VPN endpoint. For example, Fortigate/Fortinet firewall/routers have the ability to use an SSL/VPN client to connect. I've also used these routers with IPsec clients.

If you can terminate the VPN on the firewall/router then you can apply traffic policies at that point and filter traffic before it enters your network.
 
Old 03-22-2017, 12:49 PM   #7
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,112

One of the more interesting ways I've seen this done is where the Linux box has a script, triggered by postfix on receipt of a special email, which sets up the VPN connection to the provided IP address. Unfortunately I don't have the script.
 