LinuxQuestions.org
Old 06-07-2015, 12:03 PM   #1
JKostaRibeiro
Member
 
Registered: Jul 2014
Posts: 70

Rep: Reputation: 2
Remote desktop access between two different networks


Sometimes I have to help my momma with her linux operating system.
Everything was simple if I could access her computer.
The computers are in two different networks.
Is this possible?

Last edited by JKostaRibeiro; 06-10-2015 at 10:16 AM.
 
Old 06-07-2015, 01:27 PM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Quote:
Originally Posted by JKostaRibeiro View Post
Sometimes I have to help my momma with her linux operating system.
Everything was simple if I could access her computer.
The computers are in two different networks.
Is this possible?
Her computer is probably behind an internet router. You need to ensure that this router is configured with port-forwarding. Then you can forward a port (for instance: 22222) on your mother's Internet IP address to the SSH port of her computer (port 22).
That enables you to set up an SSH connection to your mother's computer. You can use that SSH session to tunnel any traffic, for instance a graphical X session. Myself, I install VNC (for instance tigervnc) on computers that I need to manage remotely and then I make sure a VNC server is running on that remote computer. The VNC viewer runs on my own computer and the VNC traffic is tunneled through the SSH connection.
 
2 members found this post helpful.
Old 06-08-2015, 12:09 PM   #3
JKostaRibeiro
Member
 
Registered: Jul 2014
Posts: 70

Original Poster
Rep: Reputation: 2
Her router is already configured with port-forwarding for ssh (port 22) and vnc (port 5900). Mine too.
If I start krdc on my computer and I try to connect through vnc with private ip, 192.168.x.xxx, I get this message: "Server not found".
On the other hand, if I insert public ip, I am successful.
Is this the right behaviour of krdc since the two computers are in different networks or should I be able to connect by private ip too?
 
Old 06-08-2015, 12:43 PM   #4
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 8,792

Rep: Reputation: 6656
Private IPs are just that, private. They are not accessible on a public network and are reserved for private (read: internal) use. You'll never find a public-facing computer/router that has an address starting with 192.168.*.* since it is one of the reserved ranges (172.16.*.* - 172.31.*.*, and 10.*.*.* are also private ranges).

Private IPs are typically given out by a router and are only accessible to computers that are connected to that router. For any connection from outside that network, the correct port forwarding would need to be set up in the router, and then you'd use the public IP to connect to the router, and then the router will forward that connection to the correct private IP.
 
2 members found this post helpful.
Old 06-08-2015, 12:51 PM   #5
JKostaRibeiro
Member
 
Registered: Jul 2014
Posts: 70

Original Poster
Rep: Reputation: 2
Understood.

Thanks to Alien Bob and bassmadrigal
 
Old 06-08-2015, 04:37 PM   #6
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Exposing the VNC server port on the internet is never a good thing. VNC traffic is unencrypted; you should be tunnelling it through SSH. Please disable the port forwarding of that VNC traffic.
Also, if you are port forwarding SSH, the port on the public IP address should not be 22, or you'll be swamped by brute force crackers trying to break into every public SSH server.

Better is to use a different public port, like 22222, and forward that to port 22 on your mother's computer.

Suppose your mother's IP address is 1.2.3.4 and port 22222 is forwarded to the SSH port of her computer. She is running VNC server on port 5901 on that computer (only Windows VNC servers are listening on 5900 usually).

First, log in from your OWN computer to your mother's computer using SSH while at the same time creating a tunnel for VNC traffic:

$ ssh -p 22222 -L 5991:localhost:5901 yourname@1.2.3.4

Now your SSH tunnel is listening at port 5991 on your OWN computer's loopback address. Connect your VNC viewer to it:

$ vncviewer localhost:91

And voilà! You are connecting to your mother's VNC server through an SSH-secured encrypted Internet tunnel.
 
5 members found this post helpful.
Old 06-10-2015, 10:13 AM   #7
JKostaRibeiro
Member
 
Registered: Jul 2014
Posts: 70

Original Poster
Rep: Reputation: 2
Now, I can't establish any connection to my momma's computer. Not with krfb/krdc or with ssh or with telnet.

On my mother's computer I allowed ssh, telnet and vnc.
I did the same on mine.

Some output:

krfb/krdc:

I get "server not found".

SSH:

Code:
[user@hostname ~]$ ssh -p 22222 -L 5991:localhost:5900 myuser@my_momma's_public_ip_adress
ssh: connect to host my_momma's_public_ip_adress port 22222: Connection timed out

Tigervnc:

Code:
[user@hostname ~]$ vncviewer localhost:91

TigerVNC Viewer 64-bit v1.4.3
Built on: 2015-04-13 23:04
Copyright (C) 1999-2014 TigerVNC Team and many others (see README.txt)
See http://www.tigervnc.org for information on TigerVNC.

Wed Jun 10 16:00:33 2015
 CConn:       unable connect to socket: Connection refused (111)
[user@hostname ~]$ sudo vncviewer localhost:91
[sudo] password for user: 

TigerVNC Viewer 64-bit v1.4.3
Built on: 2015-04-13 23:04
Copyright (C) 1999-2014 TigerVNC Team and many others (see README.txt)
See http://www.tigervnc.org for information on TigerVNC.

Wed Jun 10 16:00:46 2015
 CConn:       unable connect to socket: Connection refused (111)
Telnet:

Code:
 $ telnet my_momma's_public_ip_adress
Trying my_momma's_public_ip_adress...
telnet: Unable to connect to remote host: Connection refused

Last edited by JKostaRibeiro; 06-10-2015 at 10:17 AM.
 
Old 06-10-2015, 10:30 AM   #8
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 8,792

Rep: Reputation: 6656
Have you verified her public IP? Many internet providers will change them after a few days. If this is the case, it might be worth setting up dynamic DNS, like http://duckdns.org, which has a quick line you can add to your cron jobs which will check the public IP and then, if needed, update duckdns's server. You could choose your own subdomain name for free... something like http://moms-public-ip.duckdns.org
 
1 members found this post helpful.
Old 06-10-2015, 10:31 AM   #9
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
You did forward the external port 22222 on your mother's Internet router to the port 22 of your mother's computer?

And where you typed "my_momma's_public_ip_adress" you are actually substituting her public IP address in the command?

The ssh command contains "-L 5991:localhost:5900" but on Linux the vncserver will not be listening on port 5900 but on 5901 (the first available port) because X.Org will be in the way. The Windows vncserver does not have that problem... Windows does not run X.Org. There will not be a vncserver listening on that remote port 5900 on your mother's computer.

Also the sudo is not needed at all.
 
1 members found this post helpful.
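Posts #6 and #9 together define three numbers that must agree: the ssh -L spec, the address given to the VNC viewer (TigerVNC treats a number below 100 as a display, 5900+N, and anything else as a raw port, so localhost:91 is 5991), and the port the Linux vncserver actually listens on (:1 is 5901). The following added example, not code from the thread or from OpenSSH/TigerVNC, models those conventions and reports the mismatch in post #7, where the tunnel was aimed at 5900:

```python
from dataclasses import dataclass
from typing import List

VNC_BASE_PORT = 5900  # Xvnc display :N listens on TCP 5900+N


@dataclass(frozen=True)
class Forward:
    """One OpenSSH -L/-R argument, [bind_address:]port:host:hostport."""
    bind_address: str   # "" means ssh's default (loopback unless GatewayPorts is set)
    listen_port: int    # where the tunnel listens (your own side for -L)
    target_host: str    # resolved on the far side of the tunnel
    target_port: int


def parse_forward(spec: str) -> Forward:
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad forward spec: {spec!r}")
    return Forward(bind, int(port), host, int(hostport))


def vnc_display_port(display: int) -> int:
    """vncserver :1 -> 5901, :2 -> 5902 (post #9: Linux does not use 5900)."""
    return VNC_BASE_PORT + display


def viewer_target_port(target: str) -> int:
    """TigerVNC viewer rule: 'host:N' is display N when N < 100, otherwise N is
    a raw port. 'localhost:91' -> 5991, '127.0.0.1:55901' -> 55901, bare host -> 5900."""
    _host, sep, num = target.rpartition(":")
    if not sep:
        return VNC_BASE_PORT
    n = int(num)
    return vnc_display_port(n) if n < 100 else n


LOOPBACK = ("", "localhost", "127.0.0.1")


def check_tunnel(forward_spec: str, viewer_target: str, server_display: int) -> List[str]:
    """Return the mismatches between the ssh -L spec, the viewer target and the
    vncserver display; an empty list means the three agree."""
    fwd = parse_forward(forward_spec)
    problems = []
    if fwd.bind_address not in LOOPBACK:
        problems.append(
            f"tunnel listener bound to {fwd.bind_address!r}; keep it on loopback "
            "so only your own machine can reach the unencrypted VNC side")
    want = viewer_target_port(viewer_target)
    if want != fwd.listen_port:
        problems.append(f"viewer connects to port {want} but the tunnel listens on {fwd.listen_port}")
    have = vnc_display_port(server_display)
    if fwd.target_port != have:
        problems.append(f"tunnel targets remote port {fwd.target_port} but vncserver :{server_display} listens on {have}")
    return problems


if __name__ == "__main__":
    # Post #6 (consistent) versus post #7 (tunnel aimed at 5900, where nothing listens)
    print(check_tunnel("5991:localhost:5901", "localhost:91", 1))   # []
    print(check_tunnel("5991:localhost:5900", "localhost:91", 1))
```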
Old 06-10-2015, 10:32 AM   #10
JKostaRibeiro
Member
 
Registered: Jul 2014
Posts: 70

Original Poster
Rep: Reputation: 2
bassmadrigal,

I checked her public ip with herself, before trying to establish connection.

Alien Bob,

I'm at home. Later I will go to my momma's home and I will double check this.

Last edited by JKostaRibeiro; 06-10-2015 at 10:41 AM.
 
Old 06-10-2015, 12:40 PM   #11
Gerard Lally
Senior Member
 
Registered: Sep 2009
Location: Leinster, IE
Distribution: Slackware, NetBSD
Posts: 2,177

Rep: Reputation: 1761
@JKostaRibeiro

Connections refused and connections timing out indicate that the firewall on your mother's computer and/or the packet filter on her router are not configured to allow SSH and VNC connections. You need to set up port forwarding on her router; you also need to allow SSH connections to pass through the router and her computer's external network adapter. It's better not to allow public VNC connections. Do what Eric said: route VNC through an SSH tunnel.

In brief, this is how you set up a standard SSH tunnel:

1) allow SSH through the firewall on your mother's router;
2) allow SSH through the firewall on your mother's computer;
3) set up port forwarding on your mother's router so that SSH is forwarded from the external interface of the router to her computer.

There are some third-party alternatives which make all this easier - Teamviewer for example - but if you're like me you might prefer not to have these remote sessions routed through a middleman. I have another way of setting up tunneling VNC through SSH if you can't get this working. The advantage of this method is that it is done in reverse: you configure the firewalls and port forwarding at your end. Your mother doesn't have to go near any of this.

The above is a standard SSH tunnel setup; below is how you set up VNC through a reverse SSH tunnel:

1) set up an account on your own computer slackware01 for your mother, and create a public/private key pair with ssh-keygen so that she can log in to your computer securely. (If the remote user is reasonably competent they can create the public/private key pair themselves and send the public key to you by email. - this is the preferred way of doing it.)
Code:
root@slackware01# useradd -m momma && passwd momma
Code:
jkosta@slackware01$ su - momma
Code:
momma@slackware01$ ssh-keygen -t rsa -b 4096
Save the private key as momma_rsa and the public key as momma_rsa.pub.

2) Add the public key to her authorized_keys file in /home/momma/.ssh/
Code:
momma@slackware01$ mkdir ~/.ssh && cat momma_rsa.pub >> ~/.ssh/authorized_keys && chmod 0600 ~/.ssh/authorized_keys
3) Configure the firewall on your router and on your computer slackware01 to allow SSH to pass. Enable port forwarding on your router to forward SSH to slackware01. To minimize confusion I am going to assume you configure sshd on slackware01 to listen on 22022 instead of the standard port 22. This is specified in /etc/ssh/sshd_config. Make sure you adjust the firewall on the router and slackware01 accordingly; in other words, make sure your router allows traffic on port 22022 to pass and forwards this traffic to your computer. Make sure as well that netfilter/iptables on your computer is not blocking port 22022.

4) If you created the public/private key pair on your computer then transfer the private key momma_rsa to a USB memory stick or CD; don't leave it on your own computer. Bring it to your mother next time you visit; under no circumstances should you email it to her or send it over the public wire by any other means. Make sure you can log in to momma on slackware01 from your mother's computer slackware02, using the private key:

Code:
momma@slackware02$ mv /media/usb_drive/momma_rsa /home/momma/.ssh/ && chmod 0400 ~/.ssh/momma_rsa
Code:
momma@slackware02$ ssh -vv -p 22022 -i ~/.ssh/momma_rsa momma@slackware01
OK - that's the first part; you should now have public/private key SSH working and you should be able to log in to your home computer slackware01 from your mother's computer slackware02 without a password. If you can, then it is advisable to disable password authentication on your home computer slackware01, and while you're at it, disable root logins as well:

Code:
# vi /etc/ssh/sshd_config

#PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication no
Code:
/etc/rc.d/rc.sshd restart
5) Now for the second part: connecting securely from a VNC client on your computer to a VNC server on your mother's computer by adding reverse tunneling to this SSH setup. First, install a VNC server on your mother's computer: I have always had success with TightVNC.

6) Create the following small script on momma's computer slackware02:

Code:
#!/bin/sh

# script name: support.sh

ssh -R 55901:localhost:5901 -i ~/.ssh/momma_rsa -p 22022 -vv momma@slackware01-ip-address

######################################
#
# -R creates a reverse SSH tunnel
#
# 55901 is the port on slackware01 she will open when she runs this
# script
#
# 5901 is the port on slackware02 that the TightVNC server will be
# listening on
#
# -i specifies the identity file we created earlier. This allows
# your mother to log in to slackware01 securely.
#
# 22022 is the port sshd is listening on at slackware01; there is no
# need for a SSH server on slackware02
#
# -vv adds some verbosity so that if there are errors you can see
# where it's failing
#
# slackware01-ip-address is your own IP address; it might be easier
# for your mother if you just set up dynamic DNS if your public IP
# address is not static
#
#####################################
7) Make the script executable:
Code:
momma@slackware02$ chmod +x support.sh
8) Now when you return home this is what your mother has to do:

open a terminal and start the VNC server; no need for 24 or 32 bit colour.

Code:
momma@slackware02$ vncserver -kill :1; vncserver -depth 15
This should kill any lingering vncserver sessions at :1 and create a new session at :1 (port 5901)

Then she runs the support.sh script

Code:
momma@slackware02$ ./support.sh
This will create a SSH tunnel to your computer and open port 55901 there. You can then open a VNC client at your end and connect to this port on localhost. The reverse SSH tunnel created by your mother means you will be routed to the VNC server listening on port 5901 at your mother's end.

Code:
jkosta@slackware01$ vncviewer -compresslevel 0 -quality 0 -depth 15 127.0.0.1:55901
It looks complicated but take it one step at a time and it will work for you. The beauty of this method is that the person at the remote end doesn't need to know anything about port forwarding or firewall configuration. Just find a way of getting the private key to them securely, set up the scripts on their PC and you handle all the awkward port forwarding and firewall stuff at your end.

Last edited by Gerard Lally; 06-11-2015 at 05:55 PM. Reason: It appears more clarifications are needed
 
3 members found this post helpful.
Old 06-10-2015, 04:19 PM   #12
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2750
An additional finesse would be to have a cron job, run as root, on momma's computer that periodically runs this script.
Code:
#!/bin/sh

# Script to start a reverse ssh tunnel to a remote host
# It is intended that this script runs periodically as a cron job.

# $REMOTE_USER is the user name on the remote system
REMOTE_USER="<remote user name>"
# $REMOTE_HOST is the name of the remote system
REMOTE_HOST="<remote host name>"
# command to get REMOTE_HOST IP - Internal DNS can be slow to update
REMOTE_HOST_IP=$(dig @8.8.8.8 $REMOTE_HOST +short)
# $REMOTE_CONNECT_PORT is the port number to connect to on the remote system
REMOTE_CONNECT_PORT="<port on remote host that accepts SSH connection>"
# $REMOTE_LOGIN_PORT is the remote port number that will be used to tunnel
# back to this system
REMOTE_LOGIN_PORT="<port on local host that accepts remote SSH connection>"
# $ID_FILE is the identity file on local host to use to authenticate
ID_FILE="/path/to/id_file"

# $COMMAND is the command used to create the reverse ssh tunnel
COMMAND="ssh -q -N -f -p $REMOTE_CONNECT_PORT -R :$REMOTE_LOGIN_PORT:localhost:22"
COMMAND=$COMMAND" -o ServerAliveInterval=60 -o TCPKeepAlive=no"
COMMAND=$COMMAND" -i $ID_FILE $REMOTE_USER@$REMOTE_HOST_IP"

# Is the tunnel up? Perform two tests:

# 1. Check for relevant process ($COMMAND)
pgrep -fx "$COMMAND" || $COMMAND

# 2. Test tunnel by looking at "netstat" output on $REMOTE_HOST
ssh -p $REMOTE_CONNECT_PORT -i $ID_FILE $REMOTE_USER@$REMOTE_HOST_IP 'netstat -atn' 2>&1 \
  | grep "tcp.*:$REMOTE_LOGIN_PORT.*LISTEN" \
  > /dev/null
if [ $? -ne 0 ] ; then
   pkill -fx "$COMMAND"
   $COMMAND
fi
For this to work you will need to do the key exchange as pointed out by gezley. (This is the ID_FILE in the script).
Your home computer (the REMOTE_HOST in the script) will need a URL that can be looked up by DNS. I happily use a dynamic DNS address from https://freedns.afraid.org/.
Your home modem/router will need to forward the incoming port (the REMOTE_CONNECT_PORT in the script) to your home computer.

The above script is useful to me as it will try to maintain an open tunnel.
If your home IP address changes, you can easily update the dynamic DNS address.
If the tunnel goes down due to an enforced IP address change by your ISP, you may need to stop and then restart the sshd daemon on your home computer so that the tunnel will re-establish.

Last edited by allend; 06-10-2015 at 04:21 PM.
 
2 members found this post helpful.
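The second test in the cron script above greps `netstat -atn` for `tcp.*:$REMOTE_LOGIN_PORT.*LISTEN`, which is a substring match: a port whose digits merely contain the login port (22022 when looking for 2202), or a port in the Foreign Address column, would count as a live tunnel and the restart would never happen. The following added example (not allend's script, not from any project) does the same health check column by column and returns the action the cron job should take; the netstat output is constructed for the example:

```python
import re
from typing import Set, Tuple

# Constructed `netstat -atn` output for the home machine (not captured from a
# real host). sshd listens on 22022; the reverse tunnel, when up, listens on 2202.
SAMPLE_UP = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22022           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2202          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22022      203.0.113.7:51234       ESTABLISHED
tcp6       0      0 :::22022                :::*                    LISTEN
"""
# Same host after the ISP dropped the line: the ssh client on the far side may
# still be running, but the 2202 listener is gone.
SAMPLE_DOWN = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22022           0.0.0.0:*               LISTEN
tcp6       0      0 :::22022                :::*                    LISTEN
"""


def naive_grep_is_up(netstat_output: str, login_port: int) -> bool:
    """The script's test, grep "tcp.*:$REMOTE_LOGIN_PORT.*LISTEN", as a regex.
    Substring matching lets 22022 satisfy a search for 2202."""
    pat = re.compile(rf"tcp.*:{login_port}.*LISTEN")
    return any(pat.search(line) for line in netstat_output.splitlines())


def listening_sockets(netstat_output: str) -> Set[Tuple[str, int]]:
    """(local address, port) pairs in LISTEN state, read column by column so
    neither the Foreign Address column nor a longer port number can match."""
    found = set()
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp"):
            continue  # banner, header, or a UDP line
        local, state = cols[3], cols[5]
        if state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")
        found.add((addr, int(port)))
    return found


def tunnel_is_up(netstat_output: str, login_port: int) -> bool:
    return any(port == login_port for _, port in listening_sockets(netstat_output))


def decide(ssh_running: bool, tunnel_up: bool) -> str:
    """Mirror the script's two tests: no ssh process -> start it; process present
    but no listener on the far side -> kill the stale one and restart."""
    if not ssh_running:
        return "start"
    return "ok" if tunnel_up else "restart"


if __name__ == "__main__":
    for name, sample in (("up", SAMPLE_UP), ("down", SAMPLE_DOWN)):
        print(name, "grep:", naive_grep_is_up(sample, 2202),
              "parsed:", tunnel_is_up(sample, 2202),
              "->", decide(True, tunnel_is_up(sample, 2202)))
```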
Old 06-10-2015, 06:27 PM   #13
JKostaRibeiro
Member
 
Registered: Jul 2014
Posts: 70

Original Poster
Rep: Reputation: 2
Here is port forwarding on my momma's router:

Code:
Local Host    Protocols                    Status
HOST          SSH - TCP 22222 -> 22        Active
HOST          VNC - TCP 5901 -> 59001      Active
There is no firewall in my momma's computer.

Then I run:

Code:
$ ssh -p 22222 -L 5991:localhost:5901 user@momma's_public_ip
And I get:

Code:
ssh: connect to host momma's_public_ip port 22222: Connection timed out
Once I establish connection with:

Code:
Local Host    Protocols                    Status
HOST          SSH - TCP Any -> 22          Active
HOST          VNC - TCP 5901 -> 59001      Active
But this is not safe, is it?

Last edited by JKostaRibeiro; 06-10-2015 at 06:39 PM.
 
Old 06-10-2015, 07:51 PM   #14
Gerard Lally
Senior Member
 
Registered: Sep 2009
Location: Leinster, IE
Distribution: Slackware, NetBSD
Posts: 2,177

Rep: Reputation: 1761
Quote:
Originally Posted by JKostaRibeiro View Post
Here is port forwarding on my momma's router:

Code:
Local Host    Protocols                    Status
HOST          SSH - TCP 22222 -> 22        Active
HOST          VNC - TCP 5901 -> 59001      Active
There is no firewall in my momma's computer.

Then I run:

Code:
$ ssh -p 22222 -L 5991:localhost:5901 user@momma's_public_ip
And I get:

Code:
ssh: connect to host momma's_public_ip port 22222: Connection timed out
Once I establish connection with:

Code:
Local Host    Protocols                    Status
HOST          SSH - TCP Any -> 22          Active
HOST          VNC - TCP 5901 -> 59001      Active
But this is not safe, is it?
OK let's go back to basics here, because I am not sure you have a clear picture of what is supposed to be happening. Your VNC forwarding seems to be backwards, from what I can see.

If you want to establish a standard SSH tunnel, not a reverse tunnel, to your mother's computer, and route a VNC connection through that tunnel, here's what you need to do:

1) Configure her router's firewall so that traffic on port 22222 is allowed to pass.

2) Configure her router so that traffic arriving at port 22222 on the router is forwarded to port 22 on her computer. If the internal IP address of her router is 192.168.1.1 and her computer's address is 192.168.1.100 then you need to forward port 22222 on the router to port 22 at 192.168.1.100. It goes without saying she needs the SSH daemon running on her own computer and listening at port 22. You say there is no firewall on her computer so that part can be ignored.

3) Get your mother to start a VNC server but don't open VNC ports on her router. It is insecure and there is no need. The first time she starts a VNC server it will usually bind to port 5901; if she starts a second VNC instance it will bind to 5902; and so on.

4) Establish the SSH tunnel to her computer from your own computer, and make sure VNC traffic is routed through this tunnel:

Code:
ssh -vv -p 22222 -L 55901:127.0.0.1:5901 user@momma-public-ip
What this does is it creates an encrypted tunnel to her computer. Her router is now allowing traffic on port 22222 to pass and it is also handling the forwarding of this traffic from port 22222 on its public IP address to port 22 on her computer's internal IP address, so all you need to worry about is making a connection to her public IP address at port 22222 and the router will take care of the rest. While her router looks after this forwarding, SSH itself looks after the VNC forwarding: by creating the forwarding rule above you are telling SSH on your own computer to accept connections on local port 55901 and forward them to port 5901 on the remote computer, where a VNC server is waiting. In other words, you should not configure VNC ALLOW or FORWARD rules on her router; just let SSH handle VNC.

5) Finally, connect to the VNC server on her computer, through the SSH tunnel you created above:

Code:
vncviewer 127.0.0.1:55901
Your VNC client will connect to port 55901 on your own computer, where SSH is now listening. SSH will understand that this traffic should be forwarded to port 5901 on the remote computer, where VNC is listening. Bingo, we have lift-off.

Last edited by Gerard Lally; 06-10-2015 at 07:59 PM.
 
3 members found this post helpful.
Old 06-11-2015, 03:40 AM   #15
Loomx
Member
 
Registered: Sep 2012
Distribution: Slackware
Posts: 184

Rep: Reputation: Disabled
@gezley - that is a great, step-by-step description of ssh tunnelling! Nicely done :-)
 