Connecting to your Office or Home from anywhere Part two
An experience with Reverse Tunnels and Virtual Private Networks over secured networks.
This is like my Zebedee blog. It may simply serve to irritate the IT guru and confuse the novice. It is based on what I found difficult to understand and get going.
This is for logging into your at-work systems so that you can use the work desktops, download and upload files, and use the remote network and gateway. I own my own office so I am only breaking my own rules by using these tunnels. Setting up these tunnels always requires you to go into the office to put on some software such as VNC and the tunneling devices on at least one machine. You have to be able to work on both sides of the firewalls.
The quickest and simplest solution was Hamachi: it can be used as a backup to get to your remote office computer network. The disadvantage is that it can be quite slow, especially if the connection has to be relayed because of difficult firewalls; I have found it a bit slow even in the paid-for version, and it is getting pricey to use.
The advantage of Hamachi is that it tunnels TCP and UDP and all protocols including port 139 so you see all the shared directories of the remote machine. It is two way. Office will see the home files. Hamachi uses an Internet connection TUN/TAP device as do other VPN solutions, but uses a mediation server to find a path between machines. Hamachi does what it says on the tin; it is very easy to set up and finds its way through firewalls. It may not be very secure and you are dependent on a third party to put the tunnels together:- the servers at Hamachi.cc
Hamachi is now superseded by SoftEther VPN http://www.softether.org/
Details of Hamachi in Use up to 2011: Old and Archival!
One computer at work with Hamachi running can allow home access to all shared files at your office on other PCs or VNC to them. With Hamachi you can also reach other computers on the remote network via a single remote machine running Hamachi. This is documented on the Hamachi forums https://forums.hamachi.cc/
Access to other machines on the remote network is achieved by adding a file called override.ini
On your remote network Hamachi machine you will need the registry tweak to allow XP routing:
Each machine on your remote network that is not running Hamachi, but which you wish to access, will need to know the route back to you via the Hamachi adapter machine, so each of these machines needs a manual route command. Use route add -p to ensure the routes are permanent.
You will not be able to reach the router and gateway, unless you can fiddle with the remote router config.
An easier solution to access the rest of your office network. Windows VPN over Hamachi VPN:
A somewhat clumsy and sluggish approach is to run Windows VPN over a Hamachi VPN connection. The advantage is that this way you do not have to fiddle with routing tables. You can give yourself an IP of the remote office site for the Microsoft VPN connection.
To create a Microsoft VPN over Hamachi, go to the remote Hamachi machine and, in its Network Connections, “enable incoming connections”. Make sure you have a log-in ticked that works with incoming connections (blank passwords fail). Set up a small DHCP range using a different network range, but also tick “allow remote user to provide IP”.
At the home end, create a new VPN connection in Network Properties Connection, with the host name set to the Hamachi 5.x.x.x IP of the remote machine at the office.
Put in an unused internal IP address of your remote office network with the correct netmask used by that network in the new VPN connection networking TCP/IP properties.
At this stage it is important to untick the box in the TCP/IP advanced general settings, so as not to use the remote gateway. If you do not do so you will cut off the branch you are sitting on, and cut off Hamachi and all its connections when you connect the Microsoft VPN.
After connecting your Microsoft VPN over Hamachi, you now have an IP address at home as if on the remote network. Typing \\the-ip-of-a-remote-machine in RUN, you should see the remote shared files of a machine on the remote network, without having to fuss with each machine's routing table. If you have remote desktop or VNC running you can log in to any machine on the remote network.
The Ultimate Connection breaking of your firewall:
Connecting to a proxy server based at work, rather than full VPN is usually better for most things such as browsing, but sometimes one needs to be on the same network hence needing full VPN and use of remote gateway by the home machine.
To use the remote office gateway from home via Hamachi one needs to add a static route pointing to Hamachi’s mediation servers on your home system, so that when the Microsoft VPN connects, the Microsoft VPN and your computer can switch to use the remote office gateway without losing Hamachi, on which it is riding. The Hamachi client must always know the route to the Hamachi servers, which is via your local router/gateway, not the remote one. The object is that the remote gateway becomes the default gateway of your home machine when Microsoft’s VPN connects. You need to add the route to the Hamachi mediation server:
route add -p 126.96.36.199 mask 255.255.254.0 IP-of-your-local-router
(These IPs have been changed; they are usually the IPs of bibi.hamachi.cc.)
This will lock down the route to your local network so Hamachi stays up. Hamachi corp may of course change their IP range at any time.
The configuration continues: on your home VPN connection settings you add the DNS of the remote system and tick “use remote gateway”. You can now connect completely as if on the remote machine, using remote IP, remote gateway. Your external IP at home is now that of your remote system’s external IP. It is as if you are at work. The connection can be sluggish, and worse if relayed. You can authenticate yourself as if at the office.
SSH: still important.
Faster methods, or Tunnel only what you
A socks proxy is flexible as it allows you to use Explorer, Firefox, and MSN via the proxy.
I had been using Zebedee to tunnel http://www.winton.org.uk/zebedee/ and a free proxy at my office, but have recently become converted to using SSH for the tunnel. An SSH server is also a SOCKS proxy and can tunnel all ports.
I had not understood that SSH is a whole suite of tools. In my mind SSH was just telnet with added security. Mistake.
An advantage of Zebedee is that it can tunnel UDP connections. SSH is entirely TCP.
One of the problems I had with Zebedee is that it sometimes drops the line in listen mode (for reverse tunnels), which is needed when your office is behind a tight firewall. Zebedee probably needs a script to remake the connections. For direct connections Zebedee is fast and stable.
SSH tunneling is more secure than Hamachi and much faster. You are not dependent on a third party.
You can install SSH on a Windows machine by installing Cygwin http://www.cygwin.com/ and cut-down versions for SSH alone: http://www.securityforest.com/wiki/index.php/SSH_Daemon_-_Setup_with_Cygwin and http://ist.uwaterloo.ca/~kscully/CygwinSSHD_W2K3.html
The simplest solution is to use the Bitvise server and client products. On Linux of course an SSH server comes with it. SSH server at home and SSH client at the office.
I use SSH server on VPS to give me a UK IP address using the socks proxy function of SSH.
Virtual Private Hosted servers (VPS) are now getting very cheap; to me it is well worth the £19 a month. You mainly use it to set up your web pages and email server of course. The server is backed up. And then you can use the VPS as your gateway to work. Its connections are fast in both directions. A hosted VPS gives you a UK IP when abroad if you use it as your own personal proxy or VPN.
Most Linux VPS suppliers do NOT support Virtual Private Networks, as the root access offered does not allow you to add modules (TUN and TAP devices), although the interface provided often does (Plesk). Webfusion only supports VPN on full servers. But partial VPNs with Zebedee and SSH can be effective, fast and useful, and are entirely practical. However I have managed to install SoftEther VPN on both Windows and Ubuntu Linux VPS servers.
Running SSH to connect to your SSH
You can use the portable Putty version for USB sticks and put MyEntunnel and Putty, along with portable Firefox and Thunderbird, on your USB stick. I used Asuite http://sourceforge.net/projects/asuite on my USB stick, which is in effect a launcher; all those programmes boot up on plugging the stick into any machine, including MyEntunnel. I find that more practical than Linux on a stick. So I have my tunnel, browser and email in and out wherever I am.
Set up your Putty to log into your SSH server. First thing you should do is to make keys so you can be rid of password login alone. I was confused for a while as the public key stays on the server and the private key goes on the clients which struck me as the wrong way round. Putty’s Puttygen programme converts the private key for putty. Create a user for your tunnel purposes and keys. You do not need to use keys of course and could test with passwords alone, but one should use keys.
There are many instructions out there on setting up Putty to tunnel: http://linux.justbegun.net/pdf/VNC.pdf
Configure Putty “Tunnels” tab with tunnel Dynamic on port 7070 say, connect and one immediately has access to your SSH server as a socks proxy. Nothing needs doing at the piggy SSH server.
In Firefox put in the SOCKS proxy as localhost 7070 and you will be using your SSH machine as proxy server. Confirm by checking what your IP is, at a site such as http://www.ipaddressworld.com/ The address will be that of the remote server.
This is where MyEntunnel comes into its own. Put a link to MyEntunnel in Startup.
Enable dynamic SOCKS 7070 and… hey presto! You can now use your browser over the remote server's connection. It runs in the background on the taskbar. I use slow polling and disable notifications, otherwise a balloon comes up every time it remakes a dropped connection.
Firewalls restrict incoming connections, but seldom restrict outgoing ones. They seldom block ports 22, 80, or 443 outgoing. They often block port 25 for SMTP of course. You need your office to initialise an outgoing connection to your SSH server, and keep up the outgoing SSH connection to allow you back in.
Reverse SSH tunnel
Make sure you can log into your piggy-in-the-middle or home server with Putty.
On the REMOTE panel of MyEntunnel put something
This means that anything on 4446 on the SSH server end will end up on the workplace machine on port 4445, your office proxy server. Ditto 5930 will end up on your VNC port.
Make sure that /etc/ssh/sshd_config has "GatewayPorts yes" on the mediation piggy SSH server machine (mine is an internet-hosted VPS). If you cannot change that file you need to direct traffic coming in from your home machine to go down these up, by opening new ports for the traffic through:
The home machine MyEntunnel logs into the mediation server piggy
There is now a proxy switcher for Firefox https://addons.mozilla.org/en-US/firefox/addon/125
On that set up VNC localhost 5930 will connect to the remote behind firewall office machine.
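The dynamic SOCKS proxy and the reverse tunnels described above, written as OpenSSH commands rather than Putty/MyEntunnel settings (an added example, not part of the original post). The reverse ports are bound to the SSH server's loopback and reached from home through local forwards, so it works without "GatewayPorts yes", which makes forwarded ports listen on all of the server's interfaces. The account tunnel@vps.example.org and the office VNC port 5900 are assumptions; ports 4445, 4446, 5930 and 7070 are the ones used in the text.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the MyEntunnel set-up in the text.
VPS="tunnel@vps.example.org"   # assumed account on the middle SSH server

# Turn "server_port:office_port" pairs into -R options bound to the
# server's loopback, so they work with the default "GatewayPorts no".
reverse_opts() {
    opts=""
    for pair in "$@"; do
        case $pair in
            *[!0-9:]*|*:*:*|:*|*:) echo "bad pair: $pair" >&2; return 1 ;;
            *:*) ;;
            *) echo "bad pair: $pair" >&2; return 1 ;;
        esac
        opts="$opts -R localhost:${pair%%:*}:localhost:${pair#*:}"
    done
    echo "${opts# }"
}

# Office side: outgoing connection that carries the reverse tunnels.
# 4446 -> office proxy on 4445 (from the text); 5930 -> VNC, assumed on 5900.
office_tunnel() {
    opts=$(reverse_opts 4446:4445 5930:5900) || return 1
    while :; do
        # ExitOnForwardFailure: give up if a port cannot be bound, so the
        # loop retries instead of leaving a session with no tunnels.
        # $opts is deliberately unquoted so it splits into separate options.
        ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
            -o ServerAliveCountMax=3 $opts "$VPS"
        sleep 10   # remake a dropped connection
    done
}

# Home side: SOCKS proxy on 7070 plus local ports that reach the
# loopback-bound reverse tunnels on the server.
home_tunnel() {
    ssh -N -D 127.0.0.1:7070 \
        -L 127.0.0.1:4446:localhost:4446 \
        -L 127.0.0.1:5930:localhost:5930 "$VPS"
}

case "${1:-}" in
    office) office_tunnel ;;
    home)   home_tunnel ;;
esac
```

Run it with the argument office on the work machine and home on the home machine; the browser then uses localhost 4446 as its proxy and VNC connects to localhost 5930.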
SSH reverse tunnels are faster and more stable and more secure than Zebedee for reverse tunnels. I use Zebedee as a backup or for one-way traffic. SSH reverse tunnels are faster than Hamachi relayed VPNs, and may be more secure, and you are not dependent on third parties.
Bitvise installations are great, easier, and work well on Windows. The client also gives SFTP and a terminal window.
Gerard Bulger October 2013