Archway Surgery. Archway Development & Consulting Ltd
Prison Services
NHS Organisations impacting Primary Care
Practice Based Commissioning Problems
NatPact Web Site
GP contracts

Archway Development &   Consulting Ltd
54 High Street
Herts HP3 0HJ
Tel 01442 817217
Fax 01442 879647
email here
Registered in England
Company No 3326461
Registered Office
C21 Herbal Gardens
9 Herbal Hill
London EC1R 5XB


Connecting to your Office or Home from anywhere   Part two

An experience with Reverse Tunnels and Virtual Private Networks over secured networks.

This is like my Zebedee blog.  It may simply serve to irritate the IT guru and confuse the novice.  It is based on what I found difficult to understand and get going.

This is for logging into your at work systems so that you can use the work desktops, download and upload files, and use the remote network and gateway.  I own my own office so I am only breaking my own rules by using these tunnels.    Setting up these tunnels always requires you to go into the office to put on some software such as VNC and the tunneling devices on at least one machine.  You have to be able to work on both sides of the firewalls.

Quickest and simplest solution for was Hamachi :  I can be used as a backup to get to your remote office computer network.  The disadvantage is that it can be quite slow, especially if the connection has to be relayed because of difficult firewalls, and I have found it a bit slow even in the paid-for version and is getting pricey to use

The advantage of Hamachi is that it tunnels TCP and UDP and all protocols including port 139 so you see all the shared directories of the remote machine.  It is two way.  Office will see the home files. Hamachi uses an Internet connection TUN/TAP device as do other VPN solutions, but uses a mediation server to find a path between machines.   Hamachi does what it says on the tin; it is very easy to set up and finds its way through firewalls.   It may not be very secure and you are dependent on a third party to put the tunnels together:- the servers at

Hamachi is now superseded by Softetherrvpn

Blog on SoftetherVPN is here

Details of Hamachi  in Use up to 2011:  Old and Archival!

One computer at work with Hamachi running can allow home access to all shared files at your office on other PCs or VNC to them. With Hamachi you can also reach other computers on the remote network via a single remote machine running Hamachi.   This is documented on the Hamachi forums    

Access to other machines on the remote network is achieved by adding a file called override.ini  in
C:\Documents and Settings\{user}\Application Data\Hamachi  the file 
In that file place the one line
RoutedTunneling 1
On your Hamachi machines

On your remote network Hamachi machine you will need the registry tweak to allow XP routing:

In the right pane double click on IPEnableRouter and change its value to 1

Each machine on your remote network which are not running Hamachi, but you wish to access, will need to know the routes via the Hamachi adapter machine back to you, so these machines need manual route command on each of the machines.  Route add –p to ensure it that are permanent.

You will not be able to reach the router and gateway, unless you can fiddle with the remote router config.

An easier solution to access the rest of your office network. Windows VPN over Hamachi VPN:

A somewhat clumsy and sluggish approach is to run windows VPN over a Hamachi VPN connection. The advantage is that this way you do not have to fiddle with routing tables. You can give yourself an IP of the remote office site for the Microsoft VPN connection.
Note that XP only allows for one incoming Microsoft VPN connection at a time.

To create a Microsoft VPN over Hamachi go to the remote Hamachi machine and in its Network Connections to “enable incoming connections”.  Make sure you have a log-in ticked that works with incoming connections (blank passwords fail).  Set up a small DCHP range using a different network range, but also “allow remote user to provide IP”

At the home end, create a new VPN connection in Network Properties Connection with the host name the Hamachi  5.x.x.x IP of the remote machine at the office.

Put in an unused internal IP address of your remote office network with the correct netmask used by that network in the new VPN connection networking TCP/IP properties.

At this stage it is important to untick the tcp/ip advanced general box, so as not to use remote gateway.   If you do not do so you will cut of the branch you are sitting on, and cut of Hamachi and all its connections when you connect the Microsoft VPN.

After connecting your Microsoft VPN over Hamachi, you now have an IP address at home as if on the remote network. In RUN typing  \\the-ip-of-a-remote-machine, you should see the remote shared files of a machine on the remote network, without having to fuss each machines’ routing table.  If you have remote desktop running or VNC running you can login in to any machine on the remote network.

The Ultimate Connection breaking of your firewall:
An extra tweak, totally unsupported by Hamachi, allows you to reach and use the remote gateway using Microsoft’s VPN connection over an Hamachi connection. 

Connecting to a proxy server based at work, rather than full VPN is usually better for most things such as browsing, but sometimes one needs to be on the same network hence needing full VPN and use of remote gateway by the home machine.

To use the remote office gateway from home via Hamachi one needs to add a static route pointing to Hamachi’s mediation servers on your home system, so that when the Microsoft VPN connects, the Microsoft VPN and your computer can switch to use the remote office gateway without losing Hamachi, on which it is riding.   The Hamachi client must always know the route to Hamachi servers, which is your local router/ gateway, not the remote one. The object is that the remote gateway become the default gateway your home machine when Microsoft’s VPN connects.     You need add  the route to Hamachi mediation server:

Route add –p mask  IP-of-your-local-router:  These IPs have been changed: usually the IPs of

This will lock down the route to your local network so Hamachi stay up.   Hamachi corp may of course change their IP range at any time.  

The configuration continues: on your home VPN connection settings you add the DNS of the remote system and tick “use remote gateway”.  You can now connect completely as if on the remote machine, using remote IP, remote gateway.  Your external IP at home is now that of your remote system’s external IP.  It is as if you are at work.  The connection can be sluggish, and worse if relayed.  You can authenticate yourself as if at the office.

SSH : still important.

Faster methods, or  Tunnel only what you need
A full VPN using the remote network not usually needed and can be a sledge hammer to crack a nut.  It is simpler to connect a selection of ports for things like VNC and for web browsing connect to the proxy server at the other end, such as Free Proxy

A socks proxy is flexible as it allows you to use Explorer, Firefox, and MSN via the proxy.

I had been using Zebedee to tunnel  and free proxy at my office, but recently then become converted to using SSH for the tunnel.  SSH server also a SOCKS proxy and can tunnel all ports

See   and  

I had not understood that SSH it is a whole suite of tools.  In my mind SSH was just telnet with added security. Mistake.

An advantage of Zebedee is that it can tunnel UDP connections.  SSH is entirely TCP.

The one of the problems I had with Zebedee is that is sometimes drops the line in listen mode (for reverse tunnels) which is needed when your office is behind a behind a tight firewall.  Zebedee probably needs a script to remake the connections.  For direct connections Zebedee is fast and stable.  

SSH tunneling is more secure than Hamachi and much faster.  You are not dependent on a third party.

You can install SSH on a windows machine by installing Cgwin and cut down versions for SSH alone.  and

Simplest solution is to use Bitvise server and client produts.  On Linux of course SSH server  comes with it. SSH server at home and SSH client at the office.

I use SSH server on VPS to give me a UK IP address using the socks proxy function of SSH.

Using Virtual Private Hosted servers (VPS) are now getting very cheap; to me it is well worth the £19 a month.  You mainly use it to set up your web pages and email server of course. The server is backed up.  And then you can use the VPS as your gateway to work.  Its connections are fast in both directions.  A hosted VPS gives you a UK IP when abroad if you use it as your own personal proxy or VPN when abroad. 

Most Linux VPS suppliers do NOT support Virtual Private Networks, as the root access offered does not allow you to add modules (TUn and TAP devices, although the interface provided often does (Plesk).  Webfusion only supports VPN on full servers.  But partial VPNs can be effective fast and useful with Zebedee and SSH and are entirely practical.   However I have managed to install Softervpn on both Windows and Ubuntu Linux VPS servers.

Running SSH to connect to your SSH server:
 1.  Connecting to use your remote machine as a proxy server: Useful when mobile to use your UK IP, your email servers. Firstly download Putty 
and MyEntunnel
on your home and office machines.  Put the myentunnel files inside Putty’s directory. (Bitvise better now)

You can use the portable Putty version for USB sticks and put myentunnel and putty, along with portable Firefox and  thunderbird on your USB stick.   I used Asuite  on my USB stick which is an effect a launcher;  all those programmes boot up on plugging the stick into any machine, including myentunnel.   I find that more practical than Linux on a stick.  So I have my tunnel, browser and email in and out wherever I am.

Set up your Putty to log into your SSH server.  First thing you should do is to make keys so you can be rid of password login alone.   I was confused for a while as the public key stays on the server and the private key goes on the clients which struck me as the wrong way round.   Putty’s Puttygen programme converts the private key for putty.  Create a user for your tunnel purposes and keys.  You do not need to use keys of course and could test with passwords alone, but one should use keys.

There are many instructions out there on setting up Putty to tunnel:

Configure  Putty  “Tunnels” tab with tunnel Dynamic on port 7070 say, connect and one immediately has access to your SSH server as a socks proxy.  Nothing needs doing at the piggy SSH server.

In Firefox put in the sock proxy as localhost 7070 and you will be using your SSH machine as proxy server.   Check by checking what is your IP such as  The address will be that of the remote server.   However you do not really want to have an open SSH and shell prompt session running to do this.   

This is where MyEntunnel comes into its own.   I put a link to myentunnel in startup.
Copy your key file to keyfile.ppk for meyentunell to use your key yo SSH log in    Bitvise tunerlier is even easier to set up

Enable dymanic  socks 7070 and… hey presto!   You can now use your browser using the remote server’ connection.  It runs in the background on the taskbar.  I use slow polling and disable notifications otherwise a balloon comes up every time it remakes a dropped connection

Reverse tunnels.  
Connecting to your SSH server is all very well, but you really want to connect to your office behind the firewall through this server.  I tended to use using an SSH server on the internet as a mediation server, piggy in the middle.  Use your SSH server as a pig in the middle connecting two or more machines behind their respective firewalls, but you might as well set the SSH server up on the home machine.  I had clients at home and office connecting via my SSH server on the internet.

Firewalls restrict incoming connections, but seldom restrict outgoing ones.  They seldom block ports 22, 80, or 443 outgoing.   They often block port 25 for SMTP of course.   You need your office to initialise and outgoing connection to your SSH server, and keep up the outgoing SSH connection to allow you back in.

Reverse SSH tunnel
Assume you want to connect to your remote office machine and network.  You have a proxy server running at the office (Free Proxy) and VNC or remote desktop.   Set up an http proxy on port say port 4445.  I assume you also have VNC running on the office machine on 5900

Make sure you can log into your piggy in the middle or home server or with putty. 

Then on the REMOTE panel of MyEntunnel put something like this 

This means that anything on 4446 on the SSH server end will end up on the workplace machine on port  4445, your office proxy server. Ditto 5930 will end up on your VNC port.

Check that /etc/sshd.config has "GatewayPorts yes" on the mediation Piggy SSH server machine (mine is an internet hosted VPS).  If oyu cannot  change that file you need to direct traffic coming in from your home machine to go down these paths opened up, by opening new ports to for the traffic through:
ssh –L 4445:localhost:4446 –f –N –g root@localhost
ssh –L 5931:localhost:5930 –f –N –g root@localhost

On the home machine MyEntunnel logs into the medication server piggy machine: 
In the LOCAL of MyEntunnel panel I put
5913:localhost:5913      (allows VNC to the remote machine
5930:localhost:5930       (allows VNC to the remote machine running MyEntunnel
6110:emailserver:110    (so I can use my  email server from anywhere)    (so I can use my  SMTP server from anywhere)

There is now a proxy switcher for Firefox

On that set up VNC localhost 5930 will connect to the remote behind firewall office machine. 

SSH reverse tunnels are faster and more stable and more secure then Zebedee for reverse tunnels. I use zebedee as a backup or for one way traffic.   SSH reverse tunnels are faster than Hamachi relayed VPNs, and may be more secure, and you are not dependent on thrid parties.

Bitvise installations great, easier and work well on windows.   The client also gives SFTP and a terminal window. 

Gerard Bulger                                                                                   October 2013