Connecting to your Office or Home from anywhere
I learnt the hard way how to set up connections between our homes and offices. This detailed instruction set outlines my difficulties in getting to grips with the problems of doing so. It may help some people starting similar projects. It may irritate those who know a lot and confuse those who do not.
There are many ways to connect home and office and to control remote machines.
My first method was to make tunnels with Zebedee. I think I have got my head around its features. It is free, fast and pretty secure (especially if you set up your own private keys). It transmits encrypted data in a tunnel on a port of your choice. It secures and tunnels VNC and RealVNC, so you can control your office computer from home as if you were in front of it. You do not need LogMeIn to do that. It can work in reverse mode so that you can connect through tight office firewalls.
LogMeIn bought a VPN product called Hamachi, which was an excellent mini VPN tool. However LogMeIn has been damaging it ever since, and upgrades and new pricing structures make it lose its appeal. You are dependent on their mediation server, and connections can be terribly slow.
There is no need to deploy Hamachi now; I leave the paragraphs about it below as an archive.
Hamachi with VNC means that you no longer need the original LogMeIn product. You can upload and download files as well as control the remote desktop. It is very useful as the back door that lets you set up faster direct alternatives such as Zebedee or SSH tunnels.
If you have access to the routers at both home and office it is easier to set up a direct Zebedee connection, or for that matter other VPNs. The more usual scenario is that you can control your home firewall but cannot control your office firewall. Zebedee copes with both scenarios. Hamachi was much simpler to set up, but will not offer such a fast service.
The disadvantage of the LogMeIn products is that they can cost you if you want to access your files (although Hamachi was, until SoftEther VPN, the best of them and was free), they can be a little slow, and they can be clunky. You are dependent on a third party, a commercial company. Hamachi/LogMeIn were excellent backup systems that allowed you to control your PC if your other entry points failed, or if you needed to switch something on, such as Zebedee in its listen mode if you had firewall problems. LogMeIn remains a useful tool that lets you set up and configure both ends of your Zebedee tunnel without wasting petrol. Once Zebedee is running you will not use the LogMeIn products much at all, but now SoftEther VPN is simply less bother all round.
Zebedee: Neil Winton's instructions for his wonderful little programme (just 600kb) are good, but horrid for novices, as he does not mention the obvious (obvious to him and others, that is). I set this out as a supplement to his instructions. My instructions are not complete, and may not be accurate, so you are warned. They just emphasise the points that it took me a while to appreciate. I am a doctor (GP), not an IT guru.
What it does, stating the obvious: Zebedee opens IP ports on your home machine, and whatever you send to those ports is carried across the internet, encrypted, to the office. The command zebedee 23:myofficeinlondon.dynu.com:23 tells the home machine to listen to itself on local port 23 (telnet) and to send whatever arrives there, encrypted, over the internet on port 11965 to your office machine. You connect to your office machine by sending data to ports on your LOCAL home machine. The tunnel does what it says: telnet localhost, and up pops your remote login (assuming Zebedee and a telnet server are running at the other end!). Zebedee wraps up whatever you send on whatever ports you specify, encrypts it, sends it over the internet on port 11965 and unwraps it at the other end. The telnet session itself is still in the clear, but only between you and Zebedee on your own machine and between Zebedee and the telnet server at the office end; the internet leg is inside the encrypted tunnel.
Router and firewalls: In this blog I use the word "home" to mean where you are sitting (the client, in the jargon) and "office" (the server) to mean the place you want to connect to. For standard connections your office router needs to forward port 11965 to the office machine running Zebedee in server mode, but you can choose another port for Zebedee to use to get through firewalls. Zebedee's default is to send data across the internet on port 11965. You can set Zebedee to use any port number you like, provided it does not clash with your other ports in use and you can set the office firewall to accept it. You change the port Zebedee uses over the internet with the -T option (or serverport in a config file).
zebedee -T 2712 23:myofficeinlondon.dynu.com:23 will transmit the data using port 2712, and the router at the other end must forward port 2712 to the machine running Zebedee in server mode. You never want to open port 23 on the firewall, or indeed any of the well-known ports below 1024: the only thing exposed to the internet should be Zebedee's own encrypted server port. In the above example Zebedee is listening for traffic inside your home machine on port 23 and spits it out as port 23 at the other end. The router only needs to pass a port such as 2712 (or 11965) through to the office machine running Zebedee in server mode.
At the office end Zebedee needs to be serving, waiting for remote connections:
zebedee -s -T 2712 internal-ip-address-of-office-machine-you-wish-to-use:23
You can list ports and ranges of ports to be tunnelled. You can also change ports, listening on one port and spitting the data out on another.
Proxy server and port changes: zebedee 8080:my-office-in-london-by-IP-or-domain-name:6588 would listen on port 8080 locally and transmit the data to my office (on port 11965, as that is the default transmission port, aka server port). You can use this as a proxy server: set your browser to use a proxy server called localhost (or the local IP of your home machine, the same thing) on port 8080. It would reach your real proxy server on your office machine on port 6588. Zebedee itself can connect to the outside world via proxy servers using another option; see Winton's instructions.
Redirection: Zebedee's server mode (receiving, at the office) can pass data on to other machines, which need not be running Zebedee. zebedee -s -T 2712 internal-ip-address-of-office-machine:23 means just that: you can redirect port 23 (now unencrypted, at the office end) to any machine your office machine can reach. So either you put the office machine itself in the server command line, zebedee -s -T 2712 localhost:23, or you put in whatever machine or domain name you want it to reach, usually within your office network: zebedee -s -T 2712 the-local-ip-address-of-the-machine-in-the-next-door-room:23. That will now be ordinary unencrypted traffic on your office network on port 23. As far as the destination in the room next door is concerned, the port 23 connection comes from the local network, from the machine with Zebedee running on it, not from the remote home machine or the internet. So no clever routing is required to reach another machine on your office network. The flip side is that anyone who can get through your Zebedee server port gets that same foothold inside the office LAN, which is why the keys and IP checks in Winton's instructions matter.
At home, with Zebedee running in the background, the command telnet localhost does the following: the telnet programme uses port 23; the outgoing connection is accepted by Zebedee listening locally on port 23 and transmitted over the internet on port 2712 to my office router. My office router directs port 2712 to a Windows machine which has Zebedee in server mode waiting on port 2712. The office Windows Zebedee then redirects port 23, my telnet traffic, to my office UNIX machine in another room at the office. On the home machine up pops my remote UNIX server's login prompt. Meanwhile Mr Gibson at www.grc.com finds my firewall perfect and "stealth".
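To make the journey above concrete, here is an added example in Python, not Zebedee's code and not from Neil Winton: a bare TCP forwarder that does the listen-and-relay part of the Zebedee client and server in one process, with a stand-in echo service playing the office telnet server. It deliberately has no encryption, no keys and no IP checks; the point is to show that the connection the office service sees is a fresh one originating from the relay's own address, which is why no special routing is needed on the office network. It runs offline against 127.0.0.1 with kernel-chosen ports, and the payload is made up for the example.

```python
"""Bare TCP port forwarder in the shape of the Zebedee relay described above,
minus the encryption: listen on a local port and, for each connection, open a
fresh connection to the target and copy bytes both ways. Added example, not
Zebedee's code. EchoServer stands in for the office service (the telnet server
on port 23 in the text) and records the address each connection comes from.
"""
import socket
import threading


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class _Server:
    """Listening socket with an accept loop on a daemon thread."""
    def __init__(self, bind_addr, port):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((bind_addr, port))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]      # real port when port was 0
        threading.Thread(target=self._loop, daemon=True).start()

    def _loop(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                          # listener closed
                return
            threading.Thread(target=self.handle, args=(conn, peer), daemon=True).start()

    def close(self):
        self.sock.close()


class Forwarder(_Server):
    """'zebedee LOCAL:target:REMOTE' at home plus the server end, in one process."""
    def __init__(self, bind_addr, local_port, target):
        self.target = target
        self.relayed_from = []      # our own source address for each relayed connection
        super().__init__(bind_addr, local_port)

    def handle(self, client, peer):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:              # target down: drop the client, as a relay must
            client.close()
            return
        upstream.settimeout(None)
        self.relayed_from.append(upstream.getsockname())
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        client.close()
        upstream.close()


class EchoServer(_Server):
    """Stand-in for the office service: echoes bytes and records who connected."""
    def __init__(self, bind_addr="127.0.0.1"):
        self.peers = []
        super().__init__(bind_addr, 0)

    def handle(self, conn, peer):
        self.peers.append(peer)
        _pump(conn, conn)
        conn.close()


def round_trip(payload=b"hello office\r\n"):
    """client -> Forwarder -> EchoServer and back; returns (echoed bytes, address the
    office side saw, the forwarder's outgoing address, the client's own address)."""
    echo = EchoServer()
    fwd = Forwarder("127.0.0.1", 0, ("127.0.0.1", echo.port))
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            client_addr = c.getsockname()
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)   # done sending; now wait for the echo and EOF
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
    finally:
        fwd.close()
        echo.close()
    return b"".join(chunks), echo.peers[0], fwd.relayed_from[0], client_addr
```

round_trip() returns the echoed bytes plus three addresses: the address recorded by the echo server is the forwarder's outgoing socket, not the client's own socket. In the real setup that relay address is the office Zebedee machine's LAN address, and Zebedee adds the encrypted leg between the two halves that this example leaves out.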
If you want information on encryption keys and IP checking read Neil Winton’s instructions!
Multiple instances: Zebedee can be run many times on the same machine. A single Zebedee instance can redirect different ports to different machines. I found that rather confusing, so I am not inclined to use that feature, preferring to have different instances of Zebedee using different "transmission ports" (serverports, -T) when redirecting ports to different machines. That way one can redirect identical port numbers to different machines. It may be wasteful doing it that way, but the one machine in the office with Zebedee server instances running is not doing much else apart from running my mail server.
Command line or config files: Zebedee can either take its instructions from the command line or from a config file, called up with zebedee -f file. In Windows you do not usually need the -f, as the Zebedee installer makes Windows associate the .zbd extension with Zebedee. You make/edit config files ending in .zbd and they run when clicked or left in Startup. To edit a .zbd file you then have to right-click or shift-right-click and open it with WordPad. I find the -f option useful when running Zebedee from a USB stick with ASuite.
For some reason I often set up home machines with command-line instructions and the server end with Zebedee config files. Two server.zbd shortcuts sit in Startup on the office machine so they run as the machine reboots. You can also set up Zebedee as a service.
Start playing: It is best when first playing with Zebedee to open a command prompt window, sit in C:\Program Files\Zebedee and type in your Zebedee commands, or run .zbd files with detached false and verbosity 5 so that you see the errors. Once you have the command syntax right and it works, create a shortcut to Zebedee on your desktop using your working syntax. Edit the properties of your shortcut and put the command parameters after the closing inverted comma. You can then copy the working shortcut to the Startup folder. Here is an example of the Target line in the properties of a shortcut:
"C:\Program Files\Zebedee\zebedee.exe" -b 172.21.204.229 -T 2712 20-23,1024,3000-3010,3306,139:myofficeatwork.dnsalias.net:20-23,1024,3000-3010,3306,139
That means: force Zebedee to listen only on local IP 172.21.204.229 (in fact a loopback adapter), transmit over the internet on port 2712, listen on 172.21.204.229 for the listed ports, and spit them out at the other end on the same port numbers as they went in. The list before the host name and the list after it must contain the same number of ports, as they are paired up in order.
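As an added worked example (my own, not Neil Winton's code and not part of the original instructions), here is a small Python checker for the tunnel specification syntax used in that shortcut: it expands the port lists and ranges, pairs local ports with remote ports in order, and flags the things that bite (mismatched list lengths, a local port listed twice, the serverport clashing with a tunnelled port, and port 139 needing the loopback-adapter bind). The two-field form host:port, meaning the same port at both ends, is handled on the assumption that Zebedee accepts it; the warning texts and the host names in the checks are made up for the example.

```python
"""Expand and sanity-check a Zebedee-style tunnel specification.

Added example, not part of Zebedee or of this page. It models the command-line
syntax used above, localports:host:remoteports, where each port list is
comma-separated and may contain from-to ranges. The two-field short form
host:port (same port at both ends) is handled on the assumption that Zebedee
accepts it. The warning texts are this example's own.
"""
from dataclasses import dataclass
from typing import List, Tuple


def expand_ports(field: str) -> List[int]:
    """Turn '20-23,1024,3000-3010' into an explicit, ordered port list."""
    ports: List[int] = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty entry in port list {field!r}")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"reversed range {item!r}")
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"ports out of range: {bad}")
    return ports


@dataclass
class TunnelSpec:
    host: str
    pairs: List[Tuple[int, int]]   # (port Zebedee listens on at home, port it targets at the office)


def parse_tunnel_spec(spec: str) -> TunnelSpec:
    """Parse [localports:]host:remoteports; local and remote lists are paired in order."""
    parts = spec.split(":")
    if len(parts) == 2:             # host:port, same number at both ends (assumed short form)
        host, remote = parts
        local = remote
    elif len(parts) == 3:
        local, host, remote = parts
    else:
        raise ValueError(f"expected [localports:]host:remoteports, got {spec!r}")
    if not host:
        raise ValueError("target host is empty")
    lp, rp = expand_ports(local), expand_ports(remote)
    if len(lp) != len(rp):
        raise ValueError(f"{len(lp)} local ports but {len(rp)} remote ports in {spec!r}")
    return TunnelSpec(host=host, pairs=list(zip(lp, rp)))


def review_spec(spec: TunnelSpec, server_port: int) -> List[str]:
    """Things worth knowing before putting the spec into a Startup shortcut."""
    warnings: List[str] = []
    local_ports = [lp for lp, _ in spec.pairs]
    if server_port in local_ports:
        warnings.append(f"serverport {server_port} is also a local tunnel port")
    if server_port < 1024:
        warnings.append(f"serverport {server_port} is in the well-known range; "
                        "make sure nothing at the office already listens there")
    if len(set(local_ports)) != len(local_ports):
        warnings.append("a local port appears twice; only the first binding can succeed")
    if 139 in local_ports or 445 in local_ports:
        warnings.append("file-sharing port tunnelled: bind Zebedee to a loopback-adapter "
                        "address (-b), Windows already has 139 bound on all addresses")
    return warnings
```

parse_tunnel_spec on the shortcut's own spec gives 18 port pairs, all mapping a port to itself, and review_spec with serverport 2712 returns only the loopback-adapter reminder for port 139; a spec such as 443:office.example:443 with serverport 443 trips both the clash and the well-known-port warnings.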
VNC and Zebedee: Neil's instructions are clear. I set a different transmission port (serverport, -T), instance and name for Zebedee (a copy of Zebedee) for VNC. It is obviously the first thing you must have working: if this fails you cannot do anything remotely, unless you are using the LogMeIn services.
RENAMING copies of Zebedee: I suggest that you make a copy of zebedee.exe and call the copy ZVNC.EXE. Use ZVNC.EXE to run your VNC tunnel server on the office machine. When you come to use Task Manager (in VNC, that is Shift-Alt-Ctrl-Del to call up the remote Task Manager, or run taskmgr) in order to kill other Zebedee instances that you have not got right, you can recognise your VNC session tunnel as ZVNC and not cut yourself off by killing that one special process. Unless renamed, every Zebedee instance is called zebedee in Windows Task Manager.
Access remote Windows files: To get Zebedee to act as a VPN, that is, to access files remotely, you need to install the Windows loopback adapter. This is because port 139 is bound to 0.0.0.0. I do not understand exactly what that means. The practical consequence is that a tunnel listening for file sharing on 127.0.0.1:139 does not work, whereas a listener on an address of its own on a loopback adapter does. Do not bother with FTP through Zebedee: it is a pain and you need an FTP server at the office. I gave up on it. FTP is the problem: FTP through firewalls is a bummer, and proxying FTP is not much fun either, because FTP opens a second data connection on a port negotiated inside the session, which a single tunnelled port cannot carry. Other solutions are SSH and SCP.
How to access files on the remote machine, uploading and downloading: this uses Windows port 139. It requires additional work: on your local home machine you need to install Windows' loopback adapter, which acts like another network card on your home machine. It is installed from Control Panel, Add New Hardware: yes, you have the hardware connected; go to the bottom of the list, scroll down to "add a new hardware device", then install the hardware manually (advanced), choose Network adapters, and then Microsoft Loopback Adapter.
Once the new "network card" is installed, go to Network Connections (properties of My Network Places) and give the loopback adapter an IP address. Give it an IP address that is not on your local network, 126.96.36.199 for example (an unused private address is the safer choice). For my purposes I want to fool some programmes at home into thinking they are connecting directly to my office UNIX server by name and IP, so I gave the home loopback adapter the IP address of my remote UNIX server (in the office's internal network range), a machine running MySQL and Samba. Zebedee is neat, as by default it hides the home internal IP address, so at the office end it never looks as though there are two machines with the same IP address on the office network. I gave the home machine's loopback adapter the smallest net mask possible, 255.255.255.252. No gateway or DNS is needed, and it would confuse matters if you put anything in there in the loopback adapter's TCP/IP properties. Just the IP and a small net mask.
LMHOSTS and HOSTS: In the loopback adapter's TCP/IP advanced properties disable NetBIOS over TCP/IP, as we want NetBIOS to go via Zebedee's ports. While there, tick "enable LMHOSTS lookup".
Then you need to associate your loopback adapter's IP with your remote office machine's name (or any name) in LMHOSTS: \windows\system32\drivers\etc\LMHOSTS. Make sure WordPad does not save your edited version of LMHOSTS.SAM as a .txt file or as a .SAM file. It needs to be called LMHOSTS, and ditto for HOSTS (not LMHOSTS.SAM, which is the sample file and is not read by the system). If necessary, rename the file to have no extension despite Windows' protests.
A line in LMHOSTS:
172.21.204.229 officemachine #PRE
The Zebedee on my home machine needs to tunnel a lot of things, including MySQL traffic. To access files you just need to tunnel port 139. My Zebedee shortcut at startup is OTT for most people. Ports 5900 (VNC), 139, and perhaps a port to reach a proxy server may be enough.
"C:\Program Files\Zebedee\zebedee.exe" -b 172.21.204.229 -T 2712 20-23,1024,3000-3010,3306,139:myofficeatwork.dnsalias.net:20-23,1024,3000-3010,3306,139
At the office end I have a shortcut to server.zbd set up in Startup (I could use a command-line shortcut instead).
The office machine runs server.zbd as above, but you change the target to your office target machine (even if it is the same machine Zebedee is on).
Home machine: zebedee -T serverport-you-want -b IP-of-loopback-adapter 139:ip-or-domain-name-of-office:139
With both ends running you should be able to go to Run and type \\ip-of-loopback-adapter or the name you used in HOSTS or LMHOSTS. In Run, \\whatever-you-called-it, and the listing of shared directories on your office machine pops up. You may get a Windows login prompt and you need to know those details. Sometimes Windows remembers the wrong details and you have to enter them manually in your profile: Control Panel, User Accounts, choose your own account, and "Manage my network passwords". It seems to need a reboot. Sometimes you need to delete the stored network passwords and start again. At the office end you need a Windows account with a password set; blank passwords fail.
Once you can see your shared directories you can map them to local drive letters (right-click on the directory). When Windows reboots it thinks the mapped drives are disconnected and you have to click on them to activate the connection. Windows will not map shared directories further down the tree; it can only map the top-level remote shares. To get round that, share the lower directory.
Speed of the VPN: Remember that VPN tunnels to and from work are slow because they are limited by the upload speed of the ISP connections, and some Windows programmes can be slow to list directories. The speed is limited by Windows and by the maximum upload speed at your office end, which in my case is 417 kb/s. It is OK, but irritating if you want to grab a many-megabyte file.
DNS, finding your office and dynamic IPs: To find your office machine on the internet, and to use Zebedee or anything else, you need to know the office IP address or a domain name that maps to it. If your office has a fixed IP address, use that. Most cheap broadband connections have dynamic IP addresses, although Virgin Media IPs seem pretty static to me: the modem has to be off for ages for it to get a new IP address. With the dynamic IP that most of us have, register with any of the firms that offer domain names for dynamic IPs. Their update programmes sit on your office machine, find out your IP address even when it changes, and publish it under a domain name via these firms. The simple DNS services are free: www.dynu.com and DynDNS at http://www.dyndns.com, but there are others. There is no harm in registering with more than one. Give your domains very unfriendly names like BL85U36YZ.dynu.com as added security, provided you remember it! That only keeps the name out of casual guessing; the open serverport can still be found by a scan, so it is no substitute for Zebedee's keys and IP checks. Their programmes need to run on the office machines at startup.
Use the www.grc.com Shields Up web page to check your firewall. All ports and ping should be closed and "perfect stealth". Only the (high-numbered) ports that you use for Zebedee should be open. Even ping should be off.
Running Zebedee behind a firewall: If you want to connect to your office and you cannot control the office firewall, then you have to "reverse" the connection and have Zebedee from inside the office connect to your home machine first. Firewalls may block incoming ports but rarely block all outgoing ones. Setting up a reverse tunnel can be fiddly. I set the Zebedee transmission port to 443, which normally carries encrypted data. I had problems before I did that. I have to open port 443 on my firewall router at home.
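A way to ask the Shields Up question yourself, as an added Python example that is not Shields Up and not from this page: probe a list of ports on a host and compare what answers against the ports you intended to expose, which should be your Zebedee serverports and nothing else. To mean anything it must be run from outside the office network (from home against the office's public name or address); local_demo() runs it against 127.0.0.1 with a throwaway listener purely so the example works offline. A refused and a timed-out port both count as closed here, so it does not tell "closed" from "stealth" the way Shields Up does.

```python
"""Check which TCP ports on a host accept connections and compare the answer
with the ports you meant to expose. Added example, unrelated to grc.com.
Run audit_exposure() from outside the network you are checking; against
127.0.0.1 it only reports what is listening on the machine you are on.
"""
import socket
from typing import Dict, Iterable, List


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(host: str, ports: Iterable[int], expected_open: Iterable[int],
                   timeout: float = 2.0) -> Dict[str, List[int]]:
    """Probe each port once and split the result into what you wanted and what you did not."""
    open_ports = sorted(p for p in ports if tcp_open(host, p, timeout))
    expected = set(expected_open)
    return {
        "open": open_ports,
        "unexpected": sorted(set(open_ports) - expected),   # close these on the router
        "missing": sorted(expected - set(open_ports)),       # Zebedee is not reachable
    }


def local_demo() -> Dict[str, List[int]]:
    """Stand up one listener (playing the Zebedee serverport) and probe it together
    with a port that is known to be closed, all on 127.0.0.1 so it runs offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    zebedee_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                                  # nothing listens there now

    try:
        result = audit_exposure("127.0.0.1", [zebedee_port, closed_port],
                                [zebedee_port], timeout=1.0)
    finally:
        listener.close()
    result["zebedee_port"] = [zebedee_port]
    result["closed_port"] = [closed_port]
    return result
```

For a real check, call audit_exposure("your-office.dynu.com", range(1, 1025) plus your serverports, [2712]) from home; anything in "unexpected" is a port-forward or service the router should not be passing, and a serverport in "missing" means the office end is not reachable and the reverse-mode setup below is the alternative.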
After much fiddling I found this works and the line stays up. At home, on the client machine, you set Zebedee running like this with an edited file homeclient.zbd.
The ":*:" means accept from any IP, so it is a risk. Better to put in the exact IP of the office and also use a private/public key pair.
While setting it up remove the hashes so you can see the verbose reports; closing the window closes the Zebedee session. Set this running at home first.
At the office machine, a serverreverse.zbd file:
You should be able to connect from the home machine to the office. In the case above I set my home browser to use the proxy server on localhost 9080 and SOCKS on localhost 1080, and I am connected to the proxy at my office.