Connecting to your Office or Home from anywhere, Part two
An experience with Reverse Tunnels and Virtual Private Networks over secured networks.
This is like my Zebedee blog. It may simply serve to irritate the IT guru and confuse the novice. It is based on what I found difficult to understand and get going.
This is for logging into your systems at work so that you can use the work desktops, download and upload files, and use the remote network and gateway. I own my own office, so I am only breaking my own rules by using these tunnels. Setting up these tunnels always requires you to go into the office to install some software, such as VNC and the tunnelling software, on at least one machine. You have to be able to work on both sides of the firewalls.
Quickest and simplest solution: Hamachi
Hamachi can be used as a backup route to your remote office network. The disadvantage is that it can be quite slow, especially if the connection has to be relayed because of difficult firewalls; I have found it a bit slow even in the paid-for version, and it is getting pricey to use.
The advantage of Hamachi is that it tunnels TCP and UDP and all protocols, including port 139, so you see all the shared directories of the remote machine. It is two-way: the office will see the home machine's shared files as well. Hamachi uses a TUN/TAP virtual network device, as do other VPN solutions, but uses a mediation server to find a path between machines. Hamachi does what it says on the tin; it is very easy to set up and finds its way through firewalls. It may not be very secure, and you are dependent on a third party, the servers at Hamachi.cc, to put the tunnels together.
Hamachi is now superseded by SoftEther VPN (http://www.softether.org/). A blog post on SoftEther VPN is here.
Details of Hamachi in use up to 2011: old and archival!
One computer at work with Hamachi running can allow home access to all shared files at your office on other PCs, or VNC to them. With Hamachi you can also reach other computers on the remote network via a single remote machine running Hamachi. This is documented on the Hamachi forums: https://forums.hamachi.cc/
Access to other machines on the remote network is achieved by adding a file called override.ini in C:\Documents and Settings\{user}\Application Data\Hamachi on your Hamachi machines. In that file place the one line:
RoutedTunneling 1
On your remote network Hamachi machine you will also need the registry tweak to allow XP routing: in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, double-click IPEnableRouter in the right pane and change its value to 1.
Each machine on your remote network that is not running Hamachi, but which you wish to access, will need to know the route back to you via the machine with the Hamachi adapter, so each of these machines needs a manual route command. Use route add -p so that the routes are persistent across reboots.
You will not be able to reach the router and gateway unless you can fiddle with the remote router config.
An easier solution to access the rest of your office network: Windows VPN over Hamachi VPN
A somewhat clumsy and sluggish approach is to run the Windows VPN over a Hamachi VPN connection. The advantage is that this way you do not have to fiddle with routing tables. You can give yourself an IP address of the remote office site for the Microsoft VPN connection. Note that XP only allows one incoming Microsoft VPN connection at a time.
To create a Microsoft VPN over Hamachi, go to the remote Hamachi machine and in its Network Connections choose “enable incoming connections”. Make sure you have ticked a login that works with incoming connections (blank passwords fail). Set up a small DHCP range using a different network range, but also tick “allow remote user to provide IP”.
At the home end, create a new VPN connection in Network Connections with the host name set to the Hamachi 5.x.x.x IP of the remote machine at the office. Put an unused internal IP address of your remote office network, with the correct netmask used by that network, into the new VPN connection's networking TCP/IP properties.
At this stage it is important to untick the “use default gateway on remote network” box under the TCP/IP advanced general settings, so as not to use the remote gateway. If you do not, you will cut off the branch you are sitting on: Hamachi, and all its connections, will be cut off the moment you connect the Microsoft VPN.
After connecting your Microsoft VPN over Hamachi, you now have an IP address at home as if you were on the remote network. Typing \\the-ip-of-a-remote-machine in Run, you should see the remote shared files of a machine on the remote network, without having to fuss over each machine's routing table. If you have Remote Desktop or VNC running you can log in to any machine on the remote network.
The ultimate connection: breaking your firewall
An extra tweak, totally unsupported by Hamachi, allows you to reach and use the remote gateway using Microsoft's VPN connection over a Hamachi connection.
Connecting to a proxy server based at work, rather than a full VPN, is usually better for most things such as browsing, but sometimes one needs to be on the same network, hence needing a full VPN and use of the remote gateway by the home machine.
To use the remote office gateway from home via Hamachi, one needs to add a static route on your home system pointing to Hamachi's mediation servers via your local router, so that when the Microsoft VPN connects, your computer can switch to using the remote office gateway without losing the Hamachi connection on which it is riding. The Hamachi client must always know the route to the Hamachi servers, which is via your local router/gateway, not the remote one. The object is that the remote gateway becomes the default gateway of your home machine when Microsoft's VPN connects. You need to add the route to the Hamachi mediation server:
route add -p 69.25.20.0 mask 255.255.254.0 IP-of-your-local-router
These IPs have been changed: they are usually the IPs of bibi.hamachi.cc. This pins the route to the Hamachi servers through your local network, so Hamachi stays up. Hamachi Corp. may of course change their IP range at any time.
The configuration continues: in your home VPN connection settings, add the DNS of the remote system and tick “use remote gateway”. You can now connect completely as if on the remote machine, using the remote IP and remote gateway. Your external IP at home is now that of your remote system's external IP. It is as if you are at work. The connection can be sluggish, and worse if relayed. You can authenticate yourself as if at the office.
SSH: still important.
Faster methods, or tunnel only what you need
A full VPN using the remote network is not usually needed and can be a sledgehammer to crack a nut. It is simpler to connect a selection of ports for things like VNC (http://www.tightvnc.com/) and, for web browsing, to connect to the proxy server at the other end, such as Free Proxy (http://www.handcraftedsoftware.org/index.php?page=5). A SOCKS proxy is flexible, as it allows you to use Explorer, Firefox and MSN via the proxy.
I had been using Zebedee (http://www.winton.org.uk/zebedee/) to tunnel to Free Proxy at my office, but have recently become converted to using SSH for the tunnel. An SSH server is also a SOCKS proxy and can tunnel all ports. See http://www.jfitz.com/tips/ssh_for_windows.html and http://pigtail.net/LRP/printsrv/cygwin-ssh.html
I had not understood that SSH is a whole suite of tools. In my mind SSH was just telnet with added security. Mistake.
An advantage of Zebedee is that it can tunnel UDP connections; SSH port forwarding is entirely TCP. One of the problems I had with Zebedee is that it sometimes drops the line in listen mode (for reverse tunnels), which is needed when your office is behind a tight firewall. Zebedee probably needs a script to remake the connections. For direct connections Zebedee is fast and stable. https://www.bulger.co.uk/zebedeeins.htm
SSH tunnelling is more secure than Hamachi and much faster. You are not dependent on a third party.
You can install SSH on a Windows machine by installing Cygwin (http://www.cygwin.com/), or cut-down versions for SSH alone: http://www.securityforest.com/wiki/index.php/SSH_Daemon_-_Setup_with_Cygwin and http://ist.uwaterloo.ca/~kscully/CygwinSSHD_W2K3.html
The simplest solution is to use the Bitvise server and client products. On Linux, of course, an SSH server comes with it. SSH server at home and SSH client at the office.
I use an SSH server on a VPS to give me a UK IP address, using the SOCKS proxy function of SSH. Virtual private hosted servers (VPS) are now getting very cheap; to me it is well worth the £19 a month. You mainly use it to set up your web pages and email server, of course. The server is backed up. And then you can use the VPS as your gateway to work. Its connections are fast in both directions. A hosted VPS gives you a UK IP when abroad if you use it as your own personal proxy or VPN.
Most Linux VPS suppliers do NOT support virtual private networks, as the root access offered does not allow you to add kernel modules (TUN and TAP devices), although the interface provided (Plesk) often does. Webfusion only supports VPN on full servers. But partial VPNs with Zebedee and SSH can be effective, fast and useful, and are entirely practical. However, I have managed to install SoftEther VPN on both Windows and Ubuntu Linux VPS servers.
Running SSH to connect to your SSH server:
1. Connecting to use your remote machine as a proxy server. Useful when mobile, to use your UK IP and your email servers. First download PuTTY (http://www.putty.org/) and MyEnTunnel (http://nemesis2.qx.net/software-myentunnel.php) on your home and office machines. Put the MyEnTunnel files inside PuTTY's directory. (Bitvise is better now.)
You can use the portable PuTTY version for USB sticks and put MyEnTunnel and PuTTY, along with portable Firefox and Thunderbird, on your USB stick. I used ASuite (http://sourceforge.net/projects/asuite) on my USB stick, which is in effect a launcher; all those programs start up on plugging the stick into any machine, including MyEnTunnel. I find that more practical than Linux on a stick. So I have my tunnel, browser and email, in and out, wherever I am.
Set up your PuTTY to log into your SSH server.
The first thing you should do is make keys, so you can be rid of password-only login. I was confused for a while, as the public key stays on the server and the private key goes on the clients, which struck me as the wrong way round. PuTTY's PuTTYgen program converts the private key into PuTTY's .ppk format. Create a separate user, with its own keys, for your tunnel purposes. You do not need to use keys, of course, and could test with passwords alone, but one should use keys, and once they work, turn password authentication off on the server. Give the private key a passphrase in PuTTYgen, particularly if it travels on a USB stick that gets plugged into other people's machines.
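Once the keys work, it is worth checking what the server will actually accept. The following is an added example, not part of the original post: a small POSIX shell audit of the sshd_config directives that matter on a host used only as a tunnel endpoint (password logins, root logins, TCP forwarding, and GatewayPorts, which decides whether reverse-tunnel listeners sit on loopback or on every interface). It uses the first-occurrence rule that sshd itself applies and ignores anything after a Match line. The sample configuration it writes is constructed for the demonstration, not taken from any real server.

```shell
#!/bin/sh
# Audit the sshd settings that matter on an SSH tunnel host.
# Added example, not part of the original post. Usage:
#   sh sshd_audit.sh /etc/ssh/sshd_config

# Lower-case a string (sshd keywords are case-insensitive).
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of one directive. sshd uses the FIRST occurrence of a
# keyword; anything after a "Match" line is conditional, so stop there.
# ("Include" files and "Keyword=value" spellings are not followed here.)
sshd_value() {
  awk -v key="$(lc "$1")" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match"  { exit }
    tolower($1) == key      { print $2; exit }
  ' "$2"
}

# Print one OK/WARN line per setting. Defaults applied when a directive
# is absent are those documented in sshd_config(5).
sshd_audit() {
  f="$1"

  v=$(sshd_value PasswordAuthentication "$f"); v=${v:-yes}
  if [ "$(lc "$v")" = "no" ]; then echo "OK   PasswordAuthentication no"
  else echo "WARN PasswordAuthentication $v (use keys only)"; fi

  v=$(sshd_value PermitRootLogin "$f"); v=${v:-unset}
  case "$(lc "$v")" in
    no|prohibit-password|without-password) echo "OK   PermitRootLogin $v" ;;
    *) echo "WARN PermitRootLogin $v (tunnel as an unprivileged user)" ;;
  esac

  v=$(sshd_value GatewayPorts "$f"); v=${v:-no}
  if [ "$(lc "$v")" = "no" ]; then
    echo "OK   GatewayPorts no (reverse-tunnel listeners bind to loopback only)"
  else
    echo "WARN GatewayPorts $v (reverse-tunnel ports are reachable from the internet)"
  fi

  v=$(sshd_value AllowTcpForwarding "$f"); v=${v:-yes}
  if [ "$(lc "$v")" = "no" ]; then echo "WARN AllowTcpForwarding no (tunnels will be refused)"
  else echo "OK   AllowTcpForwarding $v"; fi
}

# Number of WARN findings; 0 means the host is ready for tunnel duty.
sshd_warn_count() { sshd_audit "$1" | grep -c '^WARN'; }

# Constructed sample config exercising the parser: a commented-out line,
# a lower-case keyword, and a Match block that must be ignored.
write_sample_config() {
  t=$(mktemp)
  cat >"$t" <<'EOF'
# constructed sample, not a real server's configuration
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
permitrootlogin prohibit-password
GatewayPorts yes
Match User tunnel
    PasswordAuthentication yes
    AllowTcpForwarding remote
EOF
  echo "$t"
}

if [ -n "${1:-}" ]; then sshd_audit "$1"; fi
```

On the sample file the script reports a single WARN, for GatewayPorts yes: with that setting every reverse tunnel the office opens is bound on all of the server's addresses, so the office proxy and VNC ports become reachable by anyone who can reach the server. Leave it at no unless you really need to hit those ports from the open internet rather than through a second SSH session.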
There are many instructions out there on setting up PuTTY to tunnel: http://linux.justbegun.net/pdf/VNC.pdf
http://www.devdaily.com/unix/edu/putty-ssh-tunnel-firefox-socks-proxy/
http://www.cyberknights.com.au/doc/PuTTY-tunnelling-HOWTO.html
Configure PuTTY's “Tunnels” tab with a Dynamic tunnel on port 7070, say; connect, and one immediately has access to your SSH server as a SOCKS proxy. Nothing needs doing at the piggy SSH server. In Firefox set the SOCKS proxy to localhost, port 7070, and you will be using your SSH machine as a proxy server. Also tick Firefox's option to send DNS requests through the SOCKS proxy (network.proxy.socks_remote_dns); otherwise your name lookups still go out over the local connection and give away what you are browsing.
Check by looking up your IP at a site such as http://www.ipaddressworld.com/; the address will be that of the remote server.
However, you do not really want to have an open SSH shell session running to do this. This is where MyEnTunnel comes into its own. I put a link to MyEnTunnel in Startup. Copy your key file to keyfile.ppk for MyEnTunnel to use your key to log in to SSH. Bitvise Tunnelier is even easier to set up. Enable dynamic SOCKS on 7070 and... hey presto! You can now use your browser over the remote server's connection. It runs in the background on the taskbar. I use slow polling and disable notifications, otherwise a balloon comes up every time it remakes a dropped connection.
Reverse tunnels.
Connecting to your SSH server is all very well, but you really want to connect to your office behind the firewall through this server. I tended to use an SSH server on the internet as a mediation server, a piggy in the middle. Use your SSH server as a piggy in the middle connecting two or more machines behind their respective firewalls, but you might as well set the SSH server up on the home machine. I had clients at home and at the office connecting via my SSH server on the internet.
Firewalls restrict incoming connections, but seldom restrict outgoing ones. They seldom block ports 22, 80 or 443 outgoing. They often block port 25 for SMTP, of course. You need your office to initiate an outgoing connection to your SSH server, and to keep that outgoing SSH connection up to allow you back in.
Reverse SSH tunnel
Assume you want to connect to your remote office machine and network. You have a proxy server running at the office (Free Proxy) and VNC or Remote Desktop. Set up an HTTP proxy on port 4445, say. I assume you also have VNC running on the office machine on 5900. Make sure you can log into your piggy in the middle (or home server) with PuTTY. Then on the REMOTE panel of MyEnTunnel put something like this:
4446:localhost:4445
5930:localhost:5900
5931:10.184.2.70:5900
This means that anything arriving on port 4446 at the SSH server end will end up on the workplace machine on port 4445, your office proxy server. Ditto, 5930 will end up on your VNC port, and 5931 on the VNC port of another office machine, 10.184.2.70.
Check that /etc/ssh/sshd_config has "GatewayPorts yes" on the mediation piggy SSH server (mine is an internet-hosted VPS) if you want those ports reachable on the server's public address. Be aware of the trade-off: with GatewayPorts yes (or the -g flag below) the forwarded office proxy and VNC ports are open to anyone on the internet who can reach the piggy, protected only by whatever the office services themselves require. If you cannot change that file, you need to direct traffic coming in from your home machine into the paths opened up, by opening new ports for the traffic to pass through:
ssh -L 4445:localhost:4446 -f -N -g root@localhost
ssh -L 5931:localhost:5930 -f -N -g root@localhost
etc. (Better to run these as your tunnel user than as root.) If the home end instead connects to the piggy over SSH and forwards to localhost there, as in the next step, the reverse listeners on the piggy's loopback are enough, and neither GatewayPorts yes nor these extra commands are needed.
On the home machine MyEnTunnel logs into the mediation server, the piggy machine. In the LOCAL panel of MyEnTunnel I put
5931:localhost:5931 (allows VNC to the remote machine 10.184.2.70)
5930:localhost:5930 (allows VNC to the remote machine running MyEnTunnel)
6110:emailserver:110 (so I can use my email server from anywhere)
6125:emailserver.com:587 (so I can use my SMTP server from anywhere)
There is now a proxy switcher for Firefox: https://addons.mozilla.org/en-US/firefox/addon/125
With that set up, VNC to localhost 5930 will connect to the office machine behind the firewall.
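The same three-party arrangement (office publishes with -R, home collects with -L, the piggy only relays) can be scripted for the Linux or Cygwin side. What follows is an added example, not part of the original post and not MyEnTunnel's or Bitvise's code: a POSIX shell script that validates port:host:port forward specs before they reach the command line, builds the office-side and home-side ssh commands with keep-alive and fail-fast options, adds the SOCKS (-D) variant, and wraps the office command in a reconnect loop, which is the job MyEnTunnel does on Windows. The host piggy.example.net, the account "tunnel" and the key path are assumptions for illustration.

```shell
#!/bin/sh
# Build and keep up the "piggy in the middle" tunnels:
#   office --(-R)--> piggy <--(-L)-- home
# Added example, not part of the original post. Usage:
#   sh tunnels.sh office    # print the office-side command
#   sh tunnels.sh home      # print the home-side command
#   sh tunnels.sh socks     # print the SOCKS proxy command

PIGGY=piggy.example.net          # assumed: the internet-facing SSH server
TUNNEL_USER=tunnel               # assumed: unprivileged account, not root
KEY=$HOME/.ssh/id_tunnel         # assumed: the key both ends log in with

# Accept only "port:host:port" with ports in 1..65535 (no IPv6 literals).
valid_spec() {
  case "$1" in
    *:*:*) ;;
    *) return 1 ;;
  esac
  l=${1%%:*}; rest=${1#*:}; h=${rest%%:*}; r=${rest#*:}
  for p in "$l" "$r"; do
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ -n "$h" ]
}

# Turn a list of specs into repeated "-R spec" or "-L spec" options.
forward_opts() {
  flag=$1; shift; out=
  for s in "$@"; do
    valid_spec "$s" || { echo "bad forward spec: $s" >&2; return 1; }
    out="$out -$flag $s"
  done
  printf '%s' "${out# }"
}

# Common options: no remote shell (-N); exit instead of silently running
# without a port that could not be bound; notice a dead link within ~90 s
# so the loop below can remake it; never prompt (use an agent/Pageant if
# the key has a passphrase).
COMMON="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -i $KEY"

# Office side: publish office services on the piggy's loopback.
office_cmd() {
  fw=$(forward_opts R "$@") || return 1
  printf 'ssh %s %s %s@%s\n' "$COMMON" "$fw" "$TUNNEL_USER" "$PIGGY"
}

# Home side: reach those loopback ports through a second SSH session.
home_cmd() {
  fw=$(forward_opts L "$@") || return 1
  printf 'ssh %s %s %s@%s\n' "$COMMON" "$fw" "$TUNNEL_USER" "$PIGGY"
}

# Dynamic (SOCKS) forward bound to loopback only, so other machines on
# your LAN cannot ride your tunnel.
socks_cmd() {
  printf 'ssh %s -D 127.0.0.1:%s %s@%s\n' "$COMMON" "${1:-7070}" "$TUNNEL_USER" "$PIGGY"
}

# Re-run a command line whenever it exits, so the office end re-creates
# its reverse tunnel after a drop. Runs forever; start it from cron or a
# service, not from a login shell.
keep_up() {
  while :; do
    eval "$1"
    sleep 15
  done
}

case "${1:-}" in
  office) office_cmd 4446:localhost:4445 5930:localhost:5900 5931:10.184.2.70:5900 ;;
  home)   home_cmd 4446:localhost:4446 5930:localhost:5930 5931:localhost:5931 ;;
  socks)  socks_cmd 7070 ;;
esac
```

Because the home side forwards to localhost on the piggy, the office's -R listeners only ever need to be on the piggy's loopback, so GatewayPorts can stay at its default of no and nothing is exposed to the internet except the SSH port itself. ExitOnForwardFailure matters in the reconnect loop: without it, a stale listener left by a previous session would let the new ssh connect "successfully" while forwarding nothing.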
SSH reverse tunnels are faster, more stable and more secure than Zebedee for reverse tunnels. I use Zebedee as a backup or for one-way traffic. SSH reverse tunnels are faster than Hamachi relayed VPNs, and may be more secure, and you are not dependent on third parties.
Bitvise installations are great, easier, and work well on Windows. The client also gives SFTP and a terminal window.
Gerard Bulger
October 2013