Archway Surgery. Archway Development & Consulting Ltd
Connecting to your Office or Home from anywhere   

I learnt the hard way how to set up connections between our homes and offices, especially when behind other people's firewalls. This detailed instruction set outlines my difficulties in getting to grips with the problems of doing so. It may help some people starting similar projects. It may irritate those who know a lot and confuse those who do not. This is also an archive of my Zebedee instructions; the little programme may still have a role, see below.

There are many ways to connect home and office and to control remote machines:

  1. By far the BEST to use is SoftetherVPN
  2. Use software tools such as those provided by www.logmein.com
  3. Set up a Virtual Private Network (VPN)
  4. Use tunnel systems with SSH, Zebedee or PuTTY (I am now using SSH tunnels)
  5. Buy routers with a VPN serving function (not just VPN pass-through)
  6. Use Zebedee

My first method was to make tunnels with Zebedee. I think I have got my head around its features. It is free, fast and pretty secure (especially if you set up your own private keys). It transmits encrypted data in a tunnel port of your choice. It secures and tunnels VNC and RealVNC so you can control your office computer from home as if you were in front of it. You do not need logmein to do that. It is fast and secure. It can work in reverse mode so that you can connect through tight office firewalls. It passes UDP as well.

I now use SoftetherVPN (my blog on it is here) and also SSH (my essay on SSH is here).

Logmein.com bought a VPN product called Hamachi, which was an excellent mini VPN tool. It might in 2017 be getting back its credibility. Logmein had been damaging the product with upgrades and a terrible pricing structure, so it lost its appeal. Users are dependent on their mediation server, and connections can be terribly slow. Recently they have reversed the pricing changes and it may be a quick and simple solution. Hamachi with VNC means you do not need the original logmein product. You can upload and download files as well as control the remote desktop. It is very useful as the backdoor that lets you set up faster direct alternatives such as Zebedee or SSH tunnels. Hamachi was much simpler to set up, but will not offer such a fast service.

There is less reason to deploy Hamachi now.

SoftetherVPN is simply less bother all round.

Zebedee: Neil Winton's instructions on his wonderful little programme (just 600kb) are good, but horrid for novices as he does not mention the obvious (obvious to him and others, that is). I set this out as a supplement to his instructions. My instructions are not complete, and may not be accurate, so you are warned. They just emphasise the points that it took me a while to appreciate. I am a doctor (GP), not an IT guru.

Download and install Zebedee on both home and office machines from Neil Winton’s site here

What it does (stating the obvious): Zebedee presents, on the inside of your home machine, IP ports which are then used to transmit data across the internet securely. The command zebedee.exe 23:myofficeinlondon.dynu.com:23 makes the local home machine listen to itself on port 23 (aka telnet) and send whatever arrives there over the internet, encrypted, on port 11965 to your office machine. You connect to your office machine by sending data to ports on your LOCAL home machine. The tunnel does what it says: telnet localhost and up pops your remote login (assuming Zebedee and telnet are running at the other end!). Zebedee wraps up whatever you send on whatever ports you specify, encrypts it, sends it over the internet on port 11965 and unwraps it at the other end.

Routers and firewalls: In this blog I use the word "home" to mean where you are sitting (the client, in the jargon) and "office" (the server) to mean the place you want to connect to. For standard connections your office router needs to pass port 11965 through to the office machine that has Zebedee running in server mode, but you can choose another port for Zebedee to use to get through firewalls. Zebedee's default is to send data across the internet on port 11965. You can set Zebedee to use any port number you like to transmit the data, provided it does not clash with your other ports in use and you can set the office firewall to accept it. You change the port Zebedee uses over the internet with the -T option (or serverport if using a config file).

zebedee -T 2712 23:myofficeinlondon.dynu.com:23 will transmit the data using port 2712, and the router at the other end must let port 2712 through to the right machine running Zebedee in server mode. You never want to open port 23 on the firewall, or indeed any ports below 1057. In the above example Zebedee is listening for traffic inside your home machine on port 23 and spits it out as port 23 at the other end. The router only needs to pass a port such as 2712 (or 11965) through to your office machine which has Zebedee running in server mode.

At the office end Zebedee needs to be serving, waiting for remote connections:

zebedee -s -T 2712 internal-ip-address-of-office-machine-you-wish-to-use:23

You can list ports and range of ports which are to be tunnelled.  You can change ports, listening to one port and spitting the data out on another.

Proxy server and port changes: zebedee 8080:my-office-in-london-by-IP-or-domain-name:6588 would listen on port 8080 locally and transmit data to my office (on port 11965, as that is the default transmission port, aka server port). You can use this as a proxy server: set your browser to use a proxy server called localhost (or the local IP of your home machine, which is the same thing) on port 8080. It would reach your real proxy server on your office machine on port 6588. Zebedee itself can connect to the outside world via proxy servers using another command; see Winton's instructions.

Redirection: Zebedee's server mode (receiving, at the office) can send data on to other machines anywhere, and those machines need not be running Zebedee. zebedee -s -T 2712 internal-ip-address-of-office:23 means just that: you can redirect port 23 (now unencrypted at the office end) from your office machine to any machine anywhere, once it has got there. So either you put in the server command line the IP address of the office machine itself, zebedee -s -T 2712 localhost:23, or you put in any machine or domain name you want it to reach, usually within your office network: zebedee -s -T 2712 the-local-ip-address-of-the-machine-in-the-next-door-room:23. That will now be ordinary non-encrypted data on your office network on port 23. As far as the destination in the room next door is concerned, the data on port 23 looks as if it arose on the local network, from the machine with Zebedee running on it, not from the remote home machine or the internet. So no clever routing is required to get to another machine on your office network.

At home, with Zebedee running in the background, the command telnet localhost does the following: the telnet programme uses port 23; the outgoing connection is accepted by Zebedee listening locally on port 23 and transmitted over the internet on port 2712 to my office router. My office router directs port 2712 to a Windows machine which has Zebedee in server mode waiting on port 2712. The office Windows Zebedee then redirects port 23, my telnet traffic, to my office UNIX machine in another room at the office. On the home machine up pops my remote UNIX server's login prompt. Meanwhile Mr Gibson at www.grc.com finds my firewall perfect and "stealth".

If you want information on encryption keys and IP checking read Neil Winton’s instructions!

Multiple instances: Zebedee can be run many times on the same machine. A single Zebedee instance can redirect different ports to different machines. I found that rather confusing, so I am not inclined to use that feature, preferring to have different instances of Zebedee using different "transmission ports" (serverports, -T) when redirecting ports to different machines. That way one can redirect identical ports to different machines. It may be wasteful doing it that way, but the one machine in the office with Zebedee server instances running is not doing much else apart from running my mail server.

Command line or config files: Zebedee can either use command line instructions or a file of instructions, called up by zebedee -f followed by the file name. In Windows you do not usually need the -f, as Zebedee's installation programme makes Windows recognise the .zbd extension as Zebedee's. You make/edit config files ending in .zbd and they run when clicked or left in Startup. To edit a .zbd file you then have to right-click or shift-right-click to open it with WordPad. I find the -f command useful when using Zebedee on a USB stick with ASUITE.

For some reason I often set up home machines to use command line instructions and the server end to use Zebedee config files. Two server.zbd shortcuts sit in Startup on the office machine so they run as the machine reboots. You can also set up Zebedee as a service.

Start playing: It is best when first playing with Zebedee to open a command prompt window, sit in C:\Program Files\Zebedee and type in your Zebedee commands, or run .zbd files with "detached false" and "verbosity 5". You will see the errors. Once you have the command syntax right and it works, create a shortcut to Zebedee on your desktop using your working syntax. Edit the properties of your shortcut and put the command parameters after the closing inverted commas. You can then copy the working shortcut to Program Files\Startup. Here is an example of the target line in the properties of a shortcut:

"C:\Program Files\Zebedee\zebedee.exe" -b 172.21.204.229 -T 2712 20-23,1024,3000-3010,3306,139:myofficeatwork.dnsalias.net:20-23,1024,3000-3010,3306,139

That means: force Zebedee to listen only on local IP 172.21.204.229 (in fact a loopback adapter), transmit over the internet on port 2712, listen locally (on 172.21.204.229) on the listed ports, and spit them out at the other end on the same port numbers as they went in.
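As an added worked example (my own code, not Zebedee's), here is a small Python parser for the port-list syntax in that target line. It assumes only the grammar the examples on this page show, LOCALPORTS:HOST:REMOTEPORTS, where each list is comma-separated port numbers or low-high ranges with an optional /tcp or /udp suffix (as in the reverse-tunnel config further down), and it pairs local and remote ports in order, which is why the two lists must expand to the same length. The function names are mine, and the review function flags the "*" host that the reverse-tunnel section warns about.

```python
import re

# Assumed grammar (from this page's examples only): LOCALPORTS:HOST:REMOTEPORTS.
# IPv6 literals (which contain colons) are not handled.
_ITEM = re.compile(r"(\d+)(?:-(\d+))?(?:/(tcp|udp))?")


def expand_ports(port_list):
    """'20-23,1024/udp' -> [(20,'tcp'), (21,'tcp'), (22,'tcp'), (23,'tcp'), (1024,'udp')]"""
    ports = []
    for item in port_list.split(","):
        m = _ITEM.fullmatch(item.strip())
        if not m:
            raise ValueError(f"bad port item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of range: {item!r}")
        ports.extend((p, m.group(3) or "tcp") for p in range(lo, hi + 1))
    return ports


def parse_tunnel_spec(spec):
    """Return [(local_port, host, remote_port, proto), ...] for one tunnel spec.

    Local and remote lists are paired up in order, so they must be the same length.
    """
    parts = spec.split(":")
    if len(parts) != 3 or not parts[1]:
        raise ValueError(f"expected LOCALPORTS:HOST:REMOTEPORTS, got {spec!r}")
    local_list, host, remote_list = parts
    local, remote = expand_ports(local_list), expand_ports(remote_list)
    if len(local) != len(remote):
        raise ValueError(f"{len(local)} local ports but {len(remote)} remote ports")
    mappings = []
    for (lp, lproto), (rp, rproto) in zip(local, remote):
        if lproto != rproto:
            raise ValueError(f"protocol mismatch for {lp}->{rp}")
        mappings.append((lp, host, rp, lproto))
    return mappings


def is_valid_spec(spec):
    """True if parse_tunnel_spec accepts spec."""
    try:
        parse_tunnel_spec(spec)
        return True
    except ValueError:
        return False


def review_spec(spec):
    """Warnings a cautious administrator would want before running this tunnel."""
    warnings = []
    if parse_tunnel_spec(spec)[0][1] == "*":
        warnings.append("host '*' accepts the peer from any address; name the office host or IP")
    return warnings


if __name__ == "__main__":
    line = "20-23,1024,3000-3010,3306,139:myofficeatwork.dnsalias.net:20-23,1024,3000-3010,3306,139"
    for lp, host, rp, proto in parse_tunnel_spec(line):
        print(f"home {lp}/{proto} -> {host}:{rp}")
```

Feeding it the shortcut line above yields eighteen one-to-one mappings (four from 20-23, eleven from 3000-3010, and 1024, 3306 and 139), and a spec such as 20-23:office:23 is rejected rather than silently truncated.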

VNC and Zebedee: Neil's instructions are clear. I set a different transmission port (serverport, -T), instance and name for Zebedee (a copy of Zebedee) for VNC. It is obviously the first thing you must have working. If this fails you cannot do anything remotely unless using the logmein services.

RENAMING copies of Zebedee: I suggest that you make a copy of zebedee.exe and call the copy ZVNC.EXE. Use ZVNC.EXE to run your VNC tunnel server on the office machine. When you come to use taskmgr (in VNC that is SHIFT-alt-ctl-del to call up the remote Task Manager, or run taskmgr) in order to kill other Zebedee instances that you have not got right, you can recognise your VNC session tunnel as ZVNC and not cut yourself off by killing that one special process. Unless renamed, every Zebedee instance is called Zebedee in Windows Task Manager.

Access remote Windows files: To get Zebedee to act as a VPN, that is to access files remotely, you need to install the Windows loopback adapter. This is because port 139 is bound to 0.0.0.0. Do not bother with ftp over Zebedee: it is a pain and you need an ftp server at the office. I gave up on it. Ftp is the problem: ftp through firewalls is a bummer, and proxying ftp is not much fun either. Other solutions are to use SSH SCP.

How to access files on the remote machine, uploading and downloading: This uses Windows port 139 and requires additional work. On your local home machine you need to install the Windows loopback adapter, which acts like another network card on your home machine. It is installed from Control Panel, Add New Hardware: yes, you have the hardware connected; go to the bottom of the list, scroll down to "add new hardware device", then install the hardware manually (advanced), choose Network adapters, and then Microsoft Loopback Adapter.

Once the new "network card" is installed, go to Network Connections (properties of Network Places) and give the loopback adapter an IP address that is not on your local network: 222.222.222.222 for example. For my purposes I want to fool some programmes at home into thinking they are connecting directly to my office UNIX server by name and IP, so I gave the home loopback adapter the IP address of my remote UNIX server (in the office's internal network range), a machine running mysql and samba. Zebedee is neat as by default it hides the home internal IP address, so at the office end it never looks as if I have two machines with the same IP address on the office network. I gave the home machine's loopback adapter the smallest net mask possible, 255.255.255.252. No gateway or DNS is needed, and it would confuse matters if you put anything in there in the loopback TCP/IP properties. Just the IP and a small net mask.

LMHOSTS and HOSTS: In the loopback adapter's TCP/IP advanced properties disable NetBIOS over TCP/IP. We want NetBIOS to go via Zebedee's ports. While at it, tick "Enable LMHOSTS lookup".

Then you need to give your loopback adapter your remote office machine's name (or any name) in LMHOSTS: \windows\system32\drivers\etc\LMHOSTS. Make sure WordPad does not save your edited version of LMHOSTS.SAM as a .txt file or as a .SAM file. It needs to be called LMHOSTS, and ditto for HOSTS (not LMHOSTS.SAM, which is a sample file and unreadable by the system). If so, rename the file without any extension despite Windows's protests.

A line in LMHOSTS

172.21.204.229    officemachine  #PRE

The Zebedee on my home machine needs to tunnel a lot of things, including mysql traffic. To access files you just need to tunnel port 139. My Zebedee shortcut at startup is OTT for most people. Ports 5900 (VNC) and 139, and perhaps a port to reach a proxy server, may be enough.

"C:\Program Files\Zebedee\zebedee.exe" -b 172.21.204.229 -T 2712 20-23,1024,3000-3010,3306,139:myofficeatwork.dnsalias.net:20-23,1024,3000-3010,3306,139

At the office end I have a shortcut to server.zbd set up in Startup. (I could use a command line shortcut.)

From Neil's example file (server.zbd):
#
# $Id: server.zbd,v 1.4 2002/04/16 16:49:42 ndwinton Exp $
verbosity 2            # Slightly more than basic messages
detached true          # You will probably want this 'true' for normal
                       # use but I want to make sure that you see the
                       # preceding message if you haven't edited this.

server true            # Yes, it's a server!
ipmode both            # Operate in mixed TCP/UDP mode
serverport 2712
compression zlib:6     # Allow maximum zlib compression
keylength 256          # Allow keys up to 256 bits
keylifetime 36000      # Shared keys last 10 hours
maxbufsize 16383       # Allow maximum possible buffer size
keygenlevel 2          # Generate maximum strength private keys

# include './server.key'      # I do run these but start with them hashed out.

# checkidfile './clients.id'  # DITTO

# The "redirect" expression can be used to set the default ports
# allowed when a target specification consists of a hostname but
# no other ports. The "redirect none" statement prohibits
# tunnelling anywhere by default.

redirect none

# Set up allowed targets. Note that there are NO targets allowed
# by this file by default. You must explicitly edit it to enable
# them.

# The following are good for testing purposes. Either TCP or UDP
# are allowed.
#
target 172.22.203.228:110/tcp

# Basic interactive services, TCP only.
#
target 172.21.204.229:6588/tcp
target 172.21.204.228:1080/tcp

# VNC traffic -- usually you will only need a subset of this
# range, perhaps 5900 or 5901.
# I have a separate instance of Zebedee for VNC on a different serverport.
#
# The following line ensures that the default target host
# is the local machine. The last named host becomes the
# default so leaving this here ensures that "localhost" is
# the default unless overridden on the command line.

target 172.21.204.229

#end

The office machine runs server.zbd as above, but you change the target to your office target machine (even if it is the same machine Zebedee is on).

Home machine: Zebedee -T serverport-you-want -b IP-of-loopback-adapter 139:ip-or-domain-name-office:139

With both ends running you should be able to go to Run and type \\ip-of-loopback-adapter or the name you used in HOSTS or LMHOSTS. In Run, \\whatever-you-called-it, and the listing of shared directories on your office machine pops up. You may get a Windows login and you need to know those details. Sometimes Windows is idiotic and remembers the wrong details and you have to enter them manually in your profile: Control Panel, User Accounts, choose your own account, and "Manage my network passwords". It seems to need a reboot. Sometimes you need to delete the network passwords and start again. At the office end you need a Windows account with a password set. Blank passwords fail.

Once you can see your shared directories you can map them to a home local drive letter(s) (right click on directory).  When windows reboots it thinks the mapped drives are disconnected and you have to click on them to activate the connection. Windows will not map shared directories down the tree. It can only map the top remote directories.  To get round that you share the lower directory.

SPEED of VPN: Remember that VPN tunnels to and from work are slow because they are limited by the ISPs' upload speeds, and some Windows programmes can be slow to list the directories. The speed is limited by Windows and by the maximum upload speed at your office end, which in my case is 417kbs. It is OK, but irritating if you want to grab a many-megabit file.

DNS, finding your office and dynamic IPs: To find your office machine on the internet and to use Zebedee or anything else, you need to know the office IP address or a domain name that maps to the IP. If your office has a fixed IP address use that. Most cheap broadband connections have dynamic IP addresses, although Virgin Media IPs seem pretty static to me: the modem has to be off for ages for it to get a new IP address. With the dynamic IP that most of us have, register with any of the firms that offer domain names for dynamic IPs. Their programmes sit on your office machine, find out your IP address even if it changes, and propagate a domain name via these firms. The simple DNS services are free: www.dynu.com and DynDNS (http://www.dyndns.com), but there are others. There is no harm in registering with one or more. Give your domains very unfriendly names like BL85U36YZ.dynu.com as added security, providing you remember it! Their programmes need to run on the office machines at startup.

Use www.grc.com Shields Up web page to check your firewall.  All ports and ping should be closed and “perfect stealth".  Only the ports (high numbers) that you use for Zebedee should be open.  Even ping should be off.

 
Running Zebedee behind a firewall

If you want to connect to your office and you cannot control the office firewall, then you have to "reverse" the connection and have Zebedee from inside the office connect to your home machine first. Firewalls may limit incoming ports but cannot limit all outgoing ports! Setting up a reverse tunnel can be fiddly. I set the Zebedee transmission port to 443, which normally carries encrypted data. I had problems before I did that. I have to open port 443 on my firewall router at home.

After much fiddling I found this works and the line stays up. At home, on the client machine, you set Zebedee running like this with an edited file homeclient.zbd:

message "client"
# verbosity 5
# detached false
server false
idletimeout 0
acceptconnecttimeout 65535
serverport 443
listenmode true
readtimeout 300
tunnel 9080/tcp:*:8080/tcp     # or whatever ports you like; this one reaches the office proxy server
tunnel 1080/tcp:*:1080/tcp
tunnel 5940/tcp:*:5900/tcp

The ":*:" means accept from any IP, so it is a risk. Better to put in the exact IP of the office and also use private/public keys.

While setting it up, remove the hashes so you can see the verbose reports; closing the window then closes the Zebedee session. Start this at home first.

At the office machine a serverreverse.zbd file:

#detached false
#verbosity 5
server true
message "server"
serverport 443
clienthost mymachine.dnsalias.net    # or the IP address of the home machine, or a dyn.com name etc.
connectattempts 1000
idletimeout 0
target localhost:8080/tcp
target localhost:1080/tcp
target localhost:5900/tcp
 

You should then be able to connect from the home machine to the office. In the case above I set my home browser to use a proxy server on localhost 9080 and SOCKS on localhost 1080, and I am connected to the proxy at my office.
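To make the two shapes of tunnel on this page concrete, here is an added Python example (my own code, not Zebedee's) of a plain TCP relay. It has none of Zebedee's encryption, compression or key checks, so it shows only the plumbing. In normal mode the home side listens locally and dials out to the office for each connection (the 23:office:23 command near the top of this page); in reverse mode the office dials out to the home machine first, and the home side then hands its local connections across that outbound link, which is exactly why it works through an office firewall that blocks inbound connections but allows outbound ones. The function names, the upper-casing stand-in for the office service and the loopback ports are all constructed for the demo.

```python
import socket
import threading
import time
from contextlib import suppress

def _spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def _pump(src, dst):
    # Copy src -> dst until EOF, then close dst's write side so its peer sees EOF too.
    with suppress(OSError):
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(a, b):
    _spawn(_pump, a, b)
    _spawn(_pump, b, a)

def _listen(host, port):
    # Bound, listening TCP socket; port 0 lets the OS pick a free port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def start_forward_client(bind_host, local_port, office_host, office_port):
    # Normal mode, home side (like "zebedee -b BIND 23:office:23"): listen on
    # bind_host:local_port and dial office_host:office_port for each connection.
    srv = _listen(bind_host, local_port)
    def accept_loop():
        with suppress(OSError):  # ends when the listener is closed or the office fails
            while True:
                client, _ = srv.accept()
                _relay(client, socket.create_connection((office_host, office_port)))
    _spawn(accept_loop)
    return srv

def start_reverse_home(bind_host, control_port, local_port):
    # Reverse mode, home side ("listenmode true"): wait for the office to dial in on
    # control_port, then hand the first connection on local_port across that link.
    ctrl_srv, local_srv = _listen(bind_host, control_port), _listen(bind_host, local_port)
    def session():
        with suppress(OSError):
            office_link, _ = ctrl_srv.accept()  # the office connects OUT to us first
            client, _ = local_srv.accept()      # then a home application connects
            _relay(client, office_link)
    _spawn(session)
    return ctrl_srv, local_srv

def start_reverse_office(home_host, home_ctrl_port, target_host, target_port, attempts=20):
    # Reverse mode, office side ("clienthost" + "connectattempts"): dial out to home,
    # retrying, then splice that outbound link onto the local target service.
    for _ in range(attempts):
        with suppress(OSError):
            link = socket.create_connection((home_host, home_ctrl_port))
            break
        time.sleep(0.1)
    else:
        raise ConnectionError("home never answered on the control port")
    _relay(link, socket.create_connection((target_host, target_port)))
    return link

def start_office_service():
    # Constructed office-side service: answers one connection with its request upper-cased.
    srv = _listen("127.0.0.1", 0)
    def serve():
        with suppress(OSError), srv.accept()[0] as conn:
            conn.sendall(conn.recv(4096).upper())
    _spawn(serve)
    return srv

def _ask(port, *sockets_to_close, payload=b"hello"):
    # Behave like a home application talking to 127.0.0.1:port, then close the
    # demo's listeners and links so nothing lingers.
    try:
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(payload)
            return c.recv(4096)
    finally:
        for s in sockets_to_close:
            s.close()

def demo_forward():
    # Home app -> home listener -> office service; returns the office's reply.
    office = start_office_service()
    relay = start_forward_client("127.0.0.1", 0, "127.0.0.1", office.getsockname()[1])
    return _ask(relay.getsockname()[1], relay, office)

def demo_reverse():
    # Office dials home first; a home app then reaches the office service over that link.
    office = start_office_service()
    ctrl, local = start_reverse_home("127.0.0.1", 0, 0)
    link = start_reverse_office("127.0.0.1", ctrl.getsockname()[1],
                                "127.0.0.1", office.getsockname()[1])
    return _ask(local.getsockname()[1], link, ctrl, local, office)
```

Calling demo_forward() and demo_reverse() each returns b"HELLO" from the stand-in office service. The reverse shape is the one an office administrator should notice: a single outbound connection on port 443 to a dynamic-DNS name is all it takes, so egress filtering and logging of outbound connections are what stand between a tight inbound firewall and a tunnel like this.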

Gerry Bulger
