Advanced
This tutorial shows you how to use PuTTY and OpenSSH to tunnel VNC traffic through the public Internet so that you can access and control your home/office Windows PC from a remote location, under the strong encryption of OpenSSH.

Note: The encryption ciphers used by OpenSSH are AES, 3DES, Blowfish, CAST-128 and arcfour (RC4). The default OpenSSH cipher is AES-128-CBC. You might get some performance increase by specifying that you prefer the Blowfish cipher. To do this on the ssh server side, force a specific preferred encryption algorithm by adding a line like the following to the sshd configuration file (usually /etc/sshd_config):

Ciphers blowfish-cbc,aes128-cbc,3des-cbc
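The cipher advice above dates from the OpenSSH of 2003-2012 and no longer applies as written: OpenSSH 7.6 (2017) removed arcfour, blowfish and CAST outright, a current sshd rejects a Ciphers line naming any of them ("Bad SSH2 cipher spec"), and CBC-mode ciphers have been left out of the default list for years; on CPUs with AES-NI the AES-GCM and AES-CTR modes are also faster than Blowfish ever was. The following Python checker is an added example, not code from the page: it reads an sshd_config text, pulls out the Ciphers directive, classifies each entry, and emits a replacement line. The sample config text is constructed from the page's own line, and the ordering in HARDENED_CIPHERS is my choice for the example, not an OpenSSH default.

```python
import re

# Ciphers that OpenSSH 7.6 (2017) removed from both ssh and sshd. A current sshd
# refuses its config ("Bad SSH2 cipher spec") if one of these appears in a Ciphers line.
REMOVED_IN_OPENSSH_7_6 = {"arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"}

# Replacement ordering of AEAD and CTR ciphers that every supported OpenSSH accepts.
# This order is my choice for the example, not an OpenSSH default.
HARDENED_CIPHERS = ("chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
                    "aes128-gcm@openssh.com,aes256-ctr,aes128-ctr")

# Constructed sample config: the line the page suggests, between two typical neighbours.
PAGE_CONFIG = """\
Port 22
Ciphers blowfish-cbc,aes128-cbc,3des-cbc
PermitRootLogin no
"""


def ciphers_directive(config_text):
    """Return the cipher list from the last Ciphers directive, ignoring comment lines."""
    found = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)^ciphers\s+(\S+)", line)
        if m:
            found = [c for c in m.group(1).split(",") if c]
    return found


def check_ciphers_line(config_text):
    """Classify each listed cipher: removed outright, CBC mode, or acceptable today."""
    listed = ciphers_directive(config_text)
    return {
        "listed": listed,
        "removed": [c for c in listed if c in REMOVED_IN_OPENSSH_7_6],
        "cbc_mode": [c for c in listed if c.endswith("-cbc")],
        "acceptable": [c for c in listed
                       if c not in REMOVED_IN_OPENSSH_7_6 and not c.endswith("-cbc")],
    }


def rewrite_ciphers_line(config_text, ciphers=HARDENED_CIPHERS):
    """Return the config with its Ciphers directive replaced (or appended if absent)."""
    out, replaced = [], False
    for raw in config_text.splitlines():
        if re.match(r"(?i)^\s*ciphers\s", raw):
            out.append("Ciphers " + ciphers)
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append("Ciphers " + ciphers)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = check_ciphers_line(PAGE_CONFIG)
    for key, value in report.items():
        print("%-12s %s" % (key + ":", ", ".join(value) or "-"))
    print(rewrite_ciphers_line(PAGE_CONFIG))
```

Run it against the real file (`check_ciphers_line(open("/etc/ssh/sshd_config").read())`) before restarting sshd; on current systems the file lives under /etc/ssh/, not /etc/sshd_config as the page states, and `sshd -t` validates the rewritten file without starting the daemon.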
Recent versions of TightVNC perform reasonably fast, and it is free. Commercial remote control software can do the above with less hassle and less setup, e.g. Remote Utilities.
(1) At your home/office network, behind a firewall (or router, or NAT box), set up an OpenSSH server. If you use Windows XP SP2, you need to tweak the Windows Firewall to open TCP port 22. Click Start...Control Panel...(in Category View mode)...Security Centre...Windows Firewall...Exceptions tab...Add port...: port name SSH, TCP port 22, and port name VNC, TCP port 5900. Thanks to Stefano of Sardegna, Italy for the XP-SP2-firewall reminder.
(2) On your home/office firewall/router, set up a port-forward of TCP port 22 to the IP address of the computer that runs the OpenSSH server (called sshd). D-Link calls port-forward "virtual server". For most large corporations, you cannot do that as the system administrators don't allow it.
(3) On the home/office Windows computer, install TightVNC server. TightVNC server can be downloaded from http://www.tightvnc.com/. Install the "TightVNC server". See this diagram. Register TightVNC server as a system service and start the TightVNC service. See this diagram. If the TightVNC server is on the same machine as the ssh server, check the loopback option.
(3a) If setup asks you to supply a password, give it a safe (hard to guess) password. See this diagram.
(4) If you missed step (3), double-click the TightVNC icon in the bottom icon tray and set a password. See this diagram.
(5) At the remote location (I assume you are using a laptop there), install TightVNC Viewer. During install, select the checkbox "TightVNC Viewer".
(6) On the remote laptop, install PuTTY (see this page). Create an SSH connection to your_home_outside_ip_address; add a tunnel with source port = 5900, destination = 10.1.1.101:5900 (I am assuming your home/office PC is 10.1.1.101; you may need to change 10.1.1.101 to the actual IP address of your home/office Windows box). Click the "Add" button to add the tunnel. Click the "Session" category and click the "Save" button. See this diagram.
(7) On the remote laptop, launch PuTTY: highlight the IP address you want to connect to, click "Load", then click "Open". See this diagram.
(7a) Launch the TightVNC Viewer. In the server field, type 127.0.0.1 and click Connect. See this diagram.
Advanced++
(8) For multiple internal PCs and multiple external road warriors, such as this setup.

This is an M x N situation: there can be M laptops (belonging to different people or just one) and N desktops (belonging to different people or just one). For the purpose of this demonstration, I assume a simpler situation: inside a company/office, there are exactly 3 employees (Alice, Bob and Charlie), and each employee has exactly one laptop for use outside the office. Each employee can access his/her own office desktop remotely. Thanks to David Smith for some suggestions about this section.
(8a) Install TightVNC server on the Alice/Bob/Charlie desktops. For Windows XP, don't forget to open Windows Firewall TCP port 5900.

Note: You may decide to designate one of the staff desktops to serve as a company-wide ssh server to save cost. In that case, on that particular desktop, because the VNC server and the SSH server are on the same machine, check loopback. The benefit of setting up a separate box (either Linux or Windows with Cygwin sshd) as the office/home ssh server is increased stability and increased service availability; add a UPS for the ssh server for higher availability and a reduced tendency to crash due to power failures.
(8b) On the company firewall (or router box, or NAT box), port forward TCP port 22 to the IP of the computer running the SSH server (D-Link calls it Virtual Server). In the example above, port forward TCP port 22 to 10.1.1.3.

On each of the 3 remote laptops, install PuTTY and add a specific tunnel; the tunnel settings for the above example are:
Tunnel for Alice: source port = 5900, destination = 10.1.1.101:5900
Tunnel for Bob: source port = 5900, destination = 10.1.1.102:5900
Tunnel for Charlie: source port = 5900, destination = 10.1.1.103:5900

Note: To revisit the M x N situation, assume you have only one road warrior (e.g. Dave with only one laptop) and three office desktops (named Alice, Bob and Charlie). In that case, on Dave's laptop, install PuTTY and create 3 sessions, all pointing to the office's external IP address. For each PuTTY session, add a (different) tunnel just like the above example.
(8c) On the remote laptop, launch Putty: highlight the external IP address of your home/office, click "Load", click "Open". See this diagram.
(8d) Launch the TightVNC Viewer. In the server field, type 127.0.0.1 and click Connect. See this diagram.
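Step (7a) and step (8d) both end with the road warrior pointing the viewer at 127.0.0.1, which only works if the PuTTY tunnel is actually open and a VNC server is answering at the far end. The following Python snippet is an added example, not part of the original page: it connects to the local forwarded port and reads the 12-byte RFB ProtocolVersion banner ("RFB 003.008\n") that every VNC server, TightVNC included, sends first, so you learn whether the tunnel is up and whether VNC is really what is behind it before the viewer ever prompts for a password. Because there is no tunnel on the machine this is demonstrated on, it also starts a constructed stand-in server on a loopback port so the probe can be exercised offline; the function names and the stand-in are mine.

```python
import socket
import threading

# 12-byte RFB ProtocolVersion message that a VNC server (TightVNC included) sends
# as soon as a client connects; "003.008" is RFB 3.8.
RFB_BANNER = b"RFB 003.008\n"


def probe_vnc(host, port, timeout=3.0):
    """Connect to host:port and return the RFB version string the server announces
    (e.g. "003.008"), or None if nothing listens there or it is not a VNC server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = b""
            while len(banner) < len(RFB_BANNER):
                chunk = s.recv(len(RFB_BANNER) - len(banner))
                if not chunk:
                    break
                banner += chunk
    except OSError:          # refused, timed out, reset: no usable endpoint
        return None
    if len(banner) == 12 and banner.startswith(b"RFB ") and banner.endswith(b"\n"):
        return banner[4:11].decode("ascii")
    return None


def check_tunnel_endpoint(port, host="127.0.0.1"):
    """What the road warrior runs right after opening the PuTTY session and before
    starting the viewer: is the local forwarded port answering as a VNC server?"""
    version = probe_vnc(host, port)
    if version is None:
        return ("no VNC server behind %s:%d (tunnel not open, wrong destination, "
                "or TCP 5900 blocked on the desktop)" % (host, port))
    return "VNC server reachable through the tunnel, RFB protocol %s" % version


def start_fake_vnc_server(banner=RFB_BANNER):
    """Constructed stand-in for a tunnelled TightVNC server, used only so the probe
    can be exercised offline: listens on a loopback port chosen by the OS, sends the
    banner to the first client, then exits. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    # Offline demonstration against the stand-in; with a real tunnel call
    # check_tunnel_endpoint(5900) on the laptop instead.
    port, thread = start_fake_vnc_server()
    print(check_tunnel_endpoint(port))
    thread.join(2)
    print(check_tunnel_endpoint(port))   # now refused: the stand-in has gone away
```

With a real tunnel, `check_tunnel_endpoint(5900)` on the laptop reaches the office desktop through PuTTY's local forward; a "no VNC server" answer means the session is not open, the destination in the tunnel is wrong, or the desktop's firewall still blocks TCP 5900 (step 8a). On a laptop with an OpenSSH client instead of PuTTY, the tunnel of step (6) is `ssh -N -L 5900:10.1.1.101:5900 user@your_home_outside_ip_address`, after which the same probe applies.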
Notes:

(1) This assumes your home/office has an IP address that is accessible from the outside world; some ISPs do not give out outside-accessible IP addresses. If that is the case, either change ISP or pay them extra to give you an IP that is outside-accessible. For ISPs that give out dynamic, non-RFC-1918 IPs, you can turn a "dynamic IP" into an "accessible IP" by using services such as www.dyndns.com. D-Link routers include this dynamic DNS (DDNS) capability through www.dlinkddns.com in their router firmware.

(2) This assumes your laptop's IP address subnet is not the same as the address subnet of your office/home network (a collision). E.g., if your laptop is given an address in the space 192.168.1.xxx and your home network is also using the address space 192.168.1.xxx, then a collision occurs and the VPN will not work. This unfortunate situation can happen if you use a Linksys (or D-Link) router at the home/office and the hotel (thousands of miles away) is also using a Linksys (or D-Link) router. The smart road warrior changes the IP address space of his home/office network before travel. The following are very popular private subnets; avoid using them in your home/office network (i.e., by changing your home/office router/DHCP configuration settings): 192.168.0.xxx, 192.168.1.xxx, 192.168.2.xxx. Hint: if you choose an RFC 1918 private subnet such as 10.1.1.xxx for your home/office network, the chance of collision is greatly reduced. I suggest choosing the netmask 255.255.255.0 (you can have up to 254 machines behind your home/office router). In this case, your probability of collision with any hotel is less than 1 in 65,000.
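Note (2) describes the subnet collision by hand. The Python below is an added example, not from the original page, that does the same checks mechanically with the standard ipaddress module: whether a laptop's hotel subnet overlaps the home/office subnet, whether a candidate is one of the popular router defaults the page warns about, whether it is an RFC 1918 range at all, and where the two figures in the hint come from (254 usable hosts behind a 255.255.255.0 netmask, and 65,536 possible /24 subnets inside 10.0.0.0/8, which is why the page puts the odds below 1 in 65,000). The sample addresses are constructed.

```python
import ipaddress

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Subnets the page lists as popular consumer-router defaults, best avoided at home/office.
POPULAR_SUBNETS = [ipaddress.ip_network(n)
                   for n in ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")]


def network_of(spec):
    """Accept '192.168.1.37/24' or '10.1.1.0/255.255.255.0' and return the enclosing network."""
    return ipaddress.ip_network(spec, strict=False)


def subnets_collide(laptop, home):
    """True when the hotel/laptop subnet and the home/office subnet overlap, i.e. the
    situation in note (2) where traffic for the office never leaves the hotel LAN."""
    return network_of(laptop).overlaps(network_of(home))


def is_rfc1918(home):
    """True if the whole candidate subnet lies inside one RFC 1918 range."""
    return any(network_of(home).subnet_of(r) for r in RFC1918)


def is_popular(home):
    """True if the candidate touches one of the router-default subnets to avoid."""
    return any(network_of(home).overlaps(p) for p in POPULAR_SUBNETS)


def usable_hosts(home):
    """Addresses minus network and broadcast: 254 for a /24 (255.255.255.0)."""
    return network_of(home).num_addresses - 2


def choices_in_10_8(prefixlen=24):
    """How many distinct /prefixlen subnets fit in 10.0.0.0/8. With /24 that is
    2**16 = 65,536, the denominator behind the page's 'less than 1 in 65,000'."""
    return 2 ** (prefixlen - 8)


def assess_home_subnet(home, laptop_subnets_seen=()):
    """Summarise note (2) for one candidate home/office subnet: an empty list is good."""
    problems = []
    if not is_rfc1918(home):
        problems.append("not an RFC 1918 private range")
    if is_popular(home):
        problems.append("one of the popular router-default subnets")
    for seen in laptop_subnets_seen:
        if subnets_collide(seen, home):
            problems.append("collides with %s" % network_of(seen))
    return problems


if __name__ == "__main__":
    # Constructed sample: a hotel hands the laptop 192.168.1.37 with a /24 mask.
    hotel = "192.168.1.37/24"
    for candidate in ("192.168.1.0/24", "10.1.1.0/255.255.255.0"):
        print(candidate, "->", assess_home_subnet(candidate, [hotel]) or ["ok"])
    print("usable hosts behind a /24:", usable_hosts("10.1.1.0/255.255.255.0"))
    print("/24 subnets available inside 10.0.0.0/8:", choices_in_10_8())
```

Feed `assess_home_subnet` the subnets your laptop has actually been handed on the road (ipconfig shows them) and it will tell you before the next trip whether the home/office range needs changing.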
© 2003-2012 Nicholas Fong
Last revised: January 24, 2012