VPN connection question
NoOp
glgxg at sbcglobal.net
Fri Sep 28 23:45:39 UTC 2007
On 09/27/2007 06:06 PM, Patton Echols wrote:
>
>>
>> If Patton simply wishes to connect into his home PC from his wireless he
>> can use a VNC connection. That can be plain or encrypted - I do it all
>> the time. But if he wants to create an ipsec VPN connection into the
>> BEFSX41 he'll need to have an ipsec client on the remote side.
>>
>>
>
> Truth is I didn't think much about this possibility. If I wanted to do
> just a VNC, how would I do that? Set the Router for port forwarding to
> the appropriate machine? Don't I still need an encryption solution?
>
> I guess I'm a bit reluctant for two reasons:
> First, since the machines inside are WinXP boxes, I'd need a VNC server
> on each one I want to access (Just one more thing) But the Terminal
> Service Client on my laptop connects natively to the Remote Desktop
> built into XP
>
> Second, again since the machines are XP, I don't really want to have
> random port scans forwarded to my XP box. I'm not sure I trust Gates
> and Co. to protect those machines. I think (though I suppose I really
> don't know) that the VPN opening in my router will be much harder to
> crack than my XP desktop.
>
You could eliminate all of the hassles by just buying a BEFxx41 and
using it at home. That way you let the routers do their work on each end.
Again, make sure that the router's firmware is fully up to date.
For roaming & VNC:
On most XP machines I set up a VPN tunnel into them. However in
instances where that might be difficult here is what I do for VNC:
1. Download & install UltraVNC on the XPs. See: http://www.uvnc.com/ (I
don't recommend the beta, just use 1.0.2.) Set up VNC as a service;
that way you'll be able to reboot them and log back in remotely. When
you go home at night, leave the machine on but at the login screen;
when finished, reboot/log out so that it goes back to the login screen, or
shut down so that the machine isn't up and happily chatting away to
anyone else.
2. Set a strong password for the UltraVNC servers and change the port numbers
from 5900 and 5800 to some arbitrary non-well-known port that is not
used for any particular service and/or trojan. See:
http://isc.sans.org/port.html?port=5900 and
http://www.iana.org/assignments/port-numbers
This will help to avoid the common script kiddies that scan well known
ports. It won't stop someone finding the ports, but in combination with
your router firewall it will make it harder. You'll just need to
remember to enter the port number when you VNC into the machine.
3. Set your router to allow connections on that port from a specific FQDN
only.
4. If the BEFSX41 is connected to a dynamic IP, then go to dyndns.org
(http://www.dyndns.com/ - http://www.dyndns.com/services/dns/dyndns/)
and set up a free DDNS. Put that into the DDNS settings in your router
so that you can find your router from home. Do the same for your home
router/machine. You'll need this even when setting up the VPN as well.
5. Download and install the UltraVNC client (not server) on your Ubuntu
machine via WINE. The interface is somewhat kludgy under WINE, but
you'll find this handy as UltraVNC has a very nice file transfer
capability that you can use to transfer files back and forth between the
Ubuntu machine and the XP machines. For standard stuff I use the Krdc
interface on the Ubuntu machine and use the UltraVNC interface for file
transfer & chat.
You can experiment with UltraVNC's encryption and/or use SSL via the web
on the alternate of the 5800 port if you wish. But if you use some good
sense, change the port numbers (and change them on a regular basis), and
set up your BEFSX41 firewall properly you should be OK for standard
in/out sessions without much worry.
I'm sure that other folks will have some good/better suggestions with
SSH/SSL, but that's what I use & so far I've been pretty happy with it.
I much prefer the router-to-router VPN, but VNC works well when I don't
have that setup.
BTW: I'm still planning on doing the kvpnc & racoon testing when I get
access to the remote machine (which I'll krdc/VNC into to do the
testing :-) & I'll definitely post back the results.
Gary
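As an added example (not code from this thread, nor from UltraVNC or Linksys), a small triage script that shows what steps 2 and 3 above buy you and what they don't: it sorts inbound connection attempts into background scans of the default VNC ports, legitimate sessions from the one allowed source, and hits on the relocated port from anywhere else, the case the post admits a moved port cannot rule out. The relocated port, the allowed address, the log format and the log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Policy mirroring the thread: VNC moved off 5900/5800 to an arbitrary high
# port, and the router admits that port only from one known source address.
# All values are constructed for this example, not taken from a real setup.
VNC_PORTS_DEFAULT = {5800, 5900}
RELOCATED_PORT = 47113                                   # hypothetical moved port
ALLOWED_SOURCE = ipaddress.ip_network("203.0.113.7/32")  # hypothetical resolved FQDN

# Constructed log format (not the BEFSX41's own): "<src_ip>:<src_port> -> <dst_port> <action>"
LINE_RE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dport>\d+) (?P<action>ACCEPT|DROP)$")

SAMPLE_LOG = """\
198.51.100.23:40211 -> 5900 DROP
198.51.100.23:40212 -> 5800 DROP
203.0.113.7:51000 -> 47113 ACCEPT
192.0.2.99:33333 -> 47113 DROP
192.0.2.99:33334 -> 47113 ACCEPT
"""

def classify(line):
    """Return a category for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dport = int(m["dport"])
    if dport in VNC_PORTS_DEFAULT:
        return "default-port-scan"            # expected background noise
    if dport == RELOCATED_PORT and src not in ALLOWED_SOURCE:
        # Obscurity alone failed: someone found the moved port. An ACCEPT here
        # means the router's source restriction (step 3) is not really in place.
        if m["action"] == "ACCEPT":
            return "relocated-port-accepted-unexpected"
        return "relocated-port-found"
    if dport == RELOCATED_PORT:
        return "allowed-session"
    return "other"

def triage(log_text):
    """Count categories across a log; a non-zero 'unexpected' bucket is the alert."""
    counts = Counter()
    for line in log_text.splitlines():
        cat = classify(line)
        if cat:
            counts[cat] += 1
    return counts

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```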