peter_m
Premium
join:2005-07-13
Canada, QC
edit:
May 3rd, @09:21PM
|  [XP] Access a PC remotely via the Internet
Hello everyone,
looking to use something like RealVNC, TightVNC or UltraVNC to access a PC remotely. It has to be secure since I want it to run all the time. I need to consider the following:
-Security of the server/client
-Speed/performance of the server/client
-Accessible even is no local users are logged in
-Getting around a dynamic IP on the server side
-NAT/router that might not allow static IP table over DHCP
So which VNC software to choose?
Should I try something with SSH to secure things?
Is something like a no-ip.com, dyndns.com or easydns.com helpfull?
Is there any NAT traversal solution out there?
Peter |
|
LLigetfa
join:2006-05-15
Fort Frances, ON | Why not use RDP? It will have better performance. |
|
peter_m
Premium
join:2005-07-13
Canada, QC
edit:
May 3rd, @10:07PM
| "Why not use RDP? It will have better performance."
XP home!!!
Anyone have an opinion between: RealVNC, TightVNC or UltraVNC ?
Peter |
|
jinjimbob
Troy Mcclure
join:2001-11-13
Enumclaw, WA
 ·Qwest.net
| reply to peter_m
I use real vnc all the time, but this connects to a sun system.
I used real vnc to connect to a Ubuntu PC on the same network, seemed very slow. But its ok, aslong as you keep things graphically to a minimum.
I use dyndns.org to connect to my home network, very easy to use, I use the Tomato WRT54GS firmware with a built in client. |
|
tubbynet
more voices, more choices
Premium
join:2008-01-16
Mesa, AZ
 ·Sprint Mobile Broa..
 ·Cox HSI
·FrontierNet Intern..
| reply to peter_m
I would suggest throwing any traffic through a VPN of some sort. OpenVPN is fairly simple to get up and running if you have a spare Linux server or a WRT54G/GL running dd-wrt. Other solutions are available via Linksys, Cisco, etc. type routers. I wouldn't suggest having any open ports with unsecure services facing the net, be they RDP or VNC type services.
q. |
|
peter_m
Premium
join:2005-07-13
Canada, QC
edit:
May 4th, @01:45AM
| Can OpenVPN take care of port forwarding? With some UPnP of some sort or will I have to take care of that separately?
Can I run OpenVPN directly on the PC that will be the VNC server? Will that PC's network traffic be restricted to the VPN or can I just force the VNC through openVPN?
Peter
EDIT: so if i understand correctly, will need VNC, Open VPN and the DynDns client on the PC running at boot time as a system service. Is that going to slow down the PC? |
|
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
edit:
May 4th, @08:41AM
|  said by peter_m  :Can OpenVPN take care of port forwarding? With some UPnP of some sort or will I have to take care of that separately? Can I run OpenVPN directly on the PC that will be the VNC server? Will that PC's network traffic be restricted to the VPN or can I just force the VNC through openVPN? Peter EDIT: so if i understand correctly, will need VNC, Open VPN and the DynDns client on the PC running at boot time as a system service. Is that going to slow down the PC? By default once the OpenVPN tunnel is established client traffic is automatically directed through the VPN tunnel if your addressing VNC to look for the VNC server on the remote network. You can also force all traffic, ie. disable split tunneling, on your OpenVPN clients.
»openvpn.net/index.php/documentat···redirect
Yes you can run the OpenVPN server on the PC you want to remotely access with VNC if you want.
The only performance issues I saw with a setup like that is with VNC. In my case I ran UltraVNC on some XP Pro machines as a test. You can speed up UltraVNC (or any flavor of VNC) a bit by disabling the rendering of the remote VNC server/host PCs desktop wallpaper.
Personally I found SSH easier to setup than OpenVPN, but that is just a personal opinion. Both work equally well once you get them going. Here are my SSH links.
»theillustratednetwork.mvps.org/S···ell.html
My old OpenVPN links page...
»theillustratednetwork.mvps.org/O···VPN.html
--
"When all else fails, read the instructions..."
MS-MVP Windows – Desktop User Experience |
|
tim_k
Buttons, Bows, Beamer, Shadow
Premium
join:2002-02-02
Stewartstown, PA
| reply to peter_m
I've found those programs to be a pain to use. Have to forward ports, set IP addresses, get through firewalls, etc. I prefer »https://secure.logmein.com/welcome/get_l···gnup.asp It's the only way I can connect remotely from work. The free version does all I did it to do. You don't need to worry about setting up routers or IP addresses.
--
RIP my baby Buttons 1/15/94-2/9/07 Buttons, Buttons video
|
|
peter_m
Premium
join:2005-07-13
Canada, QC | Thanks Tim,
that sounds interesting. Just wonder what limitations has the free version? Does it expire? Does it limit the logged on time? Does it allow CTRL-ALT-DEL to be sent? Can it run as service at boot time?
Peter |
|
peter_m
Premium
join:2005-07-13
Canada, QC | reply to SoonerAl
SoonerAl,
thank you for the links. Will look into it this week.
Peter |
|
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
| reply to peter_m
Something to consider with LogMeIn or a similar service versus a roll-your-own setup like SSH/OpenVPN and VNC is do you want to control the whole process, ie. server, client, etc or are you willing to allow a third party to control part of the process. While I agree LogMeIn is probably pretty simple to setup and use I am in the I want to control everything camp. I guess you can call me a control freak... 
The bottom line it comes down to your personal risk threshold.
Also in the vein of full disclosure I do sometimes use TeamViewer and their third-party connection servers to remotely support one of my sister-in-laws. Not often but I do use that service.
--
"When all else fails, read the instructions..."
MS-MVP Windows – Desktop User Experience |
|
peter_m
Premium
join:2005-07-13
Canada, QC
edit:
May 5th, @03:43PM
| SoonerAl, I have to admit I am leaning towards rolling my own setup. Having the VPN(ssh or openvpn) the TihghtVNC and the dyndns client running 100% of the time, how much of RAM and CPU cycle will I be sacrificing? On a 256mb/XP machine will it be viable?
Peter |
|
tubbynet
more voices, more choices
Premium
join:2008-01-16
Mesa, AZ
·Sprint Mobile Broa..
·Cox HSI
·FrontierNet Intern..
| I have successfully done this (albeit a while ago) using a PII-350 with 256MB RAM running Debian 3.1. Granted the software was a little different, but it was still a VERY low end machine. One caveat: I was not pushing all traffic through the machine, but rather split tunneling. I had "interesting traffic" run across my VPN, while generic internet traffic was pushed out using the usual devices. I am not sure how much the actual crypto part of the packet will take to decode on the local PC, but given that the actual OpenVPN implementation is using SSL and not IPSec, I'm sure that actual CPU requirements for OpenVPN are much less than one would think.
I would assume that the newer versions of OpenVPN can't be too intensive as it is possible to run the OpenVPN solution on a typical WRT54G (v.1-4) which were running ~200MHz processors with only 8MB of RAM. It took a little leg work to get it up and running, but it is very doable with about $30 on eBay (which may suit you a little better in the long run, as the DynDNS client runs on the router as well). If you wish to have a little more flexibility, a company by the name of TekLinux takes WRT54GLs and mods an SD card to the router (giving extra space for mini-web and ftp-type services). This is a little "much" for your setup, however it may be well worth it as I have trouble fitting the openVPN binary and the required keys/configs on the flash of a normal WRT without a little finagling. I believe that they sell several models right around (or under) $100.
This is all very dependent on the requirements of granularity for control. I prefer to be able to admin everything that I can so I can assure quality, on the fly config changes, etc. You may prefer to actually "roll your own" solution as it may be cheaper and a little more effective for you. |
|
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
| reply to peter_m
said by peter_m :SoonerAl, I have to admit I am leaning towards rolling my own setup. Having the VPN(ssh or openvpn) the TihghtVNC and the dyndns client running 100% of the time, how much of RAM and CPU cycle will I be sacrificing? On a 256mb/XP machine will it be viable? Peter I ran copSSH (my choice for a maintained SSH server install package) on a similar machine and did not see a performance hit. Of course I only had at the most one user at a time logging in with Tunnelier (my SSH client of choice). Personally I say test it and see if it performs to your needs.
--
"When all else fails, read the instructions..."
MS-MVP Windows – Desktop User Experience |
|
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
| reply to peter_m
I forgot to add another roll-your-own alternative which is SSL-Explorer. I don't know how many users you need to have connected at any given time but you can get a free 2-user license. I ran the former free SSL-Explorer Community Edition a few years ago. It has a built-in VNC (UltraVNC and TightVNC are supported natively) extension. The nice thing about SSL-Explorer is that it is a so called clientless solution. You can use any Java supported browser like IE, etc, ie. no need to install a VNC client, etc on the remote PC for example.
»3sp.com/showSslExplorer.do
»3sp.com/forums/forums/list.page
--
"When all else fails, read the instructions..."
MS-MVP Windows – Desktop User Experience |
|
tim_k
Buttons, Bows, Beamer, Shadow
Premium
join:2002-02-02
Stewartstown, PA
| reply to peter_m
said by peter_m :Thanks Tim, that sounds interesting. Just wonder what limitations has the free version? Does it expire? Does it limit the logged on time? Does it allow CTRL-ALT-DEL to be sent? Can it run as service at boot time? Peter The free version does not expire. The times I used it I didn't need to do a CTRL-ALT-DEL so I'm not sure if it can be sent. It does allow me to log on from the Windows XP startup menu so it does run as a service. The client doesn't need anything but a web browser (might have to be IE). You can look on their website for the differences, the pay version allows things like direct file transfers.
--
RIP my baby Buttons 1/15/94-2/9/07 Buttons, Buttons video
|
|
phreekd
Premium
join:2003-06-10
Parkville, MD
·Verizon Online DSL
| reply to peter_m
I use UltraVNC with encryption on mostly but you should also look at this VNC implementation:
»www.teamviewer.com/index.aspx
--
Think or you may be eliminated...at the very least assimilated. |
|
peter_m
Premium
join:2005-07-13
Canada, QC
edit:
May 7th, @07:11PM
| reply to peter_m
Thank you all for the information. It is priceless.
I've decided on the simplest solution possible. I will use tightVNC server that users can start when they need help and then do a reverse connection by having them right click the VNC icon in the tray and select "add new client". This way I will be the only one to have to worry about ports and such at my end only. I can then either give them my actual IP or just give them a DynDNS address and bingo! Obviously at my end I will need the Viewer client in "listening mode" running an waiting just before they start the process at their end. The best thing about this is that it's an outgoing connection for them so it should work almost 100% of the time, regardless of routers or if they change locations (laptop).
Also by having them start it only when needed, all security issues are eliminated. It has it's disadvantages but it is as simple as it gets without registering for anything or depending on a third-party server.
Again thanks for all the info guys. If I ever decide to go the 100% of the time accessible and fully automated route, I will refer back to this thread.
Cheers,
Peter |
|
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
| reply to peter_m
From the TightVNC FAQ...
»tightvnc.org/faq.html
quote:
How secure is TightVNC?
Although TightVNC encrypts VNC passwords sent over the net, the rest of the traffic is sent as is, unencrypted (for password encryption, VNC uses a DES-encrypted challenge-response scheme, where the password is limited by 8 characters, and the effective DES key length is 56 bits). So using TightVNC over the Internet can be a security risk. To solve this problem, we plan to work on built-in encryption in future versions of TightVNC.
In the mean time, if you need real security, we recommend installing OpenSSH, and using SSH tunneling for all TightVNC connections from untrusted networks.
At a minimum I would use UltraVNC with its encryption plug-in as noted by phreekd. You can also setup its SingleClick function.
»www.uvnc.com/addons/singleclick.html
Since this now appears to be a help desk function that your looking for TeamViewer as noted by phreekd and me in an earlier reply is a good solution. I sometimes use TeamViewer to support a sister-in-law. You can setup a preassigned password on the novice PC to ease the connection process. If you use their third-party servers connections can be made without needing to forward/open any ports on either end of the connection, ie. your end or the novice end.
--
"When all else fails, read the instructions..."
MS-MVP Windows – Desktop User Experience |
|
peter_m
Premium
join:2005-07-13
Canada, QC
edit:
May 8th, @05:56PM
| SoonerAl,
I am sold! UltraVNC with it's single click solution is exactly what I need. If it has built-in encryption I will most certainly use it. Thanks for the valuable info.
Peter
EDIT: been playing with both Tight and Ultra and I have to say regardless of Ultra's "Single Click" feature, I find TightVNC more responsive. Not much lag at tall. I tried different encoding formats and Tight always has less lag. Sometimes it's almost exactly like being at the remote PC. |
|
