
Saturday 7 January 2012

how to use (putty) OpenSSH to tunnel VNC traffic through the public Internet


This tutorial shows you how to use (PuTTY) OpenSSH to tunnel VNC traffic through the public Internet so that you can access and control your home/office Windows PC from a remote location, under the strong encryption of OpenSSH.

The encryption ciphers offered by OpenSSH are AES, 3DES, Blowfish, CAST-128 and arcfour (RC4).
The default OpenSSH encryption (cipher) is AES-128-CBC.
You might get some performance increase by specifying that you prefer the Blowfish cipher. To do this, on the ssh server side, force a preferred cipher order by adding a line like the one below to the sshd configuration file (usually /etc/sshd_config):
Ciphers blowfish-cbc,aes128-cbc,3des-cbc
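The cipher line above dates from when Blowfish was a reasonable choice; modern OpenSSH disables every CBC-mode cipher and arcfour by default and has dropped Blowfish altogether, so a practitioner should audit that line rather than copy it. The script below is an added example, not part of the original tutorial: it reads the Ciphers directive from a constructed sample sshd_config, flags the weak families, and prints an AEAD-only replacement. The sample file and its path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the "Ciphers" line
# of a sshd_config for algorithms that modern OpenSSH no longer enables by
# default (every CBC mode, arcfour/RC4, 3DES, Blowfish) and print a
# replacement made of AEAD ciphers only. The config file used below is a
# constructed sample, not a real /etc/sshd_config.

# Return 0 when a single cipher name belongs to one of the weak families.
weak_cipher() {
    case "$1" in
        *-cbc|arcfour*|3des*|blowfish*|cast128*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a comma-separated cipher list contains no weak cipher,
# 1 otherwise; each weak name is printed on its own line.
audit_cipher_list() {
    rc=0
    old_ifs=$IFS; IFS=,
    for c in $1; do
        if weak_cipher "$c"; then
            echo "weak: $c"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# First active "Ciphers" directive in a config file (commented lines ignored).
ciphers_from_config() {
    sed -n 's/^[[:space:]]*Ciphers[[:space:]]\{1,\}//p' "$1" | head -n 1
}

# Hardened replacement: authenticated (AEAD) ciphers only, most preferred first.
HARDENED_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com"

demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed sample sshd_config (the tutorial's suggested line)
Port 22
Ciphers blowfish-cbc,aes128-cbc,3des-cbc
EOF
    current=$(ciphers_from_config "$tmp")
    echo "current: $current"
    if audit_cipher_list "$current"; then
        echo "cipher list is acceptable"
    else
        echo "replace with: Ciphers $HARDENED_CIPHERS"
    fi
    rm -f "$tmp"
}

demo
```

On a current OpenSSH, `ssh -Q cipher` lists the names the client actually supports, which is the quickest way to confirm that whatever you put on the Ciphers line will still be negotiated.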
Recent versions of TightVNC perform reasonably fast, and it is free.
Commercial remote control software is also available, e.g. Radmin, www.radmin.com
You can also use Hamachi instead of an ssh client and ssh server to establish a VPN from the road warrior side to the home base.
See Hamachi's web site. Thanks to Gord for this tip.


(1) At your home/office network, behind a firewall (or router, or NAT box), set up an OpenSSH server.
If you use Windows XP SP2, you need to tweak the "windows firewall" to open TCP Port 22.
Click Start...Control Panel...(in Category View mode)...Security Centre...Windows Firewall
...Exceptions Tab...Add port....port name SSH, port 22, TCP and port name VNC, TCP port 5900
Thanks to Stefano of Sardegna, Italy for the XP-SP2-firewall reminder.
(2) On your home/office firewall/router, set up a port-forward of TCP port 22 to the IP address
of the computer that runs the OpenSSH server (called sshd). D-Link calls port-forward "virtual server". For most large corporations you cannot do that, as the system
administrators don't allow it.
(3) On the home/office Windows computer, install TightVNC server.
TightVNC server can be downloaded from http://www.tightvnc.com/
Install the "TightVNC server". See this diagram.
Register TightVNC server as a system service;
start the TightVNC service. See this diagram.
If the TightVNC server is on the same machine as the ssh server, enable loopback connections.
(3a) If setup asks you to supply a password, give it a safe (hard to guess) password. See this diagram.
(4) If you missed step (3), double-click the TightVNC icon in the bottom icon tray and set a password. See this diagram.

(5) At the remote location (I assume you are using a laptop there), install TightVNC Viewer.
During install, select the checkbox "TightVNC Viewer".
(6) On the remote laptop, install PuTTY (see this page).
Create an SSH connection to your_home_outside_ip_address;
add a tunnel, source port = 5900, destination = 10.1.1.101:5900
(I am assuming your home/office PC is 10.1.1.101; you may need to change 10.1.1.101 to the actual IP address of your home/office Windows box)
Click the "Add" button to add the tunnel.
Click the "Session" category and click the "Save" button. See this diagram.
(7) On the remote laptop, launch PuTTY:
highlight the IP address you want to connect to, click "Load", click "Open". See this diagram.
(7a) Launch the TightVNC Viewer. In the server field, type 127.0.0.1, click Connect. See this diagram.
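The PuTTY session of steps (6) to (7a), expressed as an OpenSSH command line for readers on a Linux or Mac laptop, with a check that the forwarded port listens on the loopback address only. This is an added example, not code from the original tutorial: the account "user", the host name "home.example.org" and the ss/netstat output inside demo() are constructed; 10.1.1.101 is the tutorial's own desktop address. The point of the check is the same one the tutorial's design relies on: the router forwards only TCP 22, so the only path from the Internet to VNC on port 5900 is the tunnel, and the tunnel's local end must not itself be reachable from the hotel network.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the OpenSSH command-line
# equivalent of the PuTTY session in steps (6) to (7a), and a check that the
# forwarded port listens on 127.0.0.1 only. "user@home.example.org" and the
# ss/netstat output in demo() are constructed for this example; 10.1.1.101 is
# the tutorial's own desktop address.

# $1 = account@home address, $2 = office desktop IP, $3 = local port.
# -N: no remote shell, only the forward.  ExitOnForwardFailure: fail instead
# of silently connecting without the tunnel when the local port is busy.
# The explicit 127.0.0.1 bind is the command-line twin of leaving PuTTY's
# "Local ports accept connections from other hosts" box unchecked.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:5900 %s\n' "$3" "$2" "$1"
}

# Read "ss -ltn" or "netstat -ltn" output on stdin and report how local
# port $1 is bound: "loopback", "all-interfaces" or "absent".  A forward
# bound to 0.0.0.0 lets anyone on the hotel network ride your tunnel into
# the office desktop, so only "loopback" is acceptable.
listener_scope() {
    awk -v p=":$1" '
        {
            for (i = 1; i <= NF; i++) {
                s = length($i) - length(p) + 1
                if (s > 0 && substr($i, s) == p) {
                    if ($i ~ /^(127\.|\[::1\])/) { if (found == "") found = "loopback" }
                    else found = "all-interfaces"
                }
            }
        }
        END { if (found == "") found = "absent"; print found }'
}

demo() {
    echo "run on the laptop:"
    tunnel_cmd user@home.example.org 10.1.1.101 5900
    # constructed "ss -ltn" output, as it should look while the tunnel is up
    sample='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5900      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
    echo "port 5900 is bound to: $(printf '%s\n' "$sample" | listener_scope 5900)"
}

demo
```

With the ssh process running, point the TightVNC Viewer (or `vncviewer` on Linux) at 127.0.0.1:5900 exactly as in step (7a); the viewer never sees the office address, and ss/netstat on the laptop should show the 5900 listener on 127.0.0.1 and nothing else.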
Caveats
(1) This assumes your home/office has an IP address that is reachable from the outside world; some ISPs do not give out outside-accessible IP addresses. If that is the case, either change ISP or pay them extra for an IP that is outside-accessible. For ISPs that give out dynamic, non-RFC-1918 IPs, you can turn a "dynamic IP" into an "accessible IP" by using a service such as www.dyndns.com. D-Link routers include this dynamic DNS (DDNS) capability, through www.dlinkddns.com, in their router firmware.
(2) This assumes your laptop's IP subnet is not the same as the subnet of your office/home network (a collision).
E.g., if your laptop is given the address space 192.168.1.xxx and your home network is also using 192.168.1.xxx, then a collision occurs and the VPN will not work.
This unfortunate situation can happen if you use a Linksys (or D-Link) router at the home/office and the hotel (thousands of miles away) is also using a Linksys (or D-Link) router. The smart road warrior changes the IP address space of his home/office network before travel.
The following private subnets are very popular; avoid using them in your home/office network (i.e., change your home/office router/DHCP configuration settings).
Popular subnets are: 192.168.0.xxx, 192.168.1.xxx, 192.168.2.xxx
Hint: If you choose an RFC 1918 private subnet such as 10.1.1.xxx for your home/office network, the chance of collision is greatly reduced. I suggest the netmask 255.255.255.0 (you can have up to 254 machines behind your home/office router). In this case, your probability of collision with any hotel is less than 1 in 65,000.
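A small check for caveat (2), added here as an example and not part of the original tutorial: given the home/office subnet and the subnet a hotel hands the laptop (both in a.b.c.d/prefix form), it reports whether the two overlap. It uses only POSIX shell arithmetic; the hotel addresses in demo() are constructed, the home ones are the tutorial's. The hint's 1-in-65,000 figure corresponds to the 2^16 = 65,536 distinct /24 networks inside 10.0.0.0/8.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check before travelling
# whether the subnet a hotel hands your laptop collides with your home/office
# subnet. Only POSIX shell arithmetic is used; the addresses in demo() are the
# tutorial's examples plus constructed hotel values.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Network number of "a.b.c.d/prefix" (prefix 1-32).
net_of() {
    addr=${1%/*}; prefix=${1#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    echo $(( $(ip2int "$addr") & mask ))
}

# Return 0 (true) when two CIDR ranges overlap: mask both with the shorter of
# the two prefixes and compare the network numbers.
subnets_collide() {
    p1=${1#*/}; p2=${2#*/}
    if [ "$p1" -lt "$p2" ]; then short=$p1; else short=$p2; fi
    [ "$(net_of "${1%/*}/$short")" -eq "$(net_of "${2%/*}/$short")" ]
}

# Human-readable verdict for one home/hotel pair.
report() {
    if subnets_collide "$1" "$2"; then
        echo "COLLISION: home $1 vs hotel $2 -- change the home subnet before travel"
    else
        echo "ok: home $1 vs hotel $2"
    fi
}

demo() {
    report 192.168.1.0/24 192.168.1.0/24     # the tutorial's Linksys-vs-Linksys case
    report 10.1.1.0/24    192.168.1.0/24     # the tutorial's recommended 10.1.1.x
    report 10.1.1.0/24    10.1.1.0/24        # the same /24 chosen twice still collides
}

demo
```

Run it with the laptop's current address and netmask (what the hotel's DHCP gave you) before opening the tunnel; a collision means the VNC destination 10.1.1.101 would be routed onto the hotel LAN instead of through the tunnel, which is exactly the failure the caveat describes.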


Advanced++
(8) For multiple internal PCs and multiple external road warriors, such as this setup.

This is an M x N situation: there can be M laptops (belonging to different people or just one) and N desktops (belonging to different people or just one). For the purpose of this demonstration, I assume a simpler situation: inside a company/office there are exactly 3 employees (Alice, Bob and Charlie), and each employee has exactly one laptop for use outside the office. Each employee can access his/her own office desktop remotely. Thanks to David Smith for some suggestions about this section.
(8a) Install TightVNC server on Alice/Bob/Charlie desktops. For Windows XP, don't forget to open Windows Firewall TCP port 5900.

You may decide to designate one of the staff desktops to serve as the company-wide ssh server to save cost. In that case, because the VNC server and the SSH server are on the same machine, enable loopback connections on that particular desktop. The benefit of setting up a separate box (either Linux or Windows with Cygwin sshd) as the office/home ssh server is increased stability and service availability; add a UPS to the ssh server for higher availability and fewer crashes due to power failures.
(8b) On the company firewall (or router box, or NAT box), port-forward TCP port 22 to the IP of the computer running the SSH server (D-Link calls it Virtual Server). In the example above, port-forward TCP port 22 to 10.1.1.3.
On each of the 3 remote laptops, install PuTTY and add a specific tunnel; the tunnel settings for the above example are:
Tunnel for Alice, source port = 5900, destination = 10.1.1.101:5900
Tunnel for Bob, source port = 5900, destination = 10.1.1.102:5900
Tunnel for Charlie, source port = 5900, destination = 10.1.1.103:5900
To revisit the M x N situation: assume you have only one road warrior (e.g. Dave with only one laptop) and three office desktops (named Alice, Bob and Charlie). In that case, on Dave's laptop, install PuTTY and create 3 sessions, all pointing to the office's external IP address. For each PuTTY session, add a (different) tunnel just like in the example above.
(8c) On the remote laptop, launch PuTTY: highlight the external IP address of your home/office, click "Load", click "Open". See this diagram.
(8d) Launch the TightVNC Viewer. In the server field, type 127.0.0.1, click Connect. See this diagram.
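The one-road-warrior, three-desktops case of step (8) as OpenSSH client configuration, added here as an example that is not part of the original tutorial. It goes one step beyond the text: the tutorial's three PuTTY sessions all reuse local port 5900 and so are used one at a time, whereas the generated stanzas give each desktop its own local port so Dave can have more than one tunnel up at once. The desktop names and 10.1.1.10x addresses are the tutorial's; the gateway name "vpn.example.org" and the account "dave" are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate OpenSSH client
# "Host" stanzas for the M x N case, one per office desktop, each with its own
# local port so a single road warrior (Dave) can keep several desktops open at
# once; the tutorial's PuTTY sessions all reuse local port 5900 and are meant
# to be used one at a time. Desktop names and 10.1.1.10x addresses are the
# tutorial's; "vpn.example.org" and the account "dave" are assumptions.

OFFICE_GATEWAY="vpn.example.org"   # office's external address (assumed)
SSH_USER="dave"                    # account on the office ssh server (assumed)

# Read "name ip" pairs on stdin; emit one Host stanza each, local ports
# counting up from $1.  Output is meant to be appended to ~/.ssh/config.
gen_ssh_config() {
    port=$1
    while read -r name ip; do
        [ -n "$name" ] || continue
        printf 'Host %s\n' "$name"
        printf '    HostName %s\n' "$OFFICE_GATEWAY"
        printf '    User %s\n' "$SSH_USER"
        printf '    ExitOnForwardFailure yes\n'
        printf '    LocalForward 127.0.0.1:%s %s:5900\n\n' "$port" "$ip"
        port=$((port + 1))
    done
}

# Look up which local port a generated config ($2) assigns to desktop $1.
local_port_for() {
    awk -v h="$1" '
        $1 == "Host" { cur = $2 }
        $1 == "LocalForward" && cur == h { sub(/^.*:/, "", $2); print $2 }' "$2"
}

demo() {
    cfg=$(mktemp)
    printf 'alice 10.1.1.101\nbob 10.1.1.102\ncharlie 10.1.1.103\n' | gen_ssh_config 5901 >"$cfg"
    cat "$cfg"
    echo "to reach Charlie: ssh -N charlie, then vncviewer 127.0.0.1:$(local_port_for charlie "$cfg")"
    rm -f "$cfg"
}

demo
```

Each stanza plays the role of one saved PuTTY session: `ssh -N alice` brings up Alice's tunnel on 127.0.0.1:5901, `ssh -N bob` on 5902, and so on, and the VNC viewer is pointed at the matching loopback port. As in the single-desktop case, everything still enters the office through TCP 22 on the gateway; the desktops' port 5900 is only ever reached from the ssh server on the office LAN.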
© 2003-2009 Nicholas Fong
Last revised: February 27, 2009

from http://members.shaw.ca/nicholas.fong/vnc/
