mersenneforum.org  

2011-05-04, 19:00   #1
Prime95
Networking help

When out of town, is it possible to have my laptop connect to and route my Internet traffic through my home LAN?

Why do this? When out of town, I'd like to send instructions to the PrimeNet server which is firewalled so that only my home static IP can get in. I'd also like to telnet/VNC to the machines on my home LAN.

My home setup is a DSL modem supporting a static IP. That is connected to a router. My machines connect to the router.

2011-05-04, 19:21   #2
smh

I see two possible options.

1) Set up a VPN. For example with http://openvpn.net/
2) Access the console of a pc/server at home. I have good experience with http://www.teamviewer.com

2011-05-04, 21:38   #3
mdettweiler

Quote:
Originally Posted by Prime95
When out of town, is it possible to have my laptop connect to and route my Internet traffic through my home LAN?

Why do this? When out of town, I'd like to send instructions to the PrimeNet server which is firewalled so that only my home static IP can get in. I'd also like to telnet/VNC to the machines on my home LAN.

My home setup is a DSL modem supporting a static IP. That is connected to a router. My machines connect to the router.
The first method that comes to mind is to use SSH tunneling: set up an SSH server on a machine in your network, forward port 22 on that machine so it's accessible from the outside, and you can then use an SSH client from anywhere to a) access the console on that machine, and b) securely tunnel a connection to any port on any machine that the SSH server box can access (such as another machine on the local network).

As an example, say you have a box with local IP address 10.0.0.1 running an SSH server which is port-forwarded to be accessible from the internet. You want to VNC into 10.0.0.2, which is not port-forwarded in any way, from your laptop, which is connected to the Internet in another location. To do this, you'd run the following command from the laptop (assuming you have an SSH client installed--it's present in most Linux distributions by default, but is also available for Windows):

ssh user@your-home-static-ip -L 1234:10.0.0.2:5900

SSH will prompt for the given user's login password on 10.0.0.1. Once you've entered that, you will be given a terminal shell on 10.0.0.1, which may or may not be of direct use to you. However, more importantly, the SSH client on the laptop has now started up a server on localhost (the laptop) port 1234, which is securely "tunneled" through the SSH session such that the server (10.0.0.1) will forward any packets received through the tunnel to 10.0.0.2 port 5900. The upshot is that you can open a VNC client on the laptop, connect to localhost port 1234, and it works as if you were on 10.0.0.1's console and VNCing to 10.0.0.2 port 5900.

I've used this method myself and found it to be very powerful--essentially, you are opening a little one-port pipe to the SSH server through which you can connect to anything the server can connect to. You can use one internet-accessible machine as a "jumping-off point" by which to securely access any machine on your local network, thus allowing you remote access to all of your machines without having to actually expose each machine to the Internet and all its dangers.

SSH also includes another option, a sort of "dynamic tunneling", which can be used to tunnel web access through the server:
ssh user@your-home-static-ip -D 8080
which will run a SOCKS proxy server on the laptop's port 8080 such that if you configure the laptop's browser to use localhost:8080 as a proxy, all of its connections will be encrypted and relayed through the server. You can thus browse with the same level of security you'd enjoy at home, even if your internet access point is through (say) an insecure public hotspot. And since you are browsing vicariously through the server, you can access web servers on your local private network as well (if such would be useful).

I do believe there is also an option -R which is supposed to be the inverse of -L (run a server on port 1234 on the SSH server, i.e. 10.0.0.1 in this example, which can be used to poke through and access a server and port through the laptop), though I haven't actually tried that one myself.

Hope this helps!
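
An added example, not part of the posts in this thread: the `-L` and `-D` forwards from the post above written as OpenSSH configuration, with the server side tightened because its port 22 is reachable from the Internet. The host alias `home`, the key file path and the account name `user` are assumptions; the addresses and ports are the ones used in the post.

```sshconfig
# ---- Laptop: ~/.ssh/config ----
# "home" is an assumed alias; your-home-static-ip is the post's placeholder.
Host home
    HostName your-home-static-ip
    User user
    # Assumed key path; key-based login replaces the password prompt.
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Same as -L 1234:10.0.0.2:5900, with the listener bound to loopback
    # so other hosts on the hotspot cannot use the tunnel.
    LocalForward 127.0.0.1:1234 10.0.0.2:5900
    # Same as -D 8080: SOCKS proxy on the laptop, loopback only.
    DynamicForward 127.0.0.1:8080
    # Fail the connection if a listener cannot be opened, rather than
    # leaving a session that looks healthy but forwards nothing.
    ExitOnForwardFailure yes
    ServerAliveInterval 30

# ---- SSH server box (10.0.0.1): /etc/ssh/sshd_config ----
# Keys only: an Internet-facing port 22 attracts password guessing.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
# Only the tunnel account may log in (assumed account name).
AllowUsers user
# Permit -L and -D, refuse -R (remote) forwards.
AllowTcpForwarding local
GatewayPorts no
X11Forwarding no
# Optional: limit which destinations forwards may reach. This also
# limits what the -D proxy can connect to, so leave it commented out
# if the proxy is needed for general web access.
#PermitOpen 10.0.0.2:5900
```

With the client stanza in place, `ssh -N home` opens both forwards without starting a remote shell.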

2011-05-05, 03:55   #4
Prime95

Excellent leads on how to proceed. Thanks.

Right now I'm stuck getting my DSL modem and DLink router to forward port 22. Three hours and no luck. Any help would be appreciated.

Attached is a screen shot of my feeble attempt. Four more follow as forum won't attach more than one per post. (later merged per suggestion)


Last fiddled with by Prime95 on 2011-05-05 at 14:09

2011-05-05, 04:44   #5
mdettweiler

Quote:
Originally Posted by Prime95
Excellent leads on how to proceed. Thanks.

Right now I'm stuck getting my DSL modem and DLink router to forward port 22. Three hours and no luck. Any help would be appreciated.

Attached is a screen shot of my feeble attempt. Four more follow as forum won't attach more than one per post.
Huh...you need to configure it on both the modem and router? This would seem to indicate a dual-NAT configuration (with a modem/router integrated combo on the outside, and a standalone router within it); is that indeed what you have? I have a similar setup, and it can be a bit of a pain in the butt with port forwarding to a machine within the inner network. What you'll need to do is configure the outside router (the modem, that is) to forward port 22 to the inside router, which will in turn forward it to the client machine. (You may already be doing exactly this, from what I can infer from the screenshots; just checking to make sure though.)

BTW, regarding attaching files to forum posts, I've discovered a little trick that lets you attach as many files as you want to one post (as long as they each individually are within the size limits): attach them to separate posts, then use the "Merge Posts" feature to combine them into one. This only works if you have mod status in the applicable subforum, but in your case that wouldn't be a problem.

2011-05-05, 12:50   #6
Flatlander

Quote:
Originally Posted by smh
...
2) Access the console of a pc/server at home. I have good experience with http://www.teamviewer.com
I have problems with TeamViewer (Free Edition) switching itself off on an Ubuntu box. Anyone else get this?

2011-05-05, 14:05   #7
Prime95

Quote:
Originally Posted by mdettweiler
Huh...you need to configure it on both the modem and router? This would seem to indicate a dual-NAT configuration (with a modem/router integrated combo on the outside, and a standalone router within it); is that indeed what you have?
Yes, that is what I have. The DSL modem has my 69.x.x.x static IP on the WAN side and 192.168.2.1 on the LAN side, it also acts as a DHCP server to the router. The router is 192.168.2.4 on the WAN side and 192.168.0.1 on the LAN side. The router also acts as a DHCP server to all my machines. My target box is 192.168.0.7.

How I ended up with this dual-NAT configuration is lost in antiquity. It might be possible to simplify things, but I'd lose at least 2 "features". 1) I like IP addresses that don't change. The router has a DHCP option that hands out the specific IP addresses to specific MAC addresses - the DSL modem does not have this feature. 2) Dual-NAT gives some minuscule security benefit in that if the bad guys pierce the DSL modem firewall they have to get through the router firewall too (that dual firewall is so good even I can't get through to do port forwarding!).

I'll try more banging my head against the wall tonight.

2011-05-05, 17:38   #8
sdbardwick

A long time ago (1996-8) I encountered a router that simply would not route if both WAN and LAN had 192.168.x.x addresses. Had to change LAN to 10.x.x.x

2011-05-06, 16:36   #9
Brain
George Woltman 2

Quote:
Originally Posted by Prime95
When out of town, is it possible to have my laptop connect to and route my Internet traffic through my home LAN?
By the way, is there a George Woltman 2, i.e. a trusted backup person? I can't help thinking as an information scientist (availability, reliability, performance and so on). I'm also curious about the server software and hardware. But there are many more important things than sneaking about PrimeNet's infrastructure (speed up FFTs). Thanks for all your work!

2011-05-10, 20:40   #10
Prime95

Quote:
Originally Posted by sdbardwick
A long time ago (1996-8) I encountered a router that simply would not route if both WAN and LAN had 192.168.x.x addresses. Had to change LAN to 10.x.x.x
I'm up and running (I hope). The problem was that whenever I did "ssh my-fixed-ip" the DSL modem detected this as a loopback and did not perform port forwarding. When I logged into a machine outside my network and ssh'ed back in, all was well.

Much time wasted on that little gotcha!

2011-05-10, 21:04   #11
chalsall

Quote:
Originally Posted by Prime95
I'm up and running (I hope). The problem was that whenever I did "ssh my-fixed-ip" the DSL modem detected this as a loopback and did not perform port forwarding. When I logged into a machine outside my network and ssh'ed back in, all was well.

Much time wasted on that little gotcha!
No disrespect intended, but your modem did the right thing.

Such remote access only makes sense when done remotely....
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.