iCIS Intra Wiki
Revision as of 09:28, 5 September 2024
Remote access from Home to your Work
VPN
Some network resources that are available at the university are not available when you are outside it.
However, when connected to the VPN you have access to all network resources as if you were working on a computer located at the university.
SSH terminal
You can always log in to one of the linux login servers with ssh. (eg. lilo.science.ru.nl).
You can also log in to an SSH server behind the university firewall by using lilo as a jump host:
ssh -J [USER1@]lilo.science.ru.nl [USER2@]SSH_SERVER
The USER between brackets is optional.
SSH bridging and tunneling to a service
Sometimes you need to access a service that is behind the university's firewall, and you may also, for safety reasons, want to encrypt all traffic to this service.
The ssh command is then a great tool to make SSH tunnels for either
- tunneling: making an end-to-end encrypted tunnel to protect the data traffic that is sent through it from eavesdropping
- bridging: setting up an SSH connection to a bridge SSH server to carry data traffic over a firewall to a server behind it
However, the syntax of the ssh command for the above cases is a bit tricky in detail. Every time I want to set up such a connection I have to figure out the details again, which costs me a lot of time.
Therefore I decided to make 2 simple wrapper commands over the ssh command, to make it easier and more intuitive to create a new SSH tunnel or bridge within a few seconds:
- sshtunnel - create an end-to-end encrypted SSH tunnel from a local port on localhost to a local port on an SSH server
- sshbridge - use SSH to bridge TCP traffic over a firewall
These commands are more intuitive because their arguments specify the linear order in which the data flows. So by just thinking about how you want the traffic to go, you can immediately write out the command. The examples below explain how to use the commands.
Example 1: Bridging RDP traffic to an RDP server behind a firewall with the help of an SSH bridge server open to the outside world (e.g. lilo.science.ru.nl). Note that the RDP protocol supports encryption by itself, so only passing the firewall using an SSH bridge server is needed.
    # make a firewall bridge from local port 13389 via lilo.science.ru.nl to RDPSERVER port 3389 to bypass the firewall
    sshbridge 13389 lilo.science.ru.nl RDPSERVER 3389
    # executes: ssh -N -L 13389:RDPSERVER:3389 lilo.science.ru.nl
Example 2: Tunneling VNC traffic to a VNC server behind a firewall with the help of an SSH server open to the outside world (e.g. lilo.science.ru.nl), where the VNCSERVER itself also runs an SSH server, so we can send all VNC messages safely over an end-to-end encrypted tunnel. Note that the VNC protocol does not encrypt its traffic, so we must supply an end-to-end encrypted tunnel for it to prevent eavesdropping.
    # make an encrypted SSH tunnel from local port 15900 to VNCSERVER port 5900 to prevent eavesdropping
    sshtunnel 15900 VNCSERVER 5900
    # executes: ssh -N -L 15900:localhost:5900 VNCSERVER
    # also bridge the tunnel over a firewall using lilo.science.ru.nl
    sshtunnel 15900 lilo.science.ru.nl VNCSERVER 5900
    # executes: ssh -N -J lilo.science.ru.nl -L 15900:localhost:5900 VNCSERVER
You can find installation instructions for the sshtunnel and sshbridge commands here. But you can also run the ssh commands from the above examples directly.
IMPORTANT: on a Windows machine you can install Git for Windows, which provides a terminal running bash in which you can run ssh commands and follow the above installation instructions to install sshtunnel and sshbridge.
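The wrapper commands themselves are not shown on this page. Below is an added, stand-alone POSIX shell version written for this page (not the wiki author's script), which builds the same ssh commands as the examples above from the linear argument order. It adds two things the one-liners lack: the ports are validated, and ssh is started with -o ExitOnForwardFailure=yes so that it exits instead of silently running without a forward when the local port is already taken. Host names are the page's placeholders; set SSH_DRY_RUN=1 to print the ssh command instead of running it.

```shell
#!/bin/sh
# sshtunnel / sshbridge wrappers: build the ssh port-forward command from arguments
# given in the order the traffic flows (added example for this page, not the wiki's script).
# SSH_DRY_RUN=1 prints the command instead of executing it.

# Print "ssh ARGS" when dry-running, otherwise execute ssh.
run_ssh() {
    if [ "${SSH_DRY_RUN:-0}" = "1" ]; then
        echo "ssh $*"
    else
        ssh "$@"
    fi
}

# Accept only a decimal TCP port in the range 1-65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# sshbridge LOCALPORT BRIDGEHOST TARGETHOST TARGETPORT
# Only the hop to BRIDGEHOST is inside SSH; BRIDGEHOST -> TARGETHOST is plain TCP,
# so the forwarded protocol must encrypt itself (RDP over TLS does, VNC does not).
sshbridge() {
    if [ "$#" -ne 4 ] || ! is_port "$1" || ! is_port "$4"; then
        echo "usage: sshbridge LOCALPORT BRIDGEHOST TARGETHOST TARGETPORT" >&2
        return 2
    fi
    # ExitOnForwardFailure: fail loudly if LOCALPORT is already in use instead of
    # leaving an ssh session open that forwards nothing.
    run_ssh -N -o ExitOnForwardFailure=yes -L "$1:$3:$4" "$2"
}

# sshtunnel LOCALPORT [JUMPHOST] TARGETHOST TARGETPORT
# The whole path is inside SSH and ends on TARGETHOST's own loopback interface, so the
# forwarded protocol is end-to-end encrypted; JUMPHOST (-J) only crosses the firewall.
sshtunnel() {
    case "$#" in
        3) jump=""; target="$2"; tport="$3" ;;
        4) jump="$2"; target="$3"; tport="$4" ;;
        *) echo "usage: sshtunnel LOCALPORT [JUMPHOST] TARGETHOST TARGETPORT" >&2; return 2 ;;
    esac
    if ! is_port "$1" || ! is_port "$tport"; then
        echo "sshtunnel: ports must be numeric (1-65535)" >&2
        return 2
    fi
    if [ -n "$jump" ]; then
        run_ssh -N -o ExitOnForwardFailure=yes -J "$jump" -L "$1:localhost:$tport" "$target"
    else
        run_ssh -N -o ExitOnForwardFailure=yes -L "$1:localhost:$tport" "$target"
    fi
}

# Example (dry run):  SSH_DRY_RUN=1 sshtunnel 15900 lilo.science.ru.nl VNCSERVER 5900
```

Note that ssh -L binds the local listening port to the loopback address unless you ask otherwise, so other machines on your home network cannot use the tunnel. If you use one tunnel often, the same thing can be kept in ~/.ssh/config as a Host entry with ProxyJump and LocalForward directives, after which `ssh -N <alias>` does the job.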
Remote desktop: from Home on your work machine's desktop
Protocols
There are multiple protocols to share your machine's desktop over the internet. The best choice is RDP (Remote Desktop Protocol) from Microsoft. For both Windows and Linux an RDP server is available, so for these platforms we advise using RDP.
However, on macOS there is currently no RDP server available, so on macOS we have to fall back to the VNC protocol.
The RDP protocol encrypts its transport with TLS (often still called SSL), provided the server is configured for it and the client verifies the server's certificate; the VNC protocol itself is not encrypted. So for VNC we set up an end-to-end SSH tunnel to provide a secure encrypted channel.
The RDP protocol by default uses port 3389; the VNC protocol by default uses port 5900. Although RDP is already encrypted, we still need an SSH bridge to cross the firewall.
Conclusion
- RDP server
- use on Windows and Linux
- uses port 3389
- already encrypted with TLS
- only need ssh tunnel to pass the firewall (or ask C&CZ to configure VPN)
- VNC server
- use on Mac
- uses port 5900
- does not provide encryption
- need ssh tunnel to provide end-to-end encryption
Remote desktop using RDP protocol (access Windows/Linux)
setup RDP server
On Windows you can enable the RDP server built into Windows. If you are trying to connect to a Windows Managed PC you should ask C&CZ to set these settings.
On Linux you can install xrdp to enable an RDP server. Below are some manuals found on the internet describing the installation:
- https://ultahost.com/knowledge-base/install-and-connect-to-linux-server-with-xrdp/
- https://www.turbogeek.co.uk/how-to-install-xrdp-server-on-ubuntu-22-04/
- https://www.howtogeek.com/devops/how-to-install-a-desktop-environment-on-your-headless-linux-server/
To make sure you can connect from home you have to prevent your work machine from going to sleep, because when it is sleeping you cannot connect.
connect via VPN
Although it is possible to set up a Remote Desktop connection via an SSH-tunnel, the preferred way (according to C&CZ) is to do it over VPN.
This basically means that if you have set up a VPN connection with the faculty's VPN server, you only need to make sure that your target machine is reachable from the VPN server. This typically needs to be configured by C&CZ.
connect via SSH tunnel
Assuming that you want to run a remote desktop via a login server such as lilo.science.ru.nl, you can do that via an SSH tunnel. We set up an SSH tunnel that does local port forwarding: it forwards all traffic that goes into port 13389 on the local host to port 3389 on the targetmachine.
Note: these instructions assume that, following the instructions above, an RDP server (the built-in one on Windows, xrdp on Linux) is installed and running on the targetmachine on port 3389.
In a terminal, create this tunnel with the following command:
    sshbridge 13389 username@lilo.science.ru.nl targetmachine 3389
-> which means: create an SSH tunnel from local port 13389 to lilo.science.ru.nl, which forwards the data to targetmachine on its external port 3389
-> which runs the more complicated ssh command:
    ssh -N -L 13389:targetmachine:3389 username@lilo.science.ru.nl
It causes an SSH tunnel to be created from localhost:13389 to lilo.science.ru.nl,
from where lilo forwards all traffic to port 3389 on the targetmachine.
The latter forward (lilo to targetmachine) is no longer protected by the SSH tunnel.
That is acceptable here because RDP itself already encrypts its traffic using TLS; for VNC it would not be.
To run the above command on a Windows machine, install Git for Windows, which provides a terminal running bash in which you can run the above ssh command.
Now that the SSH tunnel is set up, we can connect to the remote RDP server by pointing our RDP client at port 13389 on localhost.
We advise the following RDP clients:
- Windows: Microsoft Remote Desktop (install via the Microsoft Store)
- macOS: Microsoft Remote Desktop (install via the App Store)
- Linux: Remmina
Remote desktop using VNC protocol (access Macos)
only for Mac clients: use Apple's screen sharing in 'High Performance' mode
Apple has its own implementation of screen sharing based on the VNC protocol. However, it has made its own changes, which cause it not to work perfectly with VNC clients on non-macOS platforms. E.g. clipboard sharing doesn't work with VNC clients on non-macOS platforms. On a macOS client Apple provides its own VNC client, the 'Screen Sharing' app, which of course supports all these changes.
Apple also supports a 'High Performance' screen sharing mode between Apple's 'Screen Sharing' server and the 'Screen Sharing' app on the client. This mode gives you a very good remote desktop experience. It supports stereo audio, HDR video reference mode, 4:4:4 chroma subsampling, high frame rates (30 or 60 fps), and low latency. High Performance is only available on Mac computers with Apple silicon and macOS Sonoma 14 or later.
So for Mac to Mac remote desktop I advise to use Apple's own screen sharing solution. It also supports encrypting the VNC communication.
Getting started:
- On your 'Server' Mac:
- choose Apple menu
- System Settings
- click General in the sidebar
- then enable sharing by clicking on Sharing on the right. (you might need to scroll down first)
- on your 'client' Mac:
- start 'Screen Sharing' App
- connect to the hostname of your Mac server
Screen Sharing on macOS is primarily designed for use within the same local network or over a direct connection via IP address or hostname when both devices are on the same network. So, if you want to access it behind a firewall, you could use ssh to make a tunnel.
using the open source Vine server (Advised)
We use the VNC and SSH protocols combined to create a secure remote VNC connection to your Mac.
Below are the instructions to set up the Vine VNC server on your Mac, and to set up end-to-end encryption to protect the VNC traffic from eavesdropping.
We advise using the "Vine VNC server" because it is the best performing open source VNC server on the Mac. We use the "RealVNC Viewer" app as VNC client because it's free and gives the best performance.
To make sure you can connect from home you also have to prevent your work machine from going to sleep, because when it is sleeping you cannot connect.
server
------
1) enable Remote Login (SSH) on your Mac.
2) install the latest Vine server from: https://github.com/stweil/OSXvnc/releases => download the dmg and install it.
   Start Vine Server (the VNC server) and configure it:
   - Authentication: VNC Password -> select none (the SSH login required for the port forwarding already authenticates you).
   - turn the checkbox 'Require Remote Login (SSH)' on -> the server then only accepts connections on localhost and not on the external IP, so it forces you to make an SSH tunnel into the machine!
   Caveat: with the VNC password set to none, anything that can open a TCP connection to localhost:5900 on the Mac (any local user or process, or anyone who holds an SSH login to it) gets the desktop without further authentication. So keep 'Require Remote Login (SSH)' on, and on the client side keep the forwarded port bound to the loopback address (the default for ssh -L), so that other machines on your home network cannot use your tunnel.
3) in System Settings -> Privacy & Security -> Screen & System Audio Recording (allow the application to record the content of your screen and audio, even while using other applications), enable:
   - Vine Server (non-system instance)
   - OSX-vncserver (system instance)
   in System Settings -> Privacy & Security -> Accessibility (allow the application to control your computer), enable:
   - Vine Server (non-system instance)
   - OSX-vncserver (system instance)
   in System Settings -> Displays -> Advanced, make sure 'Prevent computer from sleeping automatically when the display is off' is selected.

client
------
1) create an end-to-end encrypted tunnel to the Vine server, which also runs an SSH server, from port 5900 on your local machine:
   sshtunnel 5900 lilo.science.ru.nl mymacmachinerunningvncandssh 5900
   -> which means: create an SSH tunnel from local port 5900, first to lilo.science.ru.nl and then to mymacmachinerunningvncandssh, to its local port 5900
   -> which runs the more complicated ssh command:
   ssh -N -J lilo.science.ru.nl -L 5900:localhost:5900 mymacmachinerunningvncandssh
   -> this works whether you are on the same local wired network, another wired network or eduroam.
2) in "RealVNC Viewer" open the server at 'localhost'. The viewer warns that the connection is not encrypted; that refers to the VNC hop into localhost, which here stays inside the SSH tunnel we set up ourselves, so you can tell it to ignore this warning in the future.
   In Options, on the Expert tab, set ScrollWheelThreshold to 3; this fixes slow scrolling when connecting from a machine without a 4K monitor to a Mac with a 4K monitor.
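After server step 2 it is worth checking that 'Require Remote Login (SSH)' really left the Vine server bound to the loopback address only, since with the VNC password set to none an externally reachable listener would hand the desktop to anyone on the network. The function below is an added example written for this page, not part of Vine, RealVNC or the wiki; it reads the listing produced by `sudo lsof -nP -iTCP:5900 -sTCP:LISTEN` on macOS (or `ss -ltn` on Linux) from stdin and reports every listener on the given port that is not bound to 127.0.0.1 or [::1]. The sample lines it is tested with are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Check that a VNC server listens on the loopback interface only (added example for this page).
# Feed it the output of  sudo lsof -nP -iTCP:5900 -sTCP:LISTEN  (macOS) or  ss -ltn  (Linux).
#
# vnc_exposed_listeners PORT < listing
#   prints every ADDR:PORT token bound to something other than loopback
#   exit status 0 = only loopback listeners on PORT, 1 = at least one exposed listener
vnc_exposed_listeners() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                n = split(tok, parts, ":")
                # only tokens of the form ADDR:PORT for the port we are checking
                if (n < 2 || parts[n] != port) continue
                addr = substr(tok, 1, length(tok) - length(port) - 1)
                if (addr == "127.0.0.1" || addr == "[::1]" || addr == "localhost") continue
                print tok            # e.g. *:5900, 0.0.0.0:5900, [::]:5900
                exposed = 1
            }
        }
        END { exit (exposed ? 1 : 0) }'
}

# Live usage on the Mac (needs root to see other users processes):
#   sudo lsof -nP -iTCP:5900 -sTCP:LISTEN | vnc_exposed_listeners 5900 || echo "VNC is reachable from the network!"
```

A listener shown as *:5900, 0.0.0.0:5900 or [::]:5900 means the 'Require Remote Login (SSH)' setting did not take effect (or another VNC server is running) and the machine should not be left like that without a VNC password.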
using the commercial RealVNC server (Lite licence, free for non-commercial use)
When using RealVNC for both the server and the client you have to subscribe for the Lite licence, which is free for non-commercial use. Because both server and client are from RealVNC, the RealVNC software can set up an encrypted channel for us, which the VNC protocol itself does not support as standard. It also supports 'RealVNC Connect', which automatically relays the traffic via RealVNC's cloud if no direct connection is possible. When this happens both the RealVNC client and server connect outbound to the cloud, which easily gets around most firewalls. Note that your session is then brokered by a third-party service and is only as well protected as your RealVNC account, so protect that account accordingly.
Getting started:
- subscribe with your email for a Lite subscription at https://www.realvnc.com/
- on the server machine, download the RealVNC Server software. Install the server, sign in with your RealVNC credentials and set up a VNC password.
- on the client machine, download the RealVNC Viewer software. Install the client and sign in with your RealVNC credentials; the RealVNC server then automatically shows up as an icon in the client. Click on the icon to start your connection. This works locally but also behind a firewall, which makes connecting very easy.