Date:      Mon, 18 Nov 2002 17:59:37 -0800
From:      Darren Pilgrim <dmp@pantherdragon.org>
To:        Murat Bicer <mbicerorg@yahoo.com>
Cc:        Doug Poland <doug@polands.org>, freebsd-questions@FreeBSD.ORG
Subject:   Re: Secure tunneling of remote-access Windows sessions?
Message-ID:  <3DD99B09.3040406@pantherdragon.org>
References:  <20021118223957.63187.qmail@web13103.mail.yahoo.com>

Murat Bicer wrote:
> If remote address is not routable you will not be able to access it
> anyways. So you have to either open port 22 on the firewall of the
> remote machine which will be natted to the internal ip:port or you
> have to open port 5900 ( which is not secure). Either way you have to
> punch a hole on the firewall if you need to access non-routable
> addresses.

Maybe I'm not understanding what you're trying to explain, or maybe I'm 
not explaining myself well enough.  I know this is possible when public 
IPs are used.  What I'm trying to determine (before I spend the time and 
money to reconfigure gateway2) is if this is possible when the VNC 
client and server machines aren't directly accessible from the public 
internet because they're behind NAT'ing gateways.

The SSH tunnel gets me through the firewall via the ssh port on 
gateway2.  Local only sees and uses the faked VNC port on gateway1. 
Assuming local can reach the faked port on gateway1 and gateway2 can 
reach the actual port on remote, do the IP addresses used even matter?


Darren Pilgrim wrote:
> Doug Poland wrote:
>> Darren Pilgrim said:
>>
>>> I want to set up VNC on some Windows machines so I can access them
>>> over the internet, but I need to secure the connection in a way
>>> that will work with NAT'ing firewalls on both ends of the
>>> connection.  How can I do this?  I was thinking of setting up a
>>> tunnel between the two firewalls.  On the local end, the tunnel
>>> starts at a given port on the firewall, which is connected to a port
>>> on the remote firewall that forwards to the VNC port on the remote
>>> machine.  How would I go about doing this?  Is there a better option?
>>>
>>>
>>
>> I recommend you use the TightVNC form of VNC.  Read the info on this
>> link:  http://www.uk.research.att.com/vnc/sshvnc.html then read the
>> sshd man page paying close attention to the -L switch.  If you have
>> particular problems after this leg work, then ask again.
> 
> 
> Okay, I see how I can use ssh/sshd running on the FreeBSD gateways on
> each end of the connection to make the remote VNC port accessible via a
> port on the local gateway.  However, their setup requires that the
> remote machine have a routable IP address, doesn't it?  Modifying the 
> model on the page you sent me:
> 
> local machine (me) ----- gateway1
>   10.2.3.4/24            `ssh -g -L 5900:10.1.2.3:5900 gateway2`
>   runs vncviewer            |
>                          internet
>                             |
>                          gateway2 ----- remote machine
>                        running sshd     10.1.2.3/24
>                                         running vnc server
>                                         on port 5900
> 
> Since the IP address I'm forwarding is non-routable, what happens?  What 
> happens to the source IP address, which is also non-routable and, to 
> gateway2, non-local?
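The forward drawn in the diagram above, as an added example that is not part of this thread: with `-L`, gateway2 itself opens the TCP connection to 10.1.2.3:5900 and the VNC server sees gateway2's own address as the source, so neither end's private addresses ever cross the internet. The script builds the gateway1-side command without `-g` (which would bind the forwarded port on every interface, including the internet-facing one) and checks a `sockstat -4l` listing so the port is only bound on the LAN address; assumed values are gateway1's LAN address 10.2.3.1, the hostname `gateway2`, and the account name `dmp`.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumed values: gateway1's LAN-side
# address is 10.2.3.1, gateway2 is reachable by the hostname "gateway2",
# and the VNC server is 10.1.2.3:5900 as in the diagram.

# Build the ssh command run on gateway1.  Binding the listener to the LAN
# address instead of using -g (which binds on every interface) keeps the
# forwarded VNC port off gateway1's internet-facing side.  -N opens no
# shell; ExitOnForwardFailure makes ssh quit if the -L bind fails instead
# of silently leaving a session with no tunnel.
build_tunnel_cmd() {
    bind_addr=$1 local_port=$2 vnc_host=$3 vnc_port=$4 gw=$5
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:%s:%s:%s %s\n' \
        "$bind_addr" "$local_port" "$vnc_host" "$vnc_port" "$gw"
}

# Verify the result against sockstat(1) output from gateway1: the forward
# must listen on the LAN address only.  A listener on "*:5900" means the
# port is reachable from the internet side too.  Exit status 0 means OK.
check_listener() {
    want_addr=$2 want_port=$3
    printf '%s\n' "$1" | awk -v want="$want_addr:$want_port" -v any="*:$want_port" '
        $1 == "USER" { next }                 # column header line
        $5 ~ /^tcp/ && $6 == want { ok = 1 }
        $5 ~ /^tcp/ && $6 == any  { bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# On gateway2, sshd_config can pin what this account's tunnel may reach
# (assumed account name "dmp"):
#   Match User dmp
#       AllowTcpForwarding yes
#       PermitOpen 10.1.2.3:5900

# Constructed sockstat -4l lines for demonstration (not real output).
SAMPLE='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 612 4 tcp4 *:22 *:*
dmp ssh 734 5 tcp4 10.2.3.1:5900 *:*'

build_tunnel_cmd 10.2.3.1 5900 10.1.2.3 5900 gateway2
if check_listener "$SAMPLE" 10.2.3.1 5900; then
    echo "forward bound to LAN address only"
else
    echo "WARNING: forward missing or exposed on all interfaces"
fi
```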




