[opensuse] VNC from internet into private network computers.
Up until recently, I have set up computers on my internal private 192.168.x.x networks with a VNC server running on each system. Using port forwarding (configured in SuSEFirewall2) we were able to access each computer from a remote site, over the internet, so long as we remembered which port was forwarded to port 5900 of the computer we wanted to attach a vnc viewer to. That worked fine, but three issues came up which made me decide to try a different approach. One, this is an unencrypted channel. Two, our open VNC ports were coming under heavy attacks, and three, it is hard to remember which port on the firewall computer is forwarded to which destination computer in our network.

So I decided to turn off the VNC servers and use SSH to establish an encrypted channel, start an x11vnc server when needed, and port forward the VNC port to the local host. This works fine when establishing a connection to our firewall computer -

ssh -t -L 5900:localhost:5900 username@ourdomain.com 'x11vnc -localhost -nolookup -nopw -display :0'

and then attach a vncviewer to localhost -

vncviewer -encodings "tight copyrect hextile" localhost:0

but my question is how can I extend this approach so as to reach different computers within our private network? What I would like to do is something like this -

ssh -t -L 5900:localhost:5900 username@computername.ourdomain.com 'x11vnc -localhost -nolookup -nopw -display :0'

but I don't know how (or think it is even possible) to configure our DNS server to resolve "computername.ourdomain.com" with a usable address for accessing it from the internet. Internally our DNS server resolves "computername.ourdomain.com" to a private 192.168.x.x address which is not usable from an external location. (Works fine internally only.) Seems like we would have to purchase a bunch of static IP addresses, which is not feasible/desirable.

I looked to see if there is some way to configure bind (named) to associate a port with a particular computername so that we could then use port forwarding to route it to an appropriate computer, but no joy finding such a solution... i.e. something like this A record is what I am thinking, if you get my drift -

computername IN A IPAddress:port

but I don't think there is a way to specify a particular port as such, and this would get messy if I wanted to reach different ports. Probably I would have to use unique computernames to identify which port I wanted or some such scheme. Should I open up a bunch of ports for SSH connections and use SuSEFirewall to route them to the appropriate computer? That puts us right back to having to remember which port gets forwarded to which computer.... Is there any other approach I could take? Thanks in advance for any and all ideas... Marc... -- "The Truth is out there" - Spooky -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
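One way to do what the first post asks for without a VPN, as an added example that is not from the thread: use the firewall box as an SSH jump host (OpenSSH's -J option, available since 7.3) so the x11vnc tunnel terminates on the internal machine and only the gateway's SSH port is exposed. The names username, ourdomain.com and desk1 are assumed placeholders; desk1 must resolve on the gateway through the internal DNS.

```shell
#!/bin/sh
# Added example, not from the thread: reach an internal machine's display by
# hopping through the firewall box as an SSH jump host, so only the gateway's
# SSH port is exposed and no per-host port-forwarding table has to be kept.
# Assumed names: gateway "ourdomain.com", internal host "desk1" (resolves on
# the gateway via the internal DNS), OpenSSH 7.3+ on the client (for -J).

# Reject user/host names with characters that could alter the remote command.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the ssh command: $1 user, $2 public gateway, $3 internal host,
# $4 local display number (0 -> local port 5900, 1 -> 5901, ...).
vnc_tunnel_cmd() {
    user=$1; gw=$2; host=$3; disp=${4:-0}
    valid_name "$user" && valid_name "$gw" && valid_name "$host" || return 1
    lport=$((5900 + disp))
    # -J: hop through the gateway; the session itself terminates on $host.
    # -L bound to 127.0.0.1: the forwarded port is not offered to the LAN.
    # x11vnc -localhost: the VNC server listens only on the target's loopback,
    # so it is reachable solely through this tunnel (-nopw relies on that).
    printf "ssh -t -J %s@%s -L 127.0.0.1:%s:localhost:5900 %s@%s 'x11vnc -localhost -nolookup -nopw -display :0'" \
        "$user" "$gw" "$lport" "$user" "$host"
}

# Print the matching viewer command for the same display number.
vnc_viewer_cmd() {
    printf 'vncviewer -encodings "tight copyrect hextile" localhost:%s' "${1:-0}"
}

# Usage: vnc_tunnel.sh USER GATEWAY HOST [DISPLAY]; run the printed ssh line
# in one terminal and the viewer line in another.
if [ $# -ge 3 ]; then
    vnc_tunnel_cmd "$@" || { echo "bad user/host name" >&2; exit 1; }
    echo
    vnc_viewer_cmd "${4:-0}"
    echo
fi
```

The -nopw flag is kept from the original command; on a multi-user target host anyone with a local shell can reach the loopback VNC port, so use x11vnc's -rfbauth password file there instead.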
On Fri, 09 Nov 2012 00:46:16 -0800, Marc Chamberlin wrote:
Is there any other approach I could take?
Personally, I'd use a VPN (and in fact I do). That puts your machine "inside" the firewall and you can reach the systems you want to connect to directly. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
On 09/11/12 05:46, Marc Chamberlin wrote:
computername IN A IPAddress:port
No, no.. the domain name system does not understand ports in that way.. You need to setup an openVPN server in your network, see http://www.shorewall.net/OPENVPN.html Cheers.
On 11/9/2012 6:17 PM, Cristian Rodríguez wrote:
On 09/11/12 05:46, Marc Chamberlin wrote:
computername IN A IPAddress:port
No, no.. the domain name system does not understand ports in that way..
Thanks Cristian, yes I understand this will not work, it was just the concept that I was after....
You need to setup an openVPN server in your network, see http://www.shorewall.net/OPENVPN.html
I am in the process of grokking VPN (openVPN) and believe it may be the right answer. But it is a complicated solution and not one that I will be able to easily explain to others on how to set up. I think I have it set up and working for my own laptop, but it is not easy to test unless I am outside of my own internal network, so progress is slow....
I took a brief look at shorewall, but so far have avoided using it as I would like to stay within the supported utilities provided by openSuSE. Perhaps you can explain what is the difference between using shorewall and SuSEFirewall2? I have long been using SuSEFirewall2 to configure my firewall, (which I believe in turn configures iptables underneath the covers) and yes it does have its warts and bugs but at least I know what to avoid, for the most part (such as using YaST2->Security and Users->Firewall to configure it!).... Not sure I want to learn another tool unless there is a real advantage to doing so... Is there insofar as openVPN is concerned? Marc...
Cheers.
-- "The Truth is out there" - Spooky
On Wed, Nov 14, 2012 at 10:23:30AM -0800, Marc Chamberlin wrote: [ 8< ]
I am in the process of grokking VPN (openVPN) and believe it may be the right answer. But it is a complicated solution and not one that I will be able to easily explain to others on how to set up. I think I have it set up and working for my own laptop, but it is not easy to test unless I am outside of my own internal network, so progress is slow....
Yes. This isn't easy. In particular if you have to get remote systems added to your VPN setup without being in person at the remote location/ on site. :/
I took a brief look at shorewall, but so far have avoided using it as I would like to stay within the supported utilities provided by openSuSE. Perhaps you can explain what is the difference between using shorewall and SuSEFirewall2? I have long been using SuSEFirewall2 to configure my firewall, (which I believe in turn configures iptables underneath the covers) and yes it does have its warts and bugs
Please as soon as you speak about bugs always include the issue ID which is used to track the issue. If there is no bug filed there is no issue. ;)
but at least I know what to avoid, for the most part (such as using YaST2->Security and Users->Firewall to configure it!).... Not sure I want to learn another tool unless there is a real advantage to doing so... Is there insofar as openVPN is concerned?
YaST offers a ca-management module which offers anything you need to establish and maintain your own and private Certification Authority. Next you might check the quality of the openvpn howto. Cf. http://openvpn.net/index.php/open-source/documentation/howto.html You might have to read the howto stuff first to get a better feeling for what the YaST CA stuff offers. Or you need to switch between the documentation and the YaST module. But at the end you'll get what you need and the YaST CA stuff minimizes the general SSL pain a lot. Cheers, Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team + SUSE Labs SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On 11/14/2012 07:23 PM, Marc Chamberlin wrote:
On 11/9/2012 6:17 PM, Cristian Rodríguez wrote:
On 09/11/12 05:46, Marc Chamberlin wrote:
computername IN A IPAddress:port
No, no.. the domain name system does not understand ports in that way..
Thanks Cristian, yes I understand this will not work, it was just the concept that I was after....
You need to setup an openVPN server in your network, see http://www.shorewall.net/OPENVPN.html
I am in the process of grokking VPN (openVPN) and believe it may be the right answer. But it is a complicated solution and not one that I will be able to easily explain to others on how to set up. I think I have it set up and working for my own laptop, but it is not easy to test unless I am outside of my own internal network, so progress is slow....
I took a brief look at shorewall, but so far have avoided using it as I would like to stay within the supported utilities provided by openSuSE.
My understanding is if a package is in the official distribution then it is supported, and in shorewall's case it is part of 12.2, hence it is supported if there is a bug. If you mean YaST support then the answer is no, shorewall does not have YaST integration and it is very unlikely it will have YaST support in the future.
Perhaps you can explain what is the difference between using shorewall and SuSEFirewall2? I have long been using SuSEFirewall2 to configure my
Susefirewall is easy to configure for simple tasks, shorewall is more advanced in its configuration. But at the end they both are front ends to iptables. One simple example is using multiple internet providers. Configuring by SuSEFirewall2 means using the custom script and that configuration is not easy. On the other hand achieving such a configuration with shorewall is not so complicated.
firewall, (which I believe in turn configures iptables underneath the covers) and yes it does have its warts and bugs but at least I know what to avoid, for the most part (such as using YaST2->Security and Users->Firewall to configure it!).... Not sure I want to learn another tool unless there is a real advantage to doing so... Is there insofar as openVPN is concerned?
Shorewall comes with really good documentation and if you follow the guides then configuring your firewall is not that difficult. Having said that, if you read the documentation Cristian pointed out you should be able to come out with a solution for SuSEfirewall2 also. Togan
On 11/14/2012 7:10 PM, Togan Muftuoglu wrote:
On 11/14/2012 07:23 PM, Marc Chamberlin wrote:
On 11/9/2012 6:17 PM, Cristian Rodríguez wrote:
On 09/11/12 05:46, Marc Chamberlin wrote:
<snip>
You need to setup an openVPN server in your network, see http://www.shorewall.net/OPENVPN.html I am in the process of grokking VPN (openVPN) and believe it may be the right answer. But it is a complicated solution and not one that I will be able to easily explain to others on how to set up.
<snip>
Just to chime in with relatively mild experience with openVPN (in terms of providing public openVPN service). OpenVPN is relatively easy to setup and get going depending on the authentication method. Whatever method you choose, it's as simple as preparing a working openvpn-client.conf and distributing it to your clients with a short documentation explaining how to implement it on their system. If we are talking about clients on Windows machines, this should be more straightforward, as openVPN has a Windows GUI client. On Linux, there are several methods to accomplish this which you could look up on your own.