17 February 2012

69. Reverse VNC using vncviewer and tightvnc

Reverse VNC is a good way of helping people remotely. It requires that your machine is reachable from the internet on one TCP port (5500 below), but it does NOT require that the client's IP is public: the connection is started from the client's side, so their NAT or firewall lets it out like any other outgoing connection.

This is based on http://ubuntuforums.org/showthread.php?t=299489 and https://caedesnotes.wordpress.com/2010/01/08/remote-administrationtech-support-with-reverse-vnc/ but with screenshots. If both of you are using linux but you for some reason prefer vnc over ssh, have a look at those links for how to do it (i.e. using x11vnc on the client).

Like a lot of people I have parents. Like most of those people, my parents aren't too interested in augmenting their computer skills. Which is fine. But trying to explain over the phone where to click etc. gets old really fast -- VNC is an advantage here if they are running windows. Parents also tend to appreciate lots of screenshots -- so I've provided that. It's running on a French version of XP -- it's my way of indirectly learning and keeping my French alive.

-- START HERE --

The situation:
You're running linux. The client is running Windows. You are you, the person you're helping is The Client.
Set up your system before having the client follow the instructions here. I put the client instructions first so you can send them to this page.



The Client:
They are running Windows. They don't have a public IP. Here's what they should do:

1. Download TightVNC from here: http://www.tightvnc.com/download.php (the installer contains both the viewer and the server)

2. Installation of tightvnc

a) Install both client and server, or only the server. It doesn't matter -- the server is the part that's needed here.


b) During setup, make sure that you check all the boxes as shown below


You will not need to share your password with the person helping you. Make sure not to leave these blank. (These passwords guard connections that come in to your computer. A reverse connection that you start yourself via Attach Listening Viewer is not asked for them, so only ever attach to an address given to you by someone you trust.)


c) Tightvnc requires the administrator password to be able to accept connections.

Right-click on the icon in the taskbar tray, and click on Configuration...

Change the main server port to 5500. This is only to be consistent with the viewer's port; it is not required for a reverse connection, because the ::5500 you append to the viewer's address below is what selects the port. The main server port is where your server accepts incoming viewer connections.
You may de-select 'Serve Java Viewer to Web clients': it is not needed for a reverse connection, and switching it off stops the server's built-in web server from listening on a port of its own.




You only need to do the steps above once.

The following steps you will need to do each time you want to get help:
1. Right-click on the vnc icon in the taskbar tray. Select Attach Listening Viewer...

2. In Hostname or IP address of the viewer, type the IP address given to you by the person helping you. In this example it's 192.168.1.102, but it can be anything. Append ::5500 to the IP address (two colons, then the port the helper's viewer is listening on; a single colon would mean a display number instead). In our example, the input is 192.168.1.102::5500


That's it. If anything happens that isn't described here, make sure to tell the person helping you, especially if messages about blocked programmes or firewalls come up.

You (linux person):
Your public IP is 192.168.1.102 in the example above (that is a private LAN address, because the example was tested between two machines on one network; see the notes at the end). Your port 5500 has to be reachable from the client. Don't simply leave it open to the world: a listening viewer accepts whatever connects to it, with no authentication, so open the port only while you are waiting for the client, and only from their address if you know it.

sudo apt-get install xtightvncviewer

(xtightvncviewer is the Debian package that provides the vncviewer command used below; "vncviewer" on its own is only a virtual package name.)

Start your listening session with

vncviewer -compresslevel 9 -listen 0
vncviewer -listen: Listening on port 5500
vncviewer -listen: Command line errors are not reported until a connection comes in.

The 0 is a display number: -listen N listens on TCP port 5500+N, so 0 gives the port the client was told to use.


Once the connection is started by the client you get:
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "tantalum"
VNC server default format:
  16 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 31 green 63 blue 31, shift red 11 green 5 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
You can play around with -compresslevel, which runs from 0 to 9 (9 being the most compression, for slow links). Keep an eye on your firewall log while the client is trying to connect: a dropped packet to port 5500 is the likeliest reason that nothing happens, and your client/parent may easily get frustrated if things aren't working. You really don't want to be the cause of it.


Notes:
iptables
I tested this by running windows xp in virtualbox on one linux box, 192.168.1.1, and piped the vnc connection through to another linux box at 192.168.1.102. The firewall settings I had to do were:

On 192.168.1.1

Open port 17500 to tcp traffic from 192.168.1.102 to 255.255.255.255:
sudo iptables -A INPUT -i eth1 -s 192.168.1.102 -d 255.255.255.255 -p tcp --dport 17500 -j ACCEPT


On 192.168.1.102
Open port 5500 to tcp traffic destined for 192.168.1.102:
sudo iptables -A INPUT -d 192.168.1.102 -p tcp --dport 5500 -j ACCEPT
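The rule above accepts port 5500 from anywhere, for as long as it stays in the chain. Here is an added example, not from the original post, of a helper-side script that opens TCP 5500 only while the listening viewer is running, and only from the client's address if one is given, and removes the rule again however the session ends. Assumptions that are not from the post: iptables and sudo on your box, vncviewer from the xtightvncviewer package, and that the client's address, when you have one, is a plain IPv4 address read out over the phone.

```bash
#!/bin/bash
# Added example, not from the original post. Opens TCP 5500 on the helper's
# box only while the listening viewer runs, and only from the client's
# address if one is given. Assumptions (not from the post): iptables and sudo
# on this box, vncviewer from the xtightvncviewer package.
set -eu

LISTEN_DISPLAY=0                          # vncviewer -listen N listens on 5500+N
LISTEN_PORT=$((5500 + LISTEN_DISPLAY))

# Accept only a plain dotted-quad IPv4 address: the client reads it back over
# the phone, and anything else is either a typo or not something we want to
# hand to iptables.
valid_ipv4() {
    local ip="$1" n=0 octet
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS=.
    for octet in $ip; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# iptables rule (without the -I/-D verb) for this session. With no client
# address it is the post's rule: port 5500 accepted from anywhere.
vnc_rule() {
    local client_ip="${1:-}"
    if [ -n "$client_ip" ]; then
        echo "INPUT -s $client_ip -p tcp --dport $LISTEN_PORT -j ACCEPT"
    else
        echo "INPUT -p tcp --dport $LISTEN_PORT -j ACCEPT"
    fi
}

reverse_vnc_session() {
    local client_ip="${1:-}" rule
    if [ -n "$client_ip" ] && ! valid_ipv4 "$client_ip"; then
        echo "not an IPv4 address: $client_ip" >&2
        return 1
    fi
    rule=$(vnc_rule "$client_ip")
    # shellcheck disable=SC2086  # the rule is a deliberately unquoted word list
    sudo iptables -I $rule
    # Remove the rule however the viewer ends: closed normally, Ctrl-C, or error.
    trap "sudo iptables -D $rule" EXIT
    echo "listening on TCP $LISTEN_PORT; tell the client: <your public IP>::$LISTEN_PORT"
    vncviewer -compresslevel 9 -listen "$LISTEN_DISPLAY"
}

# Run only when invoked as:  ./reverse-vnc.sh --run [client-ip]
if [ "${1:-}" = "--run" ]; then
    reverse_vnc_session "${2:-}"
fi
```

Run it as ./reverse-vnc.sh --run 203.0.113.7 once the client has told you their address, or with no address if they can't; the EXIT trap deletes exactly the rule that was inserted, so nothing is left open after you close the viewer.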

15 February 2012

68. Reverse ssh tunnel to access server behind firewall

This isn't so much a post to show how to do it as it is a post describing a specific example of it in use. I basically spent two minutes looking at http://www.howtoforge.com/reverse-ssh-tunneling and was up and running in no time. It's that simple.

The situation:
I have a computer at work. Opening up a port to allow for remote access is a headache and a half, since it involves getting signatures from a range of people and drawing up an IT security plan etc. As an academic during grant season I don't have that kind of time. Nor do I want to put up with all that BS. I also understand that opening up ports willy-nilly can lead to security threats.

Anyway, I have iinet at home and they leave port 22 open by default. I have a Linksys WRT54 running Tomato and I allow key-based ssh external access.

My IP address is not static but changes perhaps once per month at most.
On my main desktop at home I run this as a cron job:


#!/bin/bash
# Fetch the current public address and append it, with a timestamp, to a
# file in the Dropbox folder so it can be looked up from anywhere.
ipaddr=$(wget http://automation.whatismyip.com/n09230945.asp -O - -o /dev/null)
when=$(date '+%a %d %b %Y %H:%M')
echo "$when $ipaddr" >>/home/me/Dropbox/currentip.dat
exit 0

That way I can easily look up the latest ip address in my dropbox folder.

I run debian testing on all boxes.
Connecting via ssh to my home router works flawlessly. The other way doesn't work at all.

The solution:
We'll pretend that my home ip is 124.54.34.23 and my work ip is 169.23.54.6

At work
While at work, I connect to my home router using
ssh -R 19999:localhost:22 root@124.54.34.23

This logs me in to my Tomato router. Once in, start
top -d 600

This keeps top running, updating every ten minutes, so that the connection is not dropped as idle. (ssh can do the same without a dummy program: -o ServerAliveInterval=60 on the ssh command line makes the client send a keepalive every minute, and it also notices when the link is actually dead, which an idle top session won't.)

The alternative is of course to use autossh, which restarts the tunnel when it dies -- the basic usage is just to replace ssh with autossh.

Now, go home

At home
Log in to your router from the local network, then connect to port 19999 on localhost. The -R forward above binds only to the router's loopback interface (unless the router's ssh server has been configured to allow otherwise), so port 19999 is not reachable from the internet or even from the LAN; it can only be used from a shell on the router itself:
me@niobium:~$ ssh root@192.168.2.1

Tomato v1.28.1816

BusyBox v1.14.4 (2010-06-27 20:11:16 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ssh me@localhost -p 19999
me@localhost's password:

Linux beryllium 3.2.0-1-amd64 #1 SMP Sun Feb 5 15:17:15 UTC 2012 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 15 18:55:45 2012 from localhost

me@beryllium:~$ 

Simple as that
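As an added example, not part of the original post, here is a work-side script that keeps the reverse tunnel up without a dummy top session: ssh's own keepalives detect a dead link, ExitOnForwardFailure makes ssh exit (instead of sitting there with no tunnel) when port 19999 is already bound on the router, and a loop re-establishes the tunnel with a backoff. It assumes key-based login to the router as in the post; the home address and port are the post's placeholders.

```bash
#!/bin/bash
# Added example, not from the original post. Keeps the reverse tunnel up from
# the work box without a dummy 'top' session. Assumes key-based login to the
# router as in the post; the address and port below are the post's placeholders.
set -eu

HOME_HOST="${HOME_HOST:-root@124.54.34.23}"
TUNNEL_PORT="${TUNNEL_PORT:-19999}"

# ssh arguments for the tunnel:
#  -N                        no remote shell, just the forward
#  ServerAliveInterval/Max   a keepalive every 60 s; after 3 unanswered ones
#                            ssh exits, so a dead link is noticed, not hung on
#  ExitOnForwardFailure      exit if 19999 is already bound on the router,
#                            rather than staying up with no tunnel
#  -R 127.0.0.1:PORT:...     bind to the router's loopback only, so the work
#                            box is reachable just from a shell on the router
tunnel_ssh_args() {
    local home="$1" port="$2"
    echo "-N -o ServerAliveInterval=60 -o ServerAliveCountMax=3" \
         "-o ExitOnForwardFailure=yes -R 127.0.0.1:${port}:localhost:22 ${home}"
}

# Reconnect delay after a drop: doubles up to a five minute ceiling.
next_delay() {
    local d=$(( $1 * 2 ))
    if [ "$d" -gt 300 ]; then d=300; fi
    echo "$d"
}

keep_tunnel_up() {
    local home="$1" port="$2" delay=5
    while :; do
        # shellcheck disable=SC2046  # the argument list is a plain word list
        if ssh $(tunnel_ssh_args "$home" "$port"); then
            delay=5                     # clean exit: try again soon
        fi
        echo "tunnel down, reconnecting in ${delay}s" >&2
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

# Run only when invoked as:  ./work-tunnel.sh --run
if [ "${1:-}" = "--run" ]; then
    keep_tunnel_up "$HOME_HOST" "$TUNNEL_PORT"
fi
```

Start it from a screen or tmux session at work (or from cron with @reboot) and it behaves much like autossh; the backoff matters because an ssh that fails instantly, for instance while the home IP is changing, would otherwise hammer the router.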

67. Neat trick using reverse proxy -- several http hosts behind a firewall with only one port open

The situation: I was running two wireless webcams (Airlink101 AIC 250W) in order to monitor my laboratory. Both of these were connected to a Linksys router. Only ports 22 and 80 were opened by the university. We were forwarding port 80 to a Debian box running apache.

The goal: We wanted to have a page, e.g. www.externalhostname.com/image.html, serve up images from both the webcams. Using apache.

The solution:
A friend came up with this neat solution.

The following is assumed:
  • The external dns name is www.externalhostname.com
  • The cameras have the LAN ips 192.168.1.121 and 192.168.1.122


First the html file -- image.html:

<html>
<head>
<title>Lab Webcams</title>
<META HTTP-EQUIV="REFRESH" CONTENT="5">
</head>
<body bgcolor="#00007a" text="white">
<table border="1">
<tr>
<td>
Cam 1480
</td>
<td>
Cam 1485
</td>
</tr>
<tr>
<td>
<img src="http://www.externalhostname.com/cam1/image.jpg" width="320" height="240"/>
</td>
<td>
<img src="http://www.externalhostname.com/cam2/image.jpg" width="320" height="240"/>
</td>
</tr>
</table>
</body>
</html>
Next, configure apache using /etc/apache2/httpd.conf:
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
# proxy_connect is only needed for forward proxying (the CONNECT method), not for this
# LoadModule proxy_connect_module /usr/lib/apache2/modules/mod_proxy_connect.so
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /cam1 http://192.168.1.121
ProxyPassReverse /cam1 http://192.168.1.121
ProxyPass /cam2 http://192.168.1.122
ProxyPassReverse /cam2 http://192.168.1.122

Two things to be aware of. ProxyRequests Off is what keeps this from being an open forward proxy; Allow from all in <Proxy *> only lets anyone use the reverse-proxied paths, so leave ProxyRequests Off. And ProxyPass /cam1 forwards everything under /cam1 to the camera, its web configuration pages included, so whatever the camera serves is now on the internet. If that's not wanted, proxy just the image (ProxyPass /cam1/image.jpg http://192.168.1.121/image.jpg, and the same for ProxyPassReverse) or put password protection on the path with a <Location /cam1> block.

Finally, enable the modules. On Debian, sudo a2enmod proxy proxy_http does this: it creates symlinks in /etc/apache2/mods-enabled to the following three files in /etc/apache2/mods-available (copying them by hand works too):

proxy.conf
<IfModule mod_proxy.c>
</IfModule>

proxy_http.load
# Depends: proxy
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so

proxy.load
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so

Note that proxy.conf has been emptied here: Debian's stock proxy.conf carries its own <Proxy *> block that denies access by default, and emptying it leaves the <Proxy *> in httpd.conf above as the only one in effect. With the two .load files enabled, the LoadModule lines in httpd.conf are redundant; apache just warns that the module is already loaded and skips the second copy.


That's it.