VPN Solutions

Here users can ask questions about security and tutorials about security can be posted to help others, too.
cgriffin
Forum Regular
Posts: 221
Age: 45
Joined: Sun Mar 27, 2011 9:59 pm

Re: VPN Solutions

#11 Postby cgriffin » Sat May 05, 2012 8:08 am

GoManutd wrote:the WHOLE purpose behind SSH is that it uses private/public keys for encrypting communication. so long as you properly protect the private keys on the system (which never get transmitted) someone can steal the public key and still have no effect, since decrypting the public key takes a tremendous amount of computing effort - read, resources that the average bear doesn't have.

from the sounds of it, SSH will fit the bill. why use a nuke to kill a mosquito, when a flyswatter does the job?



Good point!
--
Chris Griffin

GoManutd
Forum Guide
Posts: 2952
Joined: Mon Jun 30, 2008 8:06 pm

Re: VPN Solutions

#12 Postby GoManutd » Sat May 05, 2012 8:37 am

btw, the proxying capability that SSH and port forwarding allows works VERY well.

you can also do remote desktop stuff over SSH and it works, but most ISPs throttle your upload bandwidth so you'll need to take care how much graphical data you're pushing to your remote location. compression would help this too.

cgriffin
Forum Regular
Posts: 221
Age: 45
Joined: Sun Mar 27, 2011 9:59 pm

Re: VPN Solutions

#13 Postby cgriffin » Sat May 05, 2012 11:01 am

GoManutd wrote:btw, the proxying capability that SSH and port forwarding allows works VERY well.

you can also do remote desktop stuff over SSH and it works, but most ISPs throttle your upload bandwidth so you'll need to take care how much graphical data you're pushing to your remote location. compression would help this too.


I believe that tightvnc, which is in the repos, supports compression. I might have to up my bandwidth...

I've seen a few pages that describe different kinds of port forwarding. Specifically, the link mentioned above (https://help.ubuntu.com/community/SSH/O ... Forwarding) notes that there is local port forwarding, remote port forwarding and dynamic port forwarding. It's all a bit foggy to me still, but I think I'd just need to do local port forwarding...no?
Thanks,
Chris
--
Chris Griffin

GoManutd
Forum Guide
Posts: 2952
Joined: Mon Jun 30, 2008 8:06 pm

Re: VPN Solutions

#14 Postby GoManutd » Sat May 05, 2012 11:37 am

you'll want to find some dynamic dns solution that allows you to assign a hostname to your router's DHCP address - dyndns was a way to do this, but think they've since stopped taking new members. depending on your router software, there's client software that is used to automatically periodically check the IP and update the record. you really need this because your router/modem IP is not guaranteed unless you've paid for a static IP.

you're not going to want to use dynamic port forwarding because you need to setup your router so it can forward inbound traffic on a particular port, to a particular host. so, SSH is typically port 22 and would be forwarded to port 22 on your home machine - it's strongly suggested to use an alternative port, one that is outside of the assigned IANA ports. so, for instance traffic to port 22222 would forward to port 22. it's a security measure aimed at reducing brute force attacks.

btw, if you are going to do this make sure you INSTALL fail2ban. not only does it automatically ban (either permanently, or temporarily depending on how you config it) IPs that it deems to be attacking your system.

there are a couple of good sets of instructions on how to use SSH for port forwarding:

for linux, http://www.debianadmin.com/howto-use-ss ... rding.html
for windows, http://www.dotcomunderground.com/blogs/ ... o-hide-ip/

do you use dd-wrt or some other open source router firmware? there are plenty of howtos on setting up your router for port forwarding, and also on how to properly secure your SSH server setup

cgriffin
Forum Regular
Posts: 221
Age: 45
Joined: Sun Mar 27, 2011 9:59 pm

Re: VPN Solutions

#15 Postby cgriffin » Sat May 05, 2012 11:45 am

GoManutd wrote:you'll want to find some dynamic dns solution that allows you to assign a hostname to your router's DHCP address - dyndns was a way to do this, but think they've since stopped taking new members. depending on your router software, there's client software that is used to automatically periodically check the IP and update the record. you really need this because your router/modem IP is not guaranteed unless you've paid for a static IP.

you're not going to want to use dynamic port forwarding because you need to setup your router so it can forward inbound traffic on a particular port, to a particular host. so, SSH is typically port 22 and would be forwarded to port 22 on your home machine - it's strongly suggested to use an alternative port, one that is outside of the assigned IANA ports. so, for instance traffic to port 22222 would forward to port 22. it's a security measure aimed at reducing brute force attacks.

btw, if you are going to do this make sure you INSTALL fail2ban. not only does it automatically ban (either permanently, or temporarily depending on how you config it) IPs that it deems to be attacking your system.

there are a couple of good sets of instructions on how to use SSH for port forwarding:

for linux, http://www.debianadmin.com/howto-use-ss ... rding.html
for windows, http://www.dotcomunderground.com/blogs/ ... o-hide-ip/

do you use dd-wrt or some other open source router firmware? there are plenty of howtos on setting up your router for port forwarding, and also on how to properly secure your SSH server setup


Thanks for all of those pointers. fail2ban is on my list to do. I have DD-WRT on a buffalo AirStation. I've had trouble getting the port forwarding to work, but I think that it's an issue with something called a "loopback". I have some bookmarks for sites that talk about the solution.

Best,
Chris
--
Chris Griffin

GoManutd
Forum Guide
Posts: 2952
Joined: Mon Jun 30, 2008 8:06 pm

Re: VPN Solutions

#16 Postby GoManutd » Sat May 05, 2012 11:50 am

this option works with dd-wrt. it takes a bit to get things setup, but i've had it working in the past.

also, plenty of the free dyndns options also work with dd-wrt.

Adrian
Forum Veteran
Posts: 6198
Age: 41
Joined: Wed Jul 12, 2006 1:42 am

Re: VPN Solutions

#17 Postby Adrian » Sat May 05, 2012 11:52 am

For remote desktop access I've always recommended NX from Nomachine. When I needed remote access that worked perfectly, it was easy to setup and it beat in performance any other VNC solution that I tried.

GoManutd
Forum Guide
Posts: 2952
Joined: Mon Jun 30, 2008 8:06 pm

Re: VPN Solutions

#18 Postby GoManutd » Sat May 05, 2012 11:55 am

i've used NX for remote desktop access, too. it works well and provides a number of options to improve response times.

kumar
Forum Regular
Posts: 135
Age: 2015
Joined: Thu Aug 17, 2006 9:06 pm

Re: VPN Solutions

#19 Postby kumar » Fri May 11, 2012 6:07 pm

Sorry I'm late to the discussion, but I regularly use NX for remote access of my home computer while travelling. It defaults to a secure connection. I've also set up fail2ban. As an additional precaution, I close the ports on my router when I don't plan on travelling for a while.

Another option is Team Viewer (in the repositories). I've experimented around with it some, and I remember it being easier to setup. However I think it uses their servers to make connections similar to other services. I just prefer not having to rely on the security (or trustworthiness) of a 3rd party.

cgriffin
Forum Regular
Posts: 221
Age: 45
Joined: Sun Mar 27, 2011 9:59 pm

Re: VPN Solutions

#20 Postby cgriffin » Fri May 11, 2012 10:10 pm

kumar wrote:Sorry I'm late to the discussion, but I regularly use NX for remote access of my home computer while travelling. It defaults to a secure connection. I've also set up fail2ban. As an additional precaution, I close the ports on my router when I don't plan on travelling for a while.

Another option is Team Viewer (in the repositories). I've experimented around with it some, and I remember it being easier to setup. However I think it uses their servers to make connections similar to other services. I just prefer not having to rely on the security (or trustworthiness) of a 3rd party.


Yep, that's why I'm staying away from Hamachi.
NX is not open source, that's my only beef with it. But it is peer to peer, and works over SSH, so I don't see how it could really be doing anything too nefarious...
--
Chris Griffin

