Monday, September 10, 2007

getting to the desktop while away from home

While traveling, one of the problems I frequently run into is being unable to do anything more than browse web sites from wherever I happen to be. For instance, I might drop into a coffee shop with Internet access only to find out they've locked down everything except port 80.

I now have a partial solution to the problem. We have a home Linux server with sshd and vncserver installed. Based on this post, I've configured our setup to allow ssh connections on ports 22 and 80 and tunneled VNC over those connections. I've also put a copy of porta-putty, a portable ssh client, on a USB thumb drive so I can run it from a borrowed machine for those times when I don't have my own machine available. (In that case, I can connect a web browser to http://localhost:5801 and get the Java-based VNC viewer.)

Here's how to do it:

Configuring Access on Ports 22 and 80
First, make sure you have sshd installed on your Linux server; most distributions install it by default. Edit /etc/ssh/sshd_config. Uncomment the "Port 22" directive, and just below it add "Port 80". Note that you can't run both a web server and sshd on port 80, which is fine for us because this host handles internal stuff like e-mail and printing--for security reasons, any web pages are on a different host.

You may have to allow firewall access to ports 22 and/or 80. On our slightly older Fedora machine, you can set the firewall permissions via System->Administration->Security Level and Firewall. Allow TCP connections on port 22 (which it probably already does if you installed sshd) and 80 (where you'd normally have web access.)

If you have an external hardware firewall, you'll also need to set up any necessary port forwarding for those ports to reach your server.
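As an added example (not part of the original post), here is a small shell script that reads an sshd_config and reports which "Port" directives are actually active, so you can confirm that both 22 and 80 are enabled (and that a commented-out line is not counted) before you restart sshd. The sample config it creates is constructed for the example; the file path, the `sshd -t` syntax check and the iptables line in the comments are what I would use on a stock Linux box, not anything the post itself shows.

```shell
#!/bin/sh
# Added example: verify the sshd_config edit described above.
# Not from the original post. Sample config below is constructed.

# Print every active "Port N" directive, one per line, in file order.
# sshd_config keywords are case-insensitive, and a leading '#' makes the
# first field "#Port", so commented-out ports are skipped automatically.
sshd_ports() {
  awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1"
}

# Write a constructed sshd_config that mirrors the edit in the post and
# echo its path (caller removes it when done).
sample_sshd_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# Constructed sample: listen on 22 and, for locked-down networks, on 80
Port 22
Port 80
#Port 2222
Protocol 2
PermitRootLogin no
EOF
  echo "$f"
}

# Real-world follow-up steps (run as root on the server, not executed here):
#   sshd -t -f /etc/ssh/sshd_config      # syntax check before restarting
#   service sshd restart                  # changes take effect only after a restart
#   iptables -I INPUT -p tcp --dport 80 -j ACCEPT   # if you skip the GUI firewall tool
#   ss -tln | grep -E ':(22|80) '         # confirm sshd is actually listening on both

# Stand-alone demo on the constructed sample.
if [ "$1" = "--demo" ]; then
  cfg=$(sample_sshd_config)
  echo "Active sshd ports in $cfg:"
  sshd_ports "$cfg"
  rm -f "$cfg"
fi
```

Run it with `sh check_sshd_ports.sh --demo` to see the two active ports; point `sshd_ports` at /etc/ssh/sshd_config to check the real file.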

Configuring Porta-Putty
Next, get a copy of portaputty and unpack it onto your USB drive or, if you're a bit more cautious, put it in the hard drive folder you use as a master image for your USB drive.

Run putty.exe. For the host name, type the name you use to connect to your Linux server from the Internet. Leave the port at the default 22. Then give this session a name in the "Saved Sessions" box, something like "Server (22)."

Click on Connection->SSH and check "Enable Compression." (I suggest leaving "Don't start a shell or command at all" unchecked so you have a convenient way to launch the VNC server manually. That way, you can bring up the server only when you need it.)

Click on Connection->SSH->Tunnels. Put "5901" in the Source Port box and "localhost:5901" in the Destination box and click "Add." Then put "5801" in the Source Port box and "localhost:5801" in the Destination box and click "Add."

Click on Session and click "Save."

Now create a second configuration that's identical except that it connects on port 80. Change the Port to 80, change "Saved Sessions" to something like "Server (80)," and click "Save."

Using It
To use the arrangement, first launch putty.exe. Depending on whether you have access on port 22 or port 80, double-click the appropriate session name to open the connection.

Once the ssh terminal starts and you've logged in, run vncserver to launch your VNC server. Remember that VNC chooses its port numbers from the display number: if it puts your display on :1, then it'll use ports 5901 and 5801, but if it puts you on :2 it'll use 5902 and 5802, etc. The port forwarding above assumes you'll always get :1, so it's a good idea to verify that's where VNC did, indeed, put your display.

If you're running putty on a machine with a VNC viewer installed, launch the VNC viewer and connect to localhost:5901. You should then be able to enter your password and get a VNC display.

Otherwise, if all you have is a web browser, launch the web browser and connect to http://localhost:5801. (Note: 5801 for http, 5901 for VNC viewers.) The VNC server will feed your browser a VNC viewer in the form of a Java applet. Wait a moment for Java to load, and then you should be able to log in and run.
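The two PuTTY sessions and the display-number check from the "Using It" section, rolled into one OpenSSH script as an added example (this is my own illustration, not part of the original post). It takes the ssh port (22 or 80) as an argument, starts vncserver over a first ssh command, reads the display number from vncserver's "New '...' desktop is host:N" message, and then opens the tunnels for the ports that display actually uses, so a session that lands on :2 forwards 5902/5802 instead of silently pointing at nothing. The server name is a placeholder; the vncserver output used in the demo is constructed.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the PuTTY tunnel sessions in the post,
# with the VNC display number read from vncserver instead of assumed to be :1.
# Not from the original post. SERVER is a placeholder.

SERVER="${SERVER:-your.server.example}"   # placeholder: your Internet-facing host name

# vncserver prints a line such as:  New 'box:1 (alice)' desktop is box:1
# Extract the display number (1, 2, ...) from that text; prints nothing if absent.
vnc_display() {
  printf '%s\n' "$1" | sed -n 's/.*desktop is [^:]*:\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Display :N listens on 5900+N (VNC protocol) and 5800+N (Java applet over HTTP).
vnc_port()  { echo $((5900 + $1)); }
http_port() { echo $((5800 + $1)); }

# Build the -L options, the same shape as the two PuTTY "Tunnels" entries.
# Forwards bind to the client's localhost only, so only you can reach them.
tunnel_args() {
  n=$1
  echo "-L $(vnc_port "$n"):localhost:$(vnc_port "$n") -L $(http_port "$n"):localhost:$(http_port "$n")"
}

# Usage: sh vnctunnel.sh 22     (or 80 when the network only allows HTTP)
# First ssh command starts the server and captures its output; the second
# opens the tunnels (-C = compression, as in the PuTTY session) and a shell.
if [ $# -gt 0 ] && [ "$1" != "--demo" ]; then
  port=$1
  out=$(ssh -p "$port" "$SERVER" vncserver 2>&1)
  n=$(vnc_display "$out")
  if [ -z "$n" ]; then
    echo "could not find the display number in vncserver output:" >&2
    echo "$out" >&2
    exit 1
  fi
  echo "VNC on :$n -> viewer: localhost:$(vnc_port "$n")  browser: http://localhost:$(http_port "$n")"
  # shellcheck disable=SC2046  # tunnel_args is a deliberately word-split list
  exec ssh -C -p "$port" $(tunnel_args "$n") "$SERVER"
fi

# Offline demo on a constructed vncserver message (display :2, not :1).
if [ "$1" = "--demo" ]; then
  sample="New 'box:2 (alice)' desktop is box:2"
  n=$(vnc_display "$sample")
  echo "display :$n -> ssh $(tunnel_args "$n") $SERVER"
fi
```

The demo mode (`sh vnctunnel.sh --demo`) shows the forwards that would be opened for a display :2, which is exactly the case the post warns about; with a real port argument the script talks to your server.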

One caveat: So far, I've been testing from inside our network by bouncing the connection through the router. I haven't had time yet to retreat to the local firewalled coffee shop for a test from there. I'll post a follow-up if further testing requires any configuration changes.
