Accessing a computer that uses NAT

Adrian Umpleby a.umpleby@ic.ac.uk
Mon Nov 18 21:46:59 2002


Hi Eldad,

(I've also sent this to the list since it might be useful for others...)

>> If you can't forward a port yourself through the NAT (say, because it 
>> belongs to your ISP - that's the situation I'm in with my home 
>> service), then it is still possible to get at it (in a round-about 
>> way...)
>
> that is exactly my problem

As Micheal Salem said, it is important to be sure that you really mean a 
NAT, rather than just your ISP giving you a dynamic IP.

Do you have your own network of machines that you connect through an 
ADSL router to your ISP? Or do you have only one machine that has an IP 
address that changes according to your ISP's choice? If the second, how 
do you know your ISP uses a NAT? (Check your IP address - if it's in the 
range 10.x.x.x or 192.168.x.x or 172.16.x.x then your ISP is using NAT.)


OK, if your ISP really is using NAT, here's how to get a connection back 
to your box within the NAT (it's worth noting this method can be used 
for getting through a NAT to just anything you want, not just VNC - I 
often use it while I'm at work to get a command-line for my laptop back 
at home [within the ISP's NAT] - and it's all encrypted automatically!):

The secret is to do it "backwards"... that is, since there's no way to 
get directly through to your machine from outside, you have to start off 
from your machine within the ISP's NAT and create an ssh port forward on 
an external machine that tunnels back to your NATed box. You can then, 
while at that external machine, connect locally to that port, which will 
go through the ssh tunnel back to your NATed box and connect to the 
required port there.

If your NATed box is running some form of unix with OpenSSH, then the 
command to create the ssh tunnel would look something like this (see 
"man ssh" for info about these options):

ssh -C -c blowfish -f -N -R 5950:localhost:59xx <remote-host>

Where "xx" is the display number for the NATed machine (i.e. if your VNC 
server is running on display 1, then use port 5901, etc.)
(Note that I've added compression here: "-C", since I've found it helps, 
even when using a broadband connection, and I've also used 'blowfish' 
encryption: "-c blowfish", which is somewhat faster than the default 
'3des' encryption...)

Remember that you are typing this into your NATed box, so the remote 
host is the name of the machine you want to connect *from*, once you get 
to it again...

Of course, for this to work you must have an ssh client on your NATed 
box and an ssh server on the one you want to view from...


What this will do is listen for a connection on port 5950 on 
<remote-host> and forward it through the ssh tunnel to port 59xx on your 
NATed box - which is the port used by the VNC server with display "xx".

Once you are sitting back at the 'remote' host, you make a vnc viewer 
connection to display 50 (which corresponds to port 5950 above - you can 
change this as required), but as if the vnc server is running on that 
machine, i.e. connect to localhost with display 50.


One thing to watch out for with this is that the vnc viewer might try to 
use raw encoding (since it thinks it is connecting locally). You don't 
want it to do this, so you need to force it to use different encodings.

If the viewer box is a unix-based machine then you would add some extra 
options to the command-line as follows:

vncviewer -encodings "hextile rre corre copyrect" localhost:50

I expect the windows vnc viewer has options that you can change to make 
it use other encodings.

If you have Windows running on these machines, and you don't know how to 
use ssh on them, you'll have to ask around for somebody who has some 
experience of setting up port forwards (remote) on the Windows version 
of ssh.

Another thing to watch out for is that you might find the ssh connection 
times out due to no activity. This is a bit inconvenient if it takes 
more than ten minutes to get from home to the remote machine!

Unfortunately, I don't really have a ready solution for this (though you 
may be able to come up with some creative way to keep the connection 
busy if you can connect to the remote box from home and push packets at 
the port until you get there) - what I do is create a standard ssh 
connection back to my home machine, using the method described above, 
which I keep busy until I get to work. Then I kill that ssh connection 
and start a new one straight away so I can type in the commands I want - 
which would be the ssh port forward commands for VNC, in your case...

I suspect there's probably a way to prevent the ssh timeout, though I've 
been too lazy to check the man pages to see what it is...


Anyway, hope all that lot helps!

Any questions, let me know.

Adrian

=====================================================================
  Adrian Umpleby   adrian@ic.ac.uk  http://julia.ese.ic.ac.uk/adrian/
=====================================================================
   vncPatches68k:-   http://julia.ese.ic.ac.uk/adrian/software/vnc/
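The following shell helpers are an added example, not part of Adrian's post or of any VNC or OpenSSH code. They wrap the three practical checks the post walks through: deciding whether an address is in one of the private (RFC 1918) blocks the post lists for spotting a NAT, mapping a VNC display number to its TCP port (5900 + display), and assembling the `ssh -R` reverse-tunnel command. Two things go slightly beyond the post and are labelled as such: the private-range check covers the whole 172.16.0.0/12 block (172.16.x.x through 172.31.x.x), and the assembled command uses `ServerAliveInterval`, a real OpenSSH client option that sends keepalives so an idle tunnel is not dropped, which is the timeout fix the post wonders about. `remote.example.org` is a placeholder host.

```sh
#!/bin/sh
# Added example (not from the original post). Host names below are placeholders.

# Return 0 if the dotted-quad IPv4 address is in an RFC 1918 private block
# (10/8, 172.16/12, 192.168/16), the check the post suggests for a NATed address.
# Goes beyond the post in covering all of 172.16/12 (172.16.x.x to 172.31.x.x).
is_private_ip() {
    ip=$1
    # reject anything that is not digits and dots, or has an empty octet
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip            # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    return 1
}

# VNC display N listens on TCP port 5900+N (display 1 -> 5901, display 50 -> 5950).
vnc_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    echo $(( 5900 + $1 ))
}

# Build the ssh command typed on the NATed box: <remote-host> listens on
# 5900+REMOTE_DISPLAY and forwards it back through the tunnel to the local
# VNC server on LOCAL_DISPLAY.  Args: remote-host remote-display local-display
reverse_tunnel_cmd() {
    rhost=$1
    rport=$(vnc_port "$2") || return 1
    lport=$(vnc_port "$3") || return 1
    # -f -N: background, no remote command; -C: compression as in the post.
    # ServerAliveInterval (real OpenSSH option) keeps an idle tunnel alive.
    # Without a bind address, -R listens on the remote host's loopback only,
    # so the forwarded VNC port is reachable just from that host itself.
    echo "ssh -C -f -N -o ServerAliveInterval=60 -R ${rport}:localhost:${lport} ${rhost}"
}

# The matching viewer command on <remote-host>, forcing non-raw encodings
# because the viewer otherwise assumes a local (raw) connection.
viewer_cmd() {
    echo "vncviewer -encodings \"hextile rre corre copyrect\" localhost:$1"
}

# Demonstration with constructed addresses and a placeholder host
for a in 10.1.2.3 172.31.0.9 172.32.0.1 8.8.8.8; do
    if is_private_ip "$a"; then echo "$a: private (NAT likely)"; else echo "$a: public"; fi
done
reverse_tunnel_cmd remote.example.org 50 1
viewer_cmd 50
```

The `-c blowfish` option from the post is left out on purpose: current OpenSSH releases no longer support the blowfish cipher, and the default ciphers are already fast. The loopback-only bind of `-R` is worth knowing from the defender's side too: unless the sshd on the remote host has `GatewayPorts` enabled, the tunnelled VNC port is not exposed to anyone but users logged in to that host.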