Accessing a computer that uses NAT
Mon Nov 18 21:46:59 2002
(I've also sent this to the list since it might be useful for others...)
>> If you can't forward a port yourself through the NAT (say, because it
>> belongs to your ISP - that's the situation I'm in with my home
>> service), then it is still possible to get at it (in a round-about
> that is exactly my problem
As Micheal Salem said, it is important to be sure that you really mean a
NAT, rather than just your ISP giving you a dynamic IP.
Do you have your own network of machines that you connect through an
ADSL router to your ISP? Or do you have only one machine that has an IP
address that changes according to your ISP's choice? -If the second, how
do you know your ISP uses a NAT? (Check your IP address - if it's in the
range 10.x.x.x or 192.168.x.x or 172.16.x.x then your ISP is using NAT.)
OK, if your ISP really is using NAT, here's how to get a connection back
to your box within the NAT (it's worth noting this method can be used
for getting through a NAT to just anything you want, not just VNC - I
often use it while I'm at work to get a command-line for my laptop back
at home [within the ISP's NAT] - and it's all encrypted automatically!):
The secret is to do it "backwards"... that is, since there's no way to
get directly through to your machine from outside, you have to start off
from your machine within the ISP's NAT and create an ssh port forward on
an external machine that tunnels back to your NATed box. You can then,
while at that external machine, connect locally to that port, which will
go through the ssh tunnel back to your NATed box and connect to the
required port there.
If your NATed box is running some form of unix with OpenSSH, then the
command to create the ssh tunnel would look something like this (see
"man ssh" for info about these options):
ssh -C -c blowfish -f -N -R 5950:localhost:59xx <remote-host>
Where "xx" is the display number for the NATed machine (i.e. if your VNC
server is running on display 1, then use port 5901, etc.)
(Note that I've added compression here: "-C", since I've found it helps,
even when using a broadband connection, and I've also used 'blowfish'
encryption: "-c blowfish", which is somewhat faster than the default
Remember that you are typing this into your NATed box, so the remote
host is the name of the machine you want to connect *from*, once you get
to it again...
Of course, for this to work you must have an ssh client on your NATed
box and an ssh server on the one you want to view from...
What this will do is listen for a connection on port 5950 on
<remote-host> and forward it through the ssh tunnel to port 59xx on your
NATed box - which is the port used by the VNC server with display "xx".
Once you are sitting back at the 'remote' host, you make a vnc viewer
connection to display 50 (which corresponds to port 5950 above -you can
change this as required), but as if the vnc server is running on that
machine. - i.e. connect to localhost with display 50.
One thing to watch out for with this is that the vnc viewer might try to
use raw encoding (since it thinks it is connecting locally). You don't
want it to do this, so you need to force it to use different encodings.
If the viewer box is a unix-based machine then you would add some extra
options to the command-line as follows:
vncviewer -encodings "hextile rre corre copyrect" localhost:50
I expect the windows vnc viewer has options that you can change to make
it use other encodings.
If you have Windows running on these machines, and you don't know how to
use ssh on them, you'll have to ask around for somebody who has some
experience of setting up port forwards (remote) on the Windows version
Another thing to watch out for is that you might find the ssh connection
times-out due to no activity. This is a bit inconvenient if it takes
more than ten minutes to get from home to the remote machine!
Unfortunately, I don't really have a ready solution for this (though you
may be able to come up with some creative way to keep the connection
busy if you can connect to the remote box from home and push packets at
the port until you get there) - what I do is create a standard ssh
connection back to my home machine, using the method described above,
which I keep busy until I get to work. Then I kill that ssh connection
and start a new one straight away so I can type in the commands I want -
which would be the ssh port forward commands for VNC, in your case...
I suspect there's probably a way to prevent the ssh timeout, though I've
been too lazy to check the mac pages to see what it is...
Anyway, hope all that lot helps!
Any questions, let me know.
Adrian Umpleby firstname.lastname@example.org http://julia.ese.ic.ac.uk/adrian/