How I, a newbie, got VNC to work across the Web with SOHO firewall on cable modem

Barry Zubel barry@zubel.co.uk
Fri Jul 11 13:43:00 2003


A marvellous walk-thru!

For those of you interested in this 'ip sniffing, tunnelling and SSH'
stuff, here is a brief description. I'll try to give analogies
as-and-where I can.

For the normal, insecure, end-user (of which most of us in reality are),
the chances that your VNC connection will be 'sniffed' are pretty small.
Sniffing is basically a fond term given to the inspection of TCP-IP
packets as they cross over the internet.

We all know that the Internet is an interconnected network of networks.
Imagine, if you will, that it is actually the same as a country-wide
postal service.  Each TCP-IP packet is routed to-and-from the
destination by passing through various routers/networks.  Liken this to
your 'postcard' (TCP-IP packet) being sent to a far destination: it has
to pass through your local mailbox (router), then the sorting office
(another router), then across the country by some means (another
router), and then through a remote sorting office (you should be
starting to get the idea), and then to the destination.

'Sniffing' your packet is the same as the postie at the other end
reading the back of your postcard before he delivers it. (In actual
fact, it could be a postal worker in ANY part of the chain).

To get around this problem, some geeky people (geeky being used fondly -
I regard myself as a geek!) out there developed something called SSH.
SSH is a method of 'end-to-end' encryption, which still passes over the
internet, but the information is scrambled so that it is illegible to
all but you and the destination. This would be the same as writing the
postcard in some secret code that only you or the destination
understand.

Now to the 'tunnel' part.  Once you have initiated an 'SSH connection',
it can be used to 'tunnel' lots of different types of information to the
host, in a secure way.  There are lots of different ways to achieve this
which I will not go into here, suffice to say that once this 'tunnel' is
operative, you can send any sort of data up-and-down it.

This is a difficult thing to think of an analogy for. Just believe me
that this 'tunnel' is pretty secure, and is not susceptible to
'sniffing'.

Anyway, to Dave - thanks for providing a walk-thru to the list. This
sort of information is absolutely invaluable as most of the people on
this list who can help do not necessarily have the time, or equipment to
document the setup procedure on all the different types of routers or
modems.

For anyone else who just read this and is now sat wondering what the
hell I'm talking about - it's not as difficult as you think. Just believe
what I've said, and work on the basis that you're using a technology
that you don't *have* to understand. (we all use mobile phones, huh? :))

Barry Zubel
Able Packaging Designs Ltd


***************************************************************************
This email may contain confidential information and/or copyright
material. This email is intended for the use of the addressee only. Any
unauthorised use may be unlawful. If you receive this email by mistake,
please advise the sender immediately by using the reply facility in your
email software. Thank you for your cooperation.

Please note that any opinions expressed in this e-mail are those of the
author personally and are not necessarily those of the Company or any of
its subsidiary companies, none of whom accept responsibility for the
contents of the message. This footnote also confirms that this email
message has been swept for the presence of computer viruses.
***************************************************************************
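The 'sniffing' described above, made concrete. This is an added example and not code from either message in this thread: a parser that walks one VNC login on TCP 5900 the way a passive observer reading the bytes in transit would, using the RFB 3.3 handshake that classic VNC servers speak. The two byte strings in it are a hand-constructed capture (the challenge, response, desktop name and screen size are made up), not real traffic, and `exposure_report` is an assumed helper name, not a VNC or RealVNC API.

```python
"""What a passive 'sniffer' on the path learns from one VNC login.

Added example, not code from this thread. It walks an RFB 3.3 handshake
(the protocol classic VNC servers speak on TCP 5900) exactly as someone
reading the bytes in transit would. The two byte strings below are a
hand-constructed capture, not real traffic.
"""
import struct
from typing import Dict, List

# RFB 3.3: the server alone picks the security type, sent as a 32-bit word.
SECURITY_TYPES = {0: "invalid", 1: "none", 2: "vnc-authentication"}


def parse_rfb33_handshake(server_bytes: bytes, client_bytes: bytes) -> Dict:
    """Consume the server->client and client->server streams in order.

    Returns the fields an eavesdropper can read straight off the wire.
    """
    s, c = memoryview(server_bytes), memoryview(client_bytes)
    info: Dict = {}

    # ProtocolVersion: 12 ASCII bytes "RFB xxx.yyy\n" from each side.
    info["server_version"] = bytes(s[:12]).decode("ascii").strip()
    info["client_version"] = bytes(c[:12]).decode("ascii").strip()
    s, c = s[12:], c[12:]

    (sec,) = struct.unpack("!I", s[:4])
    s = s[4:]
    info["security_type"] = SECURITY_TYPES.get(sec, f"unknown({sec})")

    if sec == 2:
        # VNC authentication: 16-byte challenge, the client's 16-byte DES
        # encryption of it under the password, then a 32-bit result (0 = OK).
        info["challenge"] = bytes(s[:16]).hex()
        info["response"] = bytes(c[:16]).hex()
        s, c = s[16:], c[16:]
        (result,) = struct.unpack("!I", s[:4])
        s = s[4:]
        info["auth_ok"] = result == 0
    elif sec == 1:
        info["auth_ok"] = True   # no authentication; 3.3 sends no result word
    else:
        info["auth_ok"] = False  # type 0: the server follows with a reason string
        return info

    if info["auth_ok"]:
        # ClientInit: one shared-flag byte. ServerInit: width, height,
        # 16-byte PIXEL_FORMAT, then the desktop name with a length prefix.
        info["shared"] = bool(c[0])
        width, height = struct.unpack("!HH", s[:4])
        s = s[4 + 16:]
        (name_len,) = struct.unpack("!I", s[:4])
        s = s[4:]
        info["desktop_name"] = bytes(s[:name_len]).decode("latin-1")
        info["framebuffer"] = (width, height)
    return info


def exposure_report(info: Dict) -> List[str]:
    """Plain-language list of what the capture hands an attacker (assumed helper)."""
    leaks = [f"VNC server version {info['server_version']} on this host"]
    if info.get("security_type") == "vnc-authentication":
        leaks.append("challenge/response pair: the password (at most 8 characters,"
                     " used as a DES key) can be guessed offline")
    elif info.get("security_type") == "none":
        leaks.append("no password at all: anyone reaching the port gets the desktop")
    if info.get("auth_ok"):
        leaks.append(f"desktop '{info['desktop_name']}' {info['framebuffer']}: "
                     "every keystroke and screen update that follows is readable")
    return leaks


# --- Constructed capture (NOT real traffic): one login on display :0 ---
_CHALLENGE = bytes(range(16))      # stands in for the server's random challenge
_RESPONSE = bytes(range(16, 32))   # stands in for DES(challenge, password)
_PIXEL_FORMAT = struct.pack("!BBBBHHHBBB3x", 32, 24, 0, 1, 255, 255, 255, 16, 8, 0)
_NAME = b"home-pc:0"

SERVER_STREAM = (
    b"RFB 003.003\n"
    + struct.pack("!I", 2)            # security type 2 = VNC authentication
    + _CHALLENGE
    + struct.pack("!I", 0)            # SecurityResult 0 = OK
    + struct.pack("!HH", 1024, 768)   # ServerInit: framebuffer size
    + _PIXEL_FORMAT
    + struct.pack("!I", len(_NAME)) + _NAME
)
CLIENT_STREAM = b"RFB 003.003\n" + _RESPONSE + b"\x01"   # ClientInit: shared = 1


def demo() -> Dict:
    """Parse the constructed capture above."""
    return parse_rfb33_handshake(SERVER_STREAM, CLIENT_STREAM)


if __name__ == "__main__":
    for line in exposure_report(demo()):
        print("-", line)
```

Nothing in the RFB 3.3 exchange is encrypted except the 16-byte challenge response, and that is derived from a password of at most eight characters, so a captured pair is enough to guess the password offline; the screen and keyboard traffic after it is plain. That is the whole case for putting the connection inside an SSH tunnel rather than forwarding 5800/5900 on the router.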
 

-----Original Message-----
From: vnc-list-admin@realvnc.com [mailto:vnc-list-admin@realvnc.com] On
Behalf Of Dave Gayman
Sent: 11 July 2003 13:07
To: vnc-list@realvnc.com
Subject: How I, a newbie, got VNC to work across the Web with SOHO
firewall on cable modem


In this list there regularly pops up a cry for help:  "I can't reach my
home computer using VNC via the Web" -- that is, with the Java-enabled
browser.

Reading answers in the archives here and from many a Web search gave me
only partial clues here and there, because I don't understand what a NAT
is, what tunneling is, or what is meant by IP address, gateways, dynamic
DNS or other terms casually flung about.  Of course, I should not be
trying to do anything along this line, but there you are:  I wanted to
work my home computer when I was on the road.

The solution to my problem turned out to be multi-fold.  (My problem was
this:  I could reach my primary home computer via browser anywhere on
any of my home-based local-area network machines.  However, I could NOT
reach my primary home computer when using a browser on any machine
outside my home LAN.)

Unlayering the problem like a cosmic onion resulted in the following:

1.  The Java viewer in VNC -- no surprise -- needs Java.  Microsoft has
stopped including Java in Internet Explorer because someone yapped at
them and they took their baseball bat and went home.

So, if you're using a late-model IE, you probably have to download Java
from Sun.  Sun has finally shielded us from having to know what "Java
virtual machine" means by automating the process at
http://www.java.com/en/index.jsp

2.  My SMC Barricade router/hub/firewall whatever-the-heck-it-is, which
I threw into my cable modem setup to save me from nasty people and then
later turned into a LAN by adding other computers to it, had to be told
that VNC is OK to let through.

For the Barricade, this is done by going into the configuration utility,
clicking on "Virtual Server" (no idea what that means) and indicating
"Service Ports" of 5800 and 5900 for the IP address of the primary home
computer.  The latter is easily found by hovering your mouse over the
VNC icon in the little tray at the bottom of the screen.  Owing to
confusing chatter in various places, I also added Service Ports 5801 and
5901, but I have no idea why.

3.  The browser running the Java viewer has to be told the IP address of
the SMC Barricade, NOT THE IP ADDRESS OF YOUR HOME COMPUTER as all the
VNC docs tell you.

As a way of torturing you, this turns out to be ABSOLUTELY NOT the same
as the IP address that the SMC Barricade tells you it is, if your cable
ISP, like mine, assigns you a dynamic IP address -- that is, one that can
change at the whim of the ISP provider.  I don't know how the ISP does
this, and I don't care.  I found mine through a helpful guy at my ISP's
phone-based technical support.

4.  The solution to reaching this dynamic IP is, of course, "dynamic
DNS."  I think this is a named (or numbered) Web address -- an address
you choose -- that maps itself to your actual IP address, even when the
latter changes.  The practical result is that on any computer anywhere,
you can enter an unchanging (non-dynamic) URL in the address line of
your browser and still talk to yourself, regardless of where you have
gone as the result of your ISP futzing with your IP address (probably
called 'dynamizing' it).

The free dynamic DNS service from No-IP works for me (No-IP Free at
http://www.no-ip.com/index.php).  There are others that you can pay for
and probably these have advantages.  I was not able to discern what they
are.

5.  This whole thing, I'm told, is unsafe because nasty people can
"sniff your packets."  I hope this does not mean what it appears to mean
(something akin to what those ill-trained pet dogs do to your
trousers).  To keep baddies from sniffing, apparently, you have to
"tunnel" via "SSL."  If and when I understand what that means in the
IBM-clone world, I'll be back with an update.

Point 1 took me several hours to find out.
Point 2 took me 3 days to work out.
Point 3 took an additional day.
Point 4 took half a day.
Point 5 is still unresolved and I'm still just a dog watching television
on this one.

Dave
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
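Dave's points 2 to 5 (router "Virtual Server" rules, the public address behind dynamic DNS, and the still-open tunnel question) and Barry's explanation of the SSH tunnel, pulled together as one plan. This is an added example, not code from either message or from RealVNC: it works out the port numbers a VNC display uses, the router rules needed with and without a tunnel, and the OpenSSH `-L` command line that replaces the exposed 5800/5900 forwards. The internal address 192.168.2.10, the user name `dave` and the hostname example-home.no-ip.org are assumptions, as is the assumption that an SSH server listens on port 22 on the home computer itself.

```python
"""Plan the router rules and the SSH tunnel for reaching a home VNC server.

Added example, not code from the original thread. Assumptions: the home
computer running VNC has internal address 192.168.2.10 and also runs an
SSH server on port 22; its dynamic-DNS name is example-home.no-ip.org.
"""
from typing import List, Optional, Tuple

# (proto, external_port, internal_ip, internal_port), one "Virtual Server" row
Rule = Tuple[str, int, str, int]


def vnc_ports(display: int) -> Tuple[int, int]:
    """VNC display :N listens on 5900+N (RFB) and 5800+N (Java viewer page).

    This is why 5801/5901 only matter for a second server on display :1;
    a single server on :0 needs just 5800 and 5900.
    """
    if not 0 <= display <= 99:
        raise ValueError("display number out of range")
    return 5900 + display, 5800 + display


def router_rules(internal_ip: str, display: int, tunnel: bool,
                 ssh_port: int = 22) -> List[Rule]:
    """Rows the SOHO router needs.

    Direct: both VNC ports are opened to the Internet and carry plaintext.
    Tunnel: only SSH is opened; VNC is reached inside the encrypted session
    and is not reachable from outside at all.
    """
    if tunnel:
        return [("tcp", ssh_port, internal_ip, ssh_port)]
    rfb, http = vnc_ports(display)
    return [("tcp", http, internal_ip, http), ("tcp", rfb, internal_ip, rfb)]


def exposed_plaintext_ports(rules: List[Rule]) -> List[int]:
    """Forwarded ports that would carry VNC in the clear (5800-5999)."""
    return sorted(ext for _, ext, _, _ in rules if 5800 <= ext < 6000)


def ssh_tunnel_argv(user: str, ddns_host: str, display: int,
                    local_display: Optional[int] = None,
                    vnc_host_from_ssh: str = "127.0.0.1",
                    ssh_port: int = 22) -> List[str]:
    """OpenSSH command line: ssh -N -L 127.0.0.1:LPORT:TARGET:RPORT user@host.

    Each -L binds a port on the laptop's loopback and relays it, inside the
    SSH session, to the VNC port on the home machine as seen from the SSH
    server. Both the RFB port and the Java-viewer page port are forwarded.
    Binding to 127.0.0.1 stops other machines on the hotel LAN using the
    tunnel. local_display lets the laptop keep its own VNC server on :0.
    """
    if local_display is None:
        local_display = display
    rfb, http = vnc_ports(display)
    lrfb, lhttp = vnc_ports(local_display)
    argv = ["ssh", "-N", "-p", str(ssh_port)]
    for lport, rport in ((lrfb, rfb), (lhttp, http)):
        argv += ["-L", f"127.0.0.1:{lport}:{vnc_host_from_ssh}:{rport}"]
    argv.append(f"{user}@{ddns_host}")
    return argv


def viewer_target(ddns_host: str, display: int, tunnel: bool,
                  local_display: Optional[int] = None) -> str:
    """What to type into the native VNC viewer (host:display)."""
    if tunnel:
        return f"127.0.0.1:{display if local_display is None else local_display}"
    return f"{ddns_host}:{display}"


if __name__ == "__main__":
    for mode in (False, True):
        rules = router_rules("192.168.2.10", 0, tunnel=mode)
        print("tunnel" if mode else "direct", rules,
              "plaintext VNC ports:", exposed_plaintext_ports(rules))
    print(" ".join(ssh_tunnel_argv("dave", "example-home.no-ip.org", 0)))
    print(viewer_target("example-home.no-ip.org", 0, tunnel=True))
```

With the tunnel up, the browser is pointed at http://127.0.0.1:5800/ and the native viewer at 127.0.0.1:0, and the router forwards port 22 only. One caveat on `local_display`: the Java applet connects back to the host it was loaded from on the server's own RFB port, so if the local display number differs from the remote one, only the native viewer will work through the tunnel; keep them equal when the browser viewer is wanted.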