How I, a newbie, got VNC to work across the Web with SOHO
firewall on cable modem
Barry Zubel
barry@zubel.co.uk
Fri Jul 11 13:43:00 2003
A marvellous walk-thru!
For those of you interested in this 'ip sniffing, tunnelling and SSH'
stuff, here is a brief description. I'll try to give analogies
as-and-where I can.
For the normal, insecure, end-user (of which most of us in reality are),
the chances that your VNC connection will be 'sniffed' are pretty small.
Sniffing is basically a fond term given to the inspection of TCP/IP
packets as they cross over the internet.
We all know that the Internet is an interconnected network of networks.
Imagine, if you will, that it is actually the same as a country-wide
postal service. Each TCP/IP packet is routed to-and-from the
destination by passing through various routers/networks. Liken this to
your 'postcard' (TCP/IP packet) being sent to a far destination: it has to
pass through your local mailbox (router), then the sorting office
(another router), then across the country by some means (another
router), and then through a remote sorting office (you should be
starting to get the idea), and then to the destination.
'Sniffing' your packet is the same as the postie at the other end
reading the back of your postcard before he delivers it. (In actual
fact, it could be a postal worker in ANY part of the chain).
To get around this problem, some geeky people (geeky being used fondly -
I regard myself as a geek!) out there developed something called SSH.
SSH is a method of 'end-to-end' encryption, which still passes over the
internet, but the information is scrambled so that it is illegible to
all but you and the destination. This would be the same as writing the
postcard in some secret code that only you or the destination
understand.
Now to the 'tunnel' part. Once you have initiated an 'SSH connection',
it can be used to 'tunnel' lots of different types of information to the
host, in a secure way. There are lots of different ways to achieve this
which I will not go into here, suffice to say that once this 'tunnel' is
operative, you can send any sort of data up-and-down it.
This is a difficult thing to think of an analogy for. Just believe me
that this 'tunnel' is pretty secure, and is not susceptible to
'sniffing'.
Anyway, to Dave - thanks for providing a walk-thru to the list. This
sort of information is absolutely invaluable as most of the people on
this list who can help do not necessarily have the time, or equipment to
document the setup procedure on all the different types of routers or
modems.
For anyone else who just read this and is now sat wondering what the
hell I'm talking about - it's not as difficult as you think. Just believe
what I've said, and work on the basis that you're using a technology
that you don't *have* to understand. (We all use mobile phones, huh? :))
Barry Zubel
Able Packaging Designs Ltd
-----Original Message-----
From: vnc-list-admin@realvnc.com [mailto:vnc-list-admin@realvnc.com] On
Behalf Of Dave Gayman
Sent: 11 July 2003 13:07
To: vnc-list@realvnc.com
Subject: How I, a newbie, got VNC to work across the Web with SOHO
firewall on cable modem
In this list there regularly pops up a cry for help: "I can't reach my
home computer using VNC via the Web" -- that is, with the Java-enabled
browser.
Reading answers in the archives here and from many a Web search gave me
only partial clues here and there, because I don't understand what a NAT
is, what tunneling is, or what is meant by IP address, gateways, dynamic
DNS or other terms casually flung about. Of course, I should not be trying
to do anything along this line, but there you are: I wanted to work my
home computer when I was on the road.
The solution to my problem turned out to be multi-fold. (My problem was
this: I could reach my primary home computer via browser anywhere on any
of my home-based local-area network machines. However, I could NOT reach
my primary home computer when using a browser on any machine outside my
home LAN.)
Unlayering the problem like a cosmic onion resulted in the following:
1. The Java viewer in VNC -- no surprise -- needs Java. Microsoft has
stopped including Java in Internet Explorer because someone yapped at them
and they took their baseball bat and went home.
So, if you're using a late-model IE, you probably have to download Java
from Sun. Sun has finally shielded us from having to know what "Java
virtual machine" means by automating the process at
http://www.java.com/en/index.jsp
2. My SMC Barricade router/hub/firewall whatever-the-heck-it-is, which I
threw into my cable modem setup to save me from nasty people and then later
turned into a LAN by adding other computers to it, had to be told that VNC
is OK to let through.
For the Barricade, this is done by going into the configuration utility,
clicking on "Virtual Server" (no idea what that means) and indicating
"Service Ports" of 5800 and 5900 for the IP address of the primary home
computer. The latter is easily found by hovering your mouse over the VNC
icon in the little tray at the bottom of the screen. Owing to confusing
chatter in various places, I also added Service Ports 5801 and 5901, but I
have no idea why.
3. The browser running the Java viewer has to be told the IP address of
the SMC Barricade, NOT THE IP ADDRESS OF YOUR HOME COMPUTER as all the VNC
docs tell you.
As a way of torturing you, this turns out to be ABSOLUTELY NOT the same as
the IP address that the SMC Barricade tells you it is, if your cable ISP,
like mine, assigns you a dynamic IP address -- that is, one that can change
at the whim of the ISP provider. I don't know how the ISP does this, and I
don't care. I found mine through a helpful guy at my ISP's phone-based
technical support.
4. The solution to reaching this dynamic IP is, of course, "dynamic
DNS." I think this is a named (or numbered) Web address -- an address you
choose -- that maps itself to your actual IP address, even when the latter
changes. The practical result is that on any computer anywhere, you can
enter an unchanging (non-dynamic) URL in the address line of your browser
and still talk to yourself, regardless of where you have gone as the result
of your ISP futzing with your IP address (probably called 'dynamizing' it).
The free dynamic DNS service from No-IP works for me (No-IP Free at
http://www.no-ip.com/index.php). There are others that you can pay for and
probably these have advantages. I was not able to discern what they are.
5. This whole thing, I'm told, is unsafe because nasty people can "sniff
your packets." I hope this does not mean what it appears to mean
(something akin to what those ill-trained pet dogs do to your
trousers). To keep baddies from sniffing, apparently, you have to "tunnel"
via "SSL." If and when I understand what that means in the IBM-clone
world, I'll be back with an update.
Point 1 took me several hours to find out.
Point 2 took me 3 days to work out.
Point 3 took an additional day.
Point 4 took half a day.
Point 5 is still unresolved and I'm still just a dog watching television on
this one.
Dave
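As an added example that is not from either post, the following Python puts Dave's port numbers and Barry's 'tunnel' into concrete terms: the display-number convention behind 5800/5900 and 5801/5901, a check of which of those ports a machine exposes on all interfaces rather than loopback only, and the OpenSSH local forward that lets the viewer reach VNC without the router forwarding 5800/5900 at all. The `ss -ltn` listing and the `myhome.example.no-ip.org` hostname are constructed placeholders.

```python
"""Added example: which VNC ports a home box exposes, and the SSH tunnel that
replaces direct exposure. Hostname and socket table below are constructed."""
from typing import Dict, Optional, Tuple

# RFB (VNC) convention: display N listens on TCP 5900+N, and the Java viewer's
# HTTP port for the same display is 5800+N. So 5801/5901 are simply display :1.
def vnc_ports(display: int) -> Tuple[int, int]:
    return 5800 + display, 5900 + display

def display_of(port: int) -> Optional[int]:
    for base in (5800, 5900):
        if base <= port < base + 100:
            return port - base
    return None

# Constructed `ss -ltn` style output, not taken from the thread.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*
LISTEN 0      5      0.0.0.0:5801        0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
"""

def classify_listeners(ss_output: str) -> Dict[int, str]:
    """Map each listening VNC port to 'exposed' (all interfaces) or 'loopback'.
    Once the viewer comes in over SSH, every VNC port should be 'loopback' and
    the router should forward only the SSH port, not 5800/5900."""
    result = {}
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port_str = fields[3].rpartition(":")
        port = int(port_str)
        if display_of(port) is None:
            continue
        result[port] = "loopback" if addr in ("127.0.0.1", "[::1]") else "exposed"
    return result

def tunnel_command(display: int, ssh_target: str, local_port: int = 5901) -> str:
    """The OpenSSH local forward carrying display N: the viewer is then pointed
    at localhost:<local_port>, so VNC traffic never crosses the Web in clear."""
    _, vnc_port = vnc_ports(display)
    return f"ssh -N -L {local_port}:127.0.0.1:{vnc_port} {ssh_target}"

if __name__ == "__main__":
    print(classify_listeners(SAMPLE_SS))
    print(tunnel_command(0, "user@myhome.example.no-ip.org"))
```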
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list