Remote into Linux workstation behind a firewall

8

6

Let's say I have a Linux workstation at work, behind a firewall. So even though I may have a remote access server set up on it (such as the most excellent NoMachine NX Server), I can't access it from home.

My home network happens to have a Linux server. Is it possible to ssh from work to the home Linux machine and set up a tunnel so that once I'm at home, I can run the NX client, point it to my home Linux box on some port like 9000, and have that forward through the tunnel to port 22 on my work Linux box? How would I set this up?

CaptSaltyJack

Posted 2011-04-22T15:53:59.653

Reputation: 1 515

Your company doesn't provide some kind of VPN access? – Keith – 2011-04-22T17:19:59.317

Answers

8

From the machine at work, create a tunnel to your machine running ssh at home:

randolf@workserver:~$ ssh -vvv randolf@myhomeserver -R 44455:localhost:22

This will forward the remote port 44455 from your home server to port 22 (or whichever port ssh is listening on) on your work machine.

From home, check to see if anything is listening on 44455:

randolf@homeserver:~$ netstat -an | grep 44455
tcp        0      0 127.0.0.1:44455         0.0.0.0:*               LISTEN 

Next, to connect from home to your work machine, from your home server:

randolf@homeserver:~$ ssh localhost -p 44455
Password: ******

From there you should be connected to your work machine via your tunnel.

CJ Travis

Posted 2011-04-22T15:53:59.653

Reputation: 921

Perfect, exactly what I was looking for. Then I can use NX to log in remotely. – CaptSaltyJack – 2011-05-27T22:11:39.447

Awesome, glad to have helped! – CJ Travis – 2011-05-30T13:06:41.557
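
The listener check from the answer above (netstat | grep 44455), generalized as an added example that is not part of the original answer: it reads `ss -H -tlnp` output and reports every listening socket held by sshd other than the daemon's own port, which is how a `-R` forward appears on the home server. The sample lines, PIDs and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. Constructed sample of `ss -H -tlnp` output on the home
# server while the tunnel from the answer (-R 44455:localhost:22) is up.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:44455 0.0.0.0:* users:(("sshd",pid=2301,fd=9))
LISTEN 0 128 [::1]:44455 [::]:* users:(("sshd",pid=2301,fd=8))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
EOF
}

# find_ssh_forward_listeners [SSHD_PORT]
# Reads `ss -H -tlnp` lines on stdin and prints "local_address pid scope"
# for each listening socket owned by an sshd process (sshd or sshd-session)
# whose port is not sshd's own listening port (default 22).
# scope is "loopback" for 127.0.0.1 / [::1], otherwise "exposed".
find_ssh_forward_listeners() {
    awk -v sshd_port="${1:-22}" '
        $1 == "LISTEN" && $NF ~ /\("sshd[^"]*"/ {
            addr = $4
            # Port is everything after the last colon (works for [::1]:N too).
            port = addr; sub(/.*:/, "", port)
            if (port == sshd_port) next
            # Owning PID from the users:(("sshd",pid=N,fd=M)) column.
            pid = $NF; sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            # Bind address without the port decides the exposure.
            host = addr; sub(/:[0-9]+$/, "", host)
            scope = (host == "127.0.0.1" || host == "[::1]") ? "loopback" : "exposed"
            print addr, pid, scope
        }'
}

# Stand-alone demonstration on the constructed sample.
sample_ss_output | find_ssh_forward_listeners 22
```

On a live host, run `ss -H -tlnp | find_ssh_forward_listeners 22` as root so the process column is populated; an `exposed` result means the forward is bound beyond loopback (sshd `GatewayPorts`), so the work machine's SSH port is reachable from the network.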

1

You could set some port forwarding up with your firewall, or possibly even use a tool like "bounce" to re-direct ports if there are some restrictions on what you're allowed to do with your firewall, but here's what I'd do if I were you:

Install the excellent free, open source, userland OpenVPN software. Set up the target server as an OpenVPN client (and configure infinite connection retries), and your home Linux server as the OpenVPN server. This way, the target server running the OpenVPN client will be connected to your home Linux server whenever it's operational and connected to the internet -- through this VPN connection, you can have full access to your work/target server (running the OpenVPN client).

  OpenVPN (full-featured free, open source, userland VPN solution)
  http://www.openvpn.net/index.php/open-source.html

Randolf Richardson

Posted 2011-04-22T15:53:59.653

Reputation: 14 002

So just to make sure I have this right: my home Linux box runs an OpenVPN server, and my Linux box at work runs an OpenVPN client that stays connected to my Linux home VPN? And that will allow me (at home) to remote into my work Linux box? – CaptSaltyJack – 2011-04-22T17:13:38.557

@CaptSaltyJack: Yes. The purpose of a VPN is to extend the network to another computer or another network of more computers, and communications can go both ways. You can set either one up as the VPN server (and it probably would be more useful to set your work one up as the server, but the way you asked your question prompted me to suggest otherwise -- it really doesn't matter which way you do it though). The OpenVPN server's private IP will be 10.8.0.1 (default), and the first OpenVPN client will be 10.8.0.6 (default) -- they'll be able to ping/connect-to each other. – Randolf Richardson – 2011-04-22T17:16:54.763

@CaptSaltyJack: The server that has a static IP address should really also be the OpenVPN server though (unless it has a hostname that changes automatically with the IP). – Randolf Richardson – 2011-04-22T17:17:43.767

Well, at work, the network is set up in a way that all the computers are firewalled and to the external world they have one IP. So I don't think I could run a VPN server on my work machine and connect to it. I'd probably have to have it connect to my home machine. – CaptSaltyJack – 2011-04-22T17:40:06.087

@CaptSaltyJack: Just as I suspected. Either way you set it up (whichever side is the OpenVPN server), your applications (including ssh) won't know the difference. – Randolf Richardson – 2011-04-22T18:06:38.527

@CaptSaltyJack: Make sure your employer knows that you're setting up a VPN for remote access to their server before you do this. Also, your firewall might need to be configured to allow UDP port 1194 through (that's the [configurable] default for OpenVPN; TCP can also be used, but UDP yields better performance). – Randolf Richardson – 2011-04-22T19:09:46.493

1

How to connect to a Linux box on port 3389 (RHEL5)

Unfortunately, port 22 is blocked by many firewalls, and tunnels may open security holes, so the best approach is to set ssh and NX to listen on port 3389 instead of the standard 22, which may confuse the majority of hackers.

Configure OpenBSD to listen to port 3389

vim /etc/ssh/sshd_config

Port 3389

service sshd restart

Download NX Client for Windows to the RHEL ftp site

wget http://64.34.173.142/download/3.5.0/Windows/nxclient-3.5.0-9.exe

Download NX Free Edition for Linux

wget http://64.34.173.142/download/3.5.0/Linux/nxclient-3.5.0-7.i386.rpm
wget http://64.34.173.142/download/3.5.0/Linux/nxnode-3.5.0-9.i386.rpm
wget http://64.34.173.142/download/3.5.0/Linux/FE/nxserver-3.5.0-11.i386.rpm

As root - Install NX in this order

rpm -ivh nxclient-3.5.0-7.i386.rpm
rpm -ivh nxnode-3.5.0-9.i386.rpm
rpm -ivh nxserver-3.5.0-11.i386.rpm

Configure NX for port 3389

vim /usr/NX/etc/node.cfg
#
# Specify the TCP port where the NX node SSHD daemon is running.
#
SSHDPort = "3389"

vim /usr/NX/etc/server.cfg
#
# Specify the TCP port where the NX server SSHD daemon is running.
#
SSHDPort = "3389"

service nxsensor restart
nxserver --daemon restart

George

Posted 2011-04-22T15:53:59.653

Reputation: 11