Free GotoMyPC-like VPN, traversing three firewalls!

I have my PCs at home behind THREE firewalls (all NAT Routers). At work, my PC is behind a corporate router over which I have no control. They turn off almost all outbound services, and no inbound services are allowed.

I want to be able to VPN to my machine at work from home, and vice versa. My office provides enterprise VPN, but I hate the software and hoops they use. Also, it doesn’t help me connect to my PC at home. So I started looking for a free alternative. And I found one.

I looked at some commercial and semi-commercial services like GotoMyPC, LogMeIn and QNext. But they’re limited and/or cost money. I’m a cheap bastard. I want it to work, but I don’t want to pay for it. I’d rather build it myself.

What I wound up with is free for me, but I used an external server that I control as a bridge to get my traffic across. You may not have that luxury, so your mileage may vary.

The Challenge

Here’s my original network configuration:

Pre-VPN Network Config

I have a PC at work behind a serious honkin’ firewall. I have several PCs at home behind one or two NAT routers. Getting the home PCs to connect to the work PC (and vice versa) is today’s challenge. To make this happen I have to bridge inbound connections (and outbound connections) across all three firewalls in a single bound. No small feat!

GotoMyPC works by connecting both PCs to an intermediary server whose firewall is under their control. That’s the ideal solution for connectivity, but it can slow things down since it adds a middle-man. Connectivity is my real problem, though; not speed. And, by the way, I happen to have a server out there whose firewall is under my control.

That webserver in the network diagram belongs to me. It runs Linux. I read my email on there, and I already use SSH port forwarding via Putty to connect to my secure email ports. (Corp firewall allows POP (110) but doesn’t allow Secure-POP (995). Go figure!) If you don’t have one of these at your disposal, you can add one at home with some extra hardware and some fancy DMZ configuration. Or you could even buy one of these.

Remote Control using VNC

The sort of connection I really want is VNC. I use VNC to connect from my laptop at home to my desktop at home. It works like PC Anywhere and lets me take over the desktop as if I’m right there at the PC. And it’s free.

I also use it at work to control my PC from other PCs. But it doesn’t work across the firewall. My corporate firewall won’t allow inbound or outbound connections on port 5900, the VNC port. So even if I opened up port 5900 on my home routers (a huge security risk!), it wouldn’t get me connected to my office.

First attempt

I started exploring how I could use SSH port forwarding on my server to make this all work. And I think I could, too. But it was still pretty kludgy. I discovered that when I opened too many ports, PuTTY crashed. I had to open lots of paths to get omnidirectional connections (home-to-work, work-to-home, laptop-to-work, work-to-laptop). And it would only open up VNC, really. What about file and printer sharing? (Note: UltraVNC Repeater claims it can help with most of this, but I didn’t find it until later. Also it seems to require a human on both ends.)

Second attempt

I tried using a product called Kaboodle. It was quite goofy looking, but someone promised it did what I wanted. If it does have this feature, it managed to hide it from me quite well.

Third attempt

I experimented with ProxyTunnel (only helpful for outbound connections) and VTun (no Windows client). Somewhere along the way I found OpenVPN. The clouds parted, angels sang soprano Hallelujahs and the sun came shining down. I found my solution.

OpenVPN is just that: an open-source VPN project. In its current incarnation it supports multiple clients and client-to-client visibility. I followed the simple step-by-step FAQs on how to set up the server. I installed the client on my work PC, and suddenly I had my own VPN to the outside world. I even started up Samba on my webserver and mapped /home as a local drive on my work PC. I was in hog heaven.

When I got home, I installed the clients on my laptop and desktop. Now I could ping my work PC over the VPN. Voila! And I could use VNC to — omigosh! — control my desktop at the office. I just heard another Hallelujah!

Finally, I downloaded the OpenVPN-GUI for Windows and installed it on all three machines. This is the final magic that makes this all work, because it causes the Windows machines to automatically connect to the VPN when Windows starts up. This seems stupid-simple to all the Unix users out there, but believe me, it’s not so easy on Windows when you’re running a Linux-ported app like OpenVPN.
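The server side of the setup just described rests on two OpenVPN features: client-to-client visibility (so the work PC and the home PCs can see each other through the webserver) and a fixed VPN address per client, handed out from a client-config-dir, which is why the author later says VNC has to be pointed at IP addresses or hosts-file entries. The following is an added example in Python, not the author’s configuration or any file from the OpenVPN project: it audits a constructed server.conf and ccd directory for the settings that matter once strangers’ traffic can ride the same tunnel, and derives the hosts lines for the clients. The client names, addresses and file contents are assumptions.

```python
"""Added example (not the author's files): audit an OpenVPN server setup of the
kind the article describes and derive hosts-file entries for its clients.

Constructed inputs: a server.conf with client-to-client enabled and one static
address per client from a client-config-dir (ccd). All values are assumptions.
"""
import ipaddress

# Constructed server config (assumption: mirrors the article's setup, not the
# author's real server.conf). The directives are standard OpenVPN 2.x ones.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# VPN subnet; every client gets an address from it
server 10.8.0.0 255.255.255.0
# per-client files, named after the certificate CN
client-config-dir ccd
# clients without a ccd file are refused
ccd-exclusive
# the work PC and the home PCs can reach each other
client-to-client
# HMAC on the control channel; unsigned handshakes are dropped
tls-auth ta.key 0
# client certs must carry the client EKU
remote-cert-tls client
keepalive 10 120
persist-key
persist-tun
"""

# Constructed ccd entries: {certificate CN: file body} (assumption).
CCD = {
    "work-pc": "ifconfig-push 10.8.0.10 255.255.255.0",
    "home-desktop": "ifconfig-push 10.8.0.20 255.255.255.0",
    "home-laptop": "ifconfig-push 10.8.0.30 255.255.255.0",
}


def parse_directives(text):
    """Return {directive: [args]} from OpenVPN-style config text.

    '#' and ';' start comments; the last occurrence of a directive wins, which
    is enough for the single-valued directives checked here.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def static_addresses(ccd):
    """Map client CN -> VPN address pushed by its ifconfig-push line."""
    addrs = {}
    for cn, body in ccd.items():
        args = parse_directives(body).get("ifconfig-push")
        if args:
            addrs[cn] = ipaddress.ip_address(args[0])
    return addrs


def audit(server_conf, ccd):
    """Return the findings a defender would want to see for this server."""
    d = parse_directives(server_conf)
    findings = []
    net = ipaddress.ip_network("{}/{}".format(*d["server"][:2]), strict=False)

    if "client-to-client" in d:
        # Not a defect, but worth stating: the CA (whoever you issued certs to)
        # is the only thing separating the work PC from every other client.
        findings.append("client-to-client: every client can reach every other client")
    if "ccd-exclusive" not in d:
        findings.append("ccd-exclusive missing: any cert signed by the CA connects, ccd file or not")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: the port answers TLS handshakes from anyone")

    owner = {}
    for cn, ip in static_addresses(ccd).items():
        if ip not in net:
            findings.append(f"{cn}: {ip} is outside the VPN subnet {net}")
        if ip in owner:
            findings.append(f"{cn}: {ip} duplicates {owner[ip]}")
        owner[ip] = cn
    return findings


def hosts_lines(ccd, suffix=".vpn"):
    """Lines for the hosts file so VNC can use names instead of bare VPN IPs."""
    addrs = static_addresses(ccd)
    return [f"{ip}\t{cn}{suffix}" for cn, ip in sorted(addrs.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    for finding in audit(SERVER_CONF, CCD):
        print("finding:", finding)
    print("\n".join(hosts_lines(CCD)))
```

Run it as-is and the only finding is the client-to-client note; delete `ccd-exclusive` or `tls-auth` from the sample and the corresponding finding appears. The hosts lines it prints are what you would paste into each client’s hosts file so the VNC viewer can be given a name rather than the VPN address.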

The Result

Here’s my new network configuration with my VPN overlayed on everything (in red):

My VPN Network

Performance

Speed is actually pretty good. I have an expensive webserver connection, so I expect that to work well. But even with encryption and forwarding, my ping times are about 90ms from work to home. (For comparison, work to webserver is 45ms and webserver to home is 55ms.) VNC works about like it does on my regular LAN, or maybe a tad slower. Network file sharing is the same. I haven’t tried printing, but I expect it to just work. Everything else has.

Conclusion

So now I have it. And you could too if you had an external webserver to host it or enough smarts to hook up your DMZ at home. Well, I do have an external webserver to host it. That’s also how GotoMyPC works. And QNext. And several others.

And now that I have it set up, I could even build my own GotoMyPC service. Maybe I will. Or maybe I’ll ignore it like all my other projects. :-)

Caveat

This setup probably violates my employment contract and computer usage agreements with my employer. It will probably violate yours, too. If you do this, you might get fired. Don’t come crying to me. I’ll just say, “I told you so!”

Other links

UltraVNC SC — I should find a way to make this connect for my Dad so I can do his tech support.

UltraVNC NAT-to-NAT may be a better solution for some folks.

Gliffy is a free Visio-like web application that I used to draw those network diagrams.

18 Responses to “Free GotoMyPC-like VPN, traversing three firewalls!”

  1. Anonymous Says:

    RealVNC together with BarracudaDrive solves ALL of my remote access problems. BarracudaDrive is bundled with a HTTPS tunnel that solves two major problems with RealVNC. The tunnel makes the VNC connection secure. The tunnel also bypasses my company’s very restrictive proxy and makes it possible to run the VNC client from behind my company’s firewall. BarracudaDrive also includes a WebDAV server that makes it possible to securely copy files to and from your home PC

    RealVNC client and server:
    http://www.realvnc.com/

    BarracudaDrive server:
    http://barracudaserver.com/examples/BarracudaDrive/

    HTTPS Tunnel client:
    http://barracudaserver.com/examples/BarracudaDrive/HttpsTunnel/

  2. Pallab Gupta Says:

    Try Hamachi too. Simple and great!

  3. phord Says:

    I did try Hamachi. I was going to mention it in the article but they became part of LogMeIn and I expected them to be rebranded. So I didn’t.

    Anyway, it doesn’t work from my office because my firewall is too restrictive.

  4. James Valentine Says:

    Used my new Bytemark VM on which I have full root access to act as the server/CA. Works beautifully! Thanks for being the page which started me on this track, which will continue to make life easier for me!

    Cheers!
    J.

  5. just me Says:

    This is simply perfect! Thanks a lot.

  6. matt2ss Says:

    So, would hamachi work over three NATs? My network would be:
    Another PC—NAT—internet—NAT—NAT—My PC

    Is it possible? I’m not sure.

  7. mike Says:

    Can you send TV over a home network?

  8. M Says:

    Wait, so you set up the OpenVPN server on your webserver that lives out in the open somewhere and then put clients on your work PC (behind your corporate firewall) and on your home PC (behind your several routers) and then once both the work PC and the home PC were connected to the VPN as clients, they could see each other by virtue of the fact that they were both connected as clients?

    Did you have to use IP addresses with VNC or could you resolve hostnames?

    Was your main goal to be able to control the work PC from home and vice versa, or was it to be able to “break out” of the corporate VPN and make outside connections as if they were coming from the webserver machine?

    Thanks — just trying to understand what you did here!

  9. phord Says:

    Wait, so you set up the OpenVPN server on your webserver that lives out in the open somewhere and then put clients on your work PC (behind your corporate firewall) and on your home PC (behind your several routers) and then once both the work PC and the home PC were connected to the VPN as clients, they could see each other by virtue of the fact that they were both connected as clients?

    Yes.

    Did you have to use IP addresses with VNC or could you resolve hostnames?

    I have to use IP addresses. In fact I have to use IP addresses assigned by the VPN, so there’s no name server that even knows these. I could add the names to my “etc\hosts” file since the IPs are static for each client.

    Was your main goal to be able to control the work PC from home and vice versa

    Yes.

    or was it to be able to “break out” of the corporate VPN and make outside connections as if they were coming from the webserver machine?

    No. In fact, I haven’t been able to do this. I think if I set up routes and enabled traffic forwarding on the web server I might be able to make this work, but it hasn’t been a feature I need.

    Well, sometimes I do need to bypass work firewalls to get to web pages, for example, on non-standard ports. For this I use another mechanism which is not VPN-related.

  10. Randy Says:

    So anyways, I’m curious if any of you folk can help me. See, my problem is that I’m trying to play a game which doesn’t support NAT routers. The obvious solution is port forwarding, but I’m in an apartment which doesn’t do that for nice people like me. So after they told me to go screw myself, I did a bit of research. The game I’m trying to play uses all peer-to-peer connections, so I have to be able to get through the NAT firewall to a bunch of different ports. I was wondering if I could use OpenVPN to get through all my NAT problems and play against thousands of people without error. I’m not really that great with computers compared to the whole lot of ya, but I’d love some responses. =]

    -Randy

  11. mus51 Says:

    Phord says:
    “…sometimes I do need to bypass work firewalls to get to web pages, for example, on non-standard ports. For this I use another mechanism which is not VPN-related”

    What is that ‘mechanism’ that you use to get to web pages on non-standard ports, may I ask?
    -mus51

  12. JR101 Says:

    I have a Windows VPN server which works great (with most machines connected to it from work and home). However, the work wireless gateway will not allow outbound VPN connections. Is there a way for my laptop to get out through the firewall somehow and connect to the VPN port on the external machine? You mentioned getting to web pages on non-standard ports.. can you tell us which solution you used, and would it work for this purpose?

  13. mandy Says:

    Check out www.dialINtomypc.com. He basically provided a site of FREE VNC-based remote support… it does what we are discussing, but for free and no work!!

  14. AA Says:

    That’s also highly unethical, probably illegal, and probably grounds for a lawsuit against you by your employer.

  15. phord Says:

    What is that ‘mechanism’ that you use to get to web pages on non-standard ports, may I ask?

    I use SSH to connect to my public machine on the internet. My SSH connection (Putty) supports SOCKS Proxy forwarding. I point the web browser to my localhost SOCKS Proxy, and *bingo*, all my web traffic (on any port) goes through my extant SSH connection instead of through my corporate firewall packet filter.

    The problem with this hack is that it requires you to have a server running somewhere to act as your proxy. If you are using openVPN to connect to your home PC like I am, then you’re practically done. All you need to do is make that SSH connection and turn on Dynamic Tunneling.

    [Recently I was able to get my Cisco/Linksys WRT54GL router to act as a VPN for me running OpenVPN and OpenWRT. Then I installed srelay on it for SOCKS Proxying. And it worked! Sweet!]

  16. phord Says:

    That’s also highly unethical, probably illegal, and probably grounds for a lawsuit against you by your employer.

    It is not unethical. Sorry. Nothing I’m doing on this VPN is in violation of any ethical norms.

    It’s also not illegal, excepting that I am using company resources aberrant of corporate policy. I am using the computer with their consent, though the case could be made that I am doing so in an unapproved manner.

    It probably is grounds for termination. That’s why I included the caveat. Dumbass.

  17. phord Says:

    Check out www.dialINtomypc.com. He basically provided a site of FREE VNC-based remote support… it does what we are discussing, but for free and no work!!

    The problem with that is that it requires me to set up the connection on both ends. I don’t want to have to be able to touch both computers to effect this connection. I want to be able to connect from either side to either side on a whim.

    However, that is a cool resource, and I’ll probably use it for some one-off connections in the future. Also, check out http://www.showmypc.com/. Maybe I’ll set up a server for this of my own!

  18. Anonymous Says:

    Very easy: www.ntrconnect.com, and free.
