
Use an office Mac from a home Mac Network
If you can access the Secure Shell Daemon on the firewall at your work, you can then use Remote Desktop over an ssh-ppp tunnel.

Warning:
Show this hint to network management and your legal advisor before implementing it. You can surf the intranet and launch any network application that uses TCP/UDP as well: query databases, mount network shares, hop across the corporate networks. Because you have SSH and a Unix machine on the inside (also possible with VirtualPC!), you are now in full control of the network, so use it wisely and bail out now if you do not foresee the consequences.

[robg adds: I have not tested this one, and I'll be honest and admit that some of it is clearly over my head...]

Here's the hint, with the following names used in this example:
workmac.firm: The Mac inside the work network, on IP range 192.168
fw.work.com: The firewall machine at your work
homemac: Your home mac
VPN network: home 10.9.8.7, work 10.9.8.6 (unlikely subnet?)


At work: Install Remote Desktop
Add these two lines to the sudoers file on workmac.firm, where you have root (sudo visudo):
Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
%vpn    ALL=(ALL) NOPASSWD: VPN
You should install your ssh-keys on fw.work.com. Then start an ssh-tunnel with workmac's ssh port forwarded over the tunnel from homemac:
ssh -X -L 2222:workmac.firm:22 fwuser@fw.work.com
You will install root@homemac's ssh-keys on workmac.firm over the tunnel. For PPP tunneling, it is important to get rid of any output on stdout, so touch your ~/.hushlogin to suppress banners, and disable any other output you see at login. Test all SSH logins before proceeding: as yourself, and as your home root to the firewall and to the workmac. All hosts should be accepted now, and there must be no password prompts; use the ssh-keys. Open a new shell and type:
$ sudo su -
$ ssh-keygen -t dsa
  # just press Enter until you're done (no passphrase)
$ ssh -p 2222 -l workuser localhost 'mkdir .ssh && chmod 700 .ssh'
$ scp -P 2222 ~/.ssh/id_dsa.pub workuser@localhost:.ssh/pub
$ ssh -p 2222 -l workuser localhost 'cat .ssh/pub >> .ssh/authorized_keys2'
  # log out of all remote shells, then add fw.work.com as a known host for root@homemac
$ sudo ssh fwuser@fw.work.com
logout
  # open the tunnel again (the tunnel host will resolve internal DNS)
$ ssh -X -L 2222:workmac.firm:22 fwuser@fw.work.com
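Before moving on to pppd, here is a check for the requirement above that every hop logs in without a prompt and writes nothing to stdout. This is an added example, not part of the original hint; the host and user names follow the hint's example names, and BatchMode=yes makes ssh fail instead of asking for a password.

```sh
#!/bin/sh
# Added example: verify that a login used for the pppd-over-ssh tunnel is
# non-interactive and silent on stdout (a banner or motd would corrupt the PPP stream).
#
# check_quiet_login runs the given command with stdin closed and returns
#   0 when it exits 0 and writes nothing to stdout,
#   1 when it exits non-zero (key not accepted, or a prompt refused by BatchMode),
#   2 when it exits 0 but printed something (fix with ~/.hushlogin on that host).
check_quiet_login() {
    if out=$("$@" </dev/null); then
        status=0
    else
        status=$?
    fi
    if [ "$status" -ne 0 ]; then
        echo "FAIL ($status): '$*' did not log in non-interactively" >&2
        return 1
    fi
    if [ -n "$out" ]; then
        echo "FAIL: '$*' wrote to stdout; touch ~/.hushlogin on that host:" >&2
        printf '%s\n' "$out" >&2
        return 2
    fi
    echo "OK: '$*'" >&2
    return 0
}

# The hops the hint uses (names assumed from the hint): the firewall directly,
# then workmac through the local end of the forwarded port 2222.
check_tunnel_logins() {
    check_quiet_login ssh -o BatchMode=yes fwuser@fw.work.com true &&
    check_quiet_login ssh -o BatchMode=yes -p 2222 -l workuser localhost true
}

# Run the real checks only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    check_tunnel_logins
fi
```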
Now install and run this script, then ping 10.9.8.6. Get the routing working at home (Apple needs to work on this: it does not seem to work on the first try, but the second try will work):
$ sudo route delete -net 192.168 10.9.8.6
$ sudo route add -net 192.168 10.9.8.6
$ ping some 192.168_host_you_know
You could add the IP of an internal nameserver in Network Prefs to resolve the internal DNS. SSH to workmac and add routes if needed. You now have the same network access as your office Mac -- all from the comfort of your home. You can control the Mac if you launch Remote Desktop and add the Mac, entering the IP and your login on workmac.firm.

To kill when done:
sudo kill -9 `ps wax|grep pppd|grep -v grep|awk '{print $1;}'`
Use an office Mac from a home Mac | 8 comments
Use an office Mac from a home Mac
Authored by: treck on Oct 19, '04 11:50:13AM

Yes, you could do all this, or you could use Apple Remote Desktop.

---
treck



Use an office Mac from a home Mac
Authored by: trekan on Oct 19, '04 02:33:09PM

And that is actually what the hint author is telling us how to do through an ssh-tunnel. This is very practical if, for example, we only have ssh access through the firewall and/or router.



Use an office Mac from a home Mac
Authored by: dreness on Oct 19, '04 04:02:40PM

There are many instances in which an ssh session can be established but a remote desktop session cannot. This hint combined with reverse ssh tunnels allows extremely flexible setups to be achieved, provided you have an ssh server that can be reached from the public net, and that outgoing ssh sessions are allowed from any network you use.

These instructions are fairly rigidly purposed, so it may take some gnashing to figure out how to use the vpn over ssh stuff in a different context (I'll go as far as to point folks to an ssh tunneling guide I wrote (http://www.dreness.com/ssh_tunnels.html) and no further :)



Use an office Mac from a home Mac
Authored by: CompuDude on Oct 19, '04 04:16:56PM

If you have access to an OSX server, setting up a VPN through which you can establish a normal (yet ultra-secure) ARD connection is a LOT easier than this. I suppose this hint is mostly for those who can't just use the built-in VPN server in OSX server, and then run ARD over that, rather than jumping through all the SSH hoops.

For OSX server, just turn on the VPN service, add a user with rights, open a couple of ports in your firewall to the VPN server (GRE/vpn passthrough and tcp 1723) (assuming you use a hardware firewall over and above the built-in OSX firewall), and connect from home with the internet connect applet (which takes all of 4 easy steps the first time: username, password, address and PPTP, and 2 clicks on the menubar item thereafter). Once connected, you're on the internal work network as if you had plugged into the switch, and making an ARD connection is exactly the same as doing it from inside the network (scan and click connect or choose from master list).

-CD



Use an office Mac from a home Mac
Authored by: jaysoffian on Oct 19, '04 06:10:38PM

You might want to take a look at OpenVPN.



Use an office Mac from a home Mac
Authored by: tji on Oct 20, '04 12:14:18AM

Maybe I'm missing something, but this seems overly complex if you have ssh access to the gateway host, and just want to connect with VNC to an internal host.

Why not just use ssh port forwarding?

ssh -L 5901:192.168.1.2:5900 workfw

Then, just connect your vnc client to localhost/127.0.0.1 port 5901, and it will go through the ssh tunnel to the internal host (192.168.1.2).



Use an office Mac from a home Mac
Authored by: legacyb4 on Oct 20, '04 10:18:44AM

That's okay for VNC which runs over TCP; the problem with SSH is that it won't forward UDP packets which is what Remote Desktop uses (at least version 1.x).



Use an office Mac from a home Mac
Authored by: datasmid on Oct 23, '04 03:21:44PM

> That's okay for VNC which runs over TCP; the problem with SSH is that it won't forward UDP packets which is what Remote Desktop uses (at least version 1.x).


Remote Desktop will, after a while, whine about it being tunneled, although it is not aware that it is. It complains that "This mac seems to be controlled by [ip-of-pppd-server]".


