A marvellous walk-thru! For those of you interested in this 'ip sniffing, tunnelling and SSH' stuff, here is a brief description. I'll try to give analogies as-and-where I can.
For the normal, insecure, end-user (of which most of us in reality are), the chances that your VNC connection will be 'sniffed' are pretty small. Sniffing is basically a fond term given to the inspection of TCP-IP packets as they cross over the internet.

We all know that the Internet is an interconnected network of networks. Imagine, if you will, that it is actually the same as a country-wide postal service. Each TCP-IP packet is routed to-and-from the destination by passing through various routers/networks. Liken this to your 'postcard' (TCP-IP packet) being sent to a far destination: it has to pass through your local mailbox (router), then the sorting office (another router), then across the country by some means (another router), and then through a remote sorting office (you should be starting to get the idea), and then to the destination. 'Sniffing' your packet is the same as the postie at the other end reading the back of your postcard before he delivers it. (In actual fact, it could be a postal worker in ANY part of the chain.)

To get around this problem, some geeky people (geeky being used fondly - I regard myself as a geek!) out there developed something called SSH. SSH is a method of 'end-to-end' encryption, which still passes over the internet, but the information is scrambled so that it is illegible to all but you and the destination. This would be the same as writing the postcard in some secret code that only you or the destination understand.

Now to the 'tunnel' part. Once you have initiated an 'SSH connection', it can be used to 'tunnel' lots of different types of information to the host, in a secure way. There are lots of different ways to achieve this which I will not go into here, suffice to say that once this 'tunnel' is operative, you can send any sort of data up-and-down it. This is a difficult thing to think of an analogy for.
Just believe me that this 'tunnel' is pretty secure, and is not susceptible to 'sniffing'.

Anyway, to Dave - thanks for providing a walk-thru to the list. This sort of information is absolutely invaluable as most of the people on this list who can help do not necessarily have the time, or equipment to document the setup procedure on all the different types of routers or modems.

For anyone else who just read this and is now sat wondering what the hell I'm talking about - it's not as difficult as you think. Just believe what I've said, and work on the basis that you're using a technology that you don't *have* to understand. (We all use mobile phones, huh? :))

Barry Zubel
Able Packaging Designs Ltd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Gayman
Sent: 11 July 2003 13:07
To: [EMAIL PROTECTED]
Subject: How I, a newbie, got VNC to work across the Web with SOHO firewall on cable modem

In this list there regularly pops up a cry for help: "I can't reach my home computer using VNC via the Web" -- that is, with the Java-enabled browser.
Reading answers in the archives here and from many a Web search gave me only partial clues here and there, because I don't understand what a NAT is, what tunneling is, or what is meant by IP address, gateways, dynamic DNS or other terms casually flung about. Of course, I should not be trying to do anything along this line, but there you are: I wanted to work my home computer when I was on the road.

The solution to my problem turned out to be multi-fold. (My problem was this: I could reach my primary home computer via browser anywhere on any of my home-based local-area network machines. However, I could NOT reach my primary home computer when using a browser on any machine outside my home LAN.)

Unlayering the problem like a cosmic onion resulted in the following:

1. The Java viewer in VNC -- no surprise -- needs Java. Microsoft has stopped including Java in Internet Explorer because someone yapped at them and they took their baseball bat and went home. So, if you're using a late-model IE, you probably have to download Java from Sun. Sun has finally shielded us from having to know what "Java virtual machine" means by automating the process at http://www.java.com/en/index.jsp

2. My SMC Barricade router/hub/firewall whatever-the-heck-it-is, which I threw into my cable modem setup to save me from nasty people and then later turned into a LAN by adding other computers to it, had to be told that VNC is OK to let through. For the Barricade, this is done by going into the configuration utility, clicking on "Virtual Server" (no idea what that means) and indicating "Service Ports" of 5800 and 5900 for the IP address of the primary home computer. The latter is easily found by hovering your mouse over the VNC icon in the little tray at the bottom of the screen. Owing to confusing chatter in various places, I also added Service Ports 5801 and 5901, but I have no idea why.

3. The browser running the Java viewer has to be told the IP address of the SMC Barricade, NOT THE IP ADDRESS OF YOUR HOME COMPUTER as all the VNC docs tell you. As a way of torturing you, this turns out to be ABSOLUTELY NOT the same as the IP address that the SMC Barricade tells you it is, if your cable ISP, like mine, assigns you a dynamic IP address -- that is, one that can change at the whim of the ISP provider. I don't know how the ISP does this, and I don't care. I found mine through a helpful guy at my ISP's phone-based technical support.

4. The solution to reaching this dynamic IP is, of course, "dynamic DNS." I think this is a named (or numbered) Web address -- an address you choose -- that maps itself to your actual IP address, even when the latter changes. The practical result is that on any computer anywhere, you can enter an unchanging (non-dynamic) URL in the address line of your browser and still talk to yourself, regardless of where you have gone as the result of your ISP futzing with your IP address (probably called 'dynamizing' it). The free dynamic DNS service from No-IP works for me (No-IP Free at http://www.no-ip.com/index.php). There are others that you can pay for and probably these have advantages. I was not able to discern what they are.

5. This whole thing, I'm told, is unsafe because nasty people can "sniff your packets." I hope this does not mean what it appears to mean (something akin to what those ill-trained pet dogs do to your trousers). To keep baddies from sniffing, apparently, you have to "tunnel" via "SSL." If and when I understand what that means in the IBM-clone world, I'll be back with an update.

Point 1 took me several hours to find out.
Point 2 took me 3 days to work out.
Point 3 took an additional day.
Point 4 took half a day.
Point 5 is still unresolved and I'm still just a dog watching television on this one.

Dave

_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
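
For the tunnel described in the reply and left open in point 5 of the original message, an added example (not written by either poster): a small shell helper that builds the SSH port-forward command for a VNC display. It assumes an SSH server is running on the home machine; the function names and `dave@myhome.example.net` are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an SSH local port-forward for a VNC display.
# Assumption: the home computer runs an SSH server reachable from outside.

# VNC display N listens on TCP port 5900+N (the Java viewer on 5800+N),
# which is why ports 5901/5801 show up next to 5900/5800.
vnc_port() {
    case "$1" in
        ''|*[!0-9]*|0?*)
            echo "display must be a plain non-negative integer" >&2
            return 1 ;;
    esac
    echo $((5900 + $1))
}

# Print the ssh command that carries VNC inside the encrypted session.
#   $1 = user@host of the SSH server (hypothetical name supplied by caller)
#   $2 = VNC display number on the home machine (default 0)
#   $3 = local port the viewer will connect to (default 5901)
vnc_tunnel_cmd() {
    user_host=$1
    display=${2:-0}
    local_port=${3:-5901}
    [ -n "$user_host" ] || { echo "usage: vnc_tunnel_cmd user@host [display] [port]" >&2; return 1; }
    remote_port=$(vnc_port "$display") || return 1
    # -N: open no remote shell, only the forward.
    # Binding the local end to 127.0.0.1 keeps the forwarded port
    # unreachable from other machines on the network you are visiting.
    echo "ssh -N -L 127.0.0.1:${local_port}:127.0.0.1:${remote_port} ${user_host}"
}

# When run as a script with arguments, print the command to type.
# Example (constructed host name): sh vnc_tunnel.sh dave@myhome.example.net 0
if [ $# -ge 1 ]; then
    vnc_tunnel_cmd "$@"
fi
```

With the tunnel up, the viewer connects to `localhost:1` (local port 5901), and the router only needs the SSH port forwarded to the home computer instead of 5800 and 5900.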
