Remote Access

Introduction

...

Shortcut - Debian 4.0 Etch client package stack

If you know what you're doing and just want the packages, this is the complete client's remote connection package stack for Debian 4.0 Etch (VPN client, VNC client, SSH client and additionally dialup and GNOME Bluetooth for connecting using a cellular phone):

VPN

There are different types of VPNs:

VPN Server Using IPCop

We will use IPCop (http://www.ipcop.org/) as our router and firewall. As of this writing the latest stable version is 1.4.16. IPCop will run the VPN server software. (Check that a release of the ZERINA VPN server is available for the latest version of IPCop; if not, you may have to run an older version of IPCop until ZERINA is updated.)

The VPN server can cover host-to-net (whereby you connect a, potentially roving, client to the network) and net-to-net (whereby you connect two networks together).

The main IPCop documentation on VPN, covering 'host-to-net' and 'net-to-net', is at http://www.ipcop.org/1.4.0/en/admin/html/vpnaw.html.

IPCop 140 Blue Vpn Howto: http://www.ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=IPCop140BlueVpnHowto.

Host-to-Net or 'Roadwarrior'

You could use the IPSec VPN that comes with IPCop but I had difficulty with this and instead chose a separately installable OpenVPN module for IPCop.

The ZERINA OpenVPN module for IPCop

http://www.zerina.de/zerina/

ZERINA allows Windows and other operating systems to connect, including from behind NAT. It uses OpenVPN (SSL), rather than IPCop's default IPSec VPN, by adding a module to IPCop.

Setting up ZERINA

Upgrading is the same process as installing. Download the latest stable release of the software from http://www.zerina.de/zerina/?q=download that matches the version of IPCop you're running to a workstation. As of this writing that is ZERINA version 0.9.5a for IPCop 1.4.16. (Note that a version of ZERINA matching the latest stable version of IPCop isn't always available shortly after the release of that IPCop version. You might have to wait for the corresponding ZERINA update or use a previous version of IPCop. Running the older version could represent a security risk.)

Connect into IPCop at the command-line, using either

Create a directory on the IPCop machine for the VPN software installer:
mkdir /openvpn-installer

Copy the VPN installer to the VPN software installer directory on the IPCop machine

Log into IPCop at the command-line, using either

Extract the installer:
tar -xzvf ZERINA<version number>Installer.tar.gz

Run the installer:
./install

Here are some options to make sure you've set

Note: set system time from time server

Note: configuration settings are saved in /var/ipcop/ovpn/server.conf

Adding VPN Clients

Follow this to create a client certificate or you can follow a 'HOWTO Roadwarrior' tutorial at http://www.zerina.de/zerina/?q=documentation/howtorw-step4.

Upgrading ZERINA

Download the latest stable release of the software from http://www.zerina.de/zerina/?q=download that matches the version of IPCop you're running to a workstation. (Note that a version of ZERINA matching the latest stable version of IPCop isn't always available shortly after the release of that IPCop version. You might have to wait for the corresponding ZERINA update or use a previous version of IPCop. Running the older version could represent a security risk.)

Uninstalling ZERINA
Uninstallation is only possible if you kept the original Zerina installer or Zerina update installer directory (/zerina-<version>):

SSH into IPCop.

cd to the latest original Zerina installer or Zerina update installer directory.

Run the uninstaller:
./uninstall

Troubleshooting

Test the VPN connection from within the intranet when you first set it up to know if it works in and of itself. Then test from outside the intranet.

There might be a log available in the DSL modem. This is an example of a working OpenVPN connection:
Tue, 2007-08-14 11:14:36 - TCP Packet - Source:192.168.1.2,53828 Destination:217.155.32.145,1194 - [OpenVPN rule match]

Check the IPCop firewall log. In this example from the firewall log the incoming connection is being blocked because of a misconfigured Zerina setting:
12:10:00 INPUT eth1 TCP 192.168.1.1 53828 00:18:4d:ff:ab:68 192.168.1.2 1194
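To make sense of the two log formats quoted above, here is an added example (not code from the page, IPCop or ZERINA) that parses both lines and correlates them by the client's source port, so you can tell whether an OpenVPN attempt was forwarded by the modem and then dropped by IPCop. It assumes the field order of the IPCop line is time, chain, interface, protocol, source IP, source port, MAC, destination IP, destination port, inferred from the single sample line; the extra log line is constructed.

```python
"""Spot OpenVPN connection attempts that the IPCop firewall dropped."""
import re
from typing import Dict, List, Optional

OPENVPN_PORT = 1194  # the port used in the page's examples

# IPCop firewall-log line as quoted on the page:
# "12:10:00 INPUT eth1 TCP 192.168.1.1 53828 00:18:4d:ff:ab:68 192.168.1.2 1194"
# Field meaning (time chain iface proto src sport mac dst dport) is inferred
# from that one sample line; treat it as an assumption of this example.
IPCOP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<chain>\w+)\s+(?P<iface>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

# DSL-modem log line as quoted on the page:
# "Tue, 2007-08-14 11:14:36 - TCP Packet - Source:192.168.1.2,53828
#  Destination:217.155.32.145,1194 - [OpenVPN rule match]"
MODEM_RE = re.compile(
    r"^(?P<when>\w{3}, \d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) Destination:(?P<dst>[\d.]+),(?P<dport>\d+)"
    r" - \[(?P<rule>[^\]]*)\]\s*$"
)


def parse_ipcop(line: str) -> Optional[Dict[str, object]]:
    """Parse one IPCop firewall-log line; None if the line has another shape."""
    m = IPCOP_RE.match(line.strip())
    if not m:
        return None
    d: Dict[str, object] = m.groupdict()
    d["sport"] = int(m.group("sport"))
    d["dport"] = int(m.group("dport"))
    return d


def parse_modem(line: str) -> Optional[Dict[str, object]]:
    """Parse one DSL-modem log line; None if the line has another shape."""
    m = MODEM_RE.match(line.strip())
    if not m:
        return None
    d: Dict[str, object] = m.groupdict()
    d["sport"] = int(m.group("sport"))
    d["dport"] = int(m.group("dport"))
    return d


def blocked_openvpn(ipcop_lines: List[str], port: int = OPENVPN_PORT) -> List[Dict[str, object]]:
    """IPCop entries in the INPUT chain whose destination port is the OpenVPN port.

    The page's example shows a blocked connection logged this way, so an INPUT
    hit on the VPN port is read as 'reached IPCop, never reached the OpenVPN
    daemon' (assumption: the firewall log lists dropped packets).
    """
    hits = []
    for line in ipcop_lines:
        e = parse_ipcop(line)
        if e and e["chain"] == "INPUT" and e["dport"] == port:
            hits.append(e)
    return hits


def diagnose(modem_lines: List[str], ipcop_lines: List[str], port: int = OPENVPN_PORT) -> str:
    """Correlate the two logs by client source port and say where the attempt stopped."""
    forwarded = {e["sport"] for e in map(parse_modem, modem_lines)
                 if e and e["dport"] == port and "OpenVPN" in str(e["rule"])}
    dropped = {e["sport"]: e for e in blocked_openvpn(ipcop_lines, port)}
    if not forwarded:
        return "no OpenVPN traffic seen at the modem: check the port-forwarding rule"
    both = forwarded & set(dropped)
    if both:
        e = dropped[min(both)]
        return (f"modem forwarded port {port} but IPCop dropped it in INPUT on "
                f"{e['iface']}: check the ZERINA/IPCop firewall settings")
    return f"modem forwarded port {port} and IPCop did not drop it: look at the OpenVPN log next"


# Sample logs: the two lines from the page plus one constructed, unrelated drop.
SAMPLE_MODEM = [
    "Tue, 2007-08-14 11:14:36 - TCP Packet - Source:192.168.1.2,53828 "
    "Destination:217.155.32.145,1194 - [OpenVPN rule match]",
]
SAMPLE_IPCOP = [
    "12:10:00 INPUT eth1 TCP 192.168.1.1 53828 00:18:4d:ff:ab:68 192.168.1.2 1194",
    "12:10:07 INPUT eth1 TCP 203.0.113.9 40212 00:18:4d:ff:ab:68 192.168.1.2 23",  # constructed
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_MODEM, SAMPLE_IPCOP))
```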

References

'Open VPNHowto - RoadWarrior VPN Connection to IPCop using OpenVPN': http://www.ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=OpenVPNHowto (this document led me to ZERINA, but the ZERINA site itself has readable documentation, which in my view makes this document redundant).

? http://thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto/.

Net-to-Net

I haven't done this yet...

OpenVPN Client Software

OpenVPN client for Windows

Configuration

This will work with Windows 2000 or XP.

Go to http://openvpn.se/ and download the stable version of the client software, OpenVPN GUI Installation Package. As of this writing this was version 1.0.3 (including OpenVPN 2.0.9), 'openvpn-2.0.9-gui-1.0.3-install.exe'.

Whilst logged in as an administrator, install OpenVPN GUI with the default installation options.

Get the configuration file and the certificate file: the configuration tells the software where and how to connect, and the certificate authenticates the client. Note: this file contains your private key, so it is imperative that you keep it secret (leaving it lying around on the disk unencrypted may not even be enough).

Either these files will be given to you by your system administrator or you will need to get them yourself. If you need to get them yourself, download the configuration file and client certificate from within IPCop:

Once you have them:

? Enable LMHOSTS lookup - disabled

System clocks between the VPN client and the VPN server need to be synchronised, so make sure your system time is set correctly by syncing with a time server:

Firewalls

If you're using Windows XP with the Windows Firewall turned on, it will prompt you; choose Unblock.

Similarly other firewalls, such as ZoneAlarm, should prompt you.

Storing the Client Certificate Securely

Now you need to put the client certificate (the PKCS12 file) somewhere. OpenVPN GUI defaults to expecting it in its config directory, and if you put it there everything should now work, but we want to keep it somewhere user-specific and more secure. The location is set in the .ovpn file by the line pkcs12 "<name and location of .p12 file>" (a path containing spaces must be in quotes; backslashes must be doubled).

THIS SECTION IS UNFINISHED BUT IS COVERED BY ONE METHOD, STORING IT IN THE WINDOWS CERTIFICATE STORE, IN THE NEXT SECTION FOR NON-ADMINISTRATIVE USERS and there's another method hinted at in the next section's 'to do' list.

Allow Non-Administrators to Use the VPN

Typically, to use the VPN your Windows user account must be an administrator. Running the computer as an administrator, especially when using Internet software, is inherently insecure. When using the VPN we need the computer to be as secure as possible, as it will be directly connected to the remote intranet: there won't be any firewalling software to protect the workstations and servers on that network. So running the VPN as an administrator isn't advised. However, the next series of somewhat convoluted steps will configure the system to allow non-administrators to use the VPN software.

These were used as references but they're incomplete:

Other documents that were used to learn this are also referenced but each only provides some of the steps required to set this up and many have parts with the wrong advice.

You need to be Administrator the first time you run OpenVPN GUI, so that it can create its registry keys. After that you don't have to be an administrator just to run the GUI; OpenVPN itself, however, still requires an administrator to run, which the following steps work around.

Unzip the certificate package.

Use OpenVPN GUI to Control the OpenVPN Service

From http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html:

Set the following (REG_SZ) registry values in HKEY_LOCAL_MACHINE/Software/OpenVPN-GUI/:

These are possibly also useful:

Give a normal user the right to control (start/stop/restart) the OpenVPN Service

From http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html:
"Normally starting and stopping a service requires administrator privileges, but you can assign a normal user the right to control an individual service. You do this with the subinacl.exe utility included in the Windows Resource Kit. You can also download it here: http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en"

Install subinacl.

To give a user the right to start and stop the OpenVPN service, log on as administrator and run the following command:
%PROGRAMFILES%\Windows Resource Kits\Tools\SubInAcl.exe /SERVICE "OpenVPNService" /GRANT=<username>=TO

"You can also give a user the right to control a service through the use of Group Policies." See: http://support.microsoft.com/default.aspx?scid=kb;en-us;288129.

Allow any user to run the service as an administrator

"Keep in mind that by using this feature you are potentially giving your users a way to escalate their privileges to administrator rights. If your main reason for not running as administrator is to protect against malicious code on the web from executing with administrator rights in your computer, then this could be a good way to run OpenVPN GUI, but if your users under no circumstances should be able to run other applications as administrator, you should NOT use this way to run OpenVPN GUI either!"

[These instructions also claimed "While installing OpenVPN GUI, make sure to un-check "AutoStart OpenVPN GUI", as you will need to create your start-up shortcut manually." but you don't actually need to do this]

"Create a "RunAs" short-cut" - OpenVPN GUI defaults to loading via the registry key HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run. Change that to either:

See http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for other methods such as a desktop shortcut.

Storing Your Client Certificate Package in Windows' Certificate Store

"Another important issue is that the [OpenVPN] service can't handle password-protected keys [it has no means of passing back the request for the password to the logged in user]; the [password protected] key has to be stored in the Microsoft certificate store and the configuration file has to be changed accordingly. The [Windows] certificate store requires [the certificate as] a PKCS12 file [which is the form we have it in], which must be ... imported into the local machine's certificate store. It's very important to use the local machine's store, as this is the only location that the service can access." - http://www.informit.com/articles/article.aspx?p=387173&seqNum=9&rl=1

"Remember that the [OpenVPN] service is running as "Local System" (by default) so you must import the key/cert into the System account, not your user account" - http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html

Log in to Windows as an administrator (or Power User?).

Run the Microsoft Management Console (MMC): Start → Run... → mmc → OK

Add the Certificates snap-in to the MMC. From http://support.real-time.com/open-source/ipsec/index.html (which is mostly applicable to our situation but not completely - ignore the adding of the 'IP Security Policy Management'): File → Add/Remove Snap-in... → Add → Certificates → Add → Computer account → Next → Local computer → Finish → Close → OK (If you weren't an administrator you wouldn't be prompted for 'My user account / Service account / computer account')

Import your PKCS12 client certificate file. Console Root → Certificates (Local Computer) → select Personal → Action → All Tasks → Import... → Next → Browse → find where your .p12 certificate is → Files of type: Personal Information Exchange (*.pfx,*.p12) → choose the file → OK → Next → enter the associated password/passphrase → choose 'Automatically select the certificate store based on the type of certificate' → Next → Finish. The certificate will be added to 'Certificates' below 'Personal'.
(what about 'Mark this key as exportable. This will allow you to back up or transport your keys at a later time'?). Two certificates will appear: '<organisation> CA', the CA Root certificate, and <VPN user's name> - the particular user's certificate.

(By 'Personal' it doesn't seem to mean that you have to do this for the specific user)

Get the thumbprint for later (a unique identifier for the key). In the MMC, double-click on the certificate → Details → Thumbprint. - http://www.informit.com/articles/article.aspx?p=387173&seqNum=9&rl=1

Extract the Root Certificate From Your PKCS12 File

(I think this is possible on Windows but I've not tried it, I've used Linux)

Issue the command:
openssl pkcs12 -in <client-cacert>.p12 -nokeys -cacerts -out <organisation>-root-ca.crt
You are asked "Enter Import Password:" and, if it worked, see "MAC verified OK". - From http://wiki.cacert.org/wiki/openVPN.

(Or could we get it from the .zip file provided by IPCop?)

Save the resulting certificate (<organisation>-root-ca.crt), which doesn't need to remain secret, somewhere on the workstation [where? C:\Documents and Settings\<user who'll use the VPN>?]

Configure OpenVPN GUI to use the Windows Certificate Store

Note: all OpenVPN GUI config is per-machine, not per-user.

"In the configuration file, the files[?] cert and key [we don't have one of these, I forget which] have to be replaced with the following line:
cryptoapicert "THUMB:<your thumbprint>"

The thumbprint is a unique identifier for the key and can be found on the Details page if the key is opened in the MMC." - http://www.informit.com/articles/article.aspx?p=387173&seqNum=9&rl=1

Configure OpenVPN GUI with the Name and Location of the Root Certificate

The OpenVPN GUI configuration file needs to have the name and location of the root certificate (a .crt file) using the setting:
ca "<name and location of .crt file>"
e.g.: ca "c:\\Documents and Settings\\<user you're running it as>\\<organisation>-ca.crt"
(You can't put it in an administrator's profile because you don't have permission to read it from there.)

Remove the line beginning 'pkcs12' from the OpenVPN GUI config file.

(Why isn't this gotten from the Windows certificate store? There are CA and ROOT certificates. Perhaps loading the PKCS12 file into Windows' certificate store only took the ROOT and not the CA certificate?)

If you don't do this you get the error "Options error: You must define CA file (--ca)". OpenVPN's documentation says of --ca: "Certificate authority file in .pem format containing root certificate".

"I'm not sure why we need this when the CA stack should be available from the Microsoft CryptoAPI" - https://wiki.inf.ed.ac.uk/DICE/DiceWindows
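The three config changes above (thumbprint into a cryptoapicert line, pkcs12 line removed, ca line with a double-backslash quoted path) are easy to get subtly wrong by hand, so here is an added example (not code from the page, OpenVPN or OpenVPN GUI) that performs them and checks the result for the "--ca" error the page mentions. The sample .ovpn, the thumbprint and the path are constructed; the hostname vpn.example.invalid and user alice are placeholders.

```python
"""Rewrite an OpenVPN GUI client config to take its key from the Windows certificate store."""
import re
from typing import Dict, List

THUMB_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)  # Windows shows the SHA-1 thumbprint: 20 bytes
REPLACED = ("pkcs12", "cert", "key", "cryptoapicert", "ca")  # directives this rewrite regenerates


def normalize_thumbprint(shown: str) -> str:
    """Turn the thumbprint as the MMC Details tab shows it into bare hex.

    MMC prints spaced hex pairs ("a1 b2 c3 ..."), and a copy from that field
    can carry an invisible text-direction mark, so keep only the hex digits.
    """
    hexdigits = "".join(ch for ch in shown.lower() if ch in "0123456789abcdef")
    if not THUMB_RE.match(hexdigits):
        raise ValueError(f"not a 40-hex-digit thumbprint: {shown!r}")
    return hexdigits


def windows_path_arg(path: str) -> str:
    """Quote a Windows path for an .ovpn file: value in quotes, backslashes doubled.

    Collapsing first makes this safe to call on an already-doubled path.
    """
    return '"' + path.replace("\\\\", "\\").replace("\\", "\\\\") + '"'


def directives(ovpn_text: str) -> Dict[str, str]:
    """Map each directive in the config to its raw argument string (comments skipped)."""
    found: Dict[str, str] = {}
    for line in ovpn_text.splitlines():
        parts = line.strip().split(maxsplit=1)
        if parts and not parts[0].startswith(("#", ";")):
            found[parts[0]] = parts[1] if len(parts) > 1 else ""
    return found


def to_cert_store_config(ovpn_text: str, thumbprint_shown: str, ca_path: str) -> str:
    """Return the config rewritten for the Windows (local machine) certificate store."""
    kept: List[str] = []
    for line in ovpn_text.splitlines():
        parts = line.strip().split(maxsplit=1)
        if parts and parts[0] in REPLACED:
            continue  # dropped here, regenerated below
        kept.append(line)
    kept.append(f'cryptoapicert "THUMB:{normalize_thumbprint(thumbprint_shown)}"')
    kept.append(f"ca {windows_path_arg(ca_path)}")
    return "\n".join(kept) + "\n"


def check_config(ovpn_text: str) -> List[str]:
    """Problems the page's steps warn about; an empty list means the config looks right."""
    found = directives(ovpn_text)
    problems: List[str] = []
    if "cryptoapicert" in found:
        value = found["cryptoapicert"].strip('"')
        if not (value.startswith("THUMB:") and THUMB_RE.match(value[len("THUMB:"):])):
            problems.append("cryptoapicert should read THUMB:<40 hex digits>")
        if "ca" not in found:
            problems.append("no ca line: OpenVPN stops with 'Options error: You must define CA file (--ca)'")
        if "pkcs12" in found:
            problems.append("pkcs12 line still present; remove it when using the certificate store")
    return problems


# Constructed sample: a client config of the kind handed out with a PKCS12 bundle.
SAMPLE_OVPN = "\n".join([
    "client",
    "dev tun",
    "proto tcp",
    "remote vpn.example.invalid 1194",
    r'pkcs12 "C:\\Program Files\\OpenVPN\\config\\alice.p12"',
    "comp-lzo",
    "verb 3",
]) + "\n"
# Constructed thumbprint as pasted from MMC (spaced pairs, leading direction mark).
SAMPLE_THUMBPRINT = "\u200ea1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
SAMPLE_CA_PATH = r"c:\Documents and Settings\alice\example-ca.crt"

if __name__ == "__main__":
    new_config = to_cert_store_config(SAMPLE_OVPN, SAMPLE_THUMBPRINT, SAMPLE_CA_PATH)
    print(new_config)
    print("problems:", check_config(new_config) or "none")
```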

To Do

Learn pre- and post- config so can create drive mappings to mirror my netlogon.bat:
"If a batch file named xxx_pre.bat exists in the config folder, where xxx is the same name as an OpenVPN config file, this will be executed before OpenVPN is launched. If a batch file named xxx_down.bat exists in the config folder, where xxx is the same name as an OpenVPN config file, this will be executed on disconnect, but before the OpenVPN tunnel is closed. Registry value "show_script_window" controls whether _up, _down and _pre scripts should execute in the background or in a visible cmd-line window. Registry value "[pre/dis]connectscript_timeout" controls how long to wait for each script to finish."

Is this an alternative to the Windows certificate store? From http://wiki.cacert.org/wiki/openVPN:
# It's best to use a separate .crt/.key file pair for each client.
# A single ca file can be used for all clients.
cert client-cacert.pem
key client-cacert.pem

There's a patched version of OpenVPN GUI 2.0.1 for non-admin use at http://openvpn.se/development.html but it is an older version of OpenVPN GUI than the current 2.0.4.

Issues

The OpenVPN GUI system tray icon turns green as if it had succeeded in connecting, but this is meaningless: it turns green whenever you ask it to connect, whatever happens. The only way to find out whether it failed to connect is to right-click on the OpenVPN GUI icon and choose View Log.

If you have more than one VPN configuration, all of them will be started and stopped when you choose Connect / Disconnect / Restart.

The addressing scheme of the local intranet your computer is initially connected to (e.g. 192.168.1.0 or 10.0.0.0) could clash with that of the remote intranet or, less likely, the remote VPN network (10.0.10.0/255.255.255.0). I think that even if they do, this is only a problem if there is a specific IP address clash, such as a machine on the local intranet having the same IP address as a server you're trying to connect to.

Troubleshooting

Firefox: you might get the message "The connection has timed out. Server at 192.168.0.10 taking too long to respond". You'll still have Internet access but is the VPN connection up and running? Hopefully you can find this out by looking at the OpenVPN GUI log. Another way is to Start → Run → cmd [Enter] → ping 192.168.0.10 [Enter]. See if you get a positive response, such as: '64 bytes from 192.168.0.10: icmp_seq=3 ttl=240 time=113 ms' or a negative response, such as: 'Destination Host Unreachable'.

Usage
For users with a Windows administrator account
For users with a Windows Limited / Restricted or Power User account

Right-click on the system tray icon and choose Connect | Disconnect | Reconnect. If you've connected successfully you should see 'Initialization Sequence Completed' at the end of the log file.

OpenVPN clients for Linux

The Windows OpenVPN client wouldn't work with UDP, which is the default for the Linux client, so the OpenVPN server is configured to use TCP and the client uses the '--proto tcp' switch.

OpenVPN clients for Debian
Command-line

Package(s)

Usage
You'll need the PKCS12 client certificate file, but not the .ovpn configuration file.

You need to set restrictive permissions on the VPN certificate using chmod 600.
Use the following commands to connect:

Set up the tunnel:
# openvpn --dev tun0 --mktun
Connect:
# openvpn --remote <IP address or hostname of VPN server> --dev tun0 --pkcs12 <filename of certificate>.p12 --client --comp-lzo --proto tcp

You can increase the amount of detail given by openvpn using --verb 5.

GUI

? kvpnc

OpenVPN clients for Ubuntu
Command-line

Package(s)

Usage
You'll need the PKCS12 client certificate file, but not the .ovpn configuration file.

You need to set restrictive permissions on the VPN certificate using chmod 600.
Use the following commands to connect:

Set up the tunnel:
$ sudo openvpn --dev tun0 --mktun
Connect:
$ sudo openvpn --remote <IP address or hostname of VPN server> --dev tun0 --pkcs12 <filename of certificate>.p12 --client --comp-lzo --proto tcp

GUI

Package(s)

You'll need to convert the PKCS12 file into a different format for NetworkManager, details of how to do this forthcoming.

OpenVPN client for Mono

? http://sourceforge.net/projects/openvpn-ad. There are .exe and .deb installers.

OpenVPN client for Java

OpenVPN client for Mac OS X

Tunnelblick (http://www.tunnelblick.net/)

Mac OS X 10.5 Leopard

"But along comes Leopard - with changes such that the low level network drivers don't function anymore (along with other issues in the GUI). With some research, mrz found that a OS X tuntap development team just released new drivers which support Leopard. Still, openvpn won't connect, TunnelBlick won't run, etc, so this weekend I set out to fix the issues. After 3-4 hours of figuring out how the TunnelBlick build setup works, fixing some bugs and adding in the new drivers, I have a working version of TunnelBlick, openvpn and tuntap drivers on Leopard." - Justin

Use Justin's TunnelBlick pre-release of 3.0 (with tuntap drivers and openvpn 2.0.9 with lzo support) http://people.mozilla.com/~justin/Tunnelblick-Leopard-3.0b5.dmg

Mac OS X 10.4 Tiger

Use a pre-release version of Tunnelblick 3.0 (universal binary)

Mac OS X 10.3.9

Use Tunnelblick 2.0.1

OpenVPN client for Symbian

?

OpenVPN client for PocketPC

http://ovpnppc.ziggurat29.com/ovpnppc-main.htm

Workarounds

"You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.

Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center → Windows Firewall → Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below)."

External Router Port Forwarding

OpenVPN

If you have an ADSL/DSL modem-router that holds your public, routable IP address on its WAN interface and does NAT, with your IPCop machine having a non-routable (private) IP address on its WAN interface, then you'll need to add a port forwarding rule. This lets remote users connect to the DSL modem's WAN interface and be forwarded to IPCop behind it; effectively IPCop is at that public IP address.

If on the other hand you have an ADSL/DSL modem acting as a classic router, where the modem's NAT is disabled and it has a routable static IP address on its LAN interface, and where IPCop also has a routable IP address on its WAN interface, then don't use port forwarding. Instead disable the firewall on the DSL modem, as it will block the VPN traffic to the IPCop machine. For example, with a Netgear DG834G this is done by choosing 'NAT: Disable firewall'.

Port forwarding rules may otherwise be called firewall rules or virtual servers. Before you can enter the port forwarding you may have to add a custom service specifically for OpenVPN.

Add the following:

Troubleshooting

There might be a log available in the DSL modem. This is an example of a working OpenVPN connection:
Tue, 2007-08-14 11:14:36 - TCP Packet - Source:192.168.1.2,53828 Destination:214.154.22.165,1194 - [OpenVPN rule match]

1.4 VPN Client Key Management / Key Storage

Secure Private Key Storage for Linux? http://ask.slashdot.org/askslashdot/07/03/01/237209.shtml

1.5 VPN Client Key Security

1.6 Hardware

Your Internet connection speed is going to determine how quickly things work. Usually your outgoing (upstream) rate doesn't noticeably affect you, as it's little used, and it's correspondingly much slower than your incoming rate. Now that traffic flows from the VPN host out to the VPN client, the upstream rate has a great bearing on how responsive the software is; you've turned things around and are using your connection the opposite way from how it's typically used.

1.7 References

HowTo: Securely get into your office network using WindowsXP over the Internet http://domain-logic.com/support/secure_tunnel_XP.htm I think this is for using a Windows client to connect to a Windows VPN server

Linux VPN Masquerade HOWTO by John D. Hardin http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html

Ubuntu Linux laptop roadwarrior to IPCop VPN 1.4.6 http://ubuntuforums.org/archive/index.php/t-50688.html

TheGreenBow IPSec VPN client for Windows: http://www.thegreenbow.com/vpn.html

Installation and Configuration of a Linux VPN Client to SmoothTunnel: http://www.smoothwall.net/support/knowledge/view.php?id=42

?

RoadWarrior VPN Connection to IPCop using OpenVPN: http://ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=OpenVPNHowto

IPCop 140 Road Warrior Vpn Howto: http://www.ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=IPCop140RoadWarriorVpnHowto

HowTo: Securely get into your Private Network using a PPTP tunnel through the Internet: http://domain-logic.com/support/secure_tunnel.htm (Windows 2000 and XP instructions)

VPN to SME Server through IPCop: http://www.tech-geeks.org/geeklog/article.php?story=20040223114208788

"here is a good article on client setup: http://domain-logic.com/support/secure_tunnel.htm "

Easy to use freeware/open Source windows VPN clients?: http://www.firewall.cx/ftopict-1755.html

Using a Linux L2TP/IPsec VPN server: http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

VPN HOWTO by Matthew D. Wilson http://www.tldp.org/HOWTO/VPN-HOWTO/

Client software for Linux: http://pptpclient.sourceforge.net/

1.8 Accessing Intranet Services

Currently, through the VPN and using a web interface, you get mail through Squirrelmail and eGroupWare. Add VNC Viewer and you get full access to a machine, including file transfer.

[checkout smb2www - A Windows Network client that is accessible through a web browser With this package you will be able to browse a Windows Network using a standard web browser. It is based upon the samba package.]

Using A Web Browser

Using a web browser you can access email in particular using Squirrelmail and groupware features using eGroupWare.

Using Windows Machines To Access Intranet Services

Native Windows Applications Installed On Servers

Connect to a shared drive:

For running software applications, have them installed on the server so you can run them from there. With this approach, where you haven't logged into a domain, when you run applications you will only see a shared profile (settings etcetera) if it is kept somewhere other than in your Windows profile (which, if you'd logged into a domain, would have been downloaded to you when you logged in). For example, Pegasus Mail is fine because you enter your username manually and it finds your profile in the mail directory, which is located centrally. Whereas, in comparison, your web browser bookmarks are likely to be in your Windows profile. When you run the web browser over the VPN, the browser looks to your Windows profile, which in this case is on the computer you're now sitting at.

Things that are specific to your environment when you normally log in to a domain, and that you won't have when working this way without one:

1.9 Administrator's Questions For Users

What operating system, and specific version, are you using?

For example 'Windows XP Home, Service Pack 2'

If you're to use Windows XP it's probably going to be an absolute must that you have Service Pack 2 installed (it's a service pack specifically focusing on fixing an enormous amount of the legacy poor security practices that Microsoft had built up going back years)

To find out, press the Windows key, then with it held down, press the Pause/Break key; it will bring up a window that should say under 'System:' something like 'Microsoft Windows XP Professional Edition Version 2002 Service Pack 2' (if you don't have those keys you can go to 'System' in the Control Panel).

What privileges does the user you log in to your operating system as have? (i.e. if Windows, then administrator, power user or restricted user?)

To find out, using Windows XP in Classic mode go to Start → Settings → Control Panel → User Accounts, and it should give you a list of the accounts with wording describing them as something like 'Computer administrator', 'Limited account' etcetera. Look for the name you log in as and see what type of account it is.

(I ask because if you're logged in as an administrative user, browsing random web pages, then you're vulnerable to the many security vulnerabilities that crop up in Windows whereby a web page can have malicious code built into it that can do _anything_ to your computer, such as delete all your files or install software. Almost invariably you are only at risk from such maliciousness if logged in as an Administrator, and probably as a Power User, which is why at work and elsewhere I set people up to have only 'Restricted' / 'Limited' accounts.)

Is your operating system regularly updated with fixes for security vulnerabilities?

What firewalling software (whether personal firewall or stand-alone firewall) do you use?

How do you connect to the Internet? Is it through a DSL modem? If so, is it connected to your computer using a USB cable or a networking cable? What make and model is it?

What are you using it for?

For example, are you browsing random web pages?

Do you know if your Internet service provider gives you a 'static' or a 'dynamic' IP address?

We don't need a static address for the VPN, but for reference it would be useful to know, if you can find out.

What software at work do you need to use?

Exactly what software do you have installed on your computer? If you go to Control Panel → Add/Remove Programs it will give you a list. Tell me everything apart from the Windows updates / security fixes (if it shows them). Sorry, I don't know a reliable way to copy and paste a list of installed software.

What places on the network do you need to have access to, i.e. S: on the server?

What computer are you using? Tell me what you can of the CPU and its speed, and the amount of memory (a.k.a. RAM).

If you use Windows XP, do you have the Windows XP firewall turned on?

If you use Windows XP, does it have Windows Automatic Updates turned on (Control Panel → Windows Automatic Updates) and is it running properly, installing updates?

Does anyone else use your computer? if so what do they use it to do?

Would you be averse to having an additional computer in your home that worked as a firewall?

(I'm not saying it's necessary but it would be useful to know if it's plausible)

Would you be willing to not use the operating system that's installed on your computer and instead boot off a CD when you wanted to do work, using a GNU/Linux operating system?

(That we know was untainted as it ran off CD.) (Again, it may not be necessary; I just need to know what's plausible.)

I doubt now it'll be necessary, but for reference it wouldn't be that different. Such a method is the easiest option of all from a security perspective, as if we did it we wouldn't have to consider any other aspect of how the computer was being used or set up etcetera.

What web browser and version do you use?

If it's locked down in order to be more secure, please describe in what way.

What email program is either of you using?

What anti-virus software is being used and is it regularly auto updating itself? (both the program and its definitions/updates)?

VNC

Use VNC for access to workstations.

VNC Server

VNC server for Windows

Download 'Ultr@VNC 1.0.2 Setup' from http://www.uvnc.com/ and install to a workstation. As of this writing the current version is 1.0.2, with version 1.0.3 expected soon (we've had problems in testing 1.0.3 RC6 with the service under Windows 2000 so are recommending 1.0.2 unless you use Windows Vista).

Make the following choices for parts to install:

Choose only the following options during installation (deselect the other options):

Reboot the system to make sure it starts OK.

Settings

Until you enter a VNC password the UltraVNC service won't run.

Get to the configuration section using Start → Programs → UltraVnc → Run server as application. Right-click on the system tray shortcut → Admin Properties →

If you have the Windows Firewall in Windows XP turned on you will have to configure it to allow UltraVNC to work. It seems either UltraVNC will create a setting for it that is turned off, which you should turn on; or when you first run UltraVNC the Windows Firewall will display a dialog asking if you want to allow UltraVNC; or you will have to add the UltraVNC program manually through Control Panel → Windows Firewall.

MS Logon Issue

I wanted to recommend turning on MS Logon with the 'Configure MS-Logon II' option so that VNC used Windows domain accounts for authentication. However, the UltraVNC authors have implemented this feature through non-standard additions to the VNC protocol. If you enable MS Logon you cannot connect using a different VNC program, such as from GNU/Linux operating systems, where there is no UltraVNC client available but there are plenty of other VNC clients. So for now we recommend the single VNC password approach.

The problem manifests itself in Debian GNU/Linux with the following error when the username field is set to 'username@domain-name.localdomain':

CConnection: server supports RFB protocol version 3.4
CConnection: Using RFB protocol version 3.3
main: your connection has been rejected

And with the following when the username field is set to 'username':

CConnection: server supports RFB protocol version 3.4
CConnection: Using RFB protocol version 3.3
unknown 3.3 security type -6
main: unknown 3.3 security type

Here are links on the issue that I found:
The problem isn't the upgrade from UltraVNC Server 1.0.1 to 1.0.2 that was supposed to fix a security flaw with MS domain logon II.
Client VNC programs don't even describe which version of the RFB protocol they support.
The RFB protocol is defined in a document at http://www.realvnc.com/docs/rfbproto.pdf.
Wikipedia claims there are RFB protocol versions 3.3, 3.7 and 3.8.
Somewhere with a related, unanswered question: http://forum.ultravnc.info/viewtopic.php?t=8425&view=previous
A patch: http://www.realvnc.com/pipermail/vnc-list/2004-May/045424.html
Possibly related: http://www.realvnc.com/pipermail/vnc-list/2004-May/045425.html
Someone else with the problem: http://linux.derkeiler.com/Newsgroups/comp.os.linux.networking/2006-08/msg00846.html
Developer discussion: http://www.realvnc.com/pipermail/vnc-list/2000-June/014774.html, http://www.realvnc.com/pipermail/vnc-list/2000-August/015937.html
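To see why a standard client rejects the MS Logon server, here is an added example (not from the original page or from UltraVNC) that walks through the RFB 3.3 handshake the Debian viewer log above shows: the server announces version 3.4, the client falls back to 3.3, and the server then sends a 4-byte security type that a stock client does not recognise. The sample bytes are constructed to mirror the log; the assumption that the viewer understands only RFB 3.3, 3.7 and 3.8 is mine.

```python
import struct

# Security types a stock RFB 3.3 client understands (RFB spec, security handshake).
STANDARD_SECURITY_TYPES = {0: "connection failed", 1: "None", 2: "VNC Authentication"}

# Constructed sample handshake mirroring the viewer log above: the server
# announces 3.4, then (in 3.3 mode) sends security type -6.
SAMPLE_SERVER_VERSION = b"RFB 003.004\n"
SAMPLE_SECURITY_BYTES = b"\xff\xff\xff\xfa"  # 0xFFFFFFFA == -6 as a signed int32


def parse_protocol_version(msg: bytes) -> tuple:
    """Parse the 12-byte 'RFB xxx.yyy\\n' ProtocolVersion message into (major, minor)."""
    if len(msg) != 12 or msg[:4] != b"RFB " or msg[7:8] != b"." or msg[11:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message: %r" % msg)
    return int(msg[4:7].decode()), int(msg[8:11].decode())


def choose_client_version(server_major: int, server_minor: int, supported=(3, 7, 8)) -> tuple:
    """Reply with the highest version the client knows that is not above the server's.
    'supported' is an assumed 3.3/3.7/3.8 client, which answers 3.4 with 3.3 as in the log."""
    if server_major != 3:
        raise ValueError("unsupported RFB major version %d" % server_major)
    usable = [m for m in supported if m <= server_minor]
    return 3, (max(usable) if usable else 3)


def parse_security_type_33(data: bytes) -> tuple:
    """RFB 3.3: the server picks the security type and sends it as one 4-byte word.
    It is read signed here so the value matches what the viewer printed (-6)."""
    (stype,) = struct.unpack(">i", data[:4])
    return stype, STANDARD_SECURITY_TYPES.get(stype, "non-standard (unknown to a stock 3.3 client)")


def diagnose_handshake(server_version: bytes, security_bytes: bytes) -> dict:
    """Report whether a stock RFB client would get past the security handshake."""
    smaj, smin = parse_protocol_version(server_version)
    cmaj, cmin = choose_client_version(smaj, smin)
    stype, desc = parse_security_type_33(security_bytes)
    return {
        "server_version": "%d.%d" % (smaj, smin),
        "client_version": "%d.%d" % (cmaj, cmin),
        "security_type": stype,
        "standard": stype in STANDARD_SECURITY_TYPES,
        "verdict": desc,
    }


if __name__ == "__main__":
    for key, value in diagnose_handshake(SAMPLE_SERVER_VERSION, SAMPLE_SECURITY_BYTES).items():
        print("%-16s %s" % (key, value))
```

Feeding the same functions the first 16 bytes of a packet capture from a server with MS Logon turned off should yield security type 2 (VNC Authentication), which any viewer accepts.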

VNC server For Linux

You don't need a VNC server for the Linux command-line, as you can instead use the OpenSSH server and client programs. But you will want one if you need to see GNOME or KDE.

Both GNOME and KDE incorporate VNC / remote desktop server features. GNOME includes Vino, which is enabled and configured using Desktop → Preferences → Remote Desktop. KDE includes krfb.

VNC Viewer

For basic viewing it doesn't seem to matter what client you choose to use, though if you want extended features, such as file transfer and domain logon, you may need to match the viewer with the server.

Add your VPN connection to the allowed connections of any personal firewall software.

VNC Viewer For Windows

UltraVNC viewer

UltraVNC Viewer settings: Auto Scaling - on - allows you to see the whole screen in your VNC viewer window

VNC Viewer For Linux command-line

xvnc4viewer

VNC Viewer For GNOME

xvnc4viewer

tsclient - an rdesktop (terminal server / Windows XP remote desktop) / X / VNC client. Applications → Internet → Terminal Server Client

VNC Viewer For KDE

KDE by default includes krdc.

VNC Viewer For Java

Perhaps TightVNC's Java viewer

VNC Viewer For Symbian

? http://www.imhotek.com/06/products/vnc.shtml

? http://sourceforge.net/projects/symvnc/

? http://vnc-for-symbian.en.softonic.com/ie/22483

SSH

SSH Server

SSH server for Linux

openssh-server

SSH Client

SSH Client For Windows

PuTTY - http://www.chiark.greenend.org.uk/~sgtatham/putty/

SSH Client For Linux

openssh-client

SSH Client For Symbian

PuTTY for Symbian OS: http://s2putty.sourceforge.net/

To Do

Run OpenVPN GUI on Windows as a non-administrative user

EasyRSA on Debian for an OpenVPN CA

carpaltunnel - Configuration helper for OpenVPN

OpenVPN on Knoppix 4.0.2: http://www.knoppix.net/wiki/OpenVPN_on_4.0.2CD

Appendix 1 - Notes From Trying IPCop's built-in ipsec / openswan VPN

BUG: http://www.ipcop.org/1.4.0/en/admin/html/vpnaw.html 7.4.2.1. Host-to-Net Connection - in IPCop, despite choosing Host-to-Net Connection I still get 'Remote Host/IP:' in the setup screen

Is it possible to connect to ipcop's VPN using Windows' built-in ipsec tools? If the windows client is behind a NAT, then it won't work. If the windows client can access the RED interface directly, then it should work.

IPSec tunnels over the LAN connection, so you need one.

The following is an error you get when behind NAT:

'cannot respond to IPsec SA request because no connection is known for <client IP ADDRESS>:17/1701...<destination(?) IP ADDRESS>:17/1701'
'"vpn"[12] <destination(?) IP ADDRESS> #12: sending encrypted notification INVALID_ID_INFORMATION to <destination(?) IP ADDRESS>:500'

TauVPN needs ipseccmd from the 'XP support tools'.

It's not as easy as it should be.

The Linsys IPSec tool does not need the support tools; at least, it didn't say it did.

Blue VPN mini-tutorial/experience http://www.ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=IPCop140BlueVpnHowto

Subcontracting VPN Solutions? http://ask.slashdot.org/article.pl?sid=04/11/24/1720247

Low Cost VPN Solutions? http://ask.slashdot.org/article.pl?sid=05/01/03/1617208

VPN HOWTO http://www.tldp.org/HOWTO/VPN-HOWTO/