Security Project

(my notes)

Open Source

 

What are fingerprints?

What is the difference between SHA1 and MD5?

Go to a page that shows screen shots of GPG Preferences

Go to a page that shows screen shots of NetGear FVS 318 Settings

From Netgear

How to Connect NETGEAR VPN Client Software to FVS318

Hub-and-Spoke VPN using NETGEAR VPN Firewalls

How is Port Forwarding Configured?

What NETGEAR products work with Macs?

Because networking is based on industry standards, Macs and PCs are designed to network. NETGEAR develops its products to those standards, so most of our products work equally well with Macs and PCs. That being said, some products must be designed specifically for Macs. For network adapters (aka NICs, Ethernet cards), Mac-specific equipment from Apple or other vendors is needed.


O'Reilly Network

VPN's

VPNs and Public Key Infrastructure

Deploying a VPN with PKI


Q: How can I connect to a machine that is behind a Cable/DSL Modem or NAT Firewall?

A: When working through a network address translation (NAT) device like a Cable/DSL Modem, Router, or Firewall you will need to set up "Port Forwarding" on the device to forward the VNC port (5900 by default) from that device to the internal IP address of the machine running OSXvnc (the internal IP will look like 192.168.X.X, 10.X.X.X, or 127.0.0.X). For further details on setting up port forwarding please read your device's documentation or refer to the following helpful website: http://www.portforward.com.

Not all devices offer port forwarding; for those that do not, you can set your Mac to be the designated DMZ host for the NAT, but this has the effect of forwarding ALL ports from the internet to your Macintosh. If you need to go this route we highly recommend you enable the Firewall on your MacOS X machine and ONLY allow port 5900 to pass through.

Once the port for VNC has been directed toward your Macintosh you should be able to connect via an external VNC client to your Network's External (or WAN) IP address. This number will be substantially different from the internal IP of your computer and can usually be found by looking at the modem configuration information or else by visiting this handy page from the machine running OSXvnc to get your IP and check your VNC access: http://www.gotomyvnc.com

Q: How can I have my connection to OSXvnc tunnel through SSH?

A: Since MacOS X ships with SSH support built in this is pretty easy. First you will want to make sure your VNC machine has SSH running. You can turn this on in the System Preferences -> Sharing Panel by checking the box for "Remote Login". Then you need an SSH client on the machine you want to connect from (again, it's there by default on MacOS X). For the rest of the instructions read the VNC page http://www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/sshvnc.html.

If you use the "-localhost" option in OSXvnc you will need to literally specify "127.0.0.1" when you make your ssh port forwarding call, like this example: ssh -L 5905:127.0.0.1:5900 mydomain.com

(from: http://www.redstonesoftware.com/osxvnc/OSXvnc.html)
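A check to go with the "-localhost" and SSH tunnel setup in the FAQ above, added here as an example (it is not from the OSXvnc page): run on the VNC machine, it connects to port 5900 on loopback and on each of the machine's own addresses and reports where a VNC server answers with its RFB version banner. It assumes "-localhost" makes the server listen on loopback only, so only 127.0.0.1 should answer; the function names and the 192.0.2.1 lookup address are choices made for this example.

```python
import socket

RFB_PREFIX = b"RFB "  # an RFB (VNC) server opens with a 12-byte "RFB xxx.yyy\n" banner

def probe_vnc(host, port=5900, timeout=2.0):
    """Return the RFB version banner if a VNC server answers on host:port, else None."""
    banner = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            while len(banner) < 12:
                chunk = s.recv(12 - len(banner))
                if not chunk:
                    break
                banner += chunk
    except OSError:  # refused, unreachable or timed out
        return None
    if not banner.startswith(RFB_PREFIX):
        return None  # something else is listening on that port
    return banner.decode("ascii", "replace").strip()

def local_addresses():
    """Best-effort list of this machine's non-loopback IPv4 addresses."""
    addrs = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    try:
        # A UDP connect sends nothing; it only asks the kernel which source address it would use.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
            u.connect(("192.0.2.1", 9))  # documentation-range address, never contacted
            addrs.add(u.getsockname()[0])
    except OSError:
        pass
    return sorted(a for a in addrs if not a.startswith("127."))

def audit(port=5900, addresses=None):
    """Map each probed address to its banner (or None); loopback is always included."""
    extra = local_addresses() if addresses is None else list(addresses)
    return {addr: probe_vnc(addr, port) for addr in ["127.0.0.1"] + extra}

def exposed(results):
    """Non-loopback addresses on which a VNC server answered."""
    return [a for a, banner in results.items() if banner and not a.startswith("127.")]

if __name__ == "__main__":
    results = audit()
    for addr, banner in results.items():
        print(f"{addr}:5900 -> {banner or 'no VNC answer'}")
    print("EXPOSED beyond loopback:" if exposed(results) else "OK: loopback only", exposed(results))
```

This only covers the machine's own interfaces; whether the router still forwards port 5900 from the WAN side has to be checked from outside the network.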


Date: Fri, 21 Jun 2002 10:22:40 -0400 From: Subject: VPN needs

Jeff may want to take a look at Netgear's new FVS318 broadband router. It retails for around $150 and includes the ability to IPsec tunnel between multiple sites. Of course, this would require a broadband connection (which I am assuming he is going to use) and it would NOT tunnel AppleTalk, but that shouldn't be a problem in the larger WAN picture (he shouldn't desire WANing AppleTalk, it is too chatty for WAN). This would also alleviate any need to run special software on clients or servers.

I have not yet used the product, but have a client with 2 ready to go (just waiting for the DSL). I have used other Netgear products (with good results) and the feature set of this firewall is quite impressive. It requires at least 1 static IP address, and setup documentation is available from Netgear's site.

Date: Sat, 21 Dec 2002 15:07:44 -0500 From: Subject: Wireless Guide response

I would like to reply to Kelly Neill's question concerning Remote Management behind NAT. Another solution from those mentioned would be to install a broadband router with VPN support, such as the Netgear FVS318 or the Asante VR2004.

By using one of these routers a VPN tunnel can be set up between any two IPs on the Internet. That way any of the Macs on the internal LAN will be visible, without resorting to configuring the NAT ports on the WAN side for Timbuktu.

The VPN tunnel can be set up either between two of these routers, or between the built-in OS X 10.2.x VPN client and the router. A useful tool for using the built-in VPN client is VaporSec.

(from: http://www.macintouch.com/vpnnortel2.html)


Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.