Saturday, May 26, 2012

NoMachine for Remote Desktop through a VPN (with port restrictions)

What Happended?  

I have been happily 'doing' a VPN from my home to my office work rig for quite a while. My home workstation is a simple Latitude D820 laptop with Fedora 16 (32bit).  I VPN using CheckPoint SSL Extender (snx). The target rig (work desktop) is a Dell t3400 (the one with the 3heads) workstation running Fedora 15 (32bit).  I have xrdp running on that and all is well: I can get to my workstation from just about anywhere and from any client.

After an unknown series of events, my vpn/xrdp connection became un-usably slow. My home broad band is residential Verizon FIOS 35/35 Mbs. Long story short, I actually wound up pointing the finger at software, rather than my home LAN after proving my FIOS services didn't appear to be the problem.

There is no shortage of NoMachine HowTo and setup guides out there.    I just google one up and followed that.    But that didn't really help as NoMahine's wire protocol just seems to be ssh (at least in default).   That wouldn't work as after my VPN is established I can really only use port 3389 to/from work.   FYI, 3389 is the RDP port.

Ok move, ssh to 3389.   But what if my NetAdmins are actually blocking protocols not just ports?    Rolled the dices and reset my SSHd to be on 3389; voila they aren't.   Now I have ssh access via my VPN.   I then discovered you can have SSHd listen on more than one port.   After editing /etc/ssh/sshd_config and adding 2 'Port' lines and restarting sshd.   I could now ssh to both 22 (the norm) and 3389.

The rest of the setup is boring and somewhat routine; go google it.    But now I can ssh/NoMachine via my VPN.     On the balance NoMachine seems a whole lot faster than xRDP while it is not quite as ubiquitous as RDP.

Here are some updates on this (as of 7/28/2012)

I got a new machine at work, and rolled out F17x64.    Here are a few things that I bumped into:

  • SELinux may block sshd from restarting with port 22 and 3389.   You can remedy with a command like:   semanage port –a –t ssh_port_t –p tcp 3389
  • /etc/sshd/sshd_config is set to only look at '.ssh/authorized_keys' and is seems that nxserver likes to use  '.ssh/authorized_keys2'.  Comment out 'AuthorizedKeysFile      .ssh/authorized_keys' ins sshd_config and restart sshd  (systemctl restart sshd.service).  Or   you could teach nxserver how to use authorized_keys2 or maybe just rename it....(this files lives in /usr/NX/home/nx/.ssh)