****** UPDATE 2009/01/12
Fix on the port numbers used as example. Port numbers must not be bigger than 65535.
Thanks Mike for noting this.
First of all, for simplicity, let’s assume we have a desktop at home that we want to connect to (control remotely) using a laptop while we are at a friend’s home. We will use Remote Desktop to connect from the laptop to the home desktop. The home network is behind a router (firewall) compatible with Tomato (ex: Linksys WRT54GL).
Remote Desktop is a server application that uses TCP/IP network to enable remote control of a machine. It opens the port 3389 to handle network communications. By default Remote Desktop is disabled on Windows XP.
How to enable Remote Desktop on Windows XP (on the home desktop):
At this point, Windows can handle remote connections. In order to do it through the Internet you could simply forward the port 3389 from your router to the actual machine but at the same time you would expose your machine to the whole world. If you can do it, somebody else can try too.
Instead, we use a 3rd party firmware (called Tomato) on the Linksys router. This firmware allows us to connect using SSH (a secured command line shell).
With SSH we can create encrypted communication links (called Tunnels) between the laptop and the router. SSH protocol requires a server that will also open a listening port. We need to login to this server to establish the SSH connection and create tunnels.
Why this instead of just opening Remote Desktop port (3389)?
- Because we will use a *different password* (will we? well we should… and a strong one!) than the one on your computer.
- If we would have multiple computers to remote desktop to, we wouldn’t need to open additional ports, just create additional tunnels instead.
- If somebody cracks our router password, he is still limited in he can do, he has to guess/find our machine and crack its password.
- We can make SSH connection more secured by using a key file. This file is needed to establish the connection link, so another level of difficulty for a pirate…
- The communication is encrypted between the two ends of the Tunnels (more privacy)
So how to enable the SSH Server on the Tomato firmware?
The home computer is enabled for remote desktop and the router is configured for SSH. Now we need to establish the SSH connection/tunnels, so put the laptop on the backpack and let’s ride to our best friend! Since the laptop is also running Windows XP, we are going to use PuTTY, an open source SSH client software (download it here).
Let’s configure PuTTY:
When we are going to open the SSH connection, PuTTY will open a local port defined by “source port”. All the communication to that port will be encrypted and forwarded on the LAN to the destination address and port specified (ex: 192.168.1.15 port 3389).
Now let’s login to SSH Server
The only step left is to run Remote Desktop Connection software on the laptop:
Voilà we are now controlling the home desktop from outside the house using the laptop!
Specifications of the software used in this post:
|Tomato firmware version||1.21.1515|
|Windows version||Windows XP Service Pack 3|