Pascal's blog » ssh

Remote Desktop through SSH with PuTTY and Tomato firmware

Pascal — Sat, 06 Sep 2008 14:00:46 +0000

****** UPDATE 2009/01/12

Fix on the port numbers used as example. Port numbers must not be bigger than 65535.

Thanks Mike for noting this.

************************

First of all, for simplicity, let’s assume we have a desktop at home that we want to connect to (control remotely) using a laptop while we are at a friend’s home. We will use Remote Desktop to connect from the laptop to the home desktop. The home network is behind a router (firewall) compatible with Tomato (ex: Linksys WRT54GL).

Remote Desktop is a server application that uses TCP/IP network to enable remote control of a machine. It opens the port 3389 to handle network communications. By default Remote Desktop is disabled on Windows XP.

How to enable Remote Desktop on Windows XP (on the home desktop):

Start the system properties in the Control Panel (or right click “My Computer” and click properties).
Go to the “Remote” tab.
Enable remote desktop by checking “Allow users to connect remotely to this computer”.

Note 1: Don’t forget to set a password on the user you intend to use to connect remotely because Remote Desktop will prevent connection with blank passwords.

Note 2: By defaut, only users with the administrative priviledges are allowed to connect remotely.

At this point, Windows can handle remote connections. In order to do it through the Internet you could simply forward the port 3389 from your router to the actual machine but at the same time you would expose your machine to the whole world. If you can do it, somebody else can try too.

Instead, we use a 3rd party firmware (called Tomato) on the Linksys router. This firmware allows us to connect using SSH (a secured command line shell).

With SSH we can create encrypted communication links (called Tunnels) between the laptop and the router. SSH protocol requires a server that will also open a listening port. We need to login to this server to establish the SSH connection and create tunnels.

Why this instead of just opening Remote Desktop port (3389)?

Because we will use a *different password* (will we? well we should… and a strong one!) than the one on your computer.
If we would have multiple computers to remote desktop to, we wouldn’t need to open additional ports, just create additional tunnels instead.
If somebody cracks our router password, he is still limited in he can do, he has to guess/find our machine and crack its password.
We can make SSH connection more secured by using a key file. This file is needed to establish the connection link, so another level of difficulty for a pirate…
The communication is encrypted between the two ends of the Tunnels (more privacy)

So how to enable the SSH Server on the Tomato firmware?

Login to Tomato’s web interface
Go to Administration / Admin Access
In SSH Deamon section, set the following :
- Enable at startup: checked
- Remote access: checked
- Remote port:
  (ex: 5555 — used from Internet)
- Port: 22
  (used from inside the LAN)
- Authorized Keys:
  (for simplicity of this post)

Note: Even if the screenshot shows this, we should use a different port than 22 (or 2222). If somebody discover our machine using a port scanner, he will have to guess what is the protocol (is it SSH, RDP, HTTP, FTP, etc?). If we leave the default, the guess is easy.

The home computer is enabled for remote desktop and the router is configured for SSH. Now we need to establish the SSH connection/tunnels, so put the laptop on the backpack and let’s ride to our best friend! Since the laptop is also running Windows XP, we are going to use PuTTY, an open source SSH client software (download it here).

Let’s configure PuTTY:

Start PuTTY and fill the information of the first tab:
- Host name or IP Address:
- Port:
  (ex: 5555)

Configure tunnels in Connections / Tunnels tab:
- Enter a source port:
  (ex: 15338)
- Enter a destination address and port: :
  (ex: 192.168.1.15:3389)
- Local: Checked
- Auto: Checked
- Click add button

Note: The destination address and port is the address of our home desktop which is often in the range of 192.168.x.x depending on the router. Our Linksys uses 192.168.1.x range by default. IP address could be anything within the range when address is assigned by a DHCP server. To make sure the desktop computer always have the same IP address, we can set a fixed address or configure Tomato DHCP server to always assign the same (see this post)

When we are going to open the SSH connection, PuTTY will open a local port defined by “source port”. All the communication to that port will be encrypted and forwarded on the LAN to the destination address and port specified (ex: 192.168.1.15 port 3389).

Now let’s login to SSH Server

Click the Open button, a black screen should appear.
We now have to enter the router’s username and password

The only step left is to run Remote Desktop Connection software on the laptop:

Open up remote desktop and specify the computer:
- localhost:
  (ex: localhost:15338)
Click connect

Voilà we are now controlling the home desktop from outside the house using the laptop!

Specifications of the software used in this post:

Tomato firmware version	1.21.1515
PuTTY version	0.60
Windows version	Windows XP Service Pack 3

Tomato firmware: Remote desktop through SSH, using Wake-On-Lan and configuring LAN Hostnames

Pascal — Thu, 14 Aug 2008 03:34:28 +0000

Hi,

I’ve been using 3rd party firmware for my Linksys WRT54GL router for some time. I’ve used DD-WRT, OpenWRT and finally Tomato. I switched from DD-WRT (for a reason I can’t remember) to go with OpenWRT. I learned a lot on OpenWRT and really like their Kamikaze version. The work they did for making it more like a standard distribution (no more NVRAM variables) is really cool. Finally I recently moved to Tomato because of the lack of User Interface of OpenWRT (Yes I could use X-WRT but I tried it before and prefered to explore Tomato…). When I feel lazy I prefer to use a GUI than go to the CLI…

Now that I am more familar with my WRT (thanks to OpenWRT and all its documentation), it has been pretty easy to configure Tomato (firmwares are different, but in the end, they often use the same tools… busybox, dnsmasq, etc.). I have some specific needs that drove me to install a 3rd party firmware in the first place:

I need to be able to access my computers from the internet using remote desktop
But I don’t want to leave my computers open all day long for nothing, so I need to be able to use Wake-On-Lan to power them up remotely
I don’t want to open remote desktop port (3389) on the firewall
I want to use DHCP server, but I need to set some specific address (static DHCP) on some computers
(so port forwarding is always configure correctly for my P2P machine…)
I need to be able to use the same domain name (ex: mysite.dyndns.org) with my laptop no matter if I connected to my LAN or to a public network (through the Internet)

My Solution:

Feature	Tomato Configuration
Access my computers from the internet using remote desktop.	I setup an account with dynDNS. It is free up to 5 domain names (if I remember correctly).This account allows me to use a software to update a domain name with my new IP address when my ISP changes it. From the internet I can just connect to my router using example.dyndns.org.Most routers supports dynDNS (and some others as well) natively. I enabled the SSH Deamon (Administration / Admin access)Enabled at Startup: checked Remote Access: checked Remote Port: [your choice] Allow Password Login: checked When I want to connect to my computers, I use a SSH client software (PuTTY) to connect to my router.PuTTY allows me to configure SSH Tunnels so I can redirect a local port to a remote machine on my LAN without opening any additionnal ports.
I need to power up my computers only when needed.	This requires the Wake-On-Lan feature.Most modern computer has this feature (My old Pentium 2 266Mhz had it back in 1998) but you usually have to turn the feature ON in your computer BIOS because it is often disabled by default.When you want to power-up a computer, all you need is its mac address (in Windows, you can find it by running IPCONFIG at the command line) and a software that will broadcast a “magic packet” on your LAN.Tomato has a built-in software called ether-wake that does the job.My configuration is like this:On startup of the router, generate a file called wakeup-mycomputer.sh that will be placed in the root home directory. This file will contain the command able to wake-up the computer you want. Then when you logon to your router using SSH (from the LAN or the Internet), you can issue this command “sh wakeup-mycomputer.sh” and you’re done. You wait a little bit (until your computer responds to ping) and use the steps of the previous feature to connect remotely… How to achieve this: In the Initialization script of the firmware (Administration / Scripts / Init tab), type this: `echo "/usr/bin/ether-wake 01:23:45:67:89:AB" > /tmp/home/root/wakeup-mycomputer.sh` (change 01:23:45:67:89:AB to the mac address of the computer you want to wake-up) Save and reboot the router, you should see the file “wakeup-mycomputer.sh” appear in the root home directory when you connect using SSH. Try it “sh wakeup-mycomputer.sh” Note: for the wake-on-lan to work, the computer must have been turn off (soft off). After a power outage or a hard off (unplug, press power off for 5 seconds) the wake-on-lan may not work. Just turn on the computer manually and perform a shutdown. Note2: I found out that some Linux distribution does not “soft off”. With Ubuntu 8.04, for example, I needed to add a command in the shutdown script… can’t remember. Just post a comment if you want me to digg it again…
Configure static DHCP addresses.	This is easy, just navigate to the Tomato “Basic / static DHCP” menu item. Use the mac address of the computer you want a fix address and the address you want for it.
Use the same domaine name inside the LAN and outside (from the Internet).	When I am connected from the Internet, my domain “example.dyndns.org” resolve to my router public address which forward the port to the right LAN machine.When I am on the LAN, I want to be able to connect using “example.dyndns.org”. But if this domaine resolve to the public address of the router while you are already in the LAN, it does not work. To correct the problem, you could use a host file on your LAN computers, but when you have a laptop that is sometimes on the LAN, sometimes on an external network, you would need to enable/disable your host file every time…The way I succeed to anwer my need, is by providing a host file to the router. I found 2 ways with the Tomato firmware: First way is explained here on Tomato FAQ. Unfortunately, I needed to provide multiple host names (domain name) to the same IP address, you can do it by separating them with a space, but Tomate host name field is not wide enough for me. So my solution goes like this: Create a host file with my ip / host bindings at router boot time (before firewall is started). In “Administration / Scripts” menu item, on “Init” tab, place the following lines (use your IP addresses and domain names): `echo "192.168.1.xxx example.dyndns.org" > /tmp/hosts.local echo "192.168.1.yyy example2.dyndns.org" >> /tmp/hosts.local` Configure the firewall (dnsmasq) to use this additional host file. In “Advanced / DHCP/DNS” menu item, in custom configuration, place this to enable your custom host file: `addn-hosts=/tmp/hosts.local` Save and reboot the router. Test by doing a ping of you domain names (ping example.dyndns.org). The result should be your configured local IP addresss, not the router’s public IP address.