
Monday, December 22, 2014

*Security: Road Warrior Remote Access - control a PC from iOS or Android


NOTE: This page has moved to https://datamakes.com/2014/12/22/road-warrier-remote-access-control-a-pc-from-android-or-ios/

Don't you wish that you could bring something more portable - such as a tablet or cell phone?  They are so much lighter, easier to carry, and may have a battery that lasts longer than your laptop.

But.....there is always that fear that you will need a file from your machine at home or want to use one of those rare applications that does not have a mobile equivalent.

Fear no more - you can have the best of both worlds by following this "Road Warrior Remote Access" guide.  This tutorial will show you how to configure a machine to be remotely available to you in a secure fashion.

Road Warrior Architectural Decisions

When designing this solution, I tried to stick to a few simple architectural decisions, which are:
1) It had to be secure - no, very secure
2) I didn't want to rely on any 3rd party relay or proxy service
3) I wanted to use well-proven open-source software, when possible
4) Keep the cost as small as possible, with a strong preference on avoiding subscription based services
5) It has to be available from computers, Android tablets and phones and Apple tablets and phones

Road Warrior Overall Solution

This led me to a solution consisting of:
1) TightVNC (http://www.TightVNC.com/)
2) OpenSSH
3) A dynamic DNS name provided by No-IP (http://www.noip.com/)

Now you too can have an iPad or Android tablet that displays a Windows or Linux desktop:


NOTE:  Because I expect most readers of this article to be using Windows, I used Windows for this article.  All of the principles would work exactly the same on Linux or Mac - you just might need a different VNC server.  On almost every Linux distribution I have used, OpenSSH is either automatically installed or available to install.  There are also plenty of VNC servers available, depending on your distribution.

For an equivalent choice of software on Ubuntu 14.04.01 LTS, you can use
sudo apt-get install tightvncserver openssh-server
If you are using a RHEL desktop, you can install the same software using
sudo yum install tigervnc-server openssh-server 

Now, for the important (and fun) part......here is how to set it up on Windows.

I do want to be clear, this information is meant to provide legitimate remote access to equipment that you either own or are fully authorized to use remotely.  This is not to be used to circumvent any rules or policies that govern your equipment, to be placed on someone else's computer unknowingly, or to be used in any unauthorized fashion.

I also want to mention that while the instructions look daunting, the process of setting everything up is pretty simple and only has to be done once.  Then you will be on your way to being a full-fledged Road Warrior.

Setting up the Windows VNC server

VNC is a well-established protocol for remote control.  It might not be as fancy as some of the other remote access protocols (such as Spice, RDP, NX, etc.) but it works and it seems to work well.  There is also the additional benefit that some applications seem to be able to detect when you are using other protocols (such as RDP) and behave differently.  Specifically, I have found that some VPN clients will not allow me to establish connections when I am connected via RDP - which limits the overall functionality of the service.
I ended up choosing TightVNC as my VNC server because of their very generous licensing terms.  The significant point is "free for both personal and commercial usage, with full source code available"  It is that commercial usage wording that is important and unique to TightVNC, as far as I can tell.  Here is a screenshot of their web-site showing the "commercial usage" wording:

Now, enough talking, let's get down to it.  Here are the instructions to configure TightVNC:
1) Go to http://www.tightvnc.com/download.php (link opens in new window) and download the latest version of TightVNC
2) Start the installer.  At the time of this writing, the latest version was tightvnc-2.7.10-setup-64bit.msi

3) Hit "Next" and you will see:



4) Read (yeah, right) and accept the license and press Next


5) Press "Typical" and you will see


6) Uncheck "Add exception for TightVNC to Windows Firewall" and press Next.  Remember, we are after security and OpenSSH will provide the access method, not TightVNC.  Therefore, there is no reason to open a firewall port specifically for TightVNC.



7) Press Install. Files will be copied and then you will see


8) Set both passwords.  The first one is the password you will use to access this computer remotely via VNC, and the second one will protect the VNC server's settings from being changed.  I will be honest, I use the same password for both.  Press OK



9) Your TightVNC server is ready.  You may also notice that an additional icon has appeared in your Windows System tray, which looks like

10) Double clicking this icon in the system tray will bring up the settings dialog for TightVNC.  While most of the default settings for TightVNC are appropriate for our usage, there are some that we need to change.



11) On the first tab, in the "Web Access" section, uncheck "Serve Java Viewer to Web Clients" from the top right then go to the Access Control tab


12) You will have to check the "Allow loopback connections" and "Allow only loopback connections" options.  Then press Apply

Your TightVNC Server is now ready for usage.  Let's test it to make sure it works:
1) Go to the Start Menu
2) Look for the TightVNC group

3) Start the TightVNC Viewer

4) Enter localhost as the Remote Host and press Connect

5) Enter the password you selected for remote access and hit OK

If everything went well, you will see a screen that shows your current laptop screen.  Don't be surprised, you will get an effect of looking into a TV screen that has the same image over and over and over.  This is normal and it means that your TightVNC Server is working just fine.

You can close the TightVNC Viewer and move onto setting up the SSH server.

Setting up the OpenSSH server using public key authentication:

To provide secure access, I used OpenSSH.  OpenSSH is normally a Linux program that provides an encrypted connection between two machines.  OpenSSH is also open source, well studied and generally considered to be secure, and it provides public/private key authentication and port tunneling.

Those last 2 attributes are very important to increasing the security of this solution.  By using public/private key authentication, it is significantly more difficult for someone to access our system or capture and decrypt our traffic at a later time.  The port tunneling feature will allow us to route our VNC connection through the SSH connection, gaining the strength and protection of the SSH encryption.  This is the reason that we didn't need TightVNC to open a Windows Firewall rule and we only allowed VNC connections from localhost.  The TightVNC server will believe that we are connecting locally, even though we are really at the other end of the SSH connection.  By allowing only loopback connections, we basically have closed off the possibility of someone directly accessing the TightVNC server and avoiding the SSH session.
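As an added check that is not part of the original post, this Python script reads the listener table from a Windows "netstat -an" (a constructed sample is embedded) and verifies the hardening just described: VNC reachable only on loopback, the TightVNC Java viewer web port (5800) not listening, and sshd on the chosen port above 1024 (34567 is an assumed value).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "netstat -an" output on Windows (not captured from the
# author's machine). Columns: Proto, Local Address, Foreign Address, State.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34567          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     52.96.1.10:443         ESTABLISHED
  TCP    [::]:34567             [::]:0                 LISTENING
"""

VNC_PORTS = {5900, 5800}          # 5900 = VNC display :0, 5800 = "Java Viewer" web port
LOOPBACK = ("127.0.0.1", "[::1]")  # only these local addresses are acceptable for VNC

# One LISTENING line: address and port are split at the last colon.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def listeners(netstat_text: str) -> List[Tuple[str, int]]:
    """Return (local address, port) for every TCP socket in LISTENING state."""
    return [(addr, int(port)) for addr, port in LINE_RE.findall(netstat_text)]


def audit(netstat_text: str, ssh_port: int) -> Dict[str, object]:
    """Check the three properties this setup relies on and report each one."""
    found = listeners(netstat_text)
    # Any VNC port bound to a non-loopback address bypasses the SSH tunnel.
    vnc_exposed = [f"{a}:{p}" for a, p in found if p in VNC_PORTS and a not in LOOPBACK]
    java_viewer_on = any(p == 5800 for _, p in found)
    ssh_listening = any(p == ssh_port for _, p in found)
    return {
        "vnc_exposed": vnc_exposed,        # empty means loopback-only, as intended
        "java_viewer_on": java_viewer_on,  # should be False after unchecking the option
        "ssh_listening": ssh_listening,
        "ssh_port_ok": ssh_listening and ssh_port > 1024,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_NETSTAT, 34567).items():
        print(f"{key}: {value}")
```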

For this solution, I have chosen to use the OpenSSH server as packaged by ITefix.  The reason I chose this packaging is because it takes the binary provided by Cygwin and packages a nice user interface on top.  You also don't have to edit configuration files manually.  If you prefer to use Cygwin directly yourself, I have posted instructions at http://blog.visideas.com/2015/01/security-openssh-on-windows-using-cygwin.html

Enough talking, let's get to installing:
1) Go to https://www.itefix.net/content/copssh-free-edition and download the free edition.  The only restriction that I am aware of on this version is that you can only activate a single SSH user.  This limitation should be fine for what we are trying to accomplish.
2) Start the installer you just downloaded

3) Click Next

4) Read and accept the license agreement (if you agree)

5) Accept the default installation directory by clicking Install
6) Wait for the files to finish copying

7) Click Finish - leaving "Run Copssh Control Panel" checked

Now that the OpenSSH server is installed, we will use the Copssh Control Panel to check (and change) a few of the configuration settings.  The Control Panel should have automatically launched when the installer finished, and it will look like this:


1) Switch to the "Configuration" tab and change the listening port to a number over 1024 then hit Apply

2) Change to the "Users" tab

3) Click "Add" which will start the Copssh User Activation Wizard

4) Click Forward

5) Hit the down arrow next to the white user entry area, and pick the username you wish to activate

6) Hit Forward


7) The wizard shows these default settings:
     Access type: Linux Shell and Sftp
     Home directory: c:\users\<username>
     Allow PKA authentication: checked
     Allow port forwarding: checked
Change "Access Type" to Sftp and uncheck "Allow password authentication", leaving the other settings at their defaults.
NOTE:  Pay close attention to the Home Directory setting.  When you are transferring files via SFTP, you will be restricted to that directory and below.  If you want to transfer files anywhere on any of your disks, you will need to enable full shell access
8) Click forward

9) Review the settings and click "Apply"

Upon successful completion of this User Activation Wizard, you will be returned to the COPSSH Control Panel and it should look similar to:

NOTE:  The username you use to connect to this SSH server will be only what is after the final backslash (\) and always in lower-case.  In the example above, the username for the SSH server is dmorlitz - regardless of the rest of the line

Because we have chosen an access type of Sftp, we will not have any shell access remotely.  We will only be able to connect to the SSH server to transfer files via SFTP or to connect to remote services (such as VNC) via port tunnelling.

Creating the public/private keypairs with COPSSH:

We now have a choice to make.  We can create keypairs using COPSSH and transfer them to the devices that we wish to use to remotely access this machine, or we can create the keypairs on the remote device directly.

I have found that if I am working on an iOS device, I prefer to create the keypairs on the iOS device.  You can find instructions for doing this later on in this posting.

On Android, I have found that I really don't have a preference.

In COPSSH, we can support both creating the keys locally or remotely.  Either way, you start by pushing the "Keys" button on the Users tab

1) Click the Keys button from the screenshot above
 

If you want to import a public key that was created on another device:
2) Click the Import button.  I have included a sample public key in the screenshot below.  You will be able to recognize an SSH public key because it will usually start with ssh-rsa or ssh-dss

3) Press Apply
4) You will see your public key has been imported, and the comment is the key name you created on the other device.
5) Press the Apply button - which will authorize this key to the SSH server - and then you can close this dialog box

If you want to create your keypair in COPSSH:
6) Press the "Add" button to launch the "Public Key Authentication" wizard

7) Click Forward
8) Decide the key type settings that you would like to use and click Forward

9) The next screen will ask you where you want to store the private portion of your keypair.  This is the portion that you must get onto the device that will remotely access this computer.  For convenience, I choose not to encrypt the private key - because not all devices can decrypt it easily.  You also need to pay attention to the folder and the file name you export the private key to.
10) Once you have your private key settings right, click Forward
11) Review the settings to ensure they are correct and click Apply

12) Move the private portion of the key to your device and continue to set up your iOS or Android device using the instructions below.

COPSSH allows each user to have multiple keypairs.  Therefore, you could create a unique keypair for each device that connects remotely.  The benefit of doing this is that in the logs you will be able to tell who is connecting, and if you lose a single device you won't have to reconfigure all of your devices.

Opening a port on your router:

This section is up to you to complete.  You selected a port number above when you configured your SSH server.  You will need to configure your home router's port forwarding feature to forward the port number you selected to the internal IP address of the system you want to control.
I would also recommend that you assign the machine you want to control a static IP address - so the port forwarding rule always works.  On many routers this is called a DHCP Reservation.

Dynamic DNS:

You will need to know the IP address of your router so that you can connect to it remotely.  Since the IP address may change over time, having a dynamic DNS name is easier.  Personally, I use a service called No-IP - which you can find at http://NoIP.com.
The No-IP service allows you to have up to 3 hostnames that are tracked and mapped to DNS names.  You should set up an account there and pick a hostname that you can remember.

No-IP is also nice because they provide a dynamic DNS client which you can download from http://www.noip.com/download?page=win  This program will monitor the public IP address of whatever network your computer is plugged into and keep your dynamic DNS name up to date.  Your router may also have a similar function.  Here is what my router's screen looks like:

You are now all set to connect remotely to your computer.  Here is the key information you will need for any client that you use.
SSH Tunnel hostname: <your dynamic dns name>
SSH Tunnel password: <leave blank>
SSH Tunnel identity file: <the private key portion of your SSH keys - possibly id_rsa>
VNC Server: 127.0.0.1
VNC password: <the TightVNC password you set for remote access>

Good luck Road Warrior - you are on your way to lighter travels.

Now, we will talk about setting up mobile devices.  Since I have more experience with Android devices, Android comes first.  But don't worry iOS users, just scroll down and you will find my instructions for Apple devices.

Android Remote Access (VNC over SSH) setup

As I mentioned before, any client that supports VNC over SSH will work just fine to connect to the solution that you just built.  Personally, I am currently using bVNC Pro on my Android devices.

bVNC Pro has the capability to create your SSH public/private keypair for you.  You can also transfer the private key portion of a key you generated above to your Android device.  In the example above, the private key portion of the keypair is called id_rsa

bVNC allows you to enter all of the necessary settings on a single screen.  Here are the settings you will need after you press "New Connection":
Connection type: Secure VNC over SSH (NOTE: There is a choice using SSL also - do not confuse them)
Connection name --> Any descriptive name you will recognize
SSH server name --> Your Dynamic DNS hostname (e.g. secret.ddns.net)
SSH server port --> The port you entered in sshd_config (e.g. 34567)
SSH password --> blank
SSH passphrase --> blank
Use Key --> checked
VNC server name --> 127.0.0.1
VNC port --> 5900
VNC username --> blank
VNC password --> The TightVNC password you chose


When you are ready to select your private key, tap the Manage Key button in the middle of the screen.  On the screen that appears (shown below) you can either "Generate New Key" (don't forget to add the public portion to your authorized_keys file on the SSH server) or Import the private key that you transferred to your Android device.

Android File Transfer (SFTP) setup

As with the remote control section, you can use any file manager that supports SFTP (which is different from FTPS) to connect to your system remotely.  I am currently using ES File Explorer as my SFTP client.  Here is how I setup ES File Explorer to access my remote system:

Since ES File Explorer does not generate SSH keypairs (as far as I know), you will need to generate your SSH keys in your Cygwin64 Terminal, as described above.  Then you will need to get the private key portion, id_rsa, onto your Android device through the file transfer method of your choice.

Once you have the private key transferred, here is what you need to do:

1) In the left-hand navigation area, select "Network" and then "FTP"
2) From the bottom of the screen, choose "New"
3) Choose "sftp" by tapping on it
4) Enter the following settings:
Server: Your dynamic DNS hostname (e.g. secret.ddns.net)
Port: The port you entered in sshd_config (e.g. 34567)
Username: Your Windows username
Passphrase: blank
Check "Login by private key"
Tap the "Private key" button and select the private key portion (e.g. id_rsa) from the file listing that appears

5) Save the connection

You can now access your remote system via SFTP and transfer files back and forth.  When you first login, you probably won't see any files.  To find everything on your Windows system, you will need to browse to /cygdrive/C - which will show you your entire C: drive.  If you have additional drives on your Windows system, they will appear under /cygdrive/D, /cygdrive/E, etc.

iPad Remote Access (VNC over SSH) setup

Here is a sample configuration that will work on an iPad using a program called Remoter Pro.   You really can use any VNC program provided it supports VNC over SSH.  This happened to be the least expensive program that I found on the iTunes App Store, coming in at $7.99.  (You will also notice that until this point, everything has been free)

Here are the steps to follow to create an SSH keypair in Remoter Pro
1) Press the menu button at the top right and select SSH Key Manager

2) Press the + button at the top right

3) Select RSA SSH2

4) Wait a few seconds for the "Created Successfully message"


5) Tap the newly generated SSH key and select Rename


6) Pick a useful name, so you can remember where you are going to use this key


7) Tap the new name you changed and choose E-Mail


8) Send the public portion of the key to an E-Mail address you can access from a computer


9) Copy the single line beginning "ssh-rsa" and ending with the key name you chose to the laptop you want to remotely connect to

10) Add this line to the file c:\Cygwin\home\<username>\.ssh\authorized_keys (notice the period before the ssh again)

Adding this line to the authorized_keys file is what authorizes access to your iPad
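The import in step 2 of the COPSSH key dialog and step 10 above both come down to putting one "ssh-rsa ..." line into authorized_keys. As an added example that is not from the original post, this Python script validates such a line (the base64 blob must start with the key type it claims) and appends it only if the same key is not already present, so one key per device stays tidy; the key it builds is a constructed dummy with throwaway numbers, and the file path is whatever you pass (on the Windows setup above, the c:\Cygwin\home\<username>\.ssh\authorized_keys path).

```python
import base64
import struct
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def _wire_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_public_key(line: str) -> Optional[Tuple[str, bytes, str]]:
    """Return (key_type, blob, comment) for a one-line OpenSSH public key,
    or None if the line is not a valid key ("ssh-rsa AAAA... comment")."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    # The first wire string inside the blob must repeat the declared key type.
    if blob[4:4 + n] != key_type.encode():
        return None
    return key_type, blob, comment


def add_authorized_key(authorized_keys: Path, line: str) -> bool:
    """Append the key line unless a key with the same blob is already present.
    Returns True when the file was changed."""
    parsed = parse_public_key(line)
    if parsed is None:
        raise ValueError("not a valid OpenSSH public key line")
    existing = authorized_keys.read_text().splitlines() if authorized_keys.exists() else []
    for old in existing:
        old_parsed = parse_public_key(old)
        if old_parsed is not None and old_parsed[1] == parsed[1]:
            return False  # same key, possibly a different comment: skip
    authorized_keys.parent.mkdir(parents=True, exist_ok=True)
    with authorized_keys.open("a") as fh:
        fh.write(line.strip() + "\n")
    return True


def make_sample_rsa_key(comment: str, modulus: bytes) -> str:
    """Constructed dummy: a syntactically valid ssh-rsa line (e=65537, tiny fake
    modulus). It exercises the parser only and is not a usable key."""
    blob = _wire_string(b"ssh-rsa") + _wire_string(b"\x01\x00\x01") + _wire_string(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def demo() -> Tuple[bool, bool, bool, int]:
    """One key per device in a temporary authorized_keys; a re-import of the
    iPad key under a new comment is rejected as a duplicate."""
    with tempfile.TemporaryDirectory() as tmp:
        ak = Path(tmp) / ".ssh" / "authorized_keys"
        first = add_authorized_key(ak, make_sample_rsa_key("ipad", b"\x00\xc0\xff\xee"))
        again = add_authorized_key(ak, make_sample_rsa_key("ipad-copy", b"\x00\xc0\xff\xee"))
        second = add_authorized_key(ak, make_sample_rsa_key("phone", b"\x00\xba\xad\x01"))
        return first, again, second, len(ak.read_text().splitlines())
```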

To create the connection in Remoter Pro:
1) Click the + button at the top left of the screen and choose "Add Session Manually" and use the following settings:
Choose the server type "VNC over SSH"
Make "Name" anything descriptive to you
Set the SSH Hostname to your dynamic DNS name that you picked above
Set the SSH Port to match the one you selected in sshd_config and on your router's port forwarding screen
Set the SSH Username to your Windows username (spaces might not be allowed, I haven't tried that yet)
For SSH Key Auth - tap the "No Key Auth" button
Select the key name you just created
Leave SSH passphrase blank
Enter 127.0.0.1 for VNC Hostname
Leave VNC port at 5900
Leave VNC Username blank
Enter the TightVNC access password for VNC Password





2) Press Save at the top left of the screen

iPad File Transfer (SFTP) setup

One nice benefit of SSH is that it provides a built-in file transfer mechanism - still protected by the SSH encryption and public/private key authentication.
On the iPad, I am currently using FTP On Connect Free as my SFTP client.  I am honestly not sure what the limitations are of this version over the full one, but for $2.99 I will upgrade if I find that I run into any limitations.

Here is how I got FTP On Connect Free configured.  First, I put the private key portion of my SSH keypair on an FTP server that I could see inside my house - this file is called home_rsa (you might need to create another keypair based on the instructions above, unless you can get the private portion out of Remoter Pro).  If you don't have an FTP server handy, FileZilla Server from https://filezilla-project.org/ is very quick and easy to set up on any Windows PC.

Once I had downloaded the private key portion to FTP On Connect Free, here is how I created the profile to connect to my remote machine:
1) Go to the "My Document" section of the left-hand navigation bar


2) Tap the "right arrow" button to the right of home_rsa (the file that you previously downloaded)


3) Choose "Add to private key list"


4) Give the key a descriptive name you can recognize


5) Click on "Site Add" from the left hand navigation


6) Set the options as follows
SFTP - SSH File Transfer Protocol
Profile --> Any name you like
Host --> Your dynamic DNS hostname
Port --> The port you configured your SSH server to listen on
User ID --> Your Windows username
Private Key --> Turn the slider on and on the popup screen, pick the Private Key that you imported earlier


7) Press Save

You should now be able to connect to your home computer and transfer files freely.  Within the Cygwin environment, you can browse to the directory /cygdrive/C to see your entire C: disk on Windows.  If you have other drive letters available, they will all be under /cygdrive/


You should now have a session icon that will allow you to remotely connect and control your PC at home.