
CNers have asked about a donation box for Cloudy Nights over the years, so here you go. Donation is not required by any means, so please enjoy your stay.


VPN Versus 'Just Remote RDP' Questions

13 replies to this topic

#1 mikeyL

mikeyL

    Viking 1

  • *****
  • topic starter
  • Posts: 727
  • Joined: 17 Dec 2007
  • Loc: Longmont, CO, USA

Posted 23 December 2018 - 04:16 PM

So I am looking to have an astroimaging configuration set up at a friend's house, who lives under some darker skies with better visibility than I have at home. The plan is to eventually get set up to run my gear remotely, although he lives close enough to allow for a slow transition with lots of testing before things are expected to work this way. I am fairly confident that a number of the remote control issues are already understood, but the one aspect of this that I have not done before is getting set up to safely control my astroimaging computer, that will be on his local network, from my computer at my house.

 

My astroimaging computer is running Win10 Pro, and I have already successfully run it using RDP locally, but this is the first time I would attempt to do this remotely. Since I am accessing my friend's network remotely, I want to come up with a solution that is not only reasonably simple to implement, but also does not require him to make any significant modifications to his router firmware or his network configuration, while still making sure we are keeping his network as safe as possible. So my questions are these:

 

1) I know that VPN can be used for this sort of thing, but I also have heard that using RDP remotely does not necessarily require VPN. Running without VPN is no doubt easier to set up, but how much less secure is running an external RDP solution without employing VPN?

 

2) If VPN is the only 'safe' way to make this happen, is it possible to use this with a VPN enabled router that uses OpenVPN, without having to subscribe to a monthly VPN service? He has a Nighthawk R7000 router, that can be enabled to support VPN WITHOUT reblowing the firmware (which is not currently an option he wants to consider...)

 

3) Ideally, I would love to be able to set this up so that when I am logging in remotely, all I can access is my computer, not any of the rest of his gear. If I use RDP (behind a VPN or not) is it enough if my system is the only box set up to be running an RDP server?

 

4) I would be running TheSkyX, which seems to work reasonably well speed-wise over RDP on a local connection - what kind of speed degradations would I expect to see over an external connection? Is this adversely affected if VPN is also used?

 

Thanks for any advice or experiences you can share,

 

 

ML



#2 Sixburg

Sixburg

    Vendor (Deep Sky West)

  • *****
  • Vendors
  • Posts: 298
  • Joined: 18 Mar 2013
  • Loc: Rowe, NM

Posted 23 December 2018 - 04:22 PM

ML...

If you use Chrome Remote Desktop or TeamViewer (both free) you will not need to make any router / network changes, nor is a VPN required.

 

For both programs there is a procedure to set the remote PC for unattended access (the observatory side).  Your local / controlling PC only needs to know your UID/PW in the case of TV and in the case of CRD there is a similar procedure, but it uses a PIN.  I use both interchangeably with TV being primary and CRD secondary.

 

If you use TV don't be tempted to use the remote access UID and PW on the screen...this is for allowing someone else to control your system and the PW will change with each reboot!  Use the unattended access options only.  

 

P.S...set the BIOS on your remote computer to return to pre-powerloss state (i.e., set to reboot on power restoration...same for any IP power switches)....your friend will thank you for not calling him so often to reboot / power cycle stuff ;-)

 

-Lloyd


Edited by Sixburg, 23 December 2018 - 04:24 PM.


#3 Dan Crowson

Dan Crowson

    Vanguard

  • *****
  • Moderators
  • Posts: 2119
  • Joined: 08 Oct 2010
  • Loc: Dardenne Prairie, MO

Posted 23 December 2018 - 04:50 PM

To use RDP remotely, you would just need to have a dynamic dns client running on the router (most have these) or the PC. Once this is done, you would just need to have a port-forward added in the list on the router. For example, 9999 -> [your PC IP]:3389. One could do the same with VNC.

 

The security issue would be that someone could dictionary hit your PC. As long as you're using an account named something other than the obvious of admin/administrator and have a decent password, you're probably fine.

 

Chrome Desktop, TeamViewer and countless others will work but in the case of ones like TeamViewer, one can only assume the services are secure. They've had issues in the past and who knows right now.

Dan


  • Terry White likes this
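
The dictionary-attack risk Dan describes shows up on the Windows side as bursts of failed-logon events (Security log, Event ID 4625). As an added example, not part of the thread: a Python sketch that flags source addresses with repeated failures in exported event XML. The threshold, the time window and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(ts, user, ip, logon_type="3"):
    # Builds one constructed 4625 (failed logon) record in the event XML layout.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample data (documentation-range addresses, not real logs):
# six guesses from one address in six seconds, plus one ordinary mistyped password.
SAMPLE = "<Events>" + "".join(
    [_event(f"2019-01-05T03:00:{s:02d}Z", u, "203.0.113.7") for s, u in
     enumerate(["admin", "administrator", "user", "test", "mike", "astro"])]
    + [_event("2019-01-05T21:15:00Z", "mikeyL", "198.51.100.20", "10")]
) + "</Events>"

def failed_logons(xml_text):
    """Yield (time, source_ip, username) for each remote failed logon."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        data = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        # 3 = network logon (RDP with NLA), 10 = RemoteInteractive (RDP without NLA)
        if data.get("LogonType") not in ("3", "10"):
            continue
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        # Real logs carry fractional seconds; keep only the whole-second part.
        when = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")
        yield when, data["IpAddress"], data["TargetUserName"]

def suspected_dictionary_sources(xml_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: usernames tried} for sources with >= threshold failures in one window."""
    by_ip = defaultdict(list)
    for when, ip, user in failed_logons(xml_text):
        by_ip[ip].append((when, user))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                flagged[ip] = sorted({u for _, u in hits})
                break
    return flagged

if __name__ == "__main__":
    print(suspected_dictionary_sources(SAMPLE))
```
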

#4 Sixburg

Sixburg

    Vendor (Deep Sky West)

  • *****
  • Vendors
  • Posts: 298
  • Joined: 18 Mar 2013
  • Loc: Rowe, NM

Posted 23 December 2018 - 05:06 PM

Specifically, there were security vulnerabilities announced / fixed 2017-Dec, May-2016.  I've not personally experienced any problems and we use secure passwords, security protocol, etc.  Dan makes a good point.  It would suck to have someone get in and do stupid things.  Most of the known entry points in to TV require user input and/or dialogs to complete.  

 

Our use case is different than some and involves many remote computers all using a variety of RDP programs. Most work well, but in all cases, an alternative entry is a good idea.  There are times when TV is not working / slow and I use CRD instead. We are wary of opening a bunch of ports (security) and from a support perspective qualified members can get set up without external input.  

 

-Lloyd



#5 TxGeek

TxGeek

    Explorer 1

  • -----
  • Posts: 66
  • Joined: 19 Nov 2018

Posted 23 December 2018 - 05:34 PM

VPN is extremely simple to setup. I personally would NEVER expose a machine directly to the internet. You're just asking for issues. Check out Untangle or an OpenVPN Access Server. Untangle can be setup within a matter of minutes and has a beautiful UI. The built in OpenVPN server works great as well.


  • Sixburg likes this

#6 Sixburg

Sixburg

    Vendor (Deep Sky West)

  • *****
  • Vendors
  • Posts: 298
  • Joined: 18 Mar 2013
  • Loc: Rowe, NM

Posted 23 December 2018 - 05:46 PM

OpenVPN does a great job...

 

-Lloyd



#7 t-ara-fan

t-ara-fan

    Viking 1

  • -----
  • Posts: 545
  • Joined: 20 Sep 2017

Posted 04 January 2019 - 06:21 PM

I use VNC instead of RDP.   The sweet thing about VNC is that both the remote and local user can control the computer at the observatory at the same time.

 

 

Security through obscurity works.  Open a router port on some oddball port like 54321.  Forward that to the IP of the PC to be controlled.  Use a decent password and you will be fine.  



#8 TxGeek

TxGeek

    Explorer 1

  • -----
  • Posts: 66
  • Joined: 19 Nov 2018

Posted 05 January 2019 - 08:25 AM

> I use VNC instead of RDP.   The sweet thing about VNC is that both the remote and local user can control the computer at the observatory at the same time.
>
> Security through obscurity works.  Open a router port on some oddball port like 54321.  Forward that to the IP of the PC to be controlled.  Use a decent password and you will be fine.

 

Changing the port really doesn't do much. RDP/VNC/SSH are going to reply to things like NMAP no matter what port you set.
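
TxGeek's point is that these protocols identify themselves in the first bytes they send, whatever port they listen on. As an added example, not part of the thread: a Python sketch that classifies a server from those bytes and, for RDP, reads which security layer the server selected, which is a useful check on your own forwarded port. The sample byte strings are constructed.

```python
import struct

RDP_PROTOCOLS = {0: "standard RDP security", 1: "TLS",
                 2: "CredSSP (NLA)", 8: "CredSSP-EX (NLA)"}

# Constructed samples of what each server type sends first.
SAMPLE_SSH = b"SSH-2.0-OpenSSH_7.9\r\n"
SAMPLE_VNC = b"RFB 003.008\n"
SAMPLE_RDP = bytes.fromhex(
    "03000013"            # TPKT header: version 3, total length 19
    "0ed00000123400"      # X.224 Connection Confirm (code 0xD0)
    "0200080002000000"    # RDP negotiation response: selected protocol 2
)

def parse_rdp_connection_confirm(data):
    """Parse TPKT + X.224 Connection Confirm; return the selected security layer or None."""
    if len(data) < 11 or data[0] != 0x03:
        return None
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len > len(data) or (data[5] & 0xF0) != 0xD0:
        return None
    neg = data[11:tpkt_len]
    if len(neg) < 8:
        return "no negotiation response (standard RDP security)"
    neg_type, _flags, _length, selected = struct.unpack("<BBHI", neg[:8])
    if neg_type == 0x02:          # negotiation response
        return RDP_PROTOCOLS.get(selected, f"protocol 0x{selected:x}")
    if neg_type == 0x03:          # negotiation failure
        return f"negotiation failure code {selected}"
    return None

def identify_service(first_bytes):
    """Classify a server by its first reply; note that no port number is involved.

    SSH and VNC servers send their banner unprompted; an RDP server sends its
    Connection Confirm in reply to a client's connection request.
    """
    if first_bytes.startswith(b"SSH-"):
        banner = first_bytes.split(b"\n", 1)[0].strip()
        return "ssh", banner.decode("ascii", "replace")
    if first_bytes.startswith(b"RFB ") and len(first_bytes) >= 12:
        return "vnc", "protocol " + first_bytes[4:11].decode("ascii", "replace")
    rdp = parse_rdp_connection_confirm(first_bytes)
    if rdp is not None:
        return "rdp", rdp
    return "unknown", ""

if __name__ == "__main__":
    for sample in (SAMPLE_SSH, SAMPLE_VNC, SAMPLE_RDP):
        print(identify_service(sample))
```
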



#9 Alex McConahay

Alex McConahay

    Cosmos

  • *****
  • Posts: 7886
  • Joined: 11 Aug 2008
  • Loc: Moreno Valley, CA

Posted 05 January 2019 - 11:38 AM

It seems nobody has addressed the question:

 

>>>>>>  I would be running TheSkyX, which seems to work reasonably well speed-wise over RDP on a local connection - what kind of speed degradations would I expect to see over an external connection?

 

As I understand it, and I am willing to be corrected, The Sky X is operating on the remote computer, and its speed has nothing to do with whether it gets its commands from the mouse/keyboard on that computer or the mouse/keyboard of the remote computer. So, The Sky X will perform the same regardless. Now, getting those commands in and out may meet with an ever so slight delay. But most of the time, The Sky X is not accepting a command, but just performing whatever it is that it is supposed to be doing. So, its speed is not affected.

 

Alex 



#10 CharlesW

CharlesW

    Long time member

  • ***--
  • Posts: 3633
  • Joined: 01 Nov 2012
  • Loc: Chula Vista, CA

Posted 05 January 2019 - 12:53 PM

Just to piggyback on Alex for a moment, no one here knows what your latency is going to be. It all depends on what kind of service you and your friend have. I occasionally Team Viewer into a friend/client’s computer to run his MX mount/SBIG camera. We live about 120 miles apart. There is no latency. I might as well be sitting in his office chair. On the other hand, my personal scope is at GMARS, controlled over satellite internet. There is a noticeable pause but you get used to it. That connection is the best I can do because of location. 

 

If you value this friendship, I would not use his internet service. Something will happen that will strain that relationship. Get a Viasat satellite dish for $80 a month and don’t put him at risk of anything. 


  • Sixburg likes this

#11 Sixburg

Sixburg

    Vendor (Deep Sky West)

  • *****
  • Vendors
  • Posts: 298
  • Joined: 18 Mar 2013
  • Loc: Rowe, NM

Posted 05 January 2019 - 12:56 PM

Performance degradation is more about line speeds between  you and the target computer than anything else.  With Teamviewer (not so with CRD), you can make adjustments to improve response time on the margin (i.e., optimize speed over graphics, for example).  How about setting it up and trying it out with several RDP systems?

 

-Lloyd



#12 Dan Crowson

Dan Crowson

    Vanguard

  • *****
  • Moderators
  • Posts: 2119
  • Joined: 08 Oct 2010
  • Loc: Dardenne Prairie, MO

Posted 05 January 2019 - 07:42 PM

To answer the TSX question, it is similar to stellarium and others. You can set the frame rate low and it will use a lot less bandwidth and be more responsive.
 
Dan



#13 Lightpath

Lightpath

    Vostok 1

  • *****
  • Posts: 145
  • Joined: 23 Jan 2014

Posted 06 January 2019 - 01:52 AM

I *THINK* I understand your question.  So here are my thoughts:

 

Depending on the product you use remote access software should be encrypted, so honestly the security part of that is mostly covered.  I use Team Viewer, Parallels access, and a couple of other products to remotely connect into my home PC from work (I work nights) and run my "observatory".  Both of these use port-to-port SSL encryption and I "trust" them as much as you can trust any cloud service these days.  I'm pretty sure both of them are simply VNC over SSL, but don't quote me on that.  So short story is, this will work, and be secure.  As long as your friend doesn't have awful internet it should work well.  You don't need a VPN to get remote desktop software like Teamviewer to be secure.  

 

Keep in mind:

 

1.  You are at the mercy of your friend running a decent firewall, and actually actively managing it.  Since Team viewer and those types of applications require the "remote" PC to connect to the Teamviewer servers in order to register their availability and allow connections, there really shouldn't be any goofing around that your friend will have to do on their firewall/router. HOWEVER in this day and age your PC really does need to be behind a firewall that is regularly updated and managed.

 

2.  You are at the mercy of your friend having good security hygiene on his local PC(s).  No question that your PC will have more of an "attack surface" from an internal attack than an external attack.  So you will also need to make sure you have current security software (there's things like Norton and others) that will protect your PC.  I'm sorry I can't be much help on what software on the windows side would help, as all of my experience is on Mac, and UNIX (please, no hate).  I use Norton 365 on the windows 7 pc I have running my "balcony remote" setup.  I know zero about windows 10 except that I wanted to throw my X's windows 10 pc off a cliff because it was so hard to fix when it pooped itself.  Just make sure you're always up to date on whatever software you eventually choose to secure your PC with, so it isn't you that infects your friend!

 

As far as using a service like NordVPN as a VPN service for your remote PC, I see no real value there for this use case.  It's not going to get more secure using a VPN to obfuscate where you are coming from.

 

Configuring your remote PC to VPN into your home network may work, and I'm thinking of a couple of ideas along this line for another project I'm working on, but then what happens if it breaks and you need your friend to troubleshoot it?  The more complex it gets the more likely it is to be frustrating for all involved.  I'd just keep it as simple as you can.

 

Keep in mind that network aware devices like digital-loggers power strips are really not very sophisticated, and may well be very insecure on the network side.  I haven't tried to hack mine, but just be aware that if you use pieces of kit like that, and plug them into his network, you may be exposing him to a potential attack vector there.  There are lots of ways to stymie this sort of thing though, it's just something to be aware of, that these IOT devices are sometimes pretty dumb.  (The web server on the digital-loggers power bar doesn't use SSL for example)

 

Oh, and Team Viewer magically determined that I was using its software for commercial purposes while I was using it, and limited me to about 10 seconds of connection before it punted me out with a message asking me to pay.  Requests to TV customer support to fix it went unanswered.  I don't know how to avoid that, sorry, but just be aware it can happen.  I already pay for Parallels Access so I am just using that.  PA is a similar but much lesser known, and I'd probably wager less reliable, remote access service.

 

Good luck!


Edited by Lightpath, 06 January 2019 - 01:58 AM.


#14 DMRandall

DMRandall

    Explorer 1

  • -----
  • Posts: 65
  • Joined: 25 Dec 2008

Posted 23 January 2019 - 11:44 PM

FWIW, TeamViewer tripped the "commercial use" for me when I was remoting to obs'y 30+ times over the course of 8-10 hours.  

 

Other than the convenience factor, there was no change in operation. 

 

Dave










Cloudy Nights LLC
Cloudy Nights Sponsor: Astronomics