Affect of static IP address on a workgroup

beer enigma

I have the standard UTV Clicksilver package, wireless set up with one desktop & one laptop linked to the wireless router at home (neither PC is a server, just two machines sharing the wireless connection)

At the moment, the router automatically furnishes the two PC's with local IP addresses.

I now want to set up a VPN connection to enable me to access the desktop PC from the laptop when I'm away from home.

UTV will supply me with a static IP address, but how will this affect the local addressing ? ie, the two machines are on a workgroup connecting via the router to the local IP addresses - does this still work with a static address ?

dil999

Your local addressing is a function of the DHCP server in the router. This is whatever you set it up to be. It is independant of the IP address that you get from UTV.

I'm not sure how you will access you desktop through your LAN though from the Public IP address. DO you have VPN software to do this?

Regds
Dil

secret_squirrel

You need to make sure your router supports VPN and if so what type. This will define what vpn software you need on your laptop.

You will then have to define a route from your router to your desktop pc. Giving your desktop a static ip address (on your lan) may help do this.

You then make a vpn connection to the static ip address given to you by UTV. You then have to make sure your router then forwards that to your desktop.

beer enigma

Thanks - I'm planning to use the inbuilt XP VPN software


My plan is to configure the VPN software to connect to the static address & I presume I can somehow then connect through to the Desktop. I'm using a Cayman Netopia wireless router which apparently supports VPN.

From looking at the basic config for VPN under XP, you enter the ip address & providing the PC at the other end is configured the same - hey presto...somehow I cant see that with Microsoft, but I'm an optimist !

If the Static ip is assigned to the router ´- I have to get through that to the PC, thats the bit that confusing me.

Sorry for the basic questions- I'm an experimenter rather than a network techy

dil999

best of luck with it. Doing something like that is a great way to learn. Just make sure you don't leave your home network open to the world

Cake Fiend

Andip wrote:

If the Static ip is assigned to the router ´- I have to get through that to the PC, thats the bit that confusing me.

You'll use port forwarding for this - most common DSL routers should support it. You'll need to find out what TCP port your VPN will use (google), and forward this port on your DSL router to whatever IP address your desktop is using (as secret_squirrel said).

beer enigma

Sico wrote:

You'll use port forwarding for this - most common DSL routers should support it. You'll need to find out what TCP port your VPN will use (google), and forward this port on your DSL router to whatever IP address your desktop is using (as secret_squirrel said).

Lol thank you...where have you been all my life

This makes total sense & the Netopia site gives all the config needed to allow PPTP through, along with the info on port forwarding.

Cheers to all who helped on this

lamaq

I don't believe XP is a VPN server which is what your looking for. On XP you can make a VPN connection to a network that has a VPN server installed (I believe this only comes with Windows Server editions).

An easier way to achieve what you want to do is use remote desktop. If you forward port 110 to the static IP address of your first computer then you can connect to this PC from anywhere by inputting your external IP address from UTV into remote desktop connection.

beer enigma

You can in fact set up XP Pro as a VPN server through New Connections.

Click New Connections/ Advanced Connection & follow on from there. When it comes to selecting a device for the incoming connection, you will probably only have your basic modem on there, if so, leave it unchecked.

After setting up, go to Network Connections & right click the new 'incoming connection' icon & select 'internet' as the incoming medium.

This is a useful link that got me sorted http://www.onecomputerguy.com/networking/xp_vpn_server.htm

lamaq

Didn't know you could do that with XP, could be quite usefull. Still think you would be better off with remote desktop though as you get more functionality and there are less issues with firewalls/routers.

beer enigma

Sure, I agree, this is more of a self-learning experiment than anything else.

I need to install a server at home shortly & will be putting a secure VPN together for that (probably with a dynamic key fob token), so this is very much a trial run to get the theory right.

It's amazing how much there is in XP that you just kinda find out about !

lamaq

Yeah it amazes me how much stuff is in there under Windows components. Apparently Microsoft did a survey for the next version of Office on what people would like to see added. Something like 80% of things people wanted to see was already in Office but they didn't know it.

dil999

Andip wrote:

You can in fact set up XP Pro as a VPN server through New Connections.

Click New Connections/ Advanced Connection & follow on from there. When it comes to selecting a device for the incoming connection, you will probably only have your basic modem on there, if so, leave it unchecked.

After setting up, go to Network Connections & right click the new 'incoming connection' icon & select 'internet' as the incoming medium.

This is a useful link that got me sorted http://www.onecomputerguy.com/networking/xp_vpn_server.htm

So how do you protect your Network? It looks like all you are doing here is opening up the VPN Port. That means that anyone who knows your IP address can access your PC through an XP VPN client. I think you need to do this in conjunction with VPN software, that will require passwords, and will encrypt your data.

Regds
Dil

beer enigma

During the new connection set up, it brings up a user permissions screen & asks you to select the users that are allowed access to your system. I presume it takes it from the User Accounts already set up within XP

In effect its as good as the password you have on your system.......

dil999

Is your data encrypted? If not, your Username and password are being sent as plain text accross the Web. Also remember that Windows passwords are not that hard to crack.
Not trying to be alarmist, in all probability nobody will notice your IP and nobody will give it a second thought, But there are guys,( and gals) out there with nothing better to do than Scan IP addresses and sniff network traffic.

Even from reading this I could have a good guess at what your IP address will be.

beer enigma

XP VPN connections are enabled with PPTP or L2TP and authenticated by using PPP user-level authentication - its not rock hard, but its enough for my purposes.

The way I look at it is, if they want to get in, they will !

I don't hold anything of any value on my system thats not stored elsewhere anyway.

secret_squirrel

lamaq wrote:

Still think you would be better off with remote desktop though as you get more functionality and there are less issues with firewalls/routers.

Wrong - using RDP on its own is crazy - only the authentication is encrypted for a start, the actual communication is 'in the clear'. Plus there's a good history of the RDP protocol being exploited.

However afaik there is nothing stopping him using RDP over the VPN.

Another solution I've been looking at is RDP over SSH - there's a product called WiSSH that does it for around €30.

Another alternative to a vpn is RealVNC and TightVNC which provide remote admin like RDP but also provide encrypted tunneled connections.

@Andip - check if your netopia can refuse incoming connections from anything from a set of specific ip addresses. Obviously this limits you to locations where you know the ip address in advance. If your netopia supports remote admin you might even be able to alter the incoming IP restrictions on the fly. This of course carries its own risks.
If your netopia doesnt support incoming restrictions you can always use Zonealarm which will and is free.

Also I would create a new Remote access user that doesnt have Admin privs adding another layer of protection should the bad guys get in....

beer enigma

Thanks Squirrel,

Looks like it can be configured to refuse connections, but I'll have a definitive on it tomorrow. Either way, it definitely supports remote admin & I'm using Zonealarm already on one box, so I'll use that as well.

This is going to be a whole heap of fun

Fortunately I have a mate who's an excellent security guy & he's offered to have a 'look' at the VPN when its set up........

TimTim

Andip wrote:

I need to install a server at home shortly & will be putting a secure VPN together for that (probably with a dynamic key fob token), so this is very much a trial run to get the theory right.

Either you work for RSA Security or have deep pockets :eek: The systems to support key fobs ain't cheap.

Just a fyi...

lamaq

secret_squirrel wrote:

Wrong - using RDP on its own is crazy - only the authentication is encrypted for a start, the actual communication is 'in the clear'. Plus there's a good history of the RDP protocol being exploited.
However afaik there is nothing stopping him using RDP over the VPN.

I didn't say it was more secure, just easier to use. This is a home network we're talking about. RDP is encrypted, it uses RC4, though it is recommended that it is used inside a VPN for an extra layer of security.

beer enigma

TimTim wrote:

Either you work for RSA Security or have deep pockets :eek: The systems to support key fobs ain't cheap.

Just a fyi...

I used to work for Ebeon.com, the e-business company shafted by Eircom in 2001, when Eircom pulled the plug, the liquidator sold off all the assets & nobody seemed interested in the new RSA system we'd just installed....I bought it in a bundle with two Compaq servers for €300........

Happy Days

secret_squirrel

lamaq wrote:

This is a home network we're talking about.

a port scanner doesnt give a damn whether you have a business or a home network - all it does is notify someone that you have an exposed port.

Just because its a 'home' network doesnt mean you should neglect basic precautions.

lamaq

secret_squirrel wrote:

a port scanner doesnt give a damn whether you have a business or a home network - all it does is notify someone that you have an exposed port.

Just because its a 'home' network doesnt mean you should neglect basic precautions.

Anything open on a firewall is going to be a risk but that doesn't mean it will automatically be exploited. Not everyone has a router with VPN passthrough as well.

Do you have any links to the holes in RDP (not trying to start an arguement here just interested).

secret_squirrel

I cant actually - I could have sworn one of the major trojans/worms from a couple of years ago used a RDP expoit but I may be wrong.

Lots of advice out there about not using it on its own though. MS are adding SSL encryption to the RDP traffic stream in W2k3 Sp1

beer enigma

Ok...here's an update

This may end up as a communal VPN given all the advice I've looked for

Anyhow, static IP address now applied to the router (It's a Cayman netopia 3347 wireless), all Hunky Dory (and for those of you too young - that's one of the best albums Bowie EVER released !!).......dont worry, there's nothing on any of the boxes & all encryption, passwords will be changed once I have it working - this is a learning exercise for me........a BIG one.

Router seems to be fine, internet connection is working & I can connect to the router via remote admin on the new IP address. The router supports VPN through PPTP & L2TP...

BUt....I cant connect from the laptop through the Router to the home PC

Just as a reminder, I'm using XP's VPN for starters. The laptop is using the latest version of XP, SP2 with all the updates. The Host PC is on an early version of XP, but with almost all of the patches applied - only SP1a though.

I'm getting either error connection 623, or 800 - it varies.

I think it could be the PPTP - anyone any experience on Netopia's or just a super duper guru ????

secret_squirrel

Ok things to check

1. All firewalls off (for testing purposes)
2. Port forwarding set up on Router to Desktop?


Install SP2 on desktop?
Can you make a remote desktop connection without the VPN? (lamaq is gonna kill me lol)

Let me have think for anything more...

wandererz

You've probaly done this already but just checking:

- Have you placed a static address on the internal PC rather than use the DHCP address assigned from the router? (port forwarding is then configured to forward PPTP to this internal static address)

- When both PC's are connected to the LAN, Can you establish a direct PPTP VPN connection?

(This will help narrow down whether the problem lies with XP or the router/modem.)

Gavin

For those interested in one time passwords, this is very easy to setup with a linux/bsd system and a mobile phone !

http://www.mulliner.org/wj/ for the OTP client. There are others out there. Setup s/key on your ssh server. Not sure if this integrates with OpenVPN, but it's useful to have for connecting to a ssh server when a ssh key is not possible.

Gav

beer enigma

Thanks to all on this thread - I'm now up and running !!!!, spending time hardening the box etc.

Turns out that with the Cayman netopia, you don't go into the port forwarding menu (pinholes) to set up VPN passthrough, for some strange reason its configured under software hosting & you assignthe service you want to let through, PPTP, L2TP etc.

Anyways, it works - thanks again