Use SSH to Create Secure Tunnels for File Transfers (SFTP), Remote Desktop (VNC), Subversion (SVN), and Firefox Traffic

This guide will show you how to access a computer located on your home network from outside of your local area network. For the purposes of this guide, let’s assume we are trying to access a HOME SERVER such as a Mac Mini connected to your home WiFi router. The home computer could just as easily be an Ubuntu or similarly flavored Linux machine. The first thing we need to do is determine your home IP address, and then we will set up port forwarding on your wireless router so that only the SSH port is reachable from outside; every other service is then carried inside SSH. Keep reading to get started with this process, or see the separate guide on how an SSH tunnel works.



The easiest way to determine your outside IP address is by visiting a site such as www.whatismyip.com. Write this number down, but keep in mind that it may change from time to time depending on your ISP; if you leave your cable or DSL modem powered on it usually stays the same for long stretches. For the remainder of this guide, let’s assume your home IP address is 64.3.10.24 and your username on the home machine is USER. You’ll see USER@64.3.10.24 in each of the terminal commands below.

Enable Remote Login or SSH Daemon

This is really easy on a Mac and not too difficult on a Linux machine. For a Mac, visit System Preferences - Sharing and enable Remote Login. While you are in this window you can also enable Screen Sharing if you want to access the machine over the VNC protocol. On Linux, install the OpenSSH server (the openssh-server package on Ubuntu) and make sure the sshd service is running.

Enable SSH Port Forwarding

For the purposes of this guide we only need to enable forwarding of the port used by SSH. Once this is established we will be using SSH to create secure tunnels for the other functions. Before we begin, determine the IP address of your HOME SERVER. This can be done on a Mac by going to System Preferences - Network. Let’s say your HOME SERVER has the local IP address of 192.168.1.111.

Log on to your wireless router by entering 192.168.1.1 in a browser (Firefox works well for this). From here the directions will vary from router to router, but you need to find the Port Forwarding area. If you have trouble, Portforward.com has router-specific directions. Your settings will look something like the following: set the ‘port from’ (external) field to 6111, the destination or ‘port to’ field to 22, and the IP address field to 192.168.1.111, then save the changes and let’s give it a try. Open up a Terminal and enter the following command,

ssh -p6111 USER@64.3.10.24

If everything is set up properly your router will now forward traffic arriving on port 6111 to port 22 on your HOME SERVER and you should be prompted for your password. Voila! On this first connection ssh also shows the server’s host key fingerprint and asks you to accept it; do this from a network you trust, because every later connection from a hotel or café is only as trustworthy as that saved key. Bear in mind that port 6111 is now reachable from the whole internet, so use a strong password or, better, set up key-based login with ssh-keygen and turn off password authentication in sshd.


SFTP Access via FTP Client

Now you should be able to use an FTP client that supports the SFTP protocol (such as Cyberduck) to access the files on your home machine. Simply enter the IP address (e.g. 64.3.10.24) and port number (e.g. 6111), followed by your username and password, and you should have access to the files on your HOME SERVER. SFTP runs inside the SSH connection itself, so no extra tunnel is needed for file transfers.

Secure Remote Desktop Access

This next command will allow you to use a VNC client such as Screen Sharing in Leopard, Apple’s Remote Desktop, or Chicken of the VNC to remotely access the home machine via the graphical user interface (GUI) as if you were actually sitting in front of it. At the Terminal prompt enter the following,

ssh -NfL 1024:127.0.0.1:5900 USER@64.3.10.24 -p6111

Here -N opens no remote shell, -f sends ssh to the background once the connection is up, and -L 1024:127.0.0.1:5900 makes local port 1024 a tunnel to port 5900 (VNC) on the HOME SERVER’s own loopback interface; 1024 is simply a convenient unprivileged local port. Now open Screen Sharing or a similar VNC client and connect to 127.0.0.1:1024 and you should see your HOME SERVER. Because the VNC connection arrives at the server from 127.0.0.1, Screen Sharing never needs to be exposed to the internet.

Access Your Local Subversion Repository from the Road

I highly recommend using Subversion (SVN) to keep non-destructive versions of your work, whether it be code or just a paper you are working on. This guide won’t cover how to get started using SVN but rather show you how to access your repository from anywhere. Since svnserve listens on port 3690, we simply create a tunnel using that port on both the local and the remote end. For example, you could enter the following command,

ssh -NfL 3690:127.0.0.1:3690 USER@64.3.10.24 -p6111

Then you can access the repository via svn://127.0.0.1/YOUR-SVN-PATH, assuming svnserve is running on the HOME SERVER.

Secure Web Traffic when Traveling

Suppose you are traveling and using Starbucks’ or a hotel’s wireless connection. Most of your traffic over such a network can be sniffed by anyone else on it. If you want to log on to your bank, I’d recommend creating a secure tunnel that sends your web browser’s traffic through your home internet connection.

First enter the following command; -D 9999 makes ssh listen on local port 9999 as a SOCKS proxy, and anything the browser sends to that port travels through the tunnel and leaves the internet from your HOME SERVER,

ssh -D 9999 -p6111 USER@64.3.10.24

then go to Firefox’s Preferences, Advanced, Network and click on Settings. Select manual proxy configuration, set the SOCKS Host to 127.0.0.1 and the Port to 9999 (matching the -D 9999 above), choose SOCKS v5, and leave the HTTP and SSL proxy fields empty.

Now visit www.whatismyip.com again; it should report your home IP address (64.3.10.24 in this example) rather than the hotspot’s, which confirms the browser’s traffic is going through the tunnel. Two caveats before you browse with confidence. First, the tunnel only protects the hop between your laptop and your HOME SERVER; web sites are reached exactly as they would be from home, so still insist on HTTPS for banking. Second, by default Firefox resolves host names locally even when using a SOCKS proxy, so the hotspot can still see which sites you look up; set network.proxy.socks_remote_dns to true in about:config to send DNS queries through the tunnel as well (this needs SOCKS v5).
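Once you use more than one of these tunnels, typing the separate commands gets old. The script below is an added example, not part of the original post: a hypothetical hometunnel.sh that opens the VNC, svn and SOCKS tunnels from the sections above in a single ssh session. The address 64.3.10.24, external port 6111 and username USER are the guide’s placeholders, and the local ports 1024, 3690 and 9999 are the ones used above; change any of them to suit your setup.

```sh
#!/bin/sh
# hometunnel.sh - bring up every tunnel from this guide in one ssh session.
# Added example, not part of the original post. The address, external
# port and username are the guide's placeholders; override them with
# environment variables (HOME_HOST, HOME_PORT, HOME_USER) or edit them.
set -eu

HOME_HOST="${HOME_HOST:-64.3.10.24}"   # external IP or dynamic-DNS name
HOME_PORT="${HOME_PORT:-6111}"         # router port forwarded to 22
HOME_USER="${HOME_USER:-USER}"

# Local listening ports: VNC, svnserve and the SOCKS proxy. Ports from
# 1024 up can be bound without root, which is why the guide uses 1024.
VNC_LOCAL=1024
SVN_LOCAL=3690
SOCKS_LOCAL=9999

# Accept only numeric, unprivileged, in-range TCP ports for the local side.
valid_local_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line. -N opens no remote shell, -L sets up the
# VNC and svn forwards, -D the SOCKS proxy (bound to loopback only).
# ExitOnForwardFailure makes ssh fail loudly if a local port is already
# taken instead of silently running without that forward, and
# StrictHostKeyChecking=yes refuses to connect if the server's key does
# not match the one saved on the first, trusted connection.
tunnel_cmd() {
  for p in "$VNC_LOCAL" "$SVN_LOCAL" "$SOCKS_LOCAL"; do
    valid_local_port "$p" || { echo "bad local port: $p" >&2; return 1; }
  done
  printf '%s' "ssh -N -p $HOME_PORT" \
    " -o ExitOnForwardFailure=yes -o ServerAliveInterval=30" \
    " -o StrictHostKeyChecking=yes" \
    " -L $VNC_LOCAL:127.0.0.1:5900 -L $SVN_LOCAL:127.0.0.1:3690" \
    " -D 127.0.0.1:$SOCKS_LOCAL $HOME_USER@$HOME_HOST"
}

# Replace this shell with the ssh process so Ctrl-C tears the tunnels down.
connect() {
  # Intentional word splitting: every token produced above is whitespace-free.
  set -- $(tunnel_cmd)
  exec "$@"
}

# "sh hometunnel.sh" prints the command for review; "connect" runs it.
case "${1:-show}" in
  connect) connect ;;
  show)    tunnel_cmd; echo ;;
  *)       echo "usage: $0 [show|connect]" >&2; exit 2 ;;
esac
```

Run it once with no argument to review the command it will execute, then with connect to open the tunnels; while it runs, the VNC client, svn:// URL and Firefox proxy settings from the sections above all work at the same time. Make the first connection to the HOME SERVER by hand from a trusted network so the host key is saved; after that StrictHostKeyChecking=yes turns a changed key on hotel WiFi into a refusal rather than a prompt.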

That’s It, Enjoy!

21 Comments

  1. Great tutorial! Thanks so much. Works like a charm. It would be cool to see a tutorial for automator to connect via SSH to VNC. any suggestions?

    Sam | Feb 22, 2008

  2. @Sam - Did the VNC over SSH section above not work for you? An automator action might be difficult due to the password required for the SSH tunnel. You might be able to use ssh-keygen to avoid this, I’ll think on it. If you just want to automate the VNC part, you could do a ‘Run Applescript’ action containing the following,

    tell application "Finder"
        open location "vnc://127.0.0.1:1024"
    end tell

    Franklin | Feb 22, 2008

  3. yeah, i ran ssh-keygen and have the keys on both computers. so the password isnt the problem. it’d be nice to have one thing to click and would run ssh and vnc. thanks so much!

    Sam | Feb 25, 2008

  4. Pretty elementary stuff, but important to have out there for people to learn about.

    My school blocks access to blogs fairly indiscriminately, so I’m only able to read this during my lunch hour today by using Portable PuTTY and Portable Firefox running off a USB drive to tunnel through to my linux box at home.

    It would be helpful to post instructions for that here for Windows users. Shoot me an e-mail if you’d like for me to write up instructions / provide screenshots to post here.

    Brandon Wardlaw | Apr 18, 2008

  5. Good tips, although very much Mac-centric (not that that’s a bad thing - I’ve been a Mac owner/programmer since 1985!). As you mention, the above will work on OS X or a Linux box, but needs slight modification on a Windows machine (no built-in SSH!). I’d recommend downloading the PuTTY package, along with Plink (the PuTTY CLI component). That way, all of your instructions will apply to Windows users as well (make sure the PuTTY binaries are in your PATH system variable).

    Another thought - why mess with doing the WhatIsMyIp when you can use Dynamic DNS (www.dyndns.org). You can get yourself a free account with a quasi-unique canonical URL. If your router doesn’t support it natively, there are plenty of clients available for Mac, Windows, or Unix/Linux machines that will update your account whenever your external IP changes. So - all you then have to remember is the canonical name (e.g., “smithfamily.homeip.net”) instead of the IP. I’ve found that the IP can change on you when you’re on a trip - what if there’s no one at home to tell you what it’s changed to?

    Anyway - still a very great/useful article. Thanks for the time it took to create!

    Greg | Apr 18, 2008

  6. There’s no need to use an SSH tunnel with subversion, just use the built in svn+ssh handler.

    svn checkout svn+ssh://USER@SERVER/path/to/svnrepository

    git has this feature as well :)

    Mark | Apr 18, 2008

  7. @Brandon - A windows guide would be great, I’ll be in touch.

    Franklin | Apr 18, 2008

  8. @Greg - Good point about Dynamic DNS, I wasn’t aware it was free.

    Franklin | Apr 18, 2008

  9. @Mark - I had trouble figuring out how to specify a specific port number with svn+ssh. I have to poke through a firewall to reach the svn server. If you know of a solution please let me know.

    Franklin | Apr 18, 2008

  10. Yes, Dynamic DNS is free…
    http://www.dyndns.com/services/dns/dyndns/
    …as long as you use one of their canned domains (a decent-sized collection now):
    http://www.dyndns.com/services/dns/dyndns/domains.html

    They link to a number of update clients should your router not support DynDNS (my Netgear does so I’m golden):
    http://www.dyndns.com/support/clients/

    I actually wrote my own Perl script to do this - I’ll have to dig it out and post it if anyone prefers that to the larger clients.

    Greg | Apr 18, 2008

  11. @Franklin

    svn+ssh uses port 22… It’s basically svn over a ssh tunnel but built into the client.

    Phillip Wills | Apr 18, 2008

  12. Although the secure web traffic using proxies will work, it does not mask the actual sites visited as the DNS lookups by the client are still made to whatever local repository is available. So people will know which web pages you are visiting, although they will not be able to see the content.

    Jojo | Apr 18, 2008

  13. CAREFUL with dynamic port forwarding (Secure Web Traffic when Traveling).

    This setup will send all DNS look ups TO YOUR LOCAL SERVER, not over the SSH tunnel. Only the actual data for your web requests will go over the SSH tunnel.

    For a more secure approach, set up an HTTP proxy (apt-get install tinyproxy) on the other end of the SSH tunnel. This will end-to-end secure your web connection without leaking DNS requests.

    Sniper Fox | Apr 18, 2008

  14. @Phillip - Thanks, however, if someone is using port forwarding (i.e., a port other than 22) to get through a firewall I don’t think svn+ssh will work. If anyone knows how to specify a port number in the svn+ssh command let me know.

    Franklin | Apr 18, 2008

  15. @Sniper Fox - Very very good point. I guess I am most concerned about securing traffic such as banking and email when in a hotspot (e.g., starbucks, panera). If someone is concerned about an outside party knowing which sites they are visiting they should use an HTTP proxy as you suggest.

    Franklin | Apr 18, 2008

  16. http://svn.haxx.se/users/archive-2004-09/0574.shtml
    Seems you can do alternate SSH ports with svn+ssh:// by either adding an appropriate stanza to ~/.ssh/config or within your svn config (somewhere, it’s kinda vague)

    git uses the obvious ssh://HOST:PORT/path/to/gitdb

    Mark | Apr 18, 2008
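The ~/.ssh/config stanza the comment above points at is the usual answer to the non-standard-port question raised in the thread, since the Subversion client simply runs ssh and lets it resolve the host. The script below is an added example, not part of the thread or the original post: it appends such a stanza under the alias home, assuming the guide’s placeholders 64.3.10.24, 6111 and USER, and asks ssh which port it would really use for that alias.

```sh
#!/bin/sh
# home-alias.sh - record the non-standard SSH port in ~/.ssh/config once,
# so plain ssh, sftp/scp and svn+ssh:// all use it without -p or -P.
# Added example, not part of the original post or the thread. The alias
# "home" and the address, port and username are assumed from the guide.
set -eu

# Append a Host stanza for the home server to the given ssh_config file.
write_home_stanza() {
  cat >>"$1" <<'EOF'

Host home
    HostName 64.3.10.24
    Port 6111
    User USER
    # LocalForward 1024 127.0.0.1:5900 and DynamicForward 9999 could also
    # live here, so that "ssh -N home" brings the tunnels up as well.
EOF
}

# Ask ssh which port it would actually use for an alias, without
# connecting (-G prints the effective configuration; OpenSSH 6.8 or later).
effective_port() {
  ssh -G -F "$1" "$2" | awk '$1 == "port" { print $2 }'
}

# "sh home-alias.sh install" appends the stanza to your own config and
# tightens the permissions ssh expects; with no argument nothing is written.
if [ "${1:-}" = install ]; then
  cfg="$HOME/.ssh/config"
  mkdir -p "$HOME/.ssh"
  chmod 700 "$HOME/.ssh"
  write_home_stanza "$cfg"
  chmod 600 "$cfg"
  echo "ssh will use port $(effective_port "$cfg" home) for 'home'"
fi
```

After installing the stanza, ssh home, sftp home and svn checkout svn+ssh://home/path/to/svnrepository all connect through port 6111, because svn+ssh just executes ssh with the host name from the URL and speaks the svn protocol over its standard input and output; a quick ssh -G home | grep '^port ' shows the port ssh has resolved.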

  17. We use SSH tunnels with X forwarding to do graphical touchscreen point of sale. X11 is both a network protocol and a graphics protocol.

    The new devices from ThinLinx allow us to build vertical market solutions which can provide remote users with access to the software even if they don’t have computers. All the administration of apps & storage is centralized and costs go way down.

    We don’t even need VNC but NX really speeds things up.

    Gene Mosher | Apr 19, 2008

  18. Hi,

    please stop hotlinking images from my website, or at least credit me for it …

    vic | Apr 20, 2008

  19. @vic - link removed, my apologies

    Franklin | Apr 20, 2008

  20. Make sure to change “network.proxy.socks_remote_dns” to true in the about:config page for Firefox to prevent DNS leakage.

    stoops | Apr 21, 2008

  21. For Safari you may set up a socks proxy as described here:

    http://textsnippets.com/posts/show/1326

    Jack Willard | Apr 24, 2008

© Copyright Zaphu 2007. All rights reserved.