
Maui19

macrumors 6502
Original poster
Jul 16, 2007
251
52
I have a static IP address at my home that I use to manage some web sites. I need to be able to remotely access that static IP when I travel using my Macbook Air. I have looked into VPNs and tunneling, but am not sure which, if any, of these solutions would work. I am not a network guy, so I am struggling with some of the products and suggestions I have come across thus far.

Can someone point me in the right direction? Thx.
 

switon

macrumors 6502a
Sep 10, 2012
636
1
RE: vpn, vnc, ssh, ...

Hi Maui19,

I would suggest one of three possibilities, depending upon what you require for your connection to your home from the Internet.

1.) SSH (Secure Shell) allows you to log in to your home machine (assuming your router has been properly set up to relay the appropriate ports from the Internet (WAN side) to your home network (LAN side)). On your machine on the Internet, you would:

ssh yourloginname@homeIPaddress

where <yourloginname> is obviously your login account name and <homeIPaddress> is the static IP address that you refer to in your post. The beauty of using ssh is that the communications can be encrypted and thus more secure. This gives you a terminal (shell) interaction with your home machine from anywhere on the Internet.


2.) VNC (Virtual Network Computing), also known as Screen Sharing in the Apple world, requires a little more setup than SSH but allows you to Screen Share with your home computer from anywhere in the world. This is very useful for managing/administering your home computer from work or from the road. VNC viewers, including third party viewers, are available on all platforms including Windows, Linux, and Mac OS X. The built-in Screen Sharing app on the Mac is found in the directory:

/System/Library/CoreServices/Screen Sharing.app

3.) The VPN (Virtual Private Network) service is the most flexible of all, as it makes it look like your machine on the Internet is in fact hooked to your home network (LAN). Thus using VPN makes it appear as if you are sitting at home; you can use all of your home LAN's resources, such as backup disks, large file servers, printers, etc. For instance, you may wish to access some data/files that are stored on a RAID disk system mounted on your home computer; by using VPN you can access those data/files from the Internet.

I personally VPN from home to my work's LAN, and then use VNC to screen share with various machines at work, including Windows, Linux, and Mac OS machines. I also do the reverse, VPN from work to home, and then use VNC to screen share machines at home. I also mount my home RAID disks from anywhere on the Internet using VPN. Part of the advantage of VPN is that communications can be set up to be encrypted and thus more secure.

...just my two cents worth of suggestions, and the quality of which is directly proportional to what you pay for it...

Switon
 

esoupy

macrumors newbie
Nov 3, 2012
2
0
Will you have another system at home while away or is the MBA your only hardware? You will not be able to spoof your static IP while you are away.

If you had another system at home, you could be able to use something like logmein.com while away.

Or better yet, just let whoever is the network or sys admins know you are traveling. They may have a client based vpn solution for remote travelers.
 

Maui19

macrumors 6502
Original poster
Jul 16, 2007
251
52
Will you have another system at home while away or is the MBA your only hardware? You will not be able to spoof your static IP while you are away.

If you had another system at home, you could be able to use something like logmein.com while away.

Or better yet, just let whoever is the network or sys admins know you are traveling. They may have a client based vpn solution for remote travelers.

Yes I have a Mini as my business computer at home.

The only thing I need to accomplish is send files via FTP to a secure server that hosts my web sites. That server will only let me log in from a specific IP address, which is the static IP I have at home.
 

Maui19

macrumors 6502
Original poster
Jul 16, 2007
251
52
Switon,

Thanks for the great info. Unfortunately, I still can't determine if any of this will allow me to do what I need to do: send files via FTP that looks for my login info from a specific IP. I contacted one VPN vendor and asked if their software could do this, and they said no. So I don't really know where to go from here.
 

dazey

macrumors 6502
Dec 9, 2005
327
55
My recommendation would be to buy the OS X Server app and set up VPN. This will let you use your home network while travelling and your Air will appear to be coming from your home IP (you need to also tick 'send all traffic over VPN' on the client and set the VPN service as highest priority). Also set up screen sharing for the server; VPN services do sometimes need restarting, so it's useful to have another route to access the server.
 

jared_kipe

macrumors 68030
Dec 8, 2003
2,967
1
Seattle
Yes I have a Mini as my business computer at home.

The only thing I need to accomplish is send files via FTP to a secure server that hosts my web sites. That server will only let me log in from a specific IP address, which is the static IP I have at home.

That's some locked down FTP there.

How good are you at using command line for that sort of stuff? If you can do it, SSH will be the easiest option.

If not, VPN will be the best, just make sure you either 'Remote Desktop' to your home Mac or use the 'Send all traffic over VPN' option to make sure your FTP leaves your home IP address.
 

switon

macrumors 6502a
Sep 10, 2012
636
1
RE: vpn and ssh...

Switon,

Thanks for the great info. Unfortunately, I still can't determine if any of this will allow me to do what I need to do: send files via FTP that looks for my login info from a specific IP. I contacted one VPN vendor and asked if their software could do this, and they said no. So I don't really know where to go from here.

Hi Maui19,

I'm sorry, I guess I'm not understanding exactly what you need to do. It sounds like you wish to transfer files using FTP to your home Mac mini from only a specific Internet IP address. Is this so? If so, then I would still suggest using vpn or ssh (scp or sftp) for this. There are two places where you can block all other IP access, either on your router or on your Mac mini.

So, if you are wishing to log in to your home LAN from only a specific Internet IP address, then you can set this up either on your router or on your Mac mini. For example, you could set up your router to only forward the FTP port 21 to your Mac mini if it comes from a specific Internet IP address. For any other incoming IP address your router will block access. Or you could also write a firewall rule on your Mac mini to "deep six" all packets on port 21 excepting those from the specific Internet IP that you wish to use FTP from -- essentially using your Mac mini to block all access excepting for a specific IP address. Either of these is possible (assuming your router has the necessary capabilities).

If you are worried about security, I would use ssh and its sftp (secure ftp) that provides encryption and thus better security than simple ftp. You could then readily write pfutil firewall rules on your Mac mini to only allow ssh (and sftp) from certain specific IP addresses, if you wish to have even greater restriction than what is already provided by the strong authentication of VPN or SSH.

(...removed irrelevant personal details...)

Switon

P.S. The Mac OS X Server ($20 from Mac App Store) gives you an easily setup VPN service for your Mac mini. So, how this would work for you is: you setup the VPN service on your Mac mini running Mac OS X Server. You forward the ports required for VPN from your router to your Mac mini. When you are "on the road", you login to your home LAN using VPN. This requires strong authentication and provides strong encryption of all communications. You now administer your Mac mini and your web sites just as if you were at home, but you are doing so from the road. In other words, if you need to ftp something from your laptop to your Mac mini, then you can do so. Or if you need to administer your Mac mini using Screen Sharing, then this is also possible. All of this is done over the VPN tunnel and is transparent to you --- as far as you are concerned your "on the road" connection appears as if you are sitting at home doing whatever you would normally do when you are at home.
 

esoupy

macrumors newbie
Nov 3, 2012
2
0
If you have a mac mini at home and don't travel that often, I'd recommend trying out Logmein.com. It provides free remote access and you will not need to configure any port forwarding on your home router.

If your workflow is more complicated or plan to travel often, I'd recommend using the VPN solution.
 

switon

macrumors 6502a
Sep 10, 2012
636
1
RE: port forwarding...

... trying out Logmein.com. It provides free remote access and you will not need to configure any port forwarding on your home router.

Hi esoupy,

I just want to clarify one point...

When you say that you will not need to configure any port forwarding on your home router, does this not mean that you won't have to "manually" configure port forwarding, as obviously if your router forwards no ports to your Mac mini, then you potentially can't reach the Mac mini from the "outside" (the Internet). At least you can't reach it with a SYN packet (meaning you can't instigate a connection from the Internet, but this does not mean that you can't "continue" an already established connection). Does Logmein.com provide some app that automatically configures your router for you, or does the Logmein.com app continuously run some routine communicating with the Logmein.com site to keep open a return port (ACK) through which you have access from the "outside" by going through the Logmein.com web site itself? (Sorry for my ignorance, but I've never looked into how Logmein.com actually works its magic.)

By the way, when using Mac OS X Server on a Mac mini, the VPN, SSH, and VNC services automatically configure the necessary port forwardings on Apple's wireless routers for you, thus you do not need to perform this task manually, just as you don't need to do so when using Logmein.com.

Regards,
Switon
 

Maui19

macrumors 6502
Original poster
Jul 16, 2007
251
52
You forward the ports required for VPN from your router to your Mac mini. When you are "on the road", you login to your home LAN using VPN. This requires strong authentication and provides strong encryption of all communications. You now administer your Mac mini and your web sites just as if you were at home, but you are doing so from the road. In other words, if you need to ftp something from your laptop to your Mac mini, then you can do so. Or if you need to administer your Mac mini using Screen Sharing, then this is also possible. All of this is done over the VPN tunnel and is transparent to you --- as far as you are concerned your "on the road" connection appears as if you are sitting at home doing whatever you would normally do when you are at home.

Thanks again switon for your input. This is exactly what I need to do. I installed OS X Server on my Mini, but was unable to configure it properly. Screen sharing will do everything I need (I tested it on my LAN), but getting it configured will take some reading on my part. I need to get smarter about port forwarding. I also am running into a problem on my laptop with setting up a virtual interface in my Network Preferences. When I go to setup a VLAN, I can't complete the setup because I get no options in the pulldown menu, if that makes any sense.

Anyway, I am traveling now so no more fiddling with it until I return. Can you point me toward a good reference source to learn about this, perhaps a "VPN with Screen Sharing for Dummies?"
 

Parystec

macrumors member
Mar 30, 2011
62
27
UK
VNC on the move

I have assumed here that you are using an iPad. You would need to find your IP and the port number which is used to route that incoming connection to your computer. VNC Pocket Office pro on the iPad will do this for you. Hope that helps :)
 

benjalamelami

macrumors member
Jul 30, 2012
35
3
If what I understand is correct, your solution is very simple.

You want to upload from your mac mini server big files to an ftp that only receives files from your mac mini IP.

Right?

Log me in will spare you a lot of trouble or teamviewer. Hook up using either of them to your mac mini and use your mac mini to upload files.
 

jtara

macrumors 68020
Mar 23, 2009
2,008
536
If your web host requires that you use FTP, I would get a new web host. FTP is an insecure protocol that should never be used in any situation requiring security.

FTP transfers passwords in the clear. Anyone in a position to eavesdrop on the connection at any point along the way can read your password.

Your web host apparently erroneously thinks that limiting the IP address provides some security to an insecure protocol. They are protecting you only from an attacker that is knowledgeable enough and in a position to eavesdrop, but is not also knowledgeable enough and in a position to spoof your IP address...

It's false security, and if this is all they offer, I would take my business elsewhere.

Can't imagine why they don't support sftp. sftp, despite the name, is unrelated to FTP. It runs over an encrypted ssh connection.

If this really is a requirement, then, yes, you need a VPN or ssh tunneling. The latter is probably easier to set up. Either one will do the job.

A VPN can be set-up on your router without any need for your computer to be involved. Some commercial routers support this, in any case, you could install third-party firmware on your router to do this.

Otherwise, I think the ssh would be easier to set up. You would need to set up port forwarding on your router to direct ssh traffic to a computer that is always on. ssh is normally on port 22 - I would pick a non-standard port for a bit of additional security through obscurity.

This is pretty much the standard operating practice for network administration these days.

ssh will let you log-in to your home machine to a command-line prompt. You can also transfer files to your home machine using sftp (assuming you configure sftp), and you can also arrange routing. So, you could perform the insecure FTP that your host apparently requires through a secure protocol from your notebook to your home machine.

(It would, of course, continue to provide a woefully insecure connection for transferring files from your home to the web host.)

Unfortunately, I still can't determine if any of this will allow me to do what I need to do: send files via FTP that looks for my login info from a specific IP. I contacted one VPN vendor and asked if their software could do this, and they said no. So I don't really know where to go from here.

Scratch that vendor off the list, then. They have no idea what they are talking about. Of course, any VPN will let you do that. That's the whole idea of a VPN. Your remote computer appears on your local network within your local network IP address space. It is indistinguishable from any other machine on your local network. You would have outbound access through your home Internet connection just like any machine in your house.
 

ChristianVirtual

macrumors 601
May 10, 2010
4,122
282
日本
You could give "TeamViewer" a try ... Or if you are eager to learn a bit: pfSense is a nice router solution I use as allowing me IPSec-based VPN connection.

When you go the ssh way make sure to use a very strong password. I see lots of attempts in my logs to connect to my fixed IP.

Start with TeamViewer ...
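
The kind of log review mentioned in the post above, as an added example that is not part of the original thread: it counts failed SSH password attempts per source address and flags any source that was accepted after repeated failures. It assumes OpenSSH's usual syslog message wording; the function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. The log lines below are constructed, using documentation
# address ranges and made-up user names.

# $1 = log file, $2 = number of failures from one source after which a
# successful login from that same source is reported.
ssh_auth_summary() {
    awk -v min="$2" '
        # Source address = the word between the LAST "from" and "port", so a
        # user name that is literally "from" does not confuse the parse.
        function src(   i) {
            for (i = NF - 2; i > 0; i--)
                if ($i == "from" && $(i + 2) == "port") return $(i + 1)
            return ""
        }
        / sshd\[[0-9]+\]: Failed password for / { fails[src()]++; next }
        / sshd\[[0-9]+\]: Accepted / {
            ip = src()
            if (ip in fails && fails[ip] >= min)
                alerts = alerts "ALERT " ip " accepted after " fails[ip] " failures\n"
        }
        END {
            for (ip in fails) print "FAILED", fails[ip], ip
            printf "%s", alerts
        }
    ' "$1" | sort -k1,1 -k2,2nr
}

# Constructed sample: one source guesses four times and then gets in with a
# password; another source mistypes once and then logs in with a key.
sample_auth_log() {
    cat <<'EOF'
Jan 22 03:14:01 mini sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 22 03:14:03 mini sshd[4021]: Failed password for invalid user from from 203.0.113.7 port 40023 ssh2
Jan 22 03:14:05 mini sshd[4023]: Failed password for root from 203.0.113.7 port 40024 ssh2
Jan 22 03:14:09 mini sshd[4025]: Failed password for alice from 203.0.113.7 port 40025 ssh2
Jan 22 03:14:12 mini sshd[4027]: Accepted password for alice from 203.0.113.7 port 40026 ssh2
Jan 22 08:30:00 mini sshd[4100]: Failed password for alice from 198.51.100.20 port 50110 ssh2
Jan 22 08:30:10 mini sshd[4100]: Accepted publickey for alice from 198.51.100.20 port 50111 ssh2
EOF
}

log=$(mktemp)
sample_auth_log > "$log"
ssh_auth_summary "$log" 3
rm -f "$log"
```

An ALERT line means a password was eventually accepted from a guessing source, which is the case to investigate first.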
 

switon

macrumors 6502a
Sep 10, 2012
636
1
RE: VPN and Screen Sharing...

Can you point me toward a good reference source to learn about this, perhaps a "VPN with Screen Sharing for Dummies?"

Hi Maui19,

As jtara indicates, some routers have their own VPN service available, so you might look into using whatever router you have to see if you can setup VPN with it. While my router does do VPN, I don't use it but rather setup VPN on my server (I like the better control and logging of the server versus the router).

If you are using Mac OS X Server, the VPN service is relatively easy to setup and it saves a Configuration Profile that your client can use for easy setup of the client. Personally, I would choose L2TP VPN (more secure). I also choose my own Shared Secret instead of using the automatically generated one, just so that I can remember it and thus use it to VPN in from any machine, even ones for which I don't have access to my Configuration Profile file. Select an IP address range for your VPN clients that does not "step on" the IP addresses that you use for your machines on your LAN. Make sure the DNS servers are correct. I would setup your own caching DNS server first of all to give your local machines reasonable hostnames. If you are using Open Directory, make sure you set that up too. Then start the VPN service and save the configuration file for your client. Personally, I use 10.6.8 Server for VPN instead of 10.8.2 Server, mostly because 10.6.8 has a better GUI to serveradmin; I find that under 10.8.2 Server I use the commandline serveradmin command a fair amount for chores that are available in the ServerAdmin GUI under 10.6.8. If you don't use the Configuration Profile file, then it is still fairly simple to setup the client using the Add "+" button in the Network System Preference pane. Select VPN and enter your home's DNS name (if you have one) or its IP address along with the Shared Secret, etc.

To use Screen Sharing, the app is in the /System/Library/CoreServices/ directory. I drag this Screen Sharing.app to my Dock in order to have it readily available. On your home's server, or any machine that you wish to Screen Share with, first switch on the Remote Management and Remote Login (but not the Screen Sharing) by checking the On buttons in the Sharing pane of System Preferences. I would setup the "Allow access for: Only these users:" and add yourself; give yourself all of the options for Remote Management (Observe, Control, etc.) by checking every box available in the "Options..." button. If you are using VNC from Windows or Linux, then you might want to setup the "Computer Settings..." "VNC viewers may control screen with password:" setting, but this is a security risk. Close the Sharing pane when finished with your setup. On your client computer, click on the Screen Sharing.app and enter the hostname/IP address of the machine, say your home's server, that you wish to Screen Share with. Enter your password, and voila, a window opens showing your server's display. That's all there is to it. From "outside", i.e., the Internet, you should first VPN into your home's LAN and then use Screen Sharing to connect to your home's server's display. This keeps everything encrypted and secure.

Good luck,
Switon

P.S. I see that a number of others have suggested third party solutions to VPN and SSH. I don't have much experience with these, so I won't comment on them, but the setup of VPN and SSH is already fairly straightforward using Mac OS X Server. If you are using an Airport Extreme as your router, the VPN and SSH setup also automatically opens the appropriate ports on your router. If this does not happen, it is a simple matter to port forward the appropriate ports for both VPN and SSH. And, as I see jtara does also, I too setup my SSH to use a non-standard port (the standard SSH port 22 will get "hit on" by those hackers attempting to guess your usernames/passwords) that eliminates the username/password guessers. [Never use simple/common/default/personal information/none passwords, as these will likely get you into trouble.]

One further hint concerning security and unsecured machines: If you find yourself in the position of needing to VPN into your home LAN from a machine that is not yours (say public or from your customer's company), then I would use a "throw-away" account. By this I mean that before going to my customer's company or using a public computer, say at a university, I first set up a dummy account on my server. I give this dummy account the ability to VPN in, and I use a strong password for it (do not use a Guest account or one without a password - frankly, you should disable your Guest accounts). When I need to VPN from an insecure machine (say one that might be keystroke recording), I use this dummy account. I use it for a single VPN session, and then I delete the account afterwards. I also check my log files to make certain that the dummy account only VPNed in a single time. This way I am more protected when using VPN from a potentially insecure machine -- if a keystroke recorder sent my login and password somewhere else to a hacker, it doesn't matter since the account has been deleted. You can also check your logs to see if some hacker attempted to VPN in using the dummy account (which no longer exists since you deleted it).
 

960design

macrumors 68040
Apr 17, 2012
3,691
1,548
Destin, FL
I agree with all the above and recommend Teamviewer as probably the best place to start. Free for personal use, cost if used commercially.

I have a personal, headless web/mail/file server at home, I can access it via teamviewer from anywhere in the world.

There are many, many ways to accomplish what you are looking to do.
 

Soverc

macrumors member
Oct 7, 2005
55
1
Ssh

If you have access to the remote machine, can you change SSH to allow for being key based? So now you need no password and you can allow all in the sshd_config, but restrict it to shared key.

Use scp for copying files not FTP.

One other option is ssh tunnel, little tricky to get going but will do the job.

The remote gui tools sound like overkill here.
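
A check for the key-only sshd_config setup suggested in the post above, as an added example that is not part of the original thread: it reports the value sshd actually uses for each authentication keyword, which matters because the first value in the file wins. The function names and sample configurations are constructed, and the defaults passed in are assumed to be upstream OpenSSH's (vendor builds may differ).

```shell
#!/bin/sh
# Added example. Sample configurations below are constructed.

# Print the value sshd would use globally for keyword $2 in file $1, or the
# built-in default $3. Rules applied: keywords are case-insensitive, the first
# value obtained wins, and lines after a "Match" line are conditional.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            # deprecated alias still found in older configurations
            if (key == "challengeresponseauthentication")
                key = "kbdinteractiveauthentication"
            if (key == "match") exit         # end of the global section
            if (key == want) { print val; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# One WARN line per global setting that still allows password guessing or
# disables key login; no output for a key-only configuration. Match blocks
# are not evaluated here and need a separate look.
audit_sshd() {
    for kw in PasswordAuthentication KbdInteractiveAuthentication; do
        v=$(sshd_effective "$1" "$kw" yes)
        [ "$v" = "no" ] || echo "WARN $kw is '$v': passwords can still be guessed"
    done
    v=$(sshd_effective "$1" PubkeyAuthentication yes)
    [ "$v" = "yes" ] || echo "WARN PubkeyAuthentication is '$v': key login disabled"
    v=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    [ "$v" = "yes" ] && echo "WARN PermitRootLogin is 'yes': root accepts passwords"
    return 0
}

# Constructed sample 1: looks hardened, but the earlier lower-case line wins,
# so the later "PasswordAuthentication no" never takes effect.
sample_shadowed() {
    cat <<'EOF'
# constructed example, not a real host configuration
Port 2222
passwordauthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Constructed sample 2: key-only in the global section; the setting inside
# the Match block must not be reported as the global value.
sample_key_only() {
    cat <<'EOF'
Port=2222
PasswordAuthentication no
KbdInteractiveAuthentication no
Match Address 192.0.2.10
    PermitRootLogin yes
EOF
}

cfg=$(mktemp)
sample_shadowed > "$cfg"
audit_sshd "$cfg"
rm -f "$cfg"
```

On a live host, `sshd -T` run as root prints the configuration sshd itself computes and is the authoritative check.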
 

CiscoGuy

macrumors newbie
Jan 22, 2013
1
0
Get a Cisco ASA 5505 and set up an SSL tunnel. This is how we access Cisco enterprise datacenters and it's pretty much like being on the LAN. There are plenty of youtube clips of how to configure it.

How it works is that you configure the ASA with an external fixed IP address and connect to it externally via external IP address. After authenticating with the Cisco connection client, that you really download from the ASA itself, you can ping IP addresses that previously were only reachable from the inside, meaning that you in effect now are on the LAN and can reach private address spaces such as 10.0.0.0, 172.16.0.0 and 192.168.0.1. From here you can do anything as described in the above thread.

You may however have to run your main router in bridgemode, which can present a whole new set of issues.
 

BeanieMan

macrumors regular
Feb 18, 2010
135
107
I know this thread is way old, but....

maybe set up sshuttle on (just) the laptop (which requires ssh and python on both your laptop and the mini, I think) then on the laptop do this in terminal:

./sshuttle --dns -r username@ipaddress 0/0

Then all of your internet traffic will go through the mac mini, and you should be able to FTP to the secure server, because all your internet traffic actually is going to it from your static IP (via the mac mini). That's my theory, anyway...

This is how I got around the great china firewall when I was in shanghai a short time ago. To China, all my internet was coming from some IP they didn't know and weren't blocking. To the rest of the internet, I was surfing from some server in the US, so they didn't redirect me to their localized non-US sites.

https://github.com/apenwarr/sshuttle
 