
flalaw

I'm thinking about using remote desktop to access my parents' mac so I can update their software and help them w/ any problems they might be having. We won't be on the same local network. Is it possible for me to access the remote computer via the internet from my house?
 
If you're actually using the Apple Remote Desktop service for this, the default ports are 3283 and 5900. You'll need to forward those ports through their router to their Mac's IP address.
 
how would I go about setting that up? :confused: sorry, I hardly do any networking stuff.
 
What router do they have? You're going to need to get into its control panel (if it's a Linksys, for example, you typically do this by going to http://192.168.1.1 in the browser of a computer on the network and then selecting Applications & Gaming). You're looking for something called Port Forwarding. You'll then make two entries, one for each port you want to forward (if it asks, you need to forward them for both protocols, UDP and TCP). You'll specify the port number and the IP address of the computer on the network you want it to go to. This allows traffic coming from the outside -- like your VNC remote desktop request -- to pass through their router and be directed to the right computer.
 
Great. Thanks for the clear explanation. So when I want to log in using ARD do I just type in my parents' computer's IP address?
 
Not their computer's address, no. Think about it: their computer has something like a 192.168.1.100 IP address, right? And that's assigned by the router. The rest of the world doesn't know about that address, because 192.168.x.x is part of private address space; meaning it can only be used on small-scale networks not visible to the whole world. What you need to do from a remote location is to type in their public IP address (the router's IP address it gets from the modem). You can get that by checking the router or by visiting whatismyip.com from inside their network.
 
gotcha. much appreciated! :D it'll be so much easier doing the tech support now
 
If you want a free solution, you can use VNC instead of Apple Remote Desktop. ARD is $299 if you don't steal it. VNC is free. Just do a Google search for OS X VNC and it will give you a download for Chicken of the VNC. On your parents' computer, go to the Sharing system preference and check the checkbox next to Apple Remote Desktop if it's not already checked. Then click on Access Privileges and about 2/3 of the way down on the left is a check box for VNC viewers. VNC uses port 5900 just like ARD. It works the same way: you put in your parents' external IP address. You can set up a password on your parents' computer as well so not just anyone can connect to it. It's pretty simple. I use it every day at work for the businesses we support. Also, VNC is platform independent, so a PC can take control of a Mac, or vice versa. There's also a Unix and Linux version as well. So any platform can take control of any other platform, which is really nice.
 
Following up on the above:

First, I'd have your parents (or you on their system) go to someone like DynDNS and get a free dynamic IP address.

You'll need to be sure to update their server when your parents' IP changes (takes 5 seconds, and there's software to do it for you). This will give you an address to use (like myparentsmac.homeip.net or whatever).

Then see here.

Basically, enable Apple Remote Desktop in System Preferences...->Sharing on the other Mac, download and install Chicken of the VNC on yours, make sure the routers are set up with the proper forwarding, and you'll be fine.

I remotely control my parents' Mac (and PC) using CotVNC. No issues, other than slowness.

Note: unlike what the guide says, you won't need to install a VNC server. Tiger (OS X 10.4) has one built in, accessible via System Preferences...->Sharing->Apple Remote Desktop.

This post might also help.
 
VNC with 2 computers on the same DSL?

I'm trying to set up two VNC servers on one network, both hooked up to the same DSL connection via Airport Extreme. Both machines already have permanent IP addresses.

One is a Powerbook G4 that has been working fine as a server for a while now. Other people can successfully access that computer from remote locations via the Internet.

The second is an iMac G4, which is always on here at my office. I want to be able to access that iMac from home (using the same Powerbook).

Both computers can successfully connect to each other over our office LAN, using Chicken of the VNC and VineServer. I’ve also tried the built-in VNC server in OS 10.4. All fine.

But I can’t get my Powerbook to connect to the iMac over the Internet. Just within the LAN.

I thought it must have something to do with port mapping on the Airport Extreme router. But I’m not sure how to set up port mapping when I want two different computers to work as servers on the same DSL connection.

I hope somebody knows the answer, or can direct me to a good resource.

Thanks!
 
Port forwarding to two identical ports / different destinations on the same DSL connection? Not possible.

Get a router which has VPN + DynDNS capability (assuming you have a dynamically assigned Internet address for your office router) and use them together - they'll be a little more expensive, but not prohibitively so. Having a quick look around, the Netgear FVG318 is such a router and is available for around $120. Alternatively using Linux and either a redundant PC or the right Linksys WRT54, you should be able to roll your own low-cost VPN server.

Dialling in via VPN makes you, the remote user, a part of the local network. Then from there all you have to do is to type in the internal IP addresses of any machine you want to control. It's also more secure. VNC has had a number of security issues to date as far as I know so it's a good idea not to directly expose it to the Internets.
 
Irritatingly, the built-in VNC server doesn't let you change the port to 590x via the GUI, but it probably does underneath.

I VNC into both of my parents' computers - the Mac on 5900, and the PC on 5901. If anyone knows how to change the built-in VNC server's port, this would work for you too.
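
As an added example (not part of any post in this thread): a small Python audit of a router's port-forwarding table that flags the two-servers-on-one-port conflict discussed above and the direct exposure of the remote-desktop ports. The LAN addresses are constructed, and the fixed plan assumes a router that can map an external port to a different internal port.

```python
import ipaddress
from collections import defaultdict

# Ports named in the thread; everything else here is constructed for illustration.
REMOTE_DESKTOP_PORTS = {3283: "Apple Remote Desktop", 5900: "VNC / ARD screen sharing"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_forwards(rules):
    """Audit (proto, external_port, internal_ip, internal_port) forwarding rules.

    Returns a list of (severity, message) tuples, severity "error" or "warn".
    """
    findings = []
    targets = defaultdict(set)  # (proto, external_port) -> {(ip, port), ...}
    for proto, ext, ip, port in rules:
        proto = proto.lower()
        if proto not in ("tcp", "udp") or not all(1 <= p <= 65535 for p in (ext, port)):
            findings.append(("error", f"{proto}/{ext}: invalid protocol or port"))
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in RFC1918):
            findings.append(("error", f"{proto}/{ext}: target {ip} is not a private LAN address"))
        targets[(proto, ext)].add((ip, port))
        if port in REMOTE_DESKTOP_PORTS:
            findings.append(("warn", f"{proto}/{ext} exposes {REMOTE_DESKTOP_PORTS[port]} "
                                     f"on {ip} to the Internet; a VPN or SSH tunnel avoids this"))
    for (proto, ext), dests in sorted(targets.items()):
        if len(dests) > 1:
            hosts = ", ".join(sorted(ip for ip, _ in dests))
            findings.append(("error", f"{proto}/{ext} is forwarded to {hosts}; "
                                      "one external port can reach only one host"))
    return findings


def errors(rules):
    """Return only the error messages for a rule set."""
    return [msg for sev, msg in audit_forwards(rules) if sev == "error"]


# Constructed office LAN: two Macs that both run a VNC server on port 5900.
POWERBOOK, IMAC = "192.168.1.10", "192.168.1.11"
CONFLICTING = [("tcp", 5900, POWERBOOK, 5900), ("tcp", 5900, IMAC, 5900)]
# Fix: give the second Mac its own external port, mapped to its internal 5900.
DISTINCT = [("tcp", 5900, POWERBOOK, 5900), ("tcp", 5901, IMAC, 5900)]

if __name__ == "__main__":
    for name, plan in (("conflicting", CONFLICTING), ("distinct", DISTINCT)):
        print(name)
        for sev, msg in audit_forwards(plan):
            print(f"  [{sev}] {msg}")
```

The distinct plan clears the conflict error but still produces the exposure warnings, which is the case the VPN suggestion in this thread addresses.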
 
Mac OS X Client also comes with a VPN server; PPTP and L2TP/IPsec VPNs are supported without needing to download or install any additional software.

I would go with PPTP, just because finding a SOHO router that properly handles IPsec ISAKMP NAT traversal is a pain. Many routers that advertise "IPsec forwarding" choke on this.
 
OS X Client does? I wasn't aware of that. I thought it was an OS X Server feature. How do you set it up on the client?
Applications->Internet Connect->VPN tab. :)

Edit: oh, wait, you want a server, right? I think the OS X (non server) has but the client.
 
Mac OS X Client comes with all you need to get a VPN server running, it just lacks a pretty GUI to configure it and has almost no documentation.

Part of the difficulty in setting up the vpn server is that it processes arguments stored in a plist file whose schema is undocumented.

When I have a little more free time (i.e. after work today), I'll post a more detailed write-up on how to get a VPN server working on Mac OS X Client such that you can dial in via PPTP or L2TP/IPsec.
 
Easiest VPN method I would think would be to set up a m0n0wall then use IPSecuritas to log in via IPsec.
 
Here is some info from Mac OSX hints on how to configure a secure L2TP VPN

http://www.macosxhints.com/article.php?story=20060616150640529

Note that it does say untested at the bottom

That's very interesting. I must give that a try sometime, could come in handy. It seems strange that no-one would come out with a 'pretty GUI' for it given the nature of OS X.

I suppose in relation to the original question it depends on how much hassle you want to go through to save a hundred bucks :D
 
Just to further the cause in derailing the thread...

I used that hint when I was setting my iMac G3 up as a server, though I modified it to accommodate two servers. I didn't/don't have an install of Mac OS X Server at home, but after this, plus tweaking various settings in the default install of the web server, etc, I've come across with a stable and usable server. It's worked through each and every minor point update (I think I implemented it in 10.4.4 or so), but I've had to reauthorize the keychain a couple times, IIRC.

The instructions work as stated, but if you're allotting time for the project you may wish to add a few minutes for testing purposes.

EDIT: After rereading my post, I forgot to mention that Apple's implementation of IPSec is somewhat... odd. My router's firewall wasn't happy with my trying to connect from outside, and so I created two servers -- PPTP and L2TP.
 
I found this some months ago and Gmailed it to myself. Props to the original author - whoever you are...

This hint describes how to use Apple Remote Desktop (ARD) to connect to a Mac that is behind a residential gateway, or more generally, behind any device that is performing NAT or dropping the necessary TCP ports. The short version of this hint is this:

1. Have the target user ssh to you, with a remote port forward that connects an arbitrary TCP port (e.g. 5800) on your machine to port 5900 on their machine. Email the command line entry to the user, since they probably aren't ssh-savvy if you're trying to ARD to them in the first place.
2. Use ipfw to rewrite packets for 127.0.0.1:5800 to go to 127.0.0.1:5900.
3. In ARD, create a machine manually by address, and specify 127.0.0.1
4. (Optional) I actually created a secondary address on my lo0 (127.0.0.2), and had ipfw look for 127.0.0.2:5900 to rewrite to 127.0.0.1:5800 . This means that I can be set up to reach more than one remote client at a time, without having to reconfigure anything.

Read on for a more detailed walkthrough...

Here's the longer version: I recently bought a 10-client copy of ARD for, among other things, helping my little brother and my mother with their Macs (VNC lacks some key features, discussed below). ARD has no direct support for connecting or listening on non-standard TCP ports, so there is no straightforward way to connect to a machine that is behind a residential gateway (NAT) or a firewall.

You are probably already familiar with SSH port forwarding; if not, you'll have to read up on that elsewhere. Normally you pick an arbitrary port on your local computer, and configure ssh to create a proxy connection to the normal port on the destination computer. Then you configure your application to connect to localhost on the arbitrary port.

In this case, ARD will not let you specify a non-standard port. So, if you try to ARD to 127.0.0.1, you'll just end up connecting to yourself. Also, ARD client seems to *always* be running, even if you disable it in the Sharing System Preferences panel. As such, I was unable to simply forward port 5900 directly; ssh always fails to bind to that port because it's in use.

The solution:

1. Configure ipfw to rewrite packets destined to 127.0.0.1 port 5900 (the standard ARD TCP port) to 127.0.0.1 port 5800 (the arbitrary port your destination user will be forwarding to himself). In Terminal, run this command: sudo ipfw add 00099 fwd 127.0.0.1,5800 tcp from me to 127.0.0.1 dst-port 5900
2. Tell the remote machine to ssh to you, and forward the remote arbitrary port to themselves on port 5900. They presumably have no idea how to do this, so you should just email them an entire ssh command line, and ask them to paste it into Terminal, like this:

ssh ip_num -l username -R 5800:127.0.0.1:5900

Note that ip_num is your IP address or domain name, and username is an account on your machine. I have a non-administrator account on my machine that I use when I need someone else to connect to me. Don't use localhost, as Mac OS X likes to resolve that to an IPv6 address, and SSH will end up proxying an IPv4 port forward into an IPv6 session, which probably won't work.
3. Configure a new machine in ARD with address 127.0.0.1, and your remote user's username and password.

Now ipfw will intercept these packets before your local ARD captures them, and send them down the arbitrary port, and thus the ssh tunnel, which will proxy the TCP session to one at the local end going to the correct ARD port.

There are two optional spins that I'm actually using with this:

1. As described, this trick will only let you connect to one host -- ARD will not let you configure multiple machines with the same address. You can trick it into it doing so, but even so, you'd only be able to have one connection at a time. So, I actually add secondary addresses to my loopback interface, like 127.0.0.2, 127.0.0.3, etc., and I configure ipfw to look for those, and re-write them to different TCP ports. Then I have the remote users use different TCP ports. Since I connect to them regularly, I actually set up .ssh/config files for them, so they only need to type ssh me.mydomain.com. The command to add the secondary IP address is:

sudo ifconfig lo0 alias 127.0.0.2/32

And the modified ipfw command to make use of it is (note that this syntax looks backwards, but it's not; ipfw is just weird):

sudo ipfw add 00099 fwd 127.0.0.1,5800 tcp from me to 127.0.0.2 dst-port 5900

2. The secondary addresses and ipfw stuff is certainly tedious to set up, so I have scripts in /System -> Library -> StartupItems which make it all happen automagically at boot time. Between that and having set up their .ssh/config files to use the right port forward and username, all I have to do when they want my help is tell them to type ssh domain in Terminal, and then I fire up ARD.

Why not VNC? Is anybody even still reading? You probably already know that this is all much easier using VNC, which is built into OS X. No tricky packet rewriting necessary; the clients all let you specify the port. Well, ARD version 3 has some key features that I can't seem to find in any VNC clients:

1. I can't find any VNC clients that can connect to the built-in OS X VNC server using 8-bit color. 16-bit is the minimum, so it makes for a slower connection. If your remote user has Dock magnification and/or hiding turned on, you're looking at minutes just to click on a Dock icon. ARD allows 8-bit greyscale, and even 1-bit black & white. Yes you can turn off their Dock effects, but that takes time, and is a little rude, and this is faster for everything else too, not just that.
2. ARD will scale the remote screen to your screen or window if it is smaller. It will also auto-scroll if you need to turn off scaling because things are too small.
3. ARD has excellent support for the remote machine having two monitors. It will actually show you both displays at once (scaled or scrolled), or you can pick which one you want to see.

Note that ARD 3 is very expensive; it retails for $250, I think. If you're eligible for academic pricing, I think you can get it for $150. I found a factory-sealed 10-client version on eBay for under $130, which is fairly common.
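
The multi-client variant of the hint above, as an added Python example that is not part of the quoted hint or of any post here: it assigns each remote user a distinct loopback alias and tunnel port and builds the matching command lines, using the ifconfig, ipfw and ssh syntax shown in the hint. The client names and the `helper` account are hypothetical; `me.mydomain.com` is the hint's own placeholder host.

```python
import ipaddress
import re

ARD_PORT = 5900  # ARD always connects to this port (per the hint above)
SAFE = re.compile(r"[A-Za-z0-9._-]+")  # characters allowed in an emailed command


def tunnel_plan(clients, helper_host, helper_user, first_port=5800):
    """Give each remote client its own loopback alias and tunnel port.

    helper_host / helper_user: the machine and non-admin account the clients
    ssh into (hypothetical values supplied by the caller).
    Returns {client: {"alias", "port", "helper_cmds", "client_cmd"}}.
    """
    for value in (helper_host, helper_user):
        # The command is pasted into Terminal by a non-expert, so refuse
        # anything a shell could interpret; the hint also warns off "localhost".
        if not SAFE.fullmatch(value) or value == "localhost":
            raise ValueError(f"refusing to build a command from {value!r}")
    names = sorted(set(clients))
    if len(names) > 250:
        raise ValueError("more clients than 127.0.0.x aliases in this scheme")
    plan, port = {}, first_port
    for n, name in enumerate(names):
        if port == ARD_PORT:  # the local ARD client already holds 5900
            port += 1
        if not 1024 <= port <= 65535:
            raise ValueError(f"tunnel port {port} out of range")
        alias = ipaddress.ip_address("127.0.0.2") + n
        plan[name] = {
            "alias": str(alias),
            "port": port,
            "helper_cmds": [
                f"sudo ifconfig lo0 alias {alias}/32",
                # Rule number 00099 and the fwd syntax are taken from the hint.
                f"sudo ipfw add 00099 fwd 127.0.0.1,{port} "
                f"tcp from me to {alias} dst-port {ARD_PORT}",
            ],
            "client_cmd": f"ssh {helper_host} -l {helper_user} "
                          f"-R {port}:127.0.0.1:{ARD_PORT}",
        }
        port += 1
    return plan


if __name__ == "__main__":
    # Constructed client names; me.mydomain.com is the hint's placeholder host.
    for name, entry in tunnel_plan(["mom", "brother"], "me.mydomain.com", "helper").items():
        print(name, entry["alias"], entry["port"])
        print("  email to client:", entry["client_cmd"])
        for cmd in entry["helper_cmds"]:
            print("  run locally:   ", cmd)
```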
 
Start with the 3rd link in my post above - uses COTVNC so it's free and the guy in the post is trying to do EXACTLY what you want to do - and he gives explicit instructions.
 