At the beginning of the year, the IT world was taken hostage by the shareholders of LogMeIn. Their free product, which had been free for ten years, all of the sudden became a "pay" product. Now, I am the first person who will say that software makers have a right to charge whatever they choose; however, the one week countdown was enough to make me never trust them again. They knew that people had built business processes around their software, and many people would be forced to buy a license if they weren't given enough time to consider other options. That's the road they chose, and I took the path less traveled.
The LogMeIn solution is a fantastic product, and if you have a requirement to log in to machines on a day-to-day basis, it might be worth the investment. But, for the rest of us - especially the occasional user who only logs into a given machine three times per year - $99 / year just isn't worth the convenience. To me, the math didn't add up. I have around 20 computers that I log into once or twice a year. That's a $2,000 - unwarranted - expense.
So, I began the search for alternatives. A simple Google search doesn't reveal any secrets. You see links for Teamviewer and a few other remote desktop style products, but nothing that can replace LogMeIn with free, open-source software. So: challenge accepted.
The main components of LMI
The LMI product has five parts to it: firewall traversal, access to dynamic IP address spaces, an encrypted connection, remote control, and remote file transfer. The service does have a few more bells and whistles like remote WOL (Wake on LAN) and updates monitoring, but if you need enterprise features, cough up the $99 bucks and pay the piper. If you're just looking to replace the free product, keep reading.
Firewall Traversal & Dynamic IPs
Nearly everyone knows about port forwarding. If you want to access windows remote desktop on a remote computer on a remote network, you need to forward port 3389 to that computer's LAN IP address. It's easily done, but requires two things that make simple port forwarding a bad choice for a LogMeIn replacement. First, you either need a static IP address or a Dynamic DNS client in order to "find" the remote computer on the vast expanse of the internet and then you need to properly configure the router. With thousands of routers to choose from and clients who never know their router's user / pass, this isn't an easy process.
However, the only thing required to win here is basic networking and firewall knowledge. All routers and firewalls, from home routers to enterprise, utilize NAT routing tables. These are (effectively) lists of what network resources have made outbound requests to the internet, and where the replies to those requests should be delivered when they reach the WAN side of your router. For example, when your computer makes a request to http://www.experts-exchange.com
, the router on your network remembers that "the computer at 192.168.1.100 sent a request to www.experts-exchange.com
, so when I get a reply from www.experts-exchange.com
, I need to route it back to 192.168.1.100". So, our free solution must be a program that runs on the client computer (just like LogMeIn) that initiates a sustained connection to a server we control. This kills two birds with one stone: it traverses the firewall and it helps us discover where the computer is on the internet.
An Encrypted Connection
LogMeIn uses some strong encryption: ECDHE AES-256 SHA1 to be exact. Without going into detail of what that means, we can say: it's strong. Real strong. We need something equally strong or close to it.
Remote Control & Remote File Transfer
This is probably the easiest to figure out: there are a number of solutions that afford you remote control of a Windows computer, Mac, or Linux computer. Some are cross platform, some are not. Here, you get to pick your poison, but I have a specific program stack that will work with all three.
A Two-Part Solution
Now that we understand the requirements, we can find open source, free software that will fit the bill. The first three requirements (Firewall Traversal, Access to Dynamic IP addresses, and Encryption) can be easily satisfied with tinc VPN. Tinc VPN is a great, free, open-source VPN solution that allows you to make point-to-point VPN connections that can assume many different configurations: mesh, hub-and-spoke, and gateway (just like Hamachi
). For our purposes, we are going to setup a hub-and-spoke network.
On a server you have control over, and which has either a public static IP (preferred) or working Dynamic DNS, setup a tinc node that will be used as the centralized node. For example, our setup for the business is located at web-services.highpoweredhe
lp.com. Now, for each computer that you need remote access to, setup tinc on those machines as well. (For detailed, technical information on how to use Tinc in this setup, see this article
Now we have a hub-and-spoke encrypted VPN network that connects all the machines we need to manage, which satisfies requirements 1, 2, and 3.
Next, choose your remote client. For Windows, use UltraVNC - the open source VNC solution that is a counterpart to TeamViewer (and maintained by many of the TeamViewer developers). UltraVNC is an ideal client because you can script the installation to setup the UVNC service with pre-chosen passwords for access, as well as other settings. It also has powerful file transfer features as well as other management features like being able to disable the mouse and keyboard so the person you're helping can't battle with you for control. You can also blank the monitor if you prefer to work without clients watching what you're doing.
The Secret Sauce
Setting up Tinc VPN on Windows and then setting up UltraVNC can be time consuming and tedious, which is why I am sharing with you all the script that makes it all possible to setup in just a few minutes. The script, sample files, and readme are all hosted on Github: https://github.com/DrDamnit/BYOLMI
. It downloads the required files, installs tinc and UltraVNC, installs VPN network adapters, and even allows the VPN firewall in the Windows Firewall.
These scripts pre-suppose you have already:
1. Setup a primary tinc node See: Setting Up a VPN with Tinc VPN Software
2. Have a basic understanding of RSA Encryption See: RSA Encryption and Authentication Primer
3. A publicly accessible URL where you can safely store your zip packages that contain your custom setup INI files (for UltraVNC) and your VPN configuration directory skeleton (and public RSA key) for tinc. You can use a webserver (as I have done) or a public Dropbox folder. Anything that is HTTP accessible will work just fine.
Preparing Your Keys and Settings
The installation script relies on being able to download pre-configured zip files that contain directory skeletons and configuration files for both tinc and UltraVNC. The three zip files the script will attempt download and use:
which contains the tinc executables and an initial directory.
which contains the skeleton structure for your VPN service (named webservices
which contains the UltraVNC installable with the pre-configured ini file for silent installation as well as pre-configured remote management settings.
The UltraVNC settings that come from this repo DO NOT contain a password. Instead, the passwd and passwd2 values are set to [CHANGEME]. This value needs to be replaced with the encrypted version of the password you want to use to connect to UVNC. To get the encrypted password, you'll need to setup / install UltraVNC on a workstation and set the password to what you want, then look at the UltraVNC.ini settings file to get the encrypted password. Copy this value into uvnc-webservices\UltraVNC.
ini for the values of passwd and passwd. (It should look like:
Once you're done setting the password, zip the three files (excluding the subdirectory they are in) to uvnc-webservices.zip and post on a publically accessible webserver (DropBox public file or a web server) to be downloaded by the setup script later.
Configure tinc with your public RSA key for your primary tinc node.
Your primary node, which you created when you went through this tutorial,
, should have three directives: Compression, Subnet, and Address followed by a public RSA key, and should be saved as "webservices". This file should be stored in this folder structure: webservices\hosts\webservices
under the tinc directory in Program Files. Note:
the final "webservices" in this path is a text file without an extension. A sample of this zip file is included in the repo.
tinc.conf (stored in webservices\tinc.conf) can remain as it is listed in the repo.
Zip this structure up in a zip file called webservices.zip, and store on a publically accessible URL. (A sample webservices.zip is included in this repo).
Setup the Environment.
1. Set cscript as the default vbs script interpreter: From the command line:
cscript //h:csccript //s
2. Create a directory: **C:\Util**, and copy all three *.vbs* scripts into that directory.
3. Add C:\Util to the path of your system (we need access to utils that are in there!)
4. Run the utils in the following order:
get-coreutils.vbs (Downloads GNU Core Utils so you can have access to wget and unzip for downloads)
getputty.vbs (Downloads PuTTY and pscp so we can copy the encryption keys to the server)
setup-web-services.vbs (Downloads and installs your pre-configured tinc and uvnc software)
How Installation Works (setup-webservices.vbs)
1. First, we download tinc.zip, and extract it to %PROGRAMFILES%\tinc.
2. Next, we download webservices.zip and extract it to %PROGRAMFILES%\tinc\webser
3. The script then prompts you for a unique name for this computer and the network, and what IP address you would like to use for the local computer on the VPN network.
4. The Name and IP address are written to tinc.conf
5. The same name and IP address are also recorded in %PROGRAMFILES%\tinc\webser
s\name, where "name" is the network name that you entered at the prompt.
6. tincd.exe is called to generate your private keys for this computer. When prompted to "Please enter a file to save private RSA key to", accept the default by pressing enter.
7. Next, you should be prompted to save the public key for this computer. The application should give you the full path as %PROGRAMFILES%\tinc\webser
s\name, where "name" is the name you entered when prompted. If you do not see this full and complete (and accurate) path, then you have not set something up correctly. Otherwise, just press enter.
8. Next, the script will call pscp to securely copy the public key for the local computer to the primary tinc node (/etc/tinc/webservices/hos
ts/name, where "name" is the name you entered into the script above.) Enter your password to allow it to copy. Note:
You'll likely need to use the root
user on the system so you can have write access to the /etc/tinc/ directory.
9. Next, the script will install the OpenVPN virtual network adapter for you. It will try to determine if you are running the 64-bit version of an operating system or the 32-bit version, and install the corresponding adapter. When it has completed the installation, it will tell you "Press any key to continue..." Press enter. Enter's a good key to press.
10. Next, the script will attempt to change the name of the adapter that was just installed to "VPN". It gives you a chance to verify this before continuing. I suggest you verify it, and then press enter.
There are three scripts required to setup the system:
1. get-coreutils.vbs (Downloads GNU Core Utils so you can have access to wget for downloads)
2. getputty.vbs (Downloads PuTTY so we can copy the encryption keys to the server)
3. setup-web-services.vbs (Downloads and installs your pre-configured tinc and uvnc software)
Setup Procedure (Abbreviated):
For those of you who just want to skip to the end, these are the steps that you'll take once the initial work of building your network is done:
1. Create the directory: C:\Util. (This is hard coded in the scripts. Feel free to update the scripts to make this configurable)
2. Save the three .vbs scripts in that directory.
3. Set cscript as the default vbs script interpreter: From the command line: cscript //h:csccript //s
4. Run get-coreutils.vbs
5. Run getputty.vbs
6. Run setup-web-services.vbs
LogMeIn is a good product. But their elimination of their free product has left a gaping hole in the market that (I believe) should be filled with free, open-source solutions. For occasional tech support, $99 / year just isn't worth it. And, when you're like most IT professionals who need to access a large variety of computers during the year, but many of them only once or twice, it just doesn't make fiscal sense.
Using tinc and UltraVNC in the configuration above is a proven method to manage computers all over the internet. The VPN handles encryption and connectivity allowing you to securely manage remote computers over VNC. It took me an entire weekend to devise the working schema, but I now have it deployed on 20 computers throughout the United States and it works like a charm.
Be sure to read the README.md in Github and post questions and support issues to the GitHub page so they can be properly addressed. Kudos and consulting type questions can be posted in the comments below.