asked on
How can I get Remote RDP access to my Windows Server WITHOUT a publicly routable IP Address?
I have a few remote workers who need to access our Windows Server using Remote Applications over RDP protocol. I need to allow RDP access to the Server, but my ISP cannot provide a public IP Address, therefore I cannot ping my router's IP address and cannot set up port forwarding.
This is a follow-up to my previous question here:
https://www.experts-exchange.com/questions/29238813/Lost-REMOTE-connectivity-to-Windows-Server-via-RDP-but-can-connect-from-local-network-What-are-troubleshooting-steps.html
Previously, as detailed in the above link, I was using port forwarding on my Router to send external RDP requests to the server on my internal network. But, a few weeks ago my ISP was bought out, and as a result, I am now unable to get a public IP address from them.
I realize the security implications of using an open RDP port on the server, and I'm trying to find a solution like a VPN or port re-direction which will improve security, but it needs to be accessible over a non-public external IP address.
ExpertsExchange member itguy565 ( https://www.experts-exchange.com/members/itguy565.html ) helped me out in the last question, and provided the suggestion to use OpenVPN in conjunction with https://portmap.io/
link here:
The issue with this is that I'm using an old Windows server running Server 2008 Foundation (basically a stripped down version of 2008 R2), and I don't see any easy way to load the OpenVPN host software onto the server.
I'm open to getting back to basics and building this RDP connection as securely as possible, but I am constrained for now by the old hardware and OS. And I do want to be able to continue using the windows Remote Application function to make the access as seamless as possible to my users. As a stop-gap, I have been able to set up a TeamViewer web link for them to access the server, but this is slow and requires them to have full access to the server rather than just running the Remote Application.
I'm hoping:
A:) there is an easier way to make a secure RDP connection,
or
B:) that someone can provide a link to a basic step-by-step tutorial for setting up the OpenVPN on this old server.
Thanks
ASKER
my new ISP is behind a NAT service and I cannot ping the External IP of my own router.Apologies, didn't see that in the OP.
IMO using PortMap will work, but it's not secure in the slightest. If you want/need to go down that route, I'd use something like a pfSense firewall (will run on a lightweight PC) to establish the OpenVPN tunnel to PortMap, then you can use the pfSense box to firewall/NAT/redirect clients to your RDP box a little more securely than by just exposing your server straight to the internet. Also, you'd need to use the paid plan as you can specify the port to expose - the free plan uses a random port which will change every time the VPN connects.
Based on the limit, you can not setup a VPN either.
you should test it on an RDS system to see whether it will let multiple sessions to connect with a different windows session.
The only options you would have would be what arnold suggested - third party products where the third party software initiates the connection OUT to their servers and allow you and your staff to connect in via them. Products such as RipMeOff, RipMeOff's GoToMyPC, TeamViewer, and Screen Connect are all options, but again, as Arnold points out, they only allow one user per system to access so you wouldn't be able to use a terminal server.
If your ISP is limiting you like that, much as I generally loath it, it sounds like you really need to move your network to a cloud like AWS or Azure. That way, everything lives there and you can setup services like VPN.
Edit: One quick thought I had that MIGHT work (but your asking for something that 99.99% of people DON'T DO, so getting someone experienced with this to guide you will be difficult if not impossible), if you create a cloud based VPN and then connect your server to the VPN and have your staff also connect to the VPN. A VPN is a virtual private network, so having multiple connections into the same VPN should, IN THEORY, allow all those connected to access each other. But again, this idea is unique to your situation and is NOT COMMON!
ASKER
Thanks very much for taking the time to respond. As you might have read, I have set up web-based access over TeamViewer, but as mentioned it does limit the remote access to single user sessions since it is literally as if they were sitting at the server keyboard.
ASKER
I am continuing to try to get the public IP address from my ISP, but it's been almost a month with no results. We are rural, so this is currently the only ISP available.
We're working with the TeamViewer option, but it is challenging. :-)
To.Lee's point try https://openvpn.net/cloud-vpn/
One thing the VPN needs to be system level
https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/
ASKER
ASKER
ASKER
I will look into the cloud VPN. It seems daunting, but might have potential.
To explain..I have an ISP that for some years is NATing IPs and so..you guessed no Public IP
BUT
when you call and you say "I have a security system and I want to have external access to my cameras...e.g. monitoring my house"...presto Public IP assigned...this is what I did...and don't overexplain to them...probably the low level operators don't have idea about Public IPs and connectivity...all they have is some sort of cheat paper that has the most common Q-A.
So have you asked ?
Else...probably is better to change ISP.
ASKER
The Hamachi option looks very interesting on first glance at the link you provided. I'll look into it.
Thanks
John,
I have talked to them at least 20 times over the last three weeks. Haven't tried that approach, but I will next time I call. It just bamboozles me that this simple request is taking so long. As I said before, there really is no other internet option in this location.
ASKER
for example the server can run a vpn client or
ssh user@host -R rdpport:rdpprivateaddr:rdpport and the client would need to rdp to localhost. with adequate ssh keys and host fingerprint, this could be made reasonably secure.
you can script or setup multiple sessions to fixed or dynamic addresses or rely on a separate hop server with a fixed address. this is reasonably easy to setup. or you can change isp.
note that many other options can be setup such as mtls or your own raw protocol with an initial challenge response.
ASKER
Maybe if you could link to some step-by-step tutorials that would work for my Windows Server 2008 box I could be better able to evaluate the possibilities.
I as always appreciate all the help, but please consider that I'm far from proficient in the current technologies.
And to your suggestion to move to a different ISP, I have been investigating, but the only other options seem satellite or radio wave based which only yield about 15 Mbps.
ASKER
I must need an older version, which I cannot seem to find.
the choice vastly depends on the number of users and wether they have fixed ips. if they are all in a single location, you need a simple vpn to that location.
There are only a few ways to get past the "NAT" issue that the OP is experiencing as stated in my last response in the other question..
OpenVPN comes in two flavors (Windows and Linux)
https://openvpn.net/access-server/pricing/
You can use my previous article and use the windows version to setup the openVPN if you so choose.. Otherwise you can also use the Hamachi VPN Server application to accomplish the same..
Regardless of the solution you use, please ensure that you DO NOT open 3389 to the internet.. Use your firewall to redirect traffic from port **** to 3389.
So essentially Create a Policy
Firewall
Anything WAN(Hamachi, OpenVPN) --> DENY
Anything WAN - LAN (Hamachi VPN, OPEN VPN) on port (Port you choose) ALLOW
Rules
Anything WAN - LAN (Hamachi VPN, OPEN VPN) on port (Port you choose) ..> Redirect to (Server object) on port 3389
Make sure to create the Reciprocal Rules
Use your firewall to redirect traffic from port **** to 3389.Security by obscurity doesn't make it any safer. It's easy to identify RDP no matter what port is used to redirect.
There currently no public access due to lack of a public address.
do they change often ?
do they have fixed addresses ?
do you own a machine somewhere else with a fixed address and reasonable bandwidth ?
there are different ways to deal with this issue and the most adequate one will depend on the above
the core of the issue is the server needs to be the one initiating the connection.
ASKER
2-3 users who need regular remote access, plus 3-4 more occasionally.
They are stable employees and should not change very often.
Not sure what their ISP situation is, but probably not fixed addresses.
I don't currently have a fixed address machine off site, but that might be a possibility.
If I was in your situation, I would definitely use an offsite 'server' that can be accessed via a public IP (fixed or dynamic can both work - if dynamic, you can use a free Dynamic DNS Hostname to find it) - could even be an old PC located at your home if you have a reasonable internet connection there.
I would then tunnel out from your network to that machine using SSH Remote Forwarding, which will allow connections to that remote machine (from your users) to get into your network.
The costs could be minimal for an old PC (you likely have one lying around, but if not, it might only cost $100 or so), the cost of running that machine (fairly minimal too). The software can be free (Ubuntu and SSH).
The only real 'expense' would be your time to understand how to set it up, and then implement. If you haven't used Linux before, I would suggest using Ubuntu simply due to it having a large user base and plenty of support forums, but almost any Linux would be fine.
Guides for all of that can be found all over the internet, but if you are going from a standing start, it might take you some evenings of homework to get it working. For me, that would not be a hardship - I enjoy learning new stuff like that, but if you are not that way inclined (and fair enough if not!) then this probably won't be the solution for you.
Alan.
1/ setup sshd on the client machines or jump server
2/ setup ssh keys (easy and widely documented)
3/ try connecting with
ssh -R 3389:localhost:3389 destination
4/ change ssh to autossh and run it as a service, job, startup task... whatever
5/ connect from the remote host to localhost:rdp
---
if you use a jump server
the remote host is the jump server. you will need to forward extaddr:3389 to localhost:3389 so users can access the tunnel remotely.
or you can use stunnel, a vpn or whatever seems convenient so you use ssl to the jumphost.
if you do not
you need to perform the same setup for each client. you can rely on dynamic dns if needed and if the clients change locations. dynamic dns reacts within minutes and autossh will connect quite agressively so the rdp would typically be available within minutes. about 1 in most cases. 10 if you are unlucky.
--
other hackish ways that do not rely on tunnel may work depending on the isp. for example, it is possible that throwing one udp packet every few seconds from port 3388 to port x would let you connect back from your port x to the origin ip port 3389. in this scenario i assumed the isp nat has very limited session handling.
obviously, ssh is not a requirement but rather a convenience. socat and similar tools can do the same.
the remote host is the jump server. you will need to forward extaddr:3389 to localhost:3389 so users can access the tunnel remotely.The problem is there is no external IP to port-forward. The ISP doesn't provide a fixed exernal IP and NATs all clients to a private RFC1918 IP. This is why we're exploring using a central public VPN service that would hub-and-spoke connect everyone, including the server, together.
wether you use ssh, a vpn, or whatever ptp tunelling solution, the issue is the same : the connection must be initiated by the server.
--
note that the udp hack would work fine to allow incoming openvpn traffic over udp. combined with noip, it can be reasonably transparent.
setup a regular udp server on the server. setup noip on the server. setup noip on every client. have the server send udp probes to all clients using the same port as openvpn. the clients will be able to vpn into the server using the existing "udp session"
setup a regular udp server on the server. setup noip on the server. setup noip on every client.This is the problem. Dynamic DNS can't be used because the ISP won't provide an exernal IP that the customer can use. The link between customer and ISP uses RFC1918 addressing, so not routeable.
ASKER
And, to make matters more difficult, I'm completely clueless about jump servers, ssh, anything Linus related, and VPNs in general for the most part.
But I do sincerely appreciate all of you experts giving me all these new ideas to research.
1 : setup a jump server with a fixed address as described above. this is rather easy but you will need to pay about 10 bucks monthly. a windows based server would work but not be simpler to setup. the jump server only needs sshd with trivial config which is provided with most linux based oses.
2 : setup reverse connect to each and every client machine. this is more difficult but you can start with one machine which wilk also give you clues regarding #1.
there are no significantly simpler solutions besides the cloud based equivalents such as team viewer.
I think a central cloud-based VPN will do what you need. Essentially the server inside your network would create a VPN connection to a cloud-based VPN server, then the home-based users would do the same. That would enable them all to see the server.
I think the flaw in your plan is the fact that regular users need to be able to connect as simply as possible, and also the OP doesn't have the skills or confidence to stand something up in Linux that would be reliable or secure. We both know that it's relatively simple to do, but others don't, and it's not our a$$ on the line if something goes wrong :-)
Hince the reason I originally mentioned linux in his previous post..
That being said, no-one ever said "Security by obscurity" is the best approach.. There are multiple ways to secure this connection once he gets it working.. But to start with get a "Working Model" in place in the simplest manor possible and then work on securing it.. The ISP NAT is doing exactly what it was designed to do, we on the other hand are trying to put a square peg in a round hole. There are ways to do it, but it requires un-orthodox out of the box thinking that is why I suggested the open-vpn solution.
But to start with get a "Working Model" in place in the simplest manor possible and then work on securing it..Not sure I agree with that in this scenario. I mean, let's just turn the firewall off and then start working out how to stop people getting in :-)
Sure, if it was just a LAN and we needed to enable people to use a particular service hosted internally, for example, I'm all for that, but not when it's external access coming inbound to a private network. That's a big no IMO.
The ISP NAT is doing exactly what it was designed to doAgain, not sure I agree. The ISP NAT is not designed to hide or protect devices. Its implementation here is designed to conserve external IP addresses so the ISP doesn't have to allocate a public IP to each customer.
I do agree with the OpenVPN solution though, if it can be hosted in the cloud, as no other way is really viable. That's what many of us here have been discussing, or similar alternatives such as NordLayer (which is a ready-made solution).
But to start with get a "Working Model" in place in the simplest manor possible and then work on securing it..
Not sure I agree with that in this scenario. I mean, let's just turn the firewall off and then start working out how to stop people getting in :-)
Nobody said that disabling the firewall was a good idea.. As if you read my response it is a deny all on the External Hamachi/OpenVPN address and only opening a single Port to the server in question using port redirection even from that to reach the internal server on the network. That is what I would consider the "Least I would go in the way of security"
The ISP NAT is doing exactly what it was designed to do
The CG-NAT that the op's ISP is utilizing "may not" be designed to hide devices intentionally, but it does have that as a added effect.. By failing to to provide a Public Static IP the ISP is effectively crippling the ability to host servers without a fair amount of work involved.
But to start with get a "Working Model" in place in the simplest manor possible and then work on securing itBy very definition, that means get the functionality working, then tighten it up. If you provide any sort of security controls at the outset that isn't the "simplest manor possible".
The CG-NAT that the op's ISP is utilizing "may not" be designed to hide devices intentionally, but it does have that as a added effect.Exactly my point. It's not what it is designed to do.
By failing to to provide a Static IP the ISP is effectively crippling the ability to host servers without a fair amount of work involved.This likely isn't the ISP's intention. It's a by-product of not wanting to provide costly IPv4 addresses to customers. The ISP is likely a community-sized ISP which provides connectivity in a fairly simplistic way.
As I've said, the most admin and user-friendly way to achieve this is to use something like NordLayer, which is a ready-made solution to achieve what is required. No technical expertise is required and no need to worry about securing it as it already is.
lets agree to disagree as continuing like this is unprofessional and not getting the OP any closer to his solution..
Here was my statement above.. This outlines exactly what I mentioned my statement above..
We can both agree that a solution such as OPENVPN, Hamachi, Nord, Or any number of other VPN solutions would work for the OP.. In reality installing Hamachi or some type of Point to Point VPN software might really be all the OP needs as he stated he only needs 4 licenses.. That would eliminate all of this hassle.. Hamachi as @DAVID suggested above would be perfect for this and would require a server application to be installed on the local network and then a client on each of the workstations that would be used to connect.
IMO setting up a cloud-based VPN server isn't the way to go, as the author has stated they aren't great at Linux, VPNs, etc...
I as always appreciate all the help, but please consider that I'm far from proficient in the current technologies.
And, to make matters more difficult, I'm completely clueless about jump servers, ssh, anything Linus related, and VPNs in general for the most part.That leaves a ready-made solution as the only real option.
I did agree that Hamachi was a great solution, but the author has stated that the client won't install on his server - probably because the OS is Server 2008, so it seems like it's not an option either. Therefore an alternative to Hamachi could be tried. I've mentioned one, so if the author is willing to try it I think we should see how that goes.
with a jump server
noip not required unless the jump server ip is not fixed (but not hidden either).
the jump server setup boils to sticking the server ssh key in the right place and adding gatewayports to the config or use an equivalent nat rule.
the clients connect to the jump server instead of the real server.
without a jump server
noip is needed for the server to locate the clients and trigger reverse connections to them.
clients merely need noip and sshd to be configured on their desktops.
they connect to the server by connecting to localhost.
anyway given the above, it seems likely the author will stick to teamviewer
ASKER
I am most definitely taking in all the advice, and trying to formulate a strategy. My hope is still that my ISP will be able to eventually give me a routable IP address, and in the meantime, the TeamViewer stop-gap solution is working adequately.
So, there isn't the immediate burning need to just jump in and try something haphazardly. I'm trying to soak up the ideas and knowledge and make an informed decision going forward.
additionally, this can be made a little secure : you can trigger a reverse connection or open a regular one on demand using an sms as the trigger for example.
ASKER
I truly appreciate ALL the responses, and if anyone feels slighted, please let me know and I will try to fix it!
I'd use a separate box to host OpenVPN. That way you don't risk breaking anything on the server, and it's a little more secure.