Secure Remote Access with Hamachi and VNC
---------------------------------------------
----
Update: 4/19/06 - Added 'Single User' configuration instructions for Hamachi and installation of gHamachi (Hamachi gtk GUI).
----
By KingOfNowhere
This is a How-To for setting up a secure VNC server by tunnelling it through a Hamachi virtual private network. Setting VNC up this way lets you reach your machine securely (using Hamachi's encryption) and makes it accessible from anywhere on the net. Before I jump right in, here is some background:
Hamachi is a zero-config VPN client for Windows and Linux (currently Beta for Mac). It lets you very easily create a virtual private network that can be logged into and accessed from anywhere on the net. It does this by creating IP tunnels to each VPN client, making them directly accessible to all the other clients on the VPN. Hamachi also encrypts the connections it creates to allow for secure access.
VNC is a widely used, cross-platform application that allows for remote desktop access.
Together, these apps allow secure remote access to your machine from anywhere.
Lastly, before I begin the guide, I would like to give credit to those I referenced for this guide:
HOWTO: Hamachi Linux Guide (2.4.x and 2.6.x) By Kamel
and
HOWTO: Set up VNC server with resumable sessions By Tichondrius
thx guys. Anyway on to the guide.
---------------------------------------------
Part 1: Hamachi
1.A) The 'tun' Module
The very first part of the Hamachi installation is to make sure IP tunnelling support (the 'tun' module) is loaded in your kernel; it is loaded with modprobe. Then open your /etc/modules file and add tun to the list of modules so it is loaded at every boot:
Code:
sudo gedit /etc/modules
If you are using a standard Ubuntu kernel, this should be all you need to do. However, if you compiled your own kernel, you may need to recompile it with IP Tunnelling support (only if you receive an error from 'modprobe'). If anyone needs help installing the module, see HOWTO: Hamachi Linux Guide (2.4.x and 2.6.x) By Kamel
1.B) Installing Hamachi
Okay, now on to the actual Hamachi software. But first, we need to make sure that a valid tunnelling node exists at /dev/net/tun.
If you get a "No Such File or Directory" error when checking for it, you need to create a new node like this:
Code:
sudo mkdir /dev/net
sudo mknod /dev/net/tun c 10 200
Okay, now that we have a valid IP Tunnel node, time to install Hamachi.
Download the latest version of Hamachi from http://www.hamachi.cc/download.
Enter the directory where you downloaded it and here is how to install it:
Code:
#Extract the archive
tar -zxvf hamachi-0.9.9.9-x.tar.gz
cd hamachi-0.9.9.9-x/
#install Hamachi
sudo make install
sudo tuncfg
#Hamachi is installed
1.C) Setting User Permissions
For security's sake, we are going to set the permissions of Hamachi's tuncfg control socket so that it can only be used by members of the 'hamachi' group. This is done like so:
Code:
#Create the 'hamachi' group
sudo groupadd hamachi
#Add your user to the group (replace 'user' with your own username)
sudo gpasswd -a user hamachi
#Add root to the group
sudo gpasswd -a root hamachi
#Set socket permissions
sudo chmod 760 /var/run/tuncfg.sock
#Finally, changing the group of the file
sudo chgrp hamachi /var/run/tuncfg.sock
Now that permissions are done, on to configuration.
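As a quick check of what sections 1.A to 1.C should have produced, here is a small script (added here, not part of the original guide) that verifies the tun module is loaded, that /dev/net/tun is a character device with major 10 and minor 200 as created by the mknod line above, and that the tuncfg socket is mode 760 and group 'hamachi'. The function names and messages are my own.

```shell
#!/bin/sh
# Added check script (not from the original post): verifies the results of
# sections 1.A-1.C. Function names and messages are assumptions of this example.

# Returns 0 if NODE is a character device with the given major/minor
# (defaults 10/200, the values passed to mknod in section 1.B).
check_tun_node() {
    node="$1"; want_major="${2:-10}"; want_minor="${3:-200}"
    [ -c "$node" ] || return 1
    # ls -l prints e.g. "crw-rw-rw- 1 root root 10, 200 ..." for a device node
    set -- $(ls -l "$node")
    major="${5%,}"; minor="$6"
    [ "$major" = "$want_major" ] && [ "$minor" = "$want_minor" ]
}

# Returns 0 if FILE exists with exactly the octal mode MODE and group GROUP.
# find -prune with -perm/-group is POSIX, so no GNU stat is needed.
check_mode_group() {
    file="$1"; mode="$2"; group="$3"
    [ -e "$file" ] || return 1
    [ -n "$(find "$file" -prune -perm "$mode" -group "$group" 2>/dev/null)" ]
}

# Runs all three checks against the live system and reports each one.
hamachi_sanity() {
    rc=0
    if grep -q '^tun ' /proc/modules 2>/dev/null; then
        echo "ok   tun module loaded"
    else
        echo "FAIL tun module not loaded (see section 1.A)"; rc=1
    fi
    if check_tun_node /dev/net/tun; then
        echo "ok   /dev/net/tun is char device 10,200"
    else
        echo "FAIL /dev/net/tun missing or wrong (see section 1.B)"; rc=1
    fi
    if check_mode_group /var/run/tuncfg.sock 760 hamachi; then
        echo "ok   tuncfg.sock is mode 760, group hamachi"
    else
        echo "FAIL tuncfg.sock permissions not restricted (see section 1.C)"; rc=1
    fi
    return $rc
}
```

Source the file and call hamachi_sanity to print the report; a non-zero return means at least one step of Part 1 still needs doing.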
1.D) Hamachi Configuration - System Service
Follow this section if you want Hamachi to run as a system service (in the background). I chose to list this method of configuration first because it seemed most relevant to the guide. If you want to have Hamachi run as a user application and install the gtk frontend, skip to section '1.E'.
1.D.1) Base Configuration
Creating an initial configuration can be done like so:
Code:
sudo hamachi-init -c /etc/hamachi
The result should be something like this:
Code:
Initializing Hamachi configuration (/etc/hamachi). Please wait ..
generating 2048-bit RSA keypair .. ok
making /etc/hamachi directory .. ok
saving /etc/hamachi/client.pub .. ok
saving /etc/hamachi/client.pri .. ok
saving /etc/hamachi/state .. ok
Authentication information has been created. Hamachi can now be started with
'hamachi start' command and then brought online with 'hamachi login'.
Okay, next is to start Hamachi:
Code:
sudo hamachi -c /etc/hamachi start
Now that we are up and running, you need to set your nickname:
Code:
sudo hamachi -c /etc/hamachi set-nick "YourNickHere"
Next, we need to login to Hamachi and then either login to an existing network or create a new one. Like this:
Code:
#Login to Hamachi
sudo hamachi -c /etc/hamachi login
#To join an existing network
sudo hamachi -c /etc/hamachi join network password
#Or to create a new network
sudo hamachi -c /etc/hamachi create network password
#Lastly, to go online to the network you joined
sudo hamachi -c /etc/hamachi go-online network
*NOTE ABOUT NETWORK PASSWORDS*
I would recommend visiting http://grc.com/passwords for a random string password. They are very strong passwords and add to the security of your setup.
Now your machine is up and running on its own Hamachi VPN. The last part of the installation is a script written by Kamel that will allow Hamachi to run on startup.
1.D.2) Hamachi Startup Script
Open gedit and save the following as /etc/init.d/hamachi
Code:
#!/bin/sh
# Hamachi init script (by Kamel): starts the tunnel configurator and the
# Hamachi daemon, then re-applies the group-only socket permissions from 1.C
hamachi_start() {
    echo "Starting hamachi..."
    /sbin/tuncfg
    /usr/bin/hamachi -c /etc/hamachi start
    # the socket is created fresh each time tuncfg starts, so restrict it again
    /bin/chmod 760 /var/run/tuncfg.sock
    /bin/chgrp hamachi /var/run/tuncfg.sock
}
hamachi_stop() {
    echo "Stopping hamachi..."
    killall tuncfg
    /usr/bin/hamachi -c /etc/hamachi stop
}
hamachi_restart() {
    hamachi_stop
    sleep 1
    hamachi_start
}
case "$1" in
    'start')
        hamachi_start
        ;;
    'stop')
        hamachi_stop
        ;;
    'restart')
        hamachi_restart
        ;;
    *)
        # any other argument (or none at all) just starts it
        hamachi_start
        ;;
esac
Lastly, you need to make the script executable and add it to startup:
Code:
sudo chmod +x /etc/init.d/hamachi
sudo update-rc.d hamachi defaults
1.E) Hamachi Configuration - User Application
Follow this section if you want Hamachi to run as a user application and to use the pretty gtk frontend. If you want to have Hamachi run as a system service in the background, go back to section '1.D'.
1.E.1) Base Configuration
Creating an initial configuration is done with hamachi-init as in section 1.D.1, but run as your own user (no sudo and no -c /etc/hamachi), so the configuration is created in your home directory.
The result should be something like this:
Code:
Initializing Hamachi configuration (/home/user/.hamachi). Please wait ..
generating 2048-bit RSA keypair .. ok
making /home/user/.hamachi directory .. ok
saving /home/user/.hamachi/client.pub .. ok
saving /home/user/.hamachi/client.pri .. ok
saving /home/user/.hamachi/state .. ok
Authentication information has been created. Hamachi can now be started with
'hamachi start' command and then brought online with 'hamachi login'.
Okay, next is to start Hamachi with 'hamachi start' (again as your own user, without sudo).
Now that we are up and running, you need to set your nickname:
Code:
hamachi set-nick "YourNickHere"
Next, we need to login to Hamachi and then either login to an existing network or create a new one. Like this:
Code:
#Login to Hamachi
hamachi login
#To join an existing network
hamachi join network password
#Or to create a new network
hamachi create network password
#Lastly, to go online to the network you joined
hamachi go-online network
*NOTE ABOUT NETWORK PASSWORDS*
I would recommend visiting http://grc.com/passwords for a random string password. They are very strong passwords and add to the security of your setup.
Now your machine is up and running on its own Hamachi VPN. The last part of the installation is to install the GUI for Hamachi. Here is how that is done.
1.E.2) Hamachi GUI (gHamachi) Installation
First, visit the Hamachi forums and download the most recent version of the gHamachi frontend for either gtk 2.0 or gtk 1.2 (whichever you prefer); that is where gHamachi is published.
Second, simply unpack the gHamachi tarball, copy the binary to /usr/bin, and give it permission to run (chmod +x).
Code:
tar xfz gHamachi_gtk2.tar.gz
sudo mv ghamachi /usr/bin/
sudo chmod +x /usr/bin/ghamachi
Once that is done, the Hamachi GUI is completely installed.
Start the GUI by running ghamachi.
Hamachi is all set up now; on to VNC.
Part 2: VNC
This section of my guide is largely based on Tichondrius' Guide, nice guide man. This part of the guide is currently intended only for those using the Gnome desktop. For those of you using KDE or something else, please refer to other threads on this forum or the VNC Homepage.
2.A) Enabling XDMCP in Gnome
There are a few settings that need to be set inside Gnome before we begin:
System -> Administration -> Login Screen Setup
Security Tab -> Enable XDMCP
XDMCP Tab -> Disable "Honor Indirect Requests"
Next we need to install the required packages.
2.B) Installing VNC and xinetd
First, make sure you have the Universe repository added to your apt sources. If you don't know how to do that, look it up on this forum.
Next, install VNC and xinetd:
Code:
sudo apt-get install vnc4server xinetd
Next, set a VNC password:
Code:
sudo vncpasswd /root/.vncpasswd
Then, open gedit and save the following as /etc/xinetd.d/Xvnc:
Code:
service Xvnc
{
type = UNLISTED
disable = no
socket_type = stream
protocol = tcp
wait = yes
user = root
server = /usr/bin/Xvnc
server_args = -inetd :1 -query localhost -geometry 1024x768 -depth 16 -once -fp /usr/share/X11/fonts/misc -DisconnectClients=0 -NeverShared passwordFile=/root/.vncpasswd
port = 5901
}
Lastly, restart xinetd and it is all setup:
Code:
sudo /etc/init.d/xinetd stop
sudo killall Xvnc
sudo /etc/init.d/xinetd start
You can test the VNC server with this:
Code:
vncviewer localhost:1
At this point, both Hamachi and VNC have been installed and configured on your machine. Next are some recommended firewall settings to keep you secure and keep everything running smoothly.
Part 3: Settings and Usage
3.A) Firewalls
To keep your machine secure with these newly installed services, I recommend these additional settings in your firewall:
For XDMCP -> only allow incoming connections from 5.x.x.x (Hamachi subnet) to Ports 6000-6009
For VNC -> only allow incoming connections from 5.x.x.x (Hamachi subnet) to Port 5901
Filtering these ports this way will only allow Hamachi connections to reach these services.
*NOTE FOR FIRESTARTER USERS*
If you use the Firestarter firewall, then you must add these two lines to your '/etc/firestarter/user-pre' file to accept connections on the Hamachi interface:
Code:
$IPT -A INPUT -i ham+ -j ACCEPT
$IPT -A OUTPUT -o ham+ -j ACCEPT
Then restart Firestarter:
Code:
sudo /etc/init.d/firestarter restart
I do not know if there are similar configuration changes required by iptables. If anyone can comment, please do.
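Since the guide leaves the plain-iptables version open, here is the section 3.A policy expressed as iptables rules (an added example, not from the original guide). The ham+ interface name and the 5.x.x.x Hamachi subnet (written as 5.0.0.0/8) come from the post; the IPT, HAM_NET and HAM_IF variables and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): the section 3.A policy as plain
# iptables rules -- VNC (5901) and the X display ports (6000-6009) are accepted
# only on the Hamachi interface (ham+) from the Hamachi subnet (5.x.x.x, written
# as 5.0.0.0/8), and dropped from anywhere else. IPT, HAM_NET and HAM_IF are
# assumptions of this example; ham+ and 5.x.x.x come from the post.
IPT="${IPT:-/sbin/iptables}"
HAM_NET="5.0.0.0/8"
HAM_IF="ham+"

# Prints one rule per line instead of applying them, so the set can be
# reviewed (or checked by unrestricted_accepts) before touching a live firewall.
# Order matters: the ACCEPTs must come before the DROPs for the same ports.
hamachi_rules() {
    # Accept VNC only when it arrives via the Hamachi tunnel from the Hamachi net
    echo "$IPT -A INPUT -i $HAM_IF -s $HAM_NET -p tcp --dport 5901 -j ACCEPT"
    # Same condition for the X display ports used by XDMCP sessions
    echo "$IPT -A INPUT -i $HAM_IF -s $HAM_NET -p tcp --dport 6000:6009 -j ACCEPT"
    # Everything else aimed at those ports (LAN, Internet, other interfaces) is dropped
    echo "$IPT -A INPUT -p tcp --dport 5901 -j DROP"
    echo "$IPT -A INPUT -p tcp --dport 6000:6009 -j DROP"
}

# Counts ACCEPT rules for PORT that are not limited to the Hamachi net;
# a correct rule set prints 0 for both 5901 and 6000:6009.
unrestricted_accepts() {
    hamachi_rules | awk -v p="--dport $1 " -v net="-s $HAM_NET " \
        'index($0, p) && /-j ACCEPT/ && !index($0, net) { n++ } END { print n + 0 }'
}

# Applies the rules for real (needs root); run this only after reviewing them.
apply_rules() {
    hamachi_rules | while read -r rule; do
        $rule || return 1
    done
}
```

Run hamachi_rules first to see exactly what would be appended to INPUT, then apply_rules as root; unrestricted_accepts 5901 should print 0 before and after.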
3.B) Usage
Now that your machine is all set up and configured, accessing it remotely is just a few simple steps.
- On the Connecting Machine -
You need to install Hamachi on the connecting machine and join the network your destination machine is on.
Then, you need to install a VNC Viewer on the connecting machine.
Once Hamachi is setup and VNC Viewer is installed on the connecting machine, all you need to do now is open a VNC connection to your destination machine's Hamachi IP address (ex. 5.x.x.x) on display 1 (ex. 5.x.x.x:1).
For Example:
Server = 5.18.36.109:1
*Do not forget to specify the ':1' after the IP address, otherwise you won't connect.
Then, all you have to do is enter your VNC password, then login as your user.
Now that you are logged into your machine remotely, my guide is done here.
----------------------------------------------
I hope everyone finds this informative. Any corrections are welcome. And thanks again to Kamel and Tichondrius for their guides, they really helped me out.
- KingOfNowhere