Cover V14, i10

[Figure 1 and Figure 2 are referenced in the text]

Remote Administration Based on VPN for Home Networks

Rafael Palacios and José Daniel Muñoz Frías

Because of recent improvements in communications, telework is increasing in all developed countries. One of the major problems associated with telework, from the technical point of view, relates to network and computer configuration. Although these problems are usually easily solved by systems administrators in the office, they can sometimes be impossible to address without going to the employee's home.

In this article, we describe a method that allows for remote administration of home computers and network, with minimal user interaction. The system is called Remote Administration Kit (RAK), and it is based on a portable computer preconfigured with the Windows or Linux operating system. When the computer is connected to the home network, it automatically establishes a VPN tunnel with the main office, thereby providing a direct connection for local network management.

RAK has been used to configure the home router and to access home computers. Potential applications for this system include remote support for teleworkers or small affiliated offices, maintenance services for SOHOs that can be arranged for a fixed monthly fee, and remote assistance offered by telephone companies or ISPs that provide Internet access.

Introduction

Telework is increasing at a rate similar to the number of home Internet connections. Motivated by the improved bandwidth of DSL and cable connections, along with decreasing fees, more people are signing up for high-quality home connections. Employees who want to access corporate services from home do not have any problems as long as those services are accessible using Web-based interfaces.

Things get more complicated when inexperienced users must configure applications such as a mail client, particularly because, instead of accepting default protocols, companies have a tendency to force secure protocols for any operation involving the use of personal passwords. One step forward would be to allow users to create VPN connections with their offices, hence giving full access to the intranet. The complexity of VPN configuration, however, surpasses most non-technical users, especially if the VPN requires the use of personal certificates generated by a corporate public key infrastructure not trusted by the home computer.

If the employee has a notebook computer for office, travel, and home, then most configuration problems can be solved by the IT team at the office. Nonetheless, local network parameters, such as router configuration or home desktop computer configuration, traditionally require on-site action. Additionally, naive users have many common daily problems that require local attention and real-time demonstrations.

Remote Administration Approaches

There are several remote administration approaches that allow support personnel to access users' computers to see their screens and perform keyboard and mouse actions. Some of these approaches are valid for any operating system, and others are specific to Windows. It is rather obvious that equipment for perimeter security will make it difficult for remote assistance programs to access the local network.

For security reasons, most Internet providers supply a modem/router configured to block inbound traffic from the Internet into the local network. Consequently, router configuration must be modified to permit remote access. Typically, it must be modified in two ways: opening TCP ports for inbound traffic, and adjusting Network Address Translation (NAT) tables to translate a private IP address and port number to a public IP address and port number.

In general, Unix systems are easier to maintain remotely because most configuration adjustments can be performed using commands to modify text files. Additionally, the X Window System is universally supported in Unix systems, including Linux and Mac OS X. The X Window System uses a protocol based on graphic objects and events that allows remote execution of graphical applications with reasonably low bandwidth use. The simplest method for allowing remote administration is to activate Secure Shell and configure the router to open port 22.

One approach for remote access of any operating system is to use a KVM switch with IP connectivity. Such devices are oriented to the remote management of data centers, and some examples are provided by Adder Technology [1] and Xceedium. These devices allow a support person to use the remote computer as if his or her own keyboard, mouse, and monitor were connected to the remote computer. These devices are quite expensive (around $1000) and not very easy to install. One advantage is that no software installation is required, but the user must disconnect the keyboard, the mouse, and the monitor to install the KVM in between. Cable handling might be an important obstacle for many users, but the main drawback is the necessity to change router configuration to open some ports and define NAT tables. Another disadvantage is that the communication could be very slow because the screen must be sent as an image.

Another, less expensive, solution is to install specific software for remote administration. A popular option is VNC, which is open source and has been developed for different platforms:

http://www.realvnc.com/
This solution requires the user to install the server software on his home computer, which can be a daunting task for inexperienced users. To alleviate this installation process, a software package can be provided by the support personnel to perform the installation and configuration of the VNC and VPN software in a simplified way, as described in a previous Sys Admin article [2]. Again, the router configuration may be the main drawback.

Another alternative, which is only valid for Microsoft Windows systems, is to use the Windows Remote Desktop [3], which communicates through TCP port 3389. This software, like VNC, allows a remote expert to take control of the novice user's home computer. The main advantage over VNC is that it comes preinstalled in Windows XP and can be activated very easily (it is also available for other versions of Windows, but not preinstalled).

Windows XP includes another tool, called Remote Assistance, designed to request help from an expert [4]. This tool uses remote desktop protocol and allows a novice user to request help via MS Messenger or email. By using MS Messenger to request Remote Assistance, it is possible to establish a remote administration connection without modifying router configuration. But according to Microsoft TechNet [5], one can skip router configuration of NAT tables only in certain circumstances (UPnP NAT devices).

Description of the System

The RAK consists of a personal computer (running Linux or Windows) that is configured to establish a VPN connection to the main office. The employee carries this laptop home and connects it to the local network, preferably by cables, although wireless connection is also possible. Then, any systems administrator can enter the home network through the personal computer, typically using SSH for Linux administration or Windows XP Remote Desktop Connection for Windows administration.

The default router configuration blocks any incoming connection from the Internet into the home network; consequently, there is no way for systems administrators to perform any maintenance (or for attackers to perform any mis-configuration) unless they are directly connected to the private network. However, it is possible to establish a connection with outside servers if it originates within the local home network. For this reason, the portable computer directly connected to the home network is able to establish outside connections.

The system is configured to create a VPN connection with the main office, therefore getting a corporate IP address in addition to the home IP address assigned by the DHCP server of the router (see Figure 1). In practice, RAK is seen as a home computer by home equipment and as an office computer by other corporate computers (as if the system were also physically connected to the office local network).

After all connections have been established, any communication with home equipment is performed using the home IP address, while any traffic with the office is performed through the VPN tunnel. Consequently, systems administrators can use SSH or Remote Desktop to gain control of the laptop and contact other machines. The support person must know router and desktop passwords to perform administration; these passwords must be provided by the user, although default router passwords are easy to find on the Internet.

If the RAK is built on a Linux system, the straightforward method is to use SSH to get into the laptop. Then, it is possible to enter another Unix system using SSH, or the router using telnet or its Web interface. The latter option also requires X forwarding, which most SSH clients tunnel by default. If RAK is built on a Windows system it is easier to use Remote Desktop, although SSH is also possible by installing an SSH server (based on OpenSSH) over Cygwin [6].

The system was designed at the Universidad Pontificia Comillas (Madrid, Spain) to fill a need for professors of the Instituto de Investigación Tecnológica who often want to access University resources from home. This system is very convenient for helping our faculty/staff solve problems with their home computers, and it could also be very useful for any organization in which employees can work at home. Once the laptop is connected to the home network of the user, it is possible to perform remote administration from the university or even from the home of a systems administrator (if another VPN connection were established); see Figure 2.

The system is very useful for the following types of tasks:

  • Configuring routers, for example, checking security parameters and configuring wireless access to allow connection of corporate laptops.
  • Installing or configuring special software in the desktop computer for accessing corporate services, such as SSH clients, mail clients, or even VPN connections.
  • Configuring the home desktop computer to share folders and printers with corporate laptop computers.

Tuning Configuration Parameters

There are a few configuration parameters that make RAK more interesting and easier to use. Auto-startup features are used to facilitate connection and startup; the user is only required to connect cables and press one button. Auto-locking is provided as a security feature for protecting the laptop computer from user interaction. These tricks are not necessary if RAK is running Linux; in that case, the only installation requirement is to configure the creation of the VPN at startup.

Auto-Startup

For Windows XP, Microsoft provides a PowerToy (tool) called Tweak UI that allows access to systems settings and options not normally exposed in the user interface. Among these options, there is a parameter called "Autologon" that can be used to define the name of the default user that will log on automatically at system startup, bypassing the initial login dialog box.

After login, the system will execute the programs found in the Startup folder of the user, hence allowing us to create a BAT (script) file that will establish the VPN connection. This connection can be started by running the following command, which must be copied into the BAT file:

rasdial connection_name
The word "connection_name" must be replaced by the name selected during the VPN configuration process.

Auto-Locking the Computer

It is not a bad idea to lock the computer after starting and establishing the connection. Locking the computer is not a real security feature, but essentially prevents user interaction by mistake (or by children). One good way to lock Windows XP is by using the following command [7]:

rundll32.exe user32.dll, LockWorkStation
This line of code should be added to the BAT file included in the startup folder of the default user.
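The two startup steps above (dialing the VPN with rasdial, then locking the workstation) combined into one BAT file, as an added example that is not from the original article. It assumes a VPN entry named "OfficeVPN" (a placeholder; use the name chosen during VPN configuration) with saved credentials, retries the dial a few times in case the home link is not yet up, and locks the laptop whether or not the tunnel came up, so an unattended logged-in session is never left open.

```batch
@echo off
rem RAK startup script (added example; "OfficeVPN" is a placeholder name).
rem Place this file in the Startup folder of the auto-logon user.
setlocal
set CONNECTION=OfficeVPN
set MAXTRIES=5
set TRY=0
set LOG=%USERPROFILE%\rak.log

:dial
set /a TRY+=1
echo [%DATE% %TIME%] Dialing %CONNECTION% (attempt %TRY% of %MAXTRIES%) >> "%LOG%"
rasdial "%CONNECTION%"
if %ERRORLEVEL% EQU 0 goto connected
if %TRY% GEQ %MAXTRIES% goto failed
rem The DSL/cable link or the router's DHCP lease may not be ready yet;
rem pinging loopback 31 times pauses roughly 30 seconds on Windows XP.
ping -n 31 127.0.0.1 >nul
goto dial

:connected
rem Record the office-side state for the support team, then lock the
rem screen so nobody at home interacts with the laptop by mistake.
echo [%DATE% %TIME%] %CONNECTION% is up >> "%LOG%"
rasdial >> "%LOG%"
rundll32.exe user32.dll,LockWorkStation
goto end

:failed
echo [%DATE% %TIME%] %CONNECTION% failed after %MAXTRIES% attempts >> "%LOG%"
rem Lock anyway: a failed dial must not leave an open desktop behind.
rundll32.exe user32.dll,LockWorkStation

:end
endlocal
```

Running rasdial with no arguments lists the active connections, so the log shows the support person whether the tunnel exists before they attempt Remote Desktop.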

Special Security Considerations

If you plan to use Remote Desktop, it must be activated in the Control Panel/System, Remote tab. It may also be necessary to adjust the firewall software, for example, if Win XP SP2 has been applied. These adjustments are necessary in the RAK system and also in the desktop home computer if remote administration is required on it.

One interesting option is to restrict connectivity for the RAK computer within the office network. In the case of our University, VPN access is limited to a few advanced users, and the connection is established using EAP and personal certificates for higher security. To minimize the effect of a possible break-in through the VPN access configured in RAK, the VPN server always assigns the same office IP address to the laptop computer, and that address is allowed to connect only to a selected group of computers (local or also on the VPN) under the control of expert support people.

Conclusion

A prototype of the RAK system has been implemented and tested at the Universidad Pontificia Comillas. It has been used to change the wireless settings of Wi-Fi routers just by opening a Web browser in a Remote Desktop session on the RAK. It has also been used to change configuration parameters in desktop computers by opening a Remote Desktop session to the home computer from within the Remote Desktop session of the RAK. The latter procedure was quite slow, but it would also be possible to change the router configuration to allow a direct Remote Desktop connection to the home computer.

Instead of using a standard notebook computer, it would be more appropriate to develop a dedicated system, for example using a PC/104 or Mini-ITX board, which would be less expensive. In terms of security, such a dedicated system would be less vulnerable, mainly because it would not have a keyboard or display. Additionally, it would be lighter, smaller, and more robust, and therefore more easily transported.

References

1. Stevens, Alan. November, 2004. "Adder Adderlink IP Simple, Effective IP-based remote control", Personal Computer World.

2. Olson, Adam. 2005. "Branded VPN Deployment and Seamless Remote Management". Sys Admin 14(6): 8-13.

3. "Working Remotely with Windows XP". Microsoft. http://www.microsoft.com/windowsxp/using/mobility/default.mspx

4. "Using Remote Assistance to Get Help When You Need It". Microsoft. http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/remoteassist/intro.mspx

5. "Administering Remote Assistance", Microsoft TechNet. http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/adminra.mspx

6. Fong, Nicholas. May, 2005. "How to install OpenSSH sshd server and sftp server on a Windows 2000 or Windows XP or Windows Server 2003". http://pigtail.net/LRP/printsrv/cygwin-sshd.html

7. Ferri, Vic. August, 2002. "Different Ways to Lock Windows XP", TechTrax. http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=70

Rafael Palacios is an Assistant Professor at the School of Engineering, Universidad Pontificia Comillas, Madrid, Spain. He has taught computer programming since 1996 and is an advisor on network and Web security at the Institute of Research in Technology. He can be reached at: palacios@mit.edu.

José Daniel Muñoz Frías is an Assistant Professor at the School of Engineering, Universidad Pontificia Comillas, Madrid, Spain. Since 1991 he has taught digital electronics, computer architecture, and computer programming. He has been hacking with Linux since 1995, using it for real-time control and embedded systems.