Connections between two PCs - Both behind Router

dattelhuber
Posts: 2
Joined: 2004-05-11 17:42

Post by dattelhuber »

I would like to use VNC
with two PCs - Both the remote and the local computers
are behind a router in different company networks; they don't have a real IP address.

It would be nice to achieve such a connection without
port-forwarding on the router.

Perhaps you can implement/integrate an
"instant messenger" program in order to establish the
connection.
With Skype (http://www.skype.com/) I can do such a
connection for internet telephone calls.

hans dattelhuber
Guest

Post by Guest »

Skype uses their own peer-to-peer technology to allow 2 computers that can't receive incoming connections to connect to each other. Skype re-routes your call through users that *can* receive incoming calls. They do this so they don't need to pay for central servers to do it for you. The quality of the call is heavily based on the type of connection you have, so if you could enable port-forwarding on either end of the call, the quality will be dramatically boosted.

I think if UltraVNC was to use the same method it would pose an extra security risk, as other people are acting as network nodes and could possibly spoof or sniff connections.
RobH
Former moderator
Posts: 113
Joined: 2004-05-03 18:04
Location: Chicago, IL

Post by RobH »

Isn't that what the repeater is for? Only the machine running the repeater needs to be outside the firewall.
Guest

Post by Guest »

I think when he/she mentioned "behind a router", he/she was referring to behind NAT without port forwarding. Using the repeater would be the solution if you can get a machine directly connected to the net or forwarded to. A repeater would be a trusted PC, when Skype uses anyone on its network.
Rudi De Vos
Admin & Developer
Posts: 6838
Joined: 2004-04-23 10:21

Post by Rudi De Vos »

I'm working on it..

The idea is to run 2 helper applications, one on the server and one on the viewer.
The helper applications both initiate an outgoing connection.
Both outgoing connections pass the NAT router...

Using the helper apps, the server runs as normal, waits for an
incoming connection (from the helper), asks for the password etc...

Still in development and can take some time.
The method used is something like what Kazaa uses when you are behind a router..
The connection would require a third server to initiate the connection; after initiation, the third server is no longer needed,
data goes directly from viewer to server.
stalks
Posts: 10
Joined: 2004-05-21 03:39

Post by stalks »

What you are working on isn't possible with NAT. It isn't possible for you to simply pass on a connection.

The way NAT works is an outgoing connection from internal IP to outside internet is tracked, so the rebound packets, coming from the original destination back to the original sender, are intelligently rerouted to the IP on the internal network.

For you to pass on the connection, the new packets coming from the intended recipient would be stamped with a different IP and the NAT router wouldn't have a clue what to do with them, treating them as a new connection, and as there is no port forwarding set up, would simply drop the packets.

Even Kazaa can't do this; what Kazaa does is pick a random "peer" (a user who has a direct connection, or properly set up port forwarding) as the man in the middle, and this is just for searching, it's not for transferring files. 2 people on Kazaa both behind NAT with no port forwarding won't connect.

The repeater can be placed outside the firewalls/NAT and can be used as a *trusted* man in the middle. The whole Kazaa/Skype thing uses random "repeaters". I would not trust my VNC connection to a random peer.
Rudi De Vos
Admin & Developer
Posts: 6838
Joined: 2004-04-23 10:21

Post by Rudi De Vos »

Not sure...you are right for TCP/IP but as far as I know,
UDP ports act differently.
NAT routers cache ports from outgoing traffic and remember
them for incoming traffic.

Your UDP port 10.0.0.1:5900 is translated to 210.0.0.30:6546
The third server just tells 210.0.0.30:6546 to the other side;
sending data to 210.0.0.30:6546 is actually going to 10.0.0.1:5900
Doing this for both connections (server/viewer),
you talk to the 2 translated ports on the routers, which
are auto forwarded to the internal address.

This works with
NetGear RP614 Cable/DSL Router
Linksys NR041 Cable/DSL Router
Guest

Post by Guest »

But they also cache the destination IP. Otherwise NAT would be insecure allowing traffic from other IPs to pass through ports that had been opened from the inside. The only time it does that is if it supports UPnP.

Aaah, UPnP .. If VNC and your router supported UPnP, and had a central "man in the middle" that just simply allowed you to confer the port designated with UPnP, then a connection could be established.
Rudi De Vos
Admin & Developer
Posts: 6838
Joined: 2004-04-23 10:21

Post by Rudi De Vos »

Most DSL routers are insecure and allow return packets from
a different server.
Even my own brand-new DSL router "Topcom skyr@cer" allows UDP packets from other servers once the NAT table is initialized with an outgoing session. The box mentions "Firewall protected NAT" but nothing about UPnP.
Just started wondering what they meant with "firewall" :)

Also check this technical description:
http://www.intel.com/cd/ids/developer/a ... htm?page=5

More "NetScreen"-like firewalls will not allow
this technique and require full routing by a third server,
slow and eating bandwidth.

You can test your own NAT/router with a little utility found at
http://midcom-p2p.sourceforge.net/
stalks
Posts: 10
Joined: 2004-05-21 03:39

Post by stalks »

Now that's interesting. The original RFC 2663 for NAT states each connection should be uniquely identified by Source IP/Port and Target IP/Port. Some companies must have decided to change this implementation specifically for peer-to-peer when both are behind NAT. Perhaps UPnP is what is being exploited here?

I hope you get everything sorted.

ps. Unfortunately I'm not behind NAT to try this out, I was just discussing the issue from base interest rather than a problem I was having :)

pps. I set up a quick NAT rule-base on the Debian firewall I'm using here, and unfortunately IPTables (Linux kernel 2.6) doesn't support this double-ping implementation.

Look into UPnP for opening ports; that was the official reply to users wanting to dynamically open ports when behind NAT.
Rudi De Vos
Admin & Developer
Posts: 6838
Joined: 2004-04-23 10:21

Post by Rudi De Vos »

The strange thing is that it works with VMware and my router.
Started to investigate what is happening...
Could be luck or some bad configuration....

I tried to connect from A to B with the info I got from C.
Strange, B refuses A.....
But as soon as B also tries to connect to A, packets from A
to B pass the router.

Somehow, the destination address is used, but by sending
a packet to A, A is added as destination to the same NAT
port used for sending a packet to C.

Is it possible that the router can add 2 different destinations to
the same port, and accept packets from both?
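The UDP behaviour discussed in this thread (a router remembering the external port of an outgoing datagram, stalks' point that the NAT also tracks the remote endpoint, the Guest's remark that the destination IP is cached, and Rudi's observation that B only accepts A once B has itself sent towards A) is easiest to see in a small simulation. The block below is an added example, not UltraVNC code and not anything posted by the thread's authors: the Nat class, the hole_punch function, host C at 203.0.113.5:3478 and B's addresses are constructed for illustration; only the 10.0.0.1:5900 / 210.0.0.30:6546 pair comes from the post above. The filtering categories use the names RFC 4787 gives them, and a "symmetric" switch models a NAT that assigns a fresh external port per remote peer, the case stalks argued cannot be traversed.

```python
"""Constructed toy model of NAT mapping and filtering (not UltraVNC code).

Replays the thread's scenario: hosts A and B both sit behind NAT, each sends a
UDP datagram to a third host C, C tells each side the external endpoint it saw,
and the two sides then try to reach each other directly.  Filtering terms are
RFC 4787's: endpoint-independent, address-dependent, address-and-port-dependent.
All addresses are made up except 10.0.0.1:5900 / 210.0.0.30:6546 from the post.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]

ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_DEPENDENT = "address-dependent"
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass
class Nat:
    public_ip: str
    filtering: str
    symmetric: bool = False   # True: a fresh external port per (internal, remote) pair
    next_port: int = 6546
    mappings: Dict[object, int] = field(default_factory=dict)        # key -> external port
    allowed: Dict[int, Set[Endpoint]] = field(default_factory=dict)  # port -> peers sent to

    def _key(self, internal: Endpoint, remote: Endpoint):
        return (internal, remote) if self.symmetric else internal

    def send(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Inside host sends a datagram to remote; returns the external endpoint remote sees.
        The NAT records remote as a peer of that external port (the 'cached destination')."""
        key = self._key(internal, remote)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.allowed.setdefault(port, set()).add(remote)
        return (self.public_ip, port)

    def receive(self, external: Endpoint, remote: Endpoint) -> Optional[Endpoint]:
        """A datagram from remote arrives at our external endpoint.  Returns the inside
        endpoint it is delivered to, or None when the filtering policy drops it."""
        ip, port = external
        if ip != self.public_ip or port not in self.allowed:
            return None           # no mapping at all: plain unsolicited inbound, dropped
        peers = self.allowed[port]
        if self.filtering == ENDPOINT_INDEPENDENT:
            ok = True             # any remote may use an open mapping ("full cone")
        elif self.filtering == ADDRESS_DEPENDENT:
            ok = any(p[0] == remote[0] for p in peers)
        else:
            ok = remote in peers  # exact (ip, port) the inside host already sent to
        if not ok:
            return None
        for key, p in self.mappings.items():
            if p == port:
                return key[0] if self.symmetric else key
        return None


def hole_punch(filter_a: str, filter_b: str,
               symmetric_a: bool = False, symmetric_b: bool = False) -> Dict[str, bool]:
    """Run the A/B/C exchange and report which direct packets got through."""
    nat_a = Nat("210.0.0.30", filter_a, symmetric_a)
    nat_b = Nat("198.51.100.7", filter_b, symmetric_b)
    a_int: Endpoint = ("10.0.0.1", 5900)
    b_int: Endpoint = ("192.168.1.20", 5900)
    c: Endpoint = ("203.0.113.5", 3478)       # the "third server" both sides contact first

    a_ext = nat_a.send(a_int, c)              # C learns A's external endpoint
    b_ext = nat_b.send(b_int, c)              # C learns B's external endpoint
    # C hands each side the other's endpoint.  A tries first, before B has sent anything to A.
    before = nat_b.receive(b_ext, nat_a.send(a_int, b_ext))
    # B now sends towards A; A's NAT already lists B's endpoint as a peer, so this may pass.
    b_to_a = nat_a.receive(a_ext, nat_b.send(b_int, a_ext))
    # A retries; B's NAT has now seen outbound traffic towards A.
    after = nat_b.receive(b_ext, nat_a.send(a_int, b_ext))
    return {"a_to_b_before": before is not None,
            "b_to_a": b_to_a is not None,
            "a_to_b_after": after is not None}


if __name__ == "__main__":
    for fa, fb, sym_b in [(ENDPOINT_INDEPENDENT, ENDPOINT_INDEPENDENT, False),
                          (ADDRESS_DEPENDENT, ADDRESS_DEPENDENT, False),
                          (ADDRESS_PORT_DEPENDENT, ADDRESS_PORT_DEPENDENT, False),
                          (ADDRESS_DEPENDENT, ADDRESS_DEPENDENT, True)]:
        print(fa, "/", fb, "symmetric_b=%s" % sym_b, hole_punch(fa, fb, symmetric_b=sym_b))
```

Running it prints one line per policy. With endpoint-independent filtering A reaches B at once, which is the behaviour Rudi reports for the NetGear and Linksys boxes and also the reason the Guest calls such routers insecure: any source on the internet can use the open mapping, so the VNC session itself has to carry the authentication. With address-dependent or address-and-port-dependent filtering the first A to B packet is dropped and passes only after B has sent towards A, exactly the "B refuses A until B also tries" effect. With a symmetric NAT on B's side the port C learned is not the port B later uses towards A, so the direct path never opens without further help, which is the case stalks had in mind.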
stalks
Posts: 10
Joined: 2004-05-21 03:39

Post by stalks »

Hm, yeah, I guess that is theoretically possible, as the NAT router will know within its own database which ports on the internal PC to actually send the packets to.
dattelhuber
Posts: 2
Joined: 2004-05-11 17:42

Post by dattelhuber »

Ooops,

to my shame I must say that I did not follow
the many replies to my request.
I had so much work to do the past few months - Sorry!!!

I am glad to hear that you work on a solution
for the NAT problem. I do not know much about
TCP, UDP but I think it must be possible
to establish a connection when both users are
behind a NAT.
(If Skype and others can do this there must be a way)

At least with an extra central server that serves as
a "connection broker" between the 2 PCs it should work.
(probably the connections must be tunnelled over
Port 80 to bypass the NAT)

Worry about security?
1. If the users are allowed to surf in the internet
I see no extra security risk - That's risk enough,
it can't be topped.

2. When the VNC server and client are secure then
there should be no problem.

I would be VERY pleased to see a solution which
is integrated into UltraVNC and does not require
any manipulations in the NAT settings or port-forwarding.
redge
Posts: 6797
Joined: 2004-07-03 17:05
Location: Switzerland - Geneva

Post by redge »

dattelhuber wrote: I would be VERY pleased to see a solution which
is integrated into UltraVNC and does not require
any manipulations in the NAT settings or port-forwarding.
me too :)
so nice if available in the next few builds
UltraVNC 1.0.9.6.1 (built 20110518)
OS Win: xp home + vista business + 7 home
only experienced user, not developer
ntica
Posts: 1
Joined: 2004-05-24 19:13

Some interesting links

Post by ntica »

Maybe you can have a look at:
http://www.ietf.org/rfc/rfc3489.txt
http://www.pernau.at/kd/voip/bookmarks-sip-rtp-ua.html

They are very instructive sites.

Have a nice day.. :D
lenisham
Posts: 104
Joined: 2004-06-24 07:00

Post by lenisham »

stalks wrote: Now that's interesting. The original RFC 2663 for NAT states each connection should be uniquely identified by Source IP/Port and Target IP/Port. Some companies must have decided to change this implementation specifically for peer-to-peer when both are behind NAT. Perhaps UPnP is what is being exploited here?
NAT is commonly used to cover NAT and PAT. PAT is Port Address Translation and allows multiple systems to use one external IP address instead of one external IP address per computer connecting.