nat2nat (reload)

Tool to make an easy connection when both server and viewer are behind a nat router without opening and forwarding ports.

Re: nat2nat (reload)

Postby B » 2011-11-30 19:06

supey, check out the mod forum.
B
Super-Mod
 
Posts: 2363
Joined: 2009-09-09 14:05

Re: nat2nat (reload)

Postby ich » 2012-12-04 16:34

Did this project die off? Sounds super cool...
ich
20
 
Posts: 53
Joined: 2004-12-11 08:21
Location: California, USA

Re: nat2nat (reload)

Postby SkyBeam » 2012-12-31 11:19

Really sadly it looks like this thread died. I am desperately looking for this nat2nat solution as I am using UltraVNC currently for remote support (including some unattended machines). At the moment I have to use UVNC repeater with some drawbacks:

- Requires relaying all traffic via an external server (both client and server running behind NAT)
- On repeater restart, automatic re-connects do not work
- There is no authentication in repeater mode

The last point is pretty annoying and really affects security. Unlike TeamViewer, which requires the ID (basically like the NAT2NAT connection ID) and then requires authentication, using UVNC in repeater mode only requires you to know the ID to get direct access. This is a no-go for having several unattended servers connected to the repeater while connecting from different clients. Anyone knowing the repeater address could find out server IDs and hijack them unless I put a lot of effort into securing repeater connections.

The NAT2NAT reloaded tools (natserver.exe, natviewer.exe) seem to work fine. But the NAT helper utility code seems never to have been released. So I cannot operate one on my own infrastructure. Moreover I would like to launch natserver.exe/natviewer.exe unattended on the command line. This would allow running it along with the winvnc.exe service:

- Launch winvnc service (also allows user switches and UAC control)
- Launch natserver unattended to allow establishing NAT2NAT tunnel from outside (should re-connect to NAT helper service also in case DSL router is restarted etc. So keep persistent TCP connection to NAT helper and re-establish it if lost)
- On client launch natviewer with known ID and simply connect to local natviewer listener
- Default authentication of winvnc will take place since winvnc will treat the connection like a direct incoming connection

So this way basically someone could figure out the NAT2NAT ID of some machines but UVNC can still be secured using windows or password authentication which works pretty fine.

Both natserver.exe and natviewer.exe aren't very complex tools. The code could be integrated directly in winvnc.exe, allowing it to open a NAT2NAT connection directly at winvnc.exe startup.
For example adding "-id:<desiredID> -nathelper <IP:port>" command-line or any INI setting. The "ID" concept already exists and in NAT2NAT operation it could be used to define the connection ID. Similar to this the vncviewer could be enhanced to support also NAT helpers. So entering "ID:<desiredID>" and checking the "[x] NAT-helper <hostname:port>" would establish a NAT2NAT connection.
SkyBeam
 
Posts: 2
Joined: 2012-12-31 11:01

Re: nat2nat (reload)

Postby supercoe » 2012-12-31 14:30

Sad to see if this project died as it was really fun testing it with Rudi.

Skybeam,

The repeater is just a relay and has nothing to do with encryption, if you encrypt the traffic it will still relay it.
You may want to look into my ChunkVNC project as it allows you to easily setup the repeater with encryption and the ability to reboot (after installing as a service).


Bummer about nat2nat, it was interestingly scary how it penetrated NAT firewalls.
http://www.chunkvnc.com - ChunkVNC - Free PC Remote control with the Open Source UltraVNC wrapper InstantSupport!
supercoe
Super-Mod
 
Posts: 1720
Joined: 2009-07-20 21:27
Location: Walker, MN

Re: nat2nat (reload)

Postby SkyBeam » 2013-01-01 12:04

supercoe wrote: The repeater is just a relay and has nothing to do with encryption, if you encrypt the traffic it will still relay it.


This is clear to me and my point was not about encryption but about authentication. Authentication and encryption are two different aspects. I was very surprised to have my WinVNC service configured with "MS Logon" authentication and found it to connect without any type of authentication when connecting to the given ID on the repeater. I see this has been discussed already and to me it's clearly an issue/bug while UVNC developers seem to think that authentication is not required in repeater mode.

Anyway this is getting off-topic since this topic is about nat2nat only. There seem to be working nat2nat tunneling utilities but I couldn't find any code on CVS/SVN as well as no code for the NAT helper service.

supercoe wrote: You may want to look into my ChunkVNC project as it allows you to easily setup the repeater with encryption and the ability to reboot (after installing as a service).


I will perhaps have a look at it but it looks like it also does not use nat2nat but traffic relaying.
Thanks anyway.

I also found an interesting project on SF: http://n2nc.sourceforge.net/reference/index.html
It seems to do basically everything I am looking for. I will have a closer look here as well. If I am able to find or implement a tunneling service for NAT2NAT connectivity then this would be entirely fine:
  • Server starts nat2nat connectivity tool
  • nat2nat connects to helper service
  • helper service provides unique ID. Client might ask for preferred ID. This way it could store its ID locally. Just similar to what DHCP server/clients do.
  • Client starts nat2nat connectivity tool
  • Client will either know the server nat2nat unique ID or ask for it on different channel (via mail, phone or other channel)
  • Client asks to be connected to known nat2nat helper ID
  • Helper tool provides public IP addresses of both parties to each other. Depending on NAT type additional information might be required. Maybe discovery protocol like STUN could be used to detect NAT type.
  • Clients start sending UDP packages to each other trying to establish reliable tunnel (perhaps UDT based)
  • Clients also try to keep the tunnel up (keep-alive packages on idle). On disconnect/timeout the tunnel shall be auto-re-established (e.g. router reboot, IP change) via NAT helper service

The NAT helper service does not really need a database because in case of NAT helper service connectivity loss clients shall re-connect and re-register desired ID. Connection between client 1 and NAT helper service needs to be persistent in order to allow the NAT helper service to respond to client 1 if client 2 is known (on connect). Using TCP this would require severe amount of TCP sockets (one for each client) to be blocked. Alternatively also for initial NAT helper announcement UDP might be used. Keep-alive packages (on UDP) might be sent to NAT helper in order to assure the NAT-table entry does not get wiped out due to idle timeout so NAT helper service can send connection information when client 2 connects.
SkyBeam
 
Posts: 2
Joined: 2012-12-31 11:01
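
The helper-service behaviour outlined in the post above (preferred IDs handed out DHCP-style, no database, keep-alives, endpoint exchange on connect), as an added example that is not part of the original post or of the nat2nat code. The class name, the 30-second TTL and the per-registration token are assumptions introduced here; the token is an addition so that a second party cannot take over an ID while its owner is still sending keep-alives.

```python
import secrets

TTL = 30.0  # seconds without keep-alive before a registration lapses (assumed value)


class NatHelper:
    """In-memory rendezvous state; nothing is persisted, clients re-register."""

    def __init__(self, ttl=TTL):
        self.ttl = ttl
        self.peers = {}  # id -> {"endpoint": (ip, port), "token": str, "seen": float}

    def _live(self, peer_id, now):
        entry = self.peers.get(peer_id)
        if entry and now - entry["seen"] > self.ttl:
            del self.peers[peer_id]  # idle too long: the NAT mapping is assumed gone
            entry = None
        return entry

    def register(self, endpoint, now, preferred_id=None, token=None):
        """Grant preferred_id if it is free, lapsed, or re-claimed with its token."""
        entry = self._live(preferred_id, now) if preferred_id else None
        if preferred_id and (entry is None or
                             (token and secrets.compare_digest(token, entry["token"]))):
            peer_id = preferred_id
            token = entry["token"] if entry else secrets.token_hex(16)
        else:  # no ID requested, or it is held by a live peer: assign a fresh one
            peer_id = secrets.token_hex(4)
            while peer_id in self.peers:
                peer_id = secrets.token_hex(4)
            token = secrets.token_hex(16)
        self.peers[peer_id] = {"endpoint": endpoint, "token": token, "seen": now}
        return peer_id, token

    def keepalive(self, peer_id, token, endpoint, now):
        """Refresh an entry; the observed endpoint may change after a router reboot."""
        entry = self._live(peer_id, now)
        if entry is None or not secrets.compare_digest(token, entry["token"]):
            return False  # unknown, lapsed or wrong token: caller must re-register
        entry.update(endpoint=endpoint, seen=now)
        return True

    def connect(self, target_id, viewer_endpoint, now):
        """Return (endpoint sent to viewer, endpoint sent to server), or None."""
        # Knowing the ID is enough for rendezvous; login is left to the VNC server.
        entry = self._live(target_id, now)
        if entry is None:
            return None
        return entry["endpoint"], viewer_endpoint
```

Because nothing is persisted, an ID becomes claimable by anyone once it lapses, so access control still has to come from the VNC server's own authentication, as the post argues.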

Re: nat2nat (reload)

Postby supercoe » 2013-01-02 23:42

SkyBeam wrote: This is clear to me and my point was not about encryption but about authentication. Authentication and encryption are two different aspects. I was very surprised to have my WinVNC service configured with "MS Logon" authentication and found it to connect without any type of authentication when connecting to the given ID on the repeater. I see this has been discussed already and to me it's clearly an issue/bug while UVNC developers seem to think that authentication is not required in repeater mode.

Sorry, I had a brain lapse there as I use the SecureVNC plugin for encryption and authentication while utilizing the repeater.



SkyBeam wrote: I will perhaps have a look at it but it looks like it also does not use nat2nat but traffic relaying. Thanks anyway.

PCHelpware v2 uses nat2nat but that might not be your cup of tea.
http://www.uvnc.eu/download/pchw2/


Good luck finding what you're looking for, keep us posted if you come across anything good. :thumbs:
supercoe
Super-Mod
 
Posts: 1720
Joined: 2009-07-20 21:27
Location: Walker, MN
