
Remote desktop to home from Internet

Going away for a few days next week. I thought it would be good to get my desktop set up for remote access. Must admit I thought this would be tricky and I haven't been disappointed.

Firstly, the desktop is Windows 10 Pro and I've enabled Remote Desktop access on it. Works on the internal LAN.

Networking - we have this setup:

Desktop PC (the target) < ASUS Router < Huawei B593 < Internet (EE 4G)

In this order then, working "outwards":

Desktop - Check Firewall allows RDP 3389 and verified can connect via the LAN, so: Desktop PC < ASUS Router < Laptop = this works

Router - Fixed IP for WAN, check. Fixed IP for desktop, check. Set up Port Forwarding port 3389 "joining those two together". Port Range 3389 remote to 3389 local fixed IP of target machine, TCP. Check.

Router - Disable Firewall for testing. Check.

B593 Modem - disable firewall to test, check.

Plug separate 4G dongle into laptop, disable wireless. So now "coming in" from an external IP, not the LAN.

Disable the VPN we use (I'll get to that bit later). So a "raw" connection from an external IP to the externally presented IP of the home network. No "IP filtering" going on as yet.

Can't connect.

Try the "nuclear option" of DMZ in the B593 modem for the router, so exposing everything. Still won't work.

No error as such, though I'm not sure where I should be looking.

Laptop just times out the RDP attempt and says "Can't connect".

I knew this was never going to work ;)

Any ideas?
 
Good grief..

If I connect the LAN back to the VPN service, and then try to "come in" on the fixed IP that presents, it works.

Presumably EE 4G won't forward ports inbound, it has to go over a VPN.

Was going to do that anyway.

So now, I need a second VPN IP address for the laptop, to use when out and about, given that:

1. I can't connect the laptop to the internet with the same VPN IP Address as the machine I want to connect to, and
2. I don't want to allow just anyone on the internet to be able to make RDP connections to our LAN

?
 
I'm a bit confused about your intentions. I would think what you want is to run a VPN server somewhere on your LAN and use your laptop as a client to connect. Is your LAN VPN a server or client? I think some ASUS routers allow you to create a VPN server and will do the hard work of creating a certificate and creating the VPN config file - if you have such a router you are lucky as most consumer routers don't.

I am not familiar with the Huawei B593, is this just a modem or does it also do NAT? If it does NAT then that is probably your issue when not connecting over VPN as you would need to port forward there as well.

EE can't stop you port forwarding, that is something you do on your own equipment and EE have no control over it. They could block the port altogether and this is something you can test - I think there are websites for checking open ports. Normally port 25 is blocked outbound for example.
 
Thanks - I think I have it sorted now.

It works when the VPN Client is switched on in the ASUS Router - that's the "internal" router of the two.

But then it would, since that's "punching a tunnel" through the Huawei B593's settings. So what you do on that matters not. It isn't "seeing" what that traffic is anyway.

(We use a VPN client configured in that router so that everything in the house goes via the VPN for security and also to have a fixed IP address, and resolve the problems that EE's CGNAT causes).

So I've ordered another fixed VPN IP address and put that address in the firewall on my desktop - RDP 3389 scope - all local, but for external - only that IP.

I then configure the new VPN client on the laptop, connect to that VPN (different IP address to the one at home and both are fixed IPs), and I can then remote to my desktop PC at home when out and about, protected with IP address security.

I honestly never thought that this would work and I would spend fruitless hours on it :)
 
OK, so the issue you had is known as 'dual NAT'. Ideally you would put the Huawei B593 in bridged modem mode so it does no routing. As for your VPN setup, it does not sound so safe to me. If I understand correctly you are still exposing port 3389 to the Internet by your fixed IP VPN-WAN. How is this any safer than exposing it on your non-VPN WAN (which may not have a static IP address which would be a problem)?

The ideal solution is to create a point to point VPN between a VPN server on your LAN to a VPN client on your laptop. You could use dynamic DNS so you know what your WAN IP address is. However, the issue is that a lot of equipment does not support VPN servers. I run a VPN client and server on my router. The client is so I can protect my network with the PIA service. The server is so I can connect securely when away. For what it is worth I also run a VPN client on my mobile devices when I am out and about to stop man in the middle attacks.

Thinking about it a bit more, I don't expect your router would support VPN client and VPN server at the same time. I can do this on my router but it is a rather complex (read pain to configure) pfSense device.

C.
 
If anything it's more risky using a known VPN provider end point IP as it will be well known and likely to get scanned more often.

My main question is, you're going away only for a few days and by the sound of it a non-business trip, so why do you want to stay connected to work? Have a few days away and relax and not stay "plugged in".

If you really need it:

WAN router port forward 3389 to the other router, then port forward that port 3389 on the second router to the computer you want as the least important, then set the 2nd PC up to respond to RDP to the 1st PC only, no external connection.

Don't leave 2 IPs open to the outside world.

If you want a hand or someone to help you test, give me a PM.

LeeH
 
I thought about what I had posted and thought I would correct a misleading comment I made. I don't use PIA to protect my network. A public VPN service does not really protect a network, it helps obscure your IP address from your Internet activity. It can be used to help stop snooping - think internet snooping charter, it helps keep your anonymity on p-2-p activities, it helps obscure what you do from your ISP so they will struggle to shape stuff like p-2-p traffic. Don't expect it to hide yourself if you are doing really bad stuff though, although if you are doing really bad stuff then you deserve what you get.

I use PIA because I don't like the idea of being snooped on.
 
I love the idea of setting up something like this to access your home computer network, if purely from the geek standpoint. But I personally take a different approach. All my main work apps are of the "portable" variety except MS Office. So when I go away I just copy all the directories over to an encrypted USB drive and then just copy them back again on return, job done :) . As a bonus I get to backup my work at the same time.
 
To answer a few points. The Remote Desktop configuration is better illustrated by this:

Laptop > EE 4G (CGNAT) Dongle via VPN with fixed IP (#1)

Me with my laptop "on the road". Connecting to the internet through a VPN to get a fixed IP.

Office Desktop > ASUS Router configured as VPN Client with fixed IP #2 > Huawei B593 modem > EE 4G (CGNAT)

Office setup. ASUS router configured as VPN client to get fixed IP which bypasses the CGNAT issues, basically CGNAT renders the internet useless in some respects. To illustrate:

Office Desktop ]
Apple TV Box ]
Panasonic TV ] -- > ASUS Router > VPN (Fixed IP) #2 > Huawei B593 > Internet EE 4G
Phones etc ]
iPad etc ]

Without the VPN, if you try to use one of the phones to control the YouTube TV app, the phone client will keep dropping the connection. This is because the following configuration now applies:

Office Desktop ]
Apple TV Box ]
Panasonic TV ] -- > ASUS Router > Huawei B593 > Internet EE4G CGNAT
Phones etc ]
iPad etc ]

.. and so the IP address of the TV and the phone keep changing thanks to the CGNAT. The phone YouTube app is now no longer able to maintain the connection to the TV.

So the fixed IP is essential for all of this to work properly, even though it shaves about a third off the download speeds.

Actually, it need not be a VPN. That's a "red herring". What is essential is that the phones and the TV present the same external IP. However EE don't offer a fixed IP option with 4G, so this is a workaround.

Now, coming back the other way:

Internet > (through & bypassing Huawei B593 thanks to VPN tunnel) > ASUS Router > Desktop

Desktop now has to be protected because with port forwarding on the ASUS Router, although any other protocol/port will "die at the ASUS router" because it isn't forwarded anywhere, there's now a clear route from "anyone" on the internet to attempt to RDP to my desktop.

So I've put Fixed IP #1 in the Firewall scope (Remote connections, only that IP) on my desktop so it only permits someone with that IP to RDP to it affording a layer of protection. OK I know it's not flawless but it's the best option I can see.

Does this all make sense? I was quite pleased to get it working at all ;)

I do still need to have access as I run my own company (IT services) and I don't give the Administrator server passwords to my team. Only I have those. In the event of some catastrophe in those few days away I need to be able to get onto the machines, so remote > Desktop > servers locked to fixed IP #2.

I'm sure there's some better way.. I don't expect anything to go wrong, but you never know :)
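
Added example, not part of any post in this thread: the firewall scoping described in the posts above (RDP reachable from the LAN and from one fixed external address only), applied and audited from an elevated PowerShell prompt on the desktop. The address 203.0.113.10 is a constructed placeholder for "fixed IP #1", and the rule group name assumes an English-language Windows install.

```powershell
# Added example: run elevated on the Windows 10 Pro desktop.
# 203.0.113.10 is a constructed placeholder for the laptop's fixed VPN address.
$LaptopVpnIp = '203.0.113.10'
$Group       = 'Remote Desktop'   # built-in rule group name on English installs

function Get-RdpRuleScope {
    # One row per enabled inbound rule in the group, with its port and scope.
    Get-NetFirewallRule -DisplayGroup $Group |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
}

# 1. Before: a default install shows RemoteAddress = Any on these rules.
Get-RdpRuleScope | Format-Table -AutoSize

# 2. Scope the whole group to the LAN plus the single fixed address.
Set-NetFirewallRule -DisplayGroup $Group -RemoteAddress 'LocalSubnet', $LaptopVpnIp

# 3. After: every row should now list only LocalSubnet and the fixed address.
Get-RdpRuleScope | Format-Table -AutoSize

# 4. Catch rules outside the group (third-party tools, old manual rules) that
#    still allow TCP 3389 from Any. Port ranges are not expanded here.
Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    Where-Object {
        $p = $_ | Get-NetFirewallPortFilter
        $a = $_ | Get-NetFirewallAddressFilter
        $p.Protocol -eq 'TCP' -and $p.LocalPort -contains '3389' -and $a.RemoteAddress -contains 'Any'
    } | Select-Object DisplayName, Profile

# 5. Recent RDP authentications and their source address (event 1149:
#    Properties[0] = user, Properties[2] = source network address).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id      = 1149
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'User';   e = { $_.Properties[0].Value } },
        @{ n = 'Source'; e = { $_.Properties[2].Value } }
```

A source address in step 5 that is neither on the LAN nor the fixed address means some rule is still wider than intended.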
 