Still No Open Source GoToMyPC / LogMeIn! (Platt)

[B]

It's 2011 and there still seems to be no way of hosting one's own remote control portal with open source software.

This fact is, frankly, astonishing. All the tools are there, and have been for a decade. (If I were a better programmer I would have tried doing it myself by now.) UltraVNC or TightVNC make great base engines, there are no end of available web server frameworks and authentication and encryption and proxy mechanisms, and screen image shuttling still seems to me to be a fairly simple proposition. (The devil is in the OS details I think.)

ChunkVNC approaches this goal, but is limited by the capabilities of the various UltraVNC repeaters. https://forum.ultravnc.net/viewtopic.php?f=50&t=27489 It also lacks the requisite integrated web server and compiler for on-the-fly packaging.

Rob Platt's auto-generating VNC package (and the PHPRemoteSupport.com fork) actually come closest to the operation of LogMeIn, GoToMyPC, and TeamViewer, but they are not being developed. I posted the following to Rob's site last week but the message hasn't even passed moderation yet:

Hey Rob, it’s B from the UltraVNC forums; I commented on your original post.

Your work here is seminal — it’s the closest thing to an open source LogMeIn/GoToMyPC setup we have… and yet neither you nor the PHPremotesupport.com guy is developing or maintaining it.

Do you know of ANYONE who has taken this ball and run with it? (I’m not a great programmer myself.)

Things like VNC engine upgrades, better encryptions, Win7 support, easy customization, are all needed, and more importantly the project needs to become active. Any idea if anyone’s doing that?

http://www.robplatt.com/index.php/2010/ ... -repeater/

http://phpremotesupport.com/

Can someone tell me I'm wrong please? Is there some great (or just decent) open source self-hosting LogMeIn workalike that makes it easy for a company to host and control its own dynamic remote control system?

[B]

Well, it's time for my company to renew our expensive GoToMyPC license, and we're also looking at LogMeIn's corporate options.

It is very frustrating to me that I can't put into place a VNC based solution instead. Our needs are very simple -- have users connect to their respective machines when home or on the road.

NOTHING I know of will do this! I would have to set up my own UltraVNC Repeater, manually install UltraVNC server with a unique SessionID on each office machine, and then manually install the viewer with a hard coded repeater address and SessionID on EVERY possible machine that wants to access the target.

There is NO existing way for the people to use an arbitrary machine (friend's computer, cybercafe) to log in to their office machine, as GoToMyPC and LogMeIn and Teamviewer have made possible for a decade. (Sure I could manually roll up multiple vncviewer packages, each with unique sessionIDs, and publish them on a web site, but that's so kludgy, tedious, and potentially insecure.)

For 10 users, GoToMyPC runs about $1200 to $2500 per year, and LogMeIn runs about $300 to $800 per year. For small and medium businesses this is NOT chump change.

Arrgh.

Again, would someone please tell me I'm wrong?

[shadowfax]

Wouldn't it be better -for security concerns- to run a VPN, and connect though the tunnel with the computer? I used this method in an old job and it works fine (Much cheaper than the licenses you're talking about), however it is certainly more tedious than running GoToMyPC or LogmeIn, but it should be more secure. I find alternatives as TeamViewer or Crossloop more usefull to handle remote support for external users, that is, if the VNC should go the other way around (From the office taking control of the roadwarrior machines). As you already know I'm most of the time focusing on that issue Right now I'm involved on other projects and, on my sparse free time working on a VNC client for iPhone/iPad that would be compatible with uVNC Repeater (Trying to solve the security problem as the modded reapeater won't allow for password authentication).

[B]

Sure, and we maintain a VPN for home users already, but if configuring UltraVNC (or Chunk, Tight, etc.) is difficult to do on a random roaming computer (if you even have permission) then installing a VPN client on demand is an order of magnitude more difficult to deploy. (Cisco's VPN clients are wonky to install, others are worse, most SSL based "VPNs" aren't really VPNs at all, and OpenVPN is a great VPN platform that requires a lot of manual key handling by the admin.)

Not to mention having to trust the machine that just tunneled in -- it might seem backwards, but when you think about it a VPNed machine is considerably MORE dangerous to the network than one that has achieved remote control of a PC on the network. For one thing, with the latter (remote control) the danger is only as great as the trustworthiness of the remote human operating the remote control program at that time. With the former (VPNed PC) the danger immediately extends to EVERY process running on that remote machine that might try to exploit nodes across the dandy new "local" network that just appeared.

For security's sake, it would be great to be using hardware tokens and dedicated locked-down company laptops too, but we don't have the budget for that.

Again, the goal is to have users access company resources that would be awkward or intolerably slow to use across the VPN (fat client stuff like Microsoft Dynamics, stuff we wouldn't even WANT to install directly on a home PC for use across a VPN). We could do a terminal server I suppose, at some additional cost and with different security concerns. The issue with "just using the VPN" isn't even that simple -- AFTER they connect via VPN, one still has the same additional task of connecting them with their target workstation! At that point one could use VNC or RDP, which would be nice, but it's still far more complex than one of the 3rd party services.

It doesn't HAVE to be that way of course. But it is, so far....

Thanks for the reply...

[shadowfax]

The best I could think of, before running into expensive hardware tokens, is creating a VPN to an empty VLAN, then creating a firewall rule in order to access the VNC port of the machines running the VNC service from that VLAN. This way the VNC services get protected through a VPN while the VPN users have limited access to your network (VNC services only).

If I' not mistaken some firewalls -I'm thinking right now of the expensive Firewall One- allows to set dynamic firewall rules based on the user credentials supplied by the VPN user. This setup would further block network access as you could block the user on the VLAN allowing him only access to the VNC services he is allowed to connect to. I think you can do a similar setup using iptables in a similar way as the WiFi hotspots developped for linux where they setup dynamic iptable rules after the user has supplied his credentials to the HTTP server.

If you allow access to the VLAN to an HTTP server you could create dynamic firewall rules allowing access to the specific VNC service allowed to that user. This would be trivial, as once the login is confirmed the script would create the dynamic rules, and give a download to the configuration settings for that user. If the Mime-type is set correctly the VNCClient shall open that file and connect directly to the VNC server.

This would be secure enough, INMHO, for road warrior machines, however, if you wish to give access to someone from a cybercafe or any non-trutable machine I would avoid installing the VPN client on that machine.. In that case I would just create the HTTPS service, and create a dynamic rule based on his credentials, and, on the main page I would leave two links: "Download configuration file" (In case he's got a properlly configured VNC client) or "Use Java Client". I don't remember if the JAVA client allows to supply the port number as a parameter (I guess it is already implemented as port numbers may change). If so it would be trivial to set the firewall rule to allow access to a specific port number, depending on the user credentials, and supply a specific port number to the JAVA viewer based on the user credentials. No specific setup would be required on the remote machine when using the VNC service through the java viewer. Just remember to add a cron task to remove expired firewall rules, create a new web window that shall refresh after a giving time to update the expiry time of the rule, and delete the rule if the user click "logout" on that window. Shouldn't be too complicated as you could reuse some of the code of WiFi hotspots (Just giving it another use).

[B]

True enough, shadowfax, but that sounds like MORE manual administration for moves/adds/changes, not less, and more work for the end user too.

(Are you assuming the firewall is running on Linux/Unix? Like many, our main firewall is a Cisco ASA.)

I want it to be as easy as the commercial vendors; if not on the admin side then at least on the end-user side. But the VNC based solutions just can't "compete" at present. (Particularly if you can get by using LogMeIn Free, which allows unlimited connections with just minor ad nags during login.)

Thank you for the ideas!

[shadowfax]

Not really assuming it is a Linux firewall... Just took it as a cheap example. I recall Firewall-1 also had dynamic rules (never managed a Cisco ASA, but guess it shall be possible).

The setup, from the administrators point of view is a pain in the ass... Configuring the dynamic rules, a secure http server, keeping secure the communications with the firewall, building the scripts, etc... Or maybe looking into the ASA built in capabilities to achieve the task. If the ASA has similar functions as the Checkpoints's firewall, there should be authentication capabilities for services, which could allow the user to open a dynamic rule in the firewall and redirect him to a http service in which you hold the script. (even better than the Linux solution and probablly easier for the admin)

From the users point of view it is as simple as loging in into a web server.

[B]

Exactly, a ton of custom work unique to each admin's environment. Not an attractive prospect. Hey are you still working on your "QuickSupport" app?

https://forum.ultravnc.net/viewtopic.php?t=27995

[B]

Welll, we're trying out LogMeIn Central, and it kind of rocks. SO much better than GoToMyPC Corporate's management options!

Some medium size reservations and quirks (the chief one being how easy it is to accidentally give a new user access to all company machines), but overall it's good stuff.

It's just a web site, really, and goes easy on the AJAX nonsense. Create a "deployment package" (a link to a download). E-mail the link to someone. They install LogMeIn (Pro or Free) and their machine appears in your master account. Then create a "user", assign that user to one or more PCs, and e-mail the invitation. They select their own password, and boom, you've got a machine that can be controlled at will by the admin or the user. The admin sees all the machines in a full management interface, and the user sees only the ones he or she is assigned, in a simpler remote control interface.

Simple, and it works. SO MUCH BETTER than GoToMyPC. (Nearly half the cost too.) I hear that the latest version of GoToMyPC is causing weird connectivity errors too.

Contrast at https://forum.ultravnc.net/viewtopic.php?f=27&t=27661

So if any enterprising VNC developers are looking to make my open source wishes come true, LogMeIn Central is not a bad system to imitate.

The usual 30 day trial is available.

(No, of course I'm not related to the company.)