Using RDC and Terminal Services

JAB

I am starting to use RDC and Terminal Services but i do not know what i have to do to let users through the firewall when connecting from home to there work pc.

cheesyboofs

I think you mean RDP (Remote desktop protocol) you could just open up port 3389 but you would be mad.

The best thing to do is set up Openvpn and then when a user fires up the RDP client on their desktop at home the RDP session will be encrypted and sent down the tunnel. Its very easy to setup and works very well. You can do the same with the PPTP vpn server which you can use the standard windows vpn client to connect to but I find the openvpn server to be more stable and efficient but will require an extra bit of software on the users machine.

http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN

Bern

I do this quite a bit and (at the moment) PPTP is probably better suited to this task than OpenVPN.

The reasons include:

• No software install required on the home PCs.

• Considerably easier PPTP configuration at the server.

• You can set firewall rules for PPTP on pfSense, allowing in ONLY RDP and DNS (etc.), whereas with OpenVPN it's all or nothing. You REALLY don't want random home PCs having unfettered access to your LAN.

I personally use OpenVPN but I run Linux on my laptop, so complexity isn't a barrier for me and I can trust my laptop not to have malware on it.

cheesyboofs

with OpenVPN it's all or nothing. You REALLY don't want random home PCs having unfettered access to your LAN.

Not strictly true as you can force a client to a specific IP then lock down via firewall rule as to what that IP has access to, But I think the point has been made.

Bern

@cheesyboofs:

Not strictly true as you can force a client to a specific IP then lock down via firewall rule as to what that IP has access to, But I think the point has been made.

Well, I'm using 1.2 and 1.2.1 and my experience differs!

My laptop's OpenVPN endpoint:

6: tun0: <pointopoint,multicast,noarp,up,lower_up>mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 192.168.102.6 peer 192.168.102.5/32 scope global tun0

My client's LAN firewall rule:

* 192.168.102.6 * * * *

(ie. block, protocols = all, source = my OpenVPN ip etc. )

This should block everything where source is my OpenVPN IP, but I can do whatever I like!

lt-bern ~ # telnet 192.168.100.9 25
Trying 192.168.100.9…
Connected to 192.168.100.9.
Escape character is '^]'.
220 mailserver.xxx.com ESMTP Exim 4.63 Fri, 24 Oct 2008 15:47:03 +0100
^]quit

telnet> quit
Connection closed.
lt-bern ~ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=127 time=74.3 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 74.316/74.316/74.316/0.000 ms

Perhaps there's something I've overlooked?</pointopoint,multicast,noarp,up,lower_up>