Remote Desktop and VPN



  • Goal
    My goal is to provide easy remote assistance to laptop users in the field, while also adding the feature of being able to see what IP address they are connecting from (if the laptop is stolen) and remotely disable the laptop through the use of PsTools ( link ) if it is missing, unaccounted for, or stolen.  I know there are a lot of paid applications out there which can do the same thing, but my company is cheap and doesn't want to pay for IT tools, so this is what I have come up with.

    Theory
    The key to making this work is having an automatic VPN connection from every laptop to the pfSense firewall.  The purpose of the VPN connection is not to allow the laptops to access anything, but rather to ensure a system admin can access the laptop through Remote Desktop and PsTools.  It should be as invisible to the user as possible, in order to avoid the eyes of a would-be thief.  It should also be able to establish the VPN connection without user intervention because the primary audience I will be supporting can barely use a computer, let alone establish a VPN connection.  Those two requirements make me think Windows built-in VPN client would likely be the best option.

    Questions
    1.  Is all of this possible?  Are there any glaring flaws in my idea?

    2.  Is it possible for Windows built-in VPN to connect to pfSense, or do I need a different client program?  If I do, is there a VPN client that works with pfSense, but is invisible and automatic?

    3.  Is Windows VPN as invisible and automatic as I would like, or are there issues with it automatically establishing a connection when internet becomes available, or giving error messages to the user?

    4.  Are there any major security concerns I should be aware of?



  • You should just have the laptop ping your server often and leave an SSH port open on the laptop.  It will be less noticeable and easier to do than having a full blown VPN running.  You could even set up a dyndns client on the laptop, but that's more obvious as a process.

    Give me one open SSH port and an Admin password, and I'll have whatever I want on that laptop.  ;)

    I will say, however, that any thief in his right mind is not going to boot a stolen laptop connected to the web.  More likely, they are going to wipe the drive post-haste and your clever plan will have been for nothing.



  • @kejianshi:

    You should just have the laptop ping your server often and leave an SSH port open on the laptop.  It will be less noticeable and easier to do than having a full blown VPN running.  You could even set up a dyndns client on the laptop, but that's more obvious as a process.

    Give me one open SSH port and an Admin password, and I'll have whatever I want on that laptop.  ;)

    I have only used SSH to control a Linux machine with command prompt.  How would that work if I want to access the desktop and configure applications for the user?  I think if the laptop is behind a NAT, it might not work due to the port not being open.

    Also, I need to select a specific laptop to support/control/lock down, and these move around a lot.  I would have no method of identifying which laptop is pinging me.



  • There is only one thing that I know of that is easily configured to allow remote access to a machine with changing NAT conditions and little set up.  TeamViewer.  It can be configured to allow remote access even from a locked screen and it can be locked such that a password is needed to change its configuration, however - when you log in the user will be aware.

    However - a simple process that pings your IP will give you the IP, location etc of a stolen laptop and would be hardly noticeable by anyone who isn't on their game.



  • I am aware of TeamViewer and other products which are similar to it.  They use a proxy server to relay the session, which isn't based on Windows Remote Desktop.  Instead, they use their own proprietary technology.  I currently have a VNC relay set up which does the exact same thing, and traverses NAT quite easily.  I want to get away from using VNC though, as it isn't quite as secure as using a VPN tunnel to secure a session.  In addition, I would have a log of what IP address people used to connect from, which can be translated into locations if a laptop gets stolen.  That wouldn't work if a laptop just pinged my firewall, as I would have no idea who was pinging.

    The purpose of having remote desktop is to allow me to provide technical support, not lock a machine down.  For anti-theft measures, PsTools allows me to run command-line programs on the remote machine without them noticing.  For example, I could create a bat file which changes the password to the local user account (we don't use passwords on our field laptops) and shuts the machine down.  A lot of things can be done through command-line, and the thief would never know I'm doing something.

    Back to my original questions…
    Please refer to the first post if you have answers.  The suggestions by kejianshi did not provide an alternative solution.
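Added example (not code from any post in this thread): the "lock the account and shut it down" action described above, scripted for the admin workstation so it can be run over the tunnel without anything showing on the laptop's screen. Assumptions: PsExec.exe from Sysinternals PsTools is on PATH; the laptop's tunnel address (for example 10.8.0.6) is read from the pfSense OpenVPN status page; the laptop has a local administrator account with a non-blank password (Windows refuses network logons for blank-password accounts by default); the field account name `fielduser` is a placeholder.

```powershell
# Added example, not from this thread. Run on the admin workstation while the
# laptop's OpenVPN tunnel is up. Assumes PsExec.exe is on PATH and the laptop has a
# local admin account with a real (non-blank) password.
param(
    [Parameter(Mandatory)][string]$LaptopIp,    # tunnel address, e.g. 10.8.0.6 (assumption)
    [Parameter(Mandatory)][string]$AdminUser,   # local admin account on the laptop
    [Parameter(Mandatory)][string]$AdminPass,
    [string]$FieldUser = 'fielduser',           # the no-password field account (placeholder name)
    [string]$LogFile   = "$PSScriptRoot\lockdown-log.txt"
)

# 14 characters: 'net user' asks for confirmation above 14 on older Windows
# versions, which would hang a non-interactive PsExec session.
$chars   = [char[]]((48..57) + (65..90) + (97..122))
$newPass = -join (Get-Random -InputObject $chars -Count 14)

# Record what was done before touching the laptop. This file holds the new
# password, so keep it where only IT can read it.
"$(Get-Date -Format s) $LaptopIp $FieldUser $newPass" | Add-Content -Path $LogFile

# Confirm it is the laptop you think it is: the tunnel address only tells you
# which certificate connected, not which physical machine or where it is.
& psexec.exe "\\$LaptopIp" -u $AdminUser -p $AdminPass -h -accepteula cmd /c 'hostname & ipconfig /all'

# Set a password on the field account, disable it, then force a shutdown.
# Nothing appears on the thief's screen until the machine powers off.
$remoteCmd = "net user $FieldUser $newPass /active:no & shutdown /s /f /t 0"
& psexec.exe "\\$LaptopIp" -u $AdminUser -p $AdminPass -h -accepteula cmd /c $remoteCmd
if ($LASTEXITCODE -ne 0) {
    Write-Warning "psexec returned $LASTEXITCODE; the laptop may not be reachable through the tunnel"
}
```

PsExec talks SMB (TCP 445) to the ADMIN$ share, so the laptop's firewall has to allow 445 in from the tunnel network, and the credentials travel inside the OpenVPN tunnel rather than over the hotel Wi-Fi. Where the laptop connected from is not something the laptop tells you; it is in the pfSense OpenVPN log and Status > OpenVPN, which is the record worth exporting before the lockdown.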


  •

    This has absolutely nothing to do with pfsense.

    http://preyproject.com/



  • @doktornotor:

    This has absolutely nothing to do with pfsense.

    http://preyproject.com/

    I am aware of it and similar commercial products.  My company does not want to pay for IT solutions.  I had a hard enough time getting them to pay $300 for the pfSense firewall hardware which replaced their DDWRT router.


  •

    @Syntax42:

    I am aware of it and similar commercial products.  My company does not want to pay for IT solutions.

    Not our problem. You are totally off-topic here. Accessing/tracking remote laptops located in random places has nothing to do with pfsense firewall.



  • @doktornotor:

    @Syntax42:

    I am aware of it and similar commercial products.  My company does not want to pay for IT solutions.

    Not our problem. You are totally off-topic here. Accessing/tracking remote laptops located in random places has nothing to do with pfsense firewall.

    I am not off-topic.  My questions were about VPN capabilities and if it is possible to use Windows VPN with pfSense.  Please refer to my original post.


  •

    There is no way to ensure any automated VPN connection either, considering port blocking, double/triple/… NAT, random private subnet overlaps, or simply people wiping the OS. What you are trying to do is just extremely naive.



  • What is so naive about it?  I am trying to implement something I intend to use for remote support, primarily.  I have no illusions about this being extremely effective at preventing intelligent thieves from bypassing my systems.  I would only expect this to give me options if the laptop is stolen by someone who knows too little about computers to reinstall Windows.

    Again, please refer to my original questions.

    2.  Is it possible for Windows built-in VPN to connect to pfSense, or do I need a different client program?  If I do, is there a VPN client that works with pfSense, but is invisible and automatic?

    3.  Is Windows VPN as invisible and automatic as I would like, or are there issues with it automatically establishing a connection when internet becomes available, or giving error messages to the user?

    4.  Are there any major security concerns I should be aware of?


  •

    Already answered. There is no invisible VPN (route print, ipconfig /all), there is no way to ensure the VPN will work (reasons stated), there is nothing preventing people from merely reformatting the drive. There are good reasons laptop vendors are offering encryption and remote tracking/wipe solutions independent of the running OS. And finally yeah, there is major security concern of giving automated access to (at least part of) your company infrastructure via the VPN.



  • @doktornotor:

    Already answered. There is no invisible VPN (route print, ipconfig /all), there is no way to ensure the VPN will work (reasons stated), there is nothing preventing people from merely reformatting the drive. There are good reasons laptop vendors are offering encryption and remote tracking/wipe solutions independent of the running OS. And finally yeah, there is major security concern of giving automated access to (at least part of) your company infrastructure via the VPN.

    You seem to misunderstand the scope of what I am trying to achieve.  I don't expect anything to be completely invisible to an educated computer user.  I also don't expect anything to work in unusual situations such as the few you mentioned.

    To me, "invisible" to the user just means an average or uneducated computer user would not see anything running in the taskbar and would not see any error messages about not being able to connect.  It just needs to connect when it can and not let the user know what is happening.  OpenVPN does not do this, as far as I can tell.

    The typical situation I expect is for the laptop to be behind a single NAT at a hotel, or connected to a mobile (cell phone) data network.  Neither situation has posed a problem for me with OpenVPN or VNC (separately), so I would expect any form of VPN to be able to connect to the firewall as long as the port isn't blocked on the laptop's side.

    As far as security goes, I think the VPN firewall (in pfSense) can easily limit the access to a single IP address on the internal network, or prevent all access to the internal network.

    Again, I would like to have my original questions answered.  Most importantly, I would like to know if Windows VPN can connect to pfSense's IPsec VPN.  That would be the only technical hurdle I have to deal with.


  •

    @Syntax42:

    Most importantly, I would like to know if Windows VPN can connect to pfSense's IPsec VPN.

    Yeah of course it can. It's documented. Such as using the Shrew Soft VPN client. There is absolutely no guarantee it's gonna work in a random hotel, or over a mobile network. Not to mention that it still is extremely bad idea to connect to a VPN without any sort of authentication required from the user. Well, this clearly is heading nowhere. Final advice here: invest time in user education, instead of trying to invent whacky "solutions" because your company is "cheap". Is the company data cheap as well?  ::)



  • Windows has a built-in VPN client, which is what I have been asking about.  I would prefer not to use a program which runs in the taskbar.  Does ShrewSoft's client leave an icon in the taskbar?

    I would love to use commercial products, but as I said, my company won't pay for anything.  That's why I have to try to implement something "whacky," as you put it.  The size of our business is fairly small, so our internet connection is as well.  With around 20 people in the office, we are fine with a 50/10Mbps connection from the cable company.  You might consider that "cheap" but it is all we need for now.

    Not everyone has the computer knowledge it takes to troubleshoot everything.  That's why companies have IT departments.  The people I'm supporting have to focus on their jobs, and using a computer is just a tiny part of their work.  If I told their manager that they all need computer training, he would laugh in my face and call it a waste of time and money.  Doktornotor, you seem like you know a lot about networking, but you don't seem to be very good at understanding others or the situations they present.  Instead of answering the questions, you are giving me situations and suggestions which are not practical, don't apply to me, or I have already considered.


  •

    There is no L2TP IPsec support on pfSense, so… NO. You are stuck with OpenVPN or third-party IPsec clients.

    If people cannot be taught to type in their password, if people get confused by taskbar icons, well... lost cause, fire and hire someone capable of using a computer as computer, not as a typewriter. Also not my fault your manager is an idiot who considers education of employees to be "waste of time and money", to put it absolutely honestly.



  • @doktornotor:

    There is no L2TP IPsec support on pfSense, so… NO.

    I don't understand your statement.  I am using 2.1-RC0 due to the driver support for my NICs and I can clearly see L2TP and IPsec as VPN options.  Are you saying those aren't working, or they don't work with Windows VPN client?



  • Oh well.  I wasn't trying to be contradictory myself.  I was just thinking how to get to a laptop in the least obtrusive way possible.  Actually, this is not the first time someone asked about having a VPN client be used this way.  VPN client has to be accessed as if it's a server…

    Anyway, it's certainly possible to load a VPN client on the laptop, have it use DNS to find a pfsense/openvpn server, dial in without a password using a cert and maintain a connection whenever possible.  However, that little icon will be right there to see, and it's quite a heavy process to hide.

    My brother's laptop does this by the way - Every time he turns it on.

    I have a few computers out there running as clients to my VPN - I'll see if I can remote into one that way, but I doubt it.


  •

    @Syntax42:

    I don't understand your statement.  I am using 2.1-RC0 due to the driver support for my NICs and I can clearly see L2TP and IPsec as VPN options.  Are you saying those aren't working, or they don't work with Windows VPN client?

    The native Windows "client" requires L2TP/IPsec. This is NOT implemented. IPsec alone is not usable with native Windows client. L2TP alone is useless since it offers no encryption whatsoever.



  • @kejianshi:

    I have a few computers out there running as clients to my VPN - I'll see if I can remote into one that way, but I doubt it.

    As far as I can tell, you just have to make sure Terminal Services (Windows 7/8) is running and accepting connections on the VPN interface.  If you want to use the PsTool program, that requires a registry tweak to allow it to work if they are not on a domain.  See this page:  http://www.brandonmartinez.com/2013/04/24/resolve-access-is-denied-using-psexec-with-a-local-admin-account/

    I haven't tested it on a VPN, but it should be the same as being on a local network as long as the firewall is set up to allow connections between the VPN client and the computer inside the network.

    After reading about this more, it looks like it might be possible to hide the OpenVPN taskbar icon and notification balloons.  I might be able to set up scheduled tasks to start up the VPN connection.
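Added example (not from any post in this thread): the laptop-side preparation the post above describes, done in one elevated PowerShell script before a laptop leaves the office. It assumes a pfSense OpenVPN tunnel network of 10.8.0.0/24 (placeholder) and a Windows 7 Professional or better laptop (Home editions have no Remote Desktop server, as kejianshi found). The registry value in step 1 is the one the linked page refers to for the "Access is denied" error with a local admin account; the account name `itadmin` is a placeholder.

```powershell
# Added example, not from this thread. Run elevated on each field laptop.
# Assumes the OpenVPN tunnel network is 10.8.0.0/24 (placeholder).
$vpnNet = '10.8.0.0/24'

# 1. Let a local (non-domain) administrator receive a full admin token over the
#    network. Without this, PsExec with a local admin account fails with
#    "Access is denied" (the registry tweak the linked page describes).
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $pol -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Enable Remote Desktop and require Network Level Authentication, so only an
#    account with a real password can even reach the logon screen.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Set-Service -Name TermService -StartupType Manual    # started on demand; must not be Disabled

# 3. Open RDP (3389) and SMB/ADMIN$ (445, what PsExec uses) inbound from the
#    tunnel network only. On hotel Wi-Fi both ports still look closed.
netsh advfirewall firewall add rule name="IT RDP via VPN"    dir=in action=allow protocol=TCP localport=3389 remoteip=$vpnNet
netsh advfirewall firewall add rule name="IT PsExec via VPN" dir=in action=allow protocol=TCP localport=445  remoteip=$vpnNet

# 4. The account IT will connect with. Blank-password accounts are restricted to
#    console logon by default, so this one needs a password (prompted for here).
net user itadmin * /add
net localgroup Administrators itadmin /add
```

The field account can stay passwordless for the user; IT connects as the separate administrator account, and the firewall scoping means the tunnel is the only path to those services. Check the result with `netsh advfirewall firewall show rule name="IT RDP via VPN"` and a test RDP session from the admin workstation through the tunnel before the laptop ships.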



  • NAT is very transparent in one direction - and very non-transparent in the other.  I doubt it's as easy as you think, but I'm going to check it shortly.



  • OK - You will be happy to know that if I lower my firewall rules and allow communication between clients that my windows 7 VM and my ubuntu machine CAN browse the shares of the remote client.  I can also ping the virtual IP assigned to the distant windows 7 client.  Communications seem completely open in both directions as long as I deactivate my firewall rules that are in place to prevent such things.

    That distant computer is a Windows home machine and did not support RDP out of the box, but every other service on that laptop which is 2000 miles away, was open to any computer on my LAN.

    So, assuming you load a VPN client on the laptop, and only load 1 configuration and put a link to the openvpn client file in the startup folder as I have done, you should be in business.  I'll give it a shot with a Vista Ultimate machine in California.  If the communication is open and 2 way like the win7 machine I don't expect any issues.

    HAHA - Actually that machine is home premium…  Anyway - Try it.  (My fault - I have taken as many people off Windows as possible)
    I can't imagine that RDP is the only service running that wouldn't be accessible when everything else is.



  • For anyone who comes across this in the future, my solution requires me to set the OpenVPN service to automatic in services.msc.  After doing so, the OpenVPN service attempts to connect to any configuration in the folder specified by the affiliated registry entry, and it does not need the use of the GUI.  Adding "auth-user-pass passwordfile.txt" to the configuration, and creating passwordfile.txt with the user name on the first line and password on the second line allows it to connect.  This can be a security vulnerability if you do not restrict what the VPN clients are allowed to access and is not suggested for most applications of VPN.

    I haven't tried it, but I'm fairly sure the GUI won't work after setting the service to automatic.  It doesn't bother me much, and it just means we will have to use IPsec on the computers which need a VPN connection to access our internal network.
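Added example (not from any post in this thread): the service-mode OpenVPN setup the post above arrived at, with the password file locked down so the field user cannot read it. It assumes the OpenVPN 2.3-era Windows client with its service named `OpenVPNService` (check with `Get-Service *openvpn*`), a pfSense server reachable as `vpn.example.com` on 1194/udp (placeholder), and that `ca.crt` plus this laptop's `laptop01.crt`/`laptop01.key` have already been copied into the config directory.

```powershell
# Added example, not from this thread. Run elevated on the laptop.
# Assumes OpenVPN 2.3-era client, service name 'OpenVPNService', and the
# certificate files already present in the config directory.
$svc  = 'OpenVPNService'
$user = 'laptop01'
$pass = Read-Host 'VPN password for this laptop'

# The service starts every *.ovpn in the folder named by this registry value
# (on 64-bit Windows with a 32-bit client the key may sit under Wow6432Node).
$cfgDir = (Get-ItemProperty 'HKLM:\SOFTWARE\OpenVPN').config_dir

# One configuration only: a second .ovpn here would mean a second tunnel.
# Set-Content with ASCII so OpenVPN does not choke on a BOM or UTF-16.
@"
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert laptop01.crt
key laptop01.key
remote-cert-tls server
auth-user-pass passwordfile.txt
verb 3
"@ | Set-Content -Path (Join-Path $cfgDir 'field.ovpn') -Encoding ASCII

# Username on line 1, password on line 2, exactly as the post describes.
$pwFile = Join-Path $cfgDir 'passwordfile.txt'
@($user, $pass) | Set-Content -Path $pwFile -Encoding ASCII

# The service runs as LocalSystem, so only SYSTEM and Administrators need to
# read the credential file; strip inherited ACEs so the field user cannot copy it.
icacls $pwFile /inheritance:r /grant:r 'SYSTEM:R' 'Administrators:R' | Out-Null

# Tunnel as a service: starts at boot, no GUI, no tray icon, retries forever.
Set-Service -Name $svc -StartupType Automatic
Start-Service -Name $svc
```

Two checks on the pfSense side go with this. First, do not put the usual "allow any" rule on the OpenVPN firewall tab: a stolen laptop carries a valid certificate and password, so the tunnel network should be allowed nothing, and a rule on the LAN tab should let only the admin workstation reach the tunnel subnet. Second, the address a laptop connected from is what pfSense records in Status > OpenVPN and the OpenVPN log, and a per-laptop certificate is what lets you revoke one lost laptop in the CRL without touching the rest.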

