Remote desktop access between 2 Ubuntu 20.04 devices over the internet
I have a workstation at my home office running Ubuntu 20.04 (i.e. the remote), which is connected to the internet with an Ethernet cable. While traveling, I typically carry a lighter device along, a laptop also running Ubuntu 20.04 (i.e. the client).
My goal is having remote desktop access to my workstation (i.e. access to files, terminal, etc) from my laptop over the internet.
My first attempt was setting up a VNC using Remmina as described here. This worked, and I can now access my workstation from my laptop, when both devices are connected to the same network. I searched how to use the VNC when the devices are NOT connected to the same network and found out that I could do that by 'setting up a virtual private network (VPN) server on the network with the remote Ubuntu system'.
Thus, I bought a VPN service from VyprVPN with a 30-day money-back guarantee. I configured a VPN connection on both remote and client, as described here. Both devices can now connect to the VPN and surf the web without any issue, but I cannot use the VNC anymore.
When I asked the VPN provider for clarification, the customer service (a bot) informed me that 'Remote access is currently not supported with VyprVPN' and suggested installing their app on my router. To the best of my knowledge, my home router does not meet the requirements of the VPN provider. Purchasing a new router to meet VyprVPN requirements would be OK with me, but I am neither sure that this would solve my problem nor that it's the most suitable solution for my case. It seems a bit of an overkill, considering that I simply aim to establish remote desktop access to one device from another.
What solution would you recommend for remote desktop access to one workstation (Ubuntu 20.04) from one laptop (Ubuntu 20.04) over the internet? Open-source solutions are preferred.
Thank you in advance for your kind support!
Two uses of VPN
1. Enterprise VPN
VPN is used by enterprises (corporations) to allow remote users access to the office network and computer resources. For example, a remote employee of a corporation can access the office's internal network drives using VPN. In this context, when a remote user logs in to the corporate VPN server, their remote computer becomes a part of the office local network. Then the remote employee can use VNC to access an office desktop computer.
I think this is the kind of VPN use you envisioned. However, your remote computer is at home while you travel and you don't have an IT department to set up a personal VPN server for you. You can set it up yourself, but I think it is too much trouble for securely connecting one remote computer in the home network context.
2. Consumer VPN
Consumer VPN service providers such as VyprVPN provide a slightly different kind of service to home users using the same technology. These service providers set up VPN servers in different locations and countries and allow home users to log in to these servers.
This allows home users to hide their internet activities from their own Internet Service Providers, government, etc. This also allows the home users to "pretend" to be in another country and "fool" video streaming services.
Consumer grade VPN service providers do not set up a VPN server in your home network. In fact, if you use a VPN client, say from VyprVPN, on your home desktop, then you may not be able to remotely connect to that desktop when you travel. This is because the VPN service makes your desktop "pretend" to be somewhere else! Therefore, you will have to turn the VPN service off on the desktop at home when you travel before you can remotely connect using VNC.
Why not just use VNC?
It is not safe. VNC is a rather old protocol and its security is not up to modern standards. Setting up the VNC server on your home desktop to accept connections from outside your own home network is possible. However, doing this is not recommended, as anyone from the Internet can easily break into your home desktop.
VNC over SSH
You will need to set up an ssh server on your home desktop computer first. See Connect two computers with SSH in a home LAN for how to do this.
Once you have ssh working within your home network and you can ssh from your laptop to the home desktop while both are connected to the home network, you will need to set up Remmina to use VNC over SSH.
Open the Remmina desktop preference window you have already created in your laptop to VNC into the desktop from within your home network:
Note, the Server field is filled with a LAN IP address above. Yours will be different. Go to the SSH Tunnel tab:
Check all the boxes as in the picture above. Port 22 is the default port for ssh. For simplicity we will use this port. You can read about how to change the default to some other port and set it up differently later.
Note, I have set up a Public key during my ssh setup. If you have done so, choose Public key as the method of authentication.
Otherwise choose Password.
Try it out and make sure you can VNC from your laptop to your desktop using the SSH tunnel when both the computers are connected to your home network.
When Traveling
There are two things you will need to figure out if you want to VNC over SSH when you are outside your home.
- Port Forwarding
- Dynamic Domain Name System (DDNS)
1. Port Forwarding
This is part of your router setup. You need to tell your router which device the remote connection requests should go to when the request comes through port 22.
In the picture above, my home desktop has the IP address 192.168.0.101. This is a local IP address within my home network. It has no meaning outside my home network. The router assigns this IP address to my home desktop.
You should set up your router to forward all packets sent via port 22 to port 22 of your home desktop's local IP address.
The exact process varies from router to router, and how to do this exactly is beyond the scope of this site, as it has nothing to do with Ubuntu.
2. Dynamic Domain Name System (DDNS)
Most home Internet services do not get a static IP address from their Internet Service Provider (ISP). If you have a static IP address assigned by your ISP then ignore this section.
You can copy the Remote desktop Preference in Remmina to a new one, and change the Server IP address to your ISP provided static IP address.
If your ISP dynamically assigns your home an IP address, then your home (external) IP address can change from time to time. You can find your external IP address by Googling what is my ip address when you are connected to your home network.
The problem is when you are traveling and your ISP changes your external IP address, you have no way of knowing what it is. Thus, you won't be able to connect to your home desktop.
You need to use a DDNS service provider. There are some free ones, like duckdns.org. You will need to create an account with one of them. Once you have an account, you will need to set up your home desktop to periodically communicate with the DDNS service provider of your choice and update any changes to your home IP address. The DDNS service provider will create an internet address for your home, such as ivapshome.duckdns.org, where ivanpshome is something you will choose.
The exact method of setting up the DDNS client on your home desktop depends on the DDNS service provider. Please search this site, and ask another question (if needed) if you have trouble setting up the DDNS.
Note: Some routers can update some specific DDNS services. You have to check your router and the specific DDNS service you use. The exact methods vary and are beyond the scope of this site.
In Remmina, under the Server field, enter the DDNS provided Internet address such as ivapshome.duckdns.org.
Now you should be able to connect to your home desktop computer from your laptop while traveling.
Hope this helps
You do not need to use any VPN to connect remotely from a device in one network to a device in another network. What you need to do is to set up port forwarding on the router where the target machine is located (how exactly to do it depends on the router, you should check the router's manual).
If you have a working VNC server on port 5900 of your target machine, just set up port forwarding from port 5900 on the internal IP address of that machine to port 5900 (or any other port) on your router's external interface.
Then, from the other system, connect with Remmina to the public IP address of your target router, port 5900 (or another port number you have set up).
This should work, assuming your ISP does not firewall incoming connections on their side.
Regarding comments below that VNC protocol is not secure: that's right, it isn't. I have only described the simplest solution here.
As someone already mentioned, you can tunnel VNC traffic through ssh. That is, install an ssh server on your target machine and forward not port 5900, but port 22 (the ssh port).
On the other machine, just connect via ssh to your public IP address and forwarded port and tell ssh to tunnel port 5900 on the target machine to, say, port 5901 on the local machine (the one you are connecting from). You can do this with the following command:
ssh -L 5901:localhost:5900 -l <username> <ip_address>
where <username> is your username on the target machine (if it is the same as on the local machine, you can skip the -l <username> part) and <ip_address> is the public IP address of the target router.
(If you have forwarded port 22 of your target machine to some other port than 22 on the router, then you need to additionally include the -p <port> part in the above command).
After you establish an ssh session, use Remmina to connect to port 5901 on your local machine. Port 5901 on your local machine will be securely connected via ssh to port 5900 on your target machine.
Remmina has an option to use ssh tunneling internally, without manually establishing an ssh session first, but for me it is always easier to do the tunneling explicitly, as I have shown here, than trying to decipher how the particular application is configured and what parameters I need to type in :)
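
Both answers end up forwarding port 22 from the router and reaching VNC on port 5900 only through the SSH tunnel. The following is an added example, not part of either answer: a small pre-travel audit that checks the home desktop's effective sshd settings for key-only login and flags a VNC listener reachable without the tunnel. The function names and the sample inputs are assumptions constructed for illustration; the script only reads text in the format printed by `sshd -T` and `ss -ltn`.

```shell
#!/bin/sh
# Added example: pre-travel audit for the "VNC over SSH" setup.
# Inputs are text in the format printed by `sshd -T` and `ss -ltn`.

# Print the effective value of one sshd keyword from `sshd -T` text on stdin.
sshd_setting() {
    awk -v k="$1" 'tolower($1) == k { print tolower($2); exit }'
}

# Print every non-loopback local address listening on TCP port $1,
# reading `ss -ltn` text on stdin (column 4 is Local Address:Port).
exposed_listeners() {
    awk -v p="$1" '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (port == p && addr !~ /^127\./ && addr != "[::1]") print addr
    }'
}

# audit SSHD_TEXT SS_TEXT: print one line per finding; return 1 if any.
audit() {
    out=$(
        for want in "passwordauthentication no" "pubkeyauthentication yes"; do
            key=${want% *}; val=${want#* }
            got=$(printf '%s\n' "$1" | sshd_setting "$key")
            [ "$got" = "$val" ] || echo "sshd: $key is ${got:-unset}, expected $val"
        done
        printf '%s\n' "$2" | exposed_listeners 5900 |
            sed 's/.*/vnc: 5900 listens on &, expected loopback only/'
    )
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample inputs (not captured from a real machine).
WEAK_SSHD='port 22
passwordauthentication yes
pubkeyauthentication yes'
WEAK_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
LISTEN 0      5      [::]:5900          [::]:*'
GOOD_SSHD='passwordauthentication no
pubkeyauthentication yes'
GOOD_SS='LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
LISTEN 0 5   127.0.0.1:5900 0.0.0.0:*'

audit "$WEAK_SSHD" "$WEAK_SS" || true   # prints three findings
# On the real desktop: audit "$(sudo sshd -T)" "$(ss -ltn)"
```

The check covers only the two sshd keywords and the one port discussed here; a finding on port 5900 means the VNC server should be bound to loopback or blocked by a firewall so that it is reachable only through the tunnel.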