Remote administration over NAT
July 22, 2010 2:23 PM

How can I have a standing invite to remotely administer my friend's computer if his broadband uses Network Address Translation?

I have recently refurbished a PC for a friend, maxed out the RAM, etc., and set him up a Windows XP box to replace his underpowered, RAM-starved PC. He is roughly a hundred miles away and is therefore out of easy driving range. To cap it all off, the sad, low broadband out in the sticks uses Network Address Translation (NAT), although, given the area, I should be grateful that transmission does not involve two styrofoam cups and a string.

My friend is not great with computers and does not plan to be. He's at the level where he just learned to attach a document to email.

How can I have a "standing invite" to administer his computer? He doesn't have a static IP address. He's behind NAT. I get that he could probably make a Remote Assistance request on a case-by-case basis, but he is hoping I can just throw things on there as needed. It seems like LogMeIn.Com also requires user-initiated connections. Generally, this is a Good Thing, but we'd like it if I could get in there and fix things, add things, and such, without having to play the "Are you there? Are we both there?" game, as he works some odd hours.

Yeah, I've set up automatic updates, defrags, and malware signatures refreshes. Obviously, I am not expecting KVM over IP. I'll never be able to get into the BIOS this way, and if he runs into a situation with malware so nasty that it can only be removed by booting from a safe disk or something besides the copy of Windows which will be corrupted by self-protecting malware, I'll have to drive there.

The NAT looks like the sticking point to me.

For everyone following along at home, next week's question will be with our same cast of characters, but more exciting!
posted by adipocere to Computers & Internet (10 answers total)
 
LogMeIn runs as an application on his machine that you can get to anytime, he doesn't need to initiate the connection. It works fine on a NAT'ed computer, the LogMeIn servers handle the initial handshake. Yup, no access to the BIOS, but as long as he's in the OS and online you can get to it.
posted by Runes at 2:39 PM on July 22, 2010


If you have access to an always-on network reachable computer, you could:
  1. Install cygwin or equivalent on your friend's computer along with your preferred VNC server.
  2. Using scripts, scheduled tasks and shared keys, make ssh automatically login to the remote server whenever the computer is on and make it forward the necessary ports for your preferred VPN.
  3. When you wish to login to your friend's computer, ssh to the remote server as well, forwarding the necessary port as well. Then log in through the forwarded ports. This is not likely to be responsive.
If you don't have access to a shared computer and you're willing to drop a few bucks on it, a virtual Linux server goes for as little as $20 a month these days.
posted by suetanvil at 2:47 PM on July 22, 2010
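
The key used for the automatic login in step 2 is stored on the friend's PC for unattended use, so its `authorized_keys` entry on the always-on server is worth limiting to the one reverse forward. The following is an added example, not part of the thread, that audits such an entry; port 5900, the sample lines (with placeholder key material) and the function names are assumptions.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")          # prefixes of public key type names
REENABLE = ("pty", "agent-forwarding", "x11-forwarding", "user-rc")

def split_options(line):
    """Parse the leading option field of one authorized_keys line into a dict."""
    line = line.strip()
    opts, token, quoted = {}, "", False
    if line.startswith(KEY_TYPES):             # line starts with the key: no options
        return opts
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted                # commas and blanks inside quotes are data
        elif not quoted and ch in ", \t":
            name, _, value = token.partition("=")
            opts.setdefault(name.lower(), []).append(value)
            token = ""
            if ch != ",":                      # first unquoted blank ends the options
                break
        else:
            token += ch
    return opts

def audit_tunnel_key(line, allowed_listen):
    """List the reasons a tunnel-only key grants more than its reverse forward."""
    opts, findings = split_options(line), []
    if "restrict" not in opts:
        findings.append("no 'restrict': forwarding and PTY defaults are not locked down")
    elif "port-forwarding" not in opts:
        findings.append("'restrict' without 'port-forwarding': tunnel cannot open")
    for name in REENABLE:
        if name in opts:
            findings.append(f"'{name}' re-enables a feature the tunnel does not need")
    if "command" not in opts:
        findings.append("no forced 'command': key can run commands on the relay")
    listens = opts.get("permitlisten", [])
    if not listens:
        findings.append("no 'permitlisten': key may bind any port sshd permits")
    findings += [f"unexpected permitlisten '{p}'" for p in listens
                 if p not in allowed_listen]
    return findings

# Constructed sample entries; the key material is a placeholder, not a real key.
SAMPLE_OPEN = "ssh-ed25519 AAAA_PLACEHOLDER friend-pc"
SAMPLE_TIGHT = ('restrict,port-forwarding,permitlisten="localhost:5900",'
                'command="/bin/false" ssh-ed25519 AAAA_PLACEHOLDER friend-pc')

if __name__ == "__main__":
    for label, entry in (("open", SAMPLE_OPEN), ("tight", SAMPLE_TIGHT)):
        print(label, audit_tunnel_key(entry, {"localhost:5900"}))
```

With the forced command in place, the friend's PC would open the tunnel without requesting a session (for example `ssh -N -R 5900:localhost:5900`), so the forward works while the key cannot be used for a shell.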


If you don't want to pay for a service you can put something together for free. Start with a reverse-connect VNC client like UltraVNC SC which takes care of the NAT issue but still requires someone on the other end to launch something. Then code or script something that runs on his task scheduler every 'n' minutes and checks a web page somewhere, and if the result is '1' or whatever, then it launches the reverse-connect VNC executable. To use this you launch your VNC client in listen mode, set the flag on the webpage, and wait for his PC to connect. If you don't have a webpage you could substitute your own PC in conjunction with dynamic DNS.
posted by Rhomboid at 2:48 PM on July 22, 2010


I'll second the nomination for UltraVNC Single Click as being easy to use, but it does require someone to run it.

Get access to the computer how you currently do it... set up a hole in his router to port forward 3389 (RDP) and enable RDP on his machine. If you know the IP address of the router, this would then allow you to remotely login.

Use a service such as dyndns.org to handle the changing IP and translate it into a name. Newer routers will even update this value for you if you supply them with the dyndns account information. Look in the setup screens for your friend's router.
posted by MikeWarot at 2:54 PM on July 22, 2010


What Rhomboid and MikeWarot said.

The only downside to dyndns is that if your computer is switched off when you lose your IP (assuming you have a dynamic IP), whoever gets it next will periodically get HTTP requests from your friend's computer until your DNS client updates the name. I'd think those are pretty innocuous these days, though.
posted by suetanvil at 3:07 PM on July 22, 2010


I'll second LogMeIn. They have a free service that works great. I use it every day to access a computer in my office from home.

And just today I read about TeamViewer which is also a free service, but it looks like the user has to be at the other end to OK the remote takeover.
posted by rsclark at 3:40 PM on July 22, 2010


LogMeIn works fine for this. as others have noted, it uses their servers to set up the initial connection, so it doesn't really matter whether or not he has a real IP or not, and you can get in without his OK. it can also wake up the computer if it's asleep. (but not completely off.) they also have Hamachi VPN too; this will create a private network between your computer and his, so you'd be able to do VNC as well as normal file shares and all that too, if you need. I use LogMeIn to do this exact thing you want to do for some folks I support. works fine.

another option is getting into the router or whathaveyou to set up either a DMZ or a port forward to the internal IP his computer's getting; you may be able to do this depending on what specifically he's getting from the broadband company, and then you'd be able to combine it with something like DynDNS.org to have a hostname you connect to with RDC or VNC or whatever. if you can do this, though, it will expose the machine to the Internet at large on those ports.
posted by mrg at 3:53 PM on July 22, 2010


Maybe I'm misinterpreting the question, but the way I read it the NAT is being done by the ISP not by any gear on the consumer's end so configuring port forwarding/DMZ is simply not an option.
posted by Rhomboid at 4:26 PM on July 22, 2010


Another vote for LogMeIn. I use it for family support. I can get in without them having to accept it. They have a few different options but the free one will work.
posted by bsexton at 7:30 PM on July 22, 2010


Any service like LogMeIn, GoToMyPC, etc will work for this. They open persistent outbound connections from the client to the web; you go to the web site and can then manage their computer.
posted by me & my monkey at 11:24 AM on July 23, 2010

