Discussion:
VNC through VPN or SSH
jeff
2006-10-23 17:40:42 UTC
I've got a VNC server running on my home desktop Linux box, and I'd like
to be able to occasionally access it from a remote hotspot on a Windows
laptop. Doing this without encryption would be nuts, so I'm looking for
a reasonable approach, and the two that I've come up with use SSH or VPN
tunneling.

First question: If I enable Sonic's VPN on both the desktop and laptop,
will that ensure that my VNC session will be encrypted end-to-end? If so...

Second question: Is either of the two approaches markedly better from a
security point of view? (From a *simplicity* point of view, VPN would
be my first choice.)

Thanks for any insights!

Jeff
(null)
2006-10-23 18:55:37 UTC
Post by jeff
I've got a VNC server running on my home desktop Linux box, and I'd like
to be able to occasionally access it from a remote hotspot on a Windows
laptop. Doing this without encryption would be nuts, so I'm looking for
a reasonable approach, and the two that I've come up with use SSH or VPN
tunneling.
First question: If I enable Sonic's VPN on both the desktop and laptop,
will that ensure that my VNC session will be encrypted end-to-end? If so...
Second question: Is either of the two approaches markedly better from a
security point of view? (From a *simplicity* point of view, VPN would
be my first choice.)
I would think ssh would be simpler. On the Linux box, firewall everything
except ssh and do everything via tunnels. If you use PuttySSH on Windows,
you can set the hostname, tunnels and pubkeys as one of the saved sessions
and have 1-click access.

But different strokes for different folks; if you can wrap your brain
around VPN better than ssh, then it may indeed be simpler.

To answer your two questions, VPN is encrypted from your Windows laptop
to your LAN. LAN to LAN-client could be unencrypted depending on where your
LAN-side VPN endpoint is located. Using ssh, you'd be encrypted from Windows
laptop to Linux box assuming a single ssh session. Just be sure to disallow
VNC connections from eth0, eth1, etc and only allow through lo.

-Dennis
sidney
2006-10-23 19:23:49 UTC
Post by jeff
First question: If I enable Sonic's VPN on both the desktop and laptop,
will that ensure that my VNC session will be encrypted end-to-end? If
Using VPN on both would not be end-to-end encryption, but the only
unencrypted traffic would be on sonic.net's internal network, in the
subnet that contains the two ip addresses provided by the VPN
concentrator. In theory someone could be sniffing packets there, but I
think that would require physical access to sonic.net network
infrastructure. Unless you are super-paranoid that isn't something to
worry about.

On the other hand, you would have to set up something so that your
server advertises the external ip address that the VPN provides it so
that the laptop can find it. Perhaps you could do that using a dynamic
DNS service, but that sounds a lot more complicated than ssh tunneling.
Post by jeff
Second question: Is either of the two approaches markedly better from a
security point of view? (From a *simplicity* point of view, VPN would
be my first choice.)
I disagree about simplicity. SSH would be dead simple, and understanding
the security of the system would be easier. You configure the VNC server
to only allow connections from localhost (127.0.0.1). That immediately
closes off any vulnerability to someone connecting from outside without
having to set up any other special configuration. You run an ssh server
on your desktop. For extra security, have it listen on something other
than the standard port 22 so that people scanning for ssh servers to try
to guess passwords or any newly discovered exploits won't notice it.
For more extra security, set it up so that it only accepts key based
logins, not password based, and generate a public/private key pair to
let your laptop log in to it. That has the extra advantage that you can
have a script on your laptop do the login without you having to type a
password each time.

Then you ssh from your laptop to your desktop, using port forwarding to
forward the VNC port on localhost to the VNC port on the desktop's
localhost. With that running, you can run the VNC client on the laptop
to localhost and it will see the desktop machine.

In that configuration the connection is end-to-end encrypted, and the
security of the setup is that of an ssh login, which is well thought out
and debugged, better than any ad hoc double-VPN thing you might invent.

-- sidney
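An added example, not code from any poster in this thread, that audits the two things the setup Sidney describes rests on: sshd accepting key logins only (on whatever port it was moved to), and the VNC server listening on loopback only so the tunnel is the only path in. Both checks read text, so the script runs offline against constructed samples of sshd_config and `ss -ltn` output; on the real box, point them at /etc/ssh/sshd_config and at the output of `ss -ltn` or `netstat -ltn`. Port 2222 and the listener lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits (1) that sshd accepts
# key logins only and reports its port, and (2) that the VNC server is
# bound to loopback only, so the SSH tunnel is the only path to it.

# sshd_effective FILE KEYWORD DEFAULT -> the value sshd will use.
# sshd honours the FIRST occurrence of a keyword and ignores comments; a
# keyword that never appears takes the OpenSSH default given as DEFAULT.
# Directives inside a Match block are conditional, so parsing stops there.
# (Include files are not followed; `sshd -T` prints the real effective config.)
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*[Mm]atch[ \t]/ { exit }
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE -> prints findings; returns 0 only when hardened.
audit_sshd_config() {
    f=$1; rc=0
    echo "Port=$(sshd_effective "$f" Port 22)"
    v=$(sshd_effective "$f" PasswordAuthentication yes)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v (want no)"; rc=1; }
    # keyboard-interactive auth can still prompt for the password
    # (KbdInteractiveAuthentication is the newer name for the same switch)
    v=$(sshd_effective "$f" ChallengeResponseAuthentication yes)
    [ "$v" = no ] || { echo "FAIL ChallengeResponseAuthentication=$v (want no)"; rc=1; }
    v=$(sshd_effective "$f" PubkeyAuthentication yes)
    [ "$v" = yes ] || { echo "FAIL PubkeyAuthentication=$v (want yes)"; rc=1; }
    v=$(sshd_effective "$f" PermitRootLogin yes)   # "yes" was the old default
    [ "$v" = no ] || echo "WARN PermitRootLogin=$v (a tunnel account never needs it)"
    [ $rc -eq 0 ] && echo "OK key-only logins"
    return $rc
}

# vnc_loopback_only LISTENERS_FILE -> 0 if every TCP listener on the VNC
# ranges (5900+N for the viewer, 5800+N for the Java applet) is bound to
# 127.0.0.1 or ::1. Column 4 is the local address in both ss and netstat.
vnc_loopback_only() {
    awk '
        {
            addr = $4
            n = split(addr, p, ":"); port = p[n] + 0
            host = substr(addr, 1, length(addr) - length(p[n]) - 1)
            if (port >= 5800 && port <= 5999 &&
                host != "127.0.0.1" && host != "[::1]" && host != "::1") {
                print "FAIL VNC port " port " reachable on " host; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# --- constructed samples standing in for the real files ---
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
Port 2222
# PasswordAuthentication yes    <- commented out, so it has no effect
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
cat > "$tmp/listeners" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       5       127.0.0.1:5901       0.0.0.0:*
LISTEN  0       5       127.0.0.1:5801       0.0.0.0:*
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*
EOF
audit_sshd_config "$tmp/sshd_config"
vnc_loopback_only "$tmp/listeners" && echo "OK VNC ports bound to loopback only"
rm -r "$tmp"
```

The first-occurrence rule matters: a `PasswordAuthentication no` placed below an earlier `PasswordAuthentication yes` (or below a Match block) does nothing, which is an easy way to believe a box is key-only when it is not.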
(null)
2006-10-23 21:47:42 UTC
Post by sidney
For extra security, have it listen on something other
than the standard port 22 so that people scanning for ssh servers to try
to guess passwords or any newly discovered exploits won't notice it.
That'd be a pretty dumb port scanner to miss this screaming header:
$ telnet shell.sonic.net 22
Trying 208.201.242.19...
Connected to shell.sonic.net.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.4_Sonic

BTW, if you want to dissuade brute force scanners, set up an iptables
rule that only allows x connections per y seconds from a given IP address.

-Dennis
Wolfgang S. Rupprecht
2006-10-23 22:30:37 UTC
Post by (null)
BTW, if you want to dissuade brute force scanners, set up an iptables
rule that only allows x connections per y seconds from a given IP address.
This can come back to bite you if you ever try to use scp to copy a
handful of files to a machine protected this way.

(It's better to setup ssh to never allow password-based logins and only
allow RSA or DSA authenticated connections. That way you also don't
have to worry about someone using DDOS techniques to get around a
connection per IP limit.)

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
(null)
2006-10-23 23:00:06 UTC
Post by Wolfgang S. Rupprecht
Post by (null)
BTW, if you want to dissuade brute force scanners, set up an iptables
rule that only allows x connections per y seconds from a given IP address.
This can come back to bite you if you ever try to use scp to copy a
handful of files to a machine protected this way.
It's not a very hard bite. All you have to do is wait until y seconds
elapse after you realize that you should be copying all those small
files in a single session instead of opening/closing for each one.
Post by Wolfgang S. Rupprecht
(Its better to setup ssh to never allow password-based logins and only
allow RSA or DSA authenticated connections...
Agreed. (but sometimes that's not feasible...)

-Dennis
Wolfgang S. Rupprecht
2006-10-23 23:33:26 UTC
Post by (null)
It's not a very hard bite. All you have to do is wait until y seconds
elapse after you realize that you should be copying all those small
files in a single session instead of opening/closing for each one.
Using one connection is, of course, the better way to work things.
The problem is (and I've done it myself plenty of times), the simple
act of hitting <CR> joggles the old brain cells and one remembers just
one more file one meant to sync up between the two systems. lather,
rinse, repeat.

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
(null)
2006-10-23 23:53:38 UTC
Post by Wolfgang S. Rupprecht
Using one connection is, of course, the better way to work things.
The problem is (and I've done it myself plenty of times), the simple
act of hitting <CR> joggles the old brain cells and one remembers just
one more file one meant to sync up between the two systems. lather,
rinse, repeat.
Yup, I've done it too. But like I said, if the timeout is set to something
reasonable, all you have to do is wait a few minutes and everything is
back to normal. This isn't something I'd do on a box with lots of users
like shell.sonic.net, but the original poster sounds like a single or few
user situation.

-Dennis
sidney
2006-10-24 01:09:13 UTC
Well, it all adds up. My ssh daemon listens on a nonstandard port, so it
won't be found by someone hitting port 22 on blocks of ip addresses so
they can switch to dictionary attacks when they find an open ssh port;
It uses iptables to only allow ssh in from ip addresses that I use for
it which includes the shell.sonic.net so I can always get in from an
Internet cafe if I have to by going through sonic.net and then add the
cafe ip address if I want to; It only allows login using DSA or RSA
keys, no passwords, again with a key kept where I can get it into my
sonic.net shell directory so I can ssh in from shell.sonic.net and set
up a new key for a new machine if I have to when I am on the road.

-- sidney
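An added example, not code from any poster in this thread, that turns the firewall ideas of this subthread into rules you can read before applying: Sidney's allow-list of known source addresses, Dennis's "x connections per y seconds per IP" limit (the iptables `recent` match), and an ESTABLISHED rule placed first so that Wolfgang's scp burst only ever costs new connections, never the session you are in. The client-side stanza uses OpenSSH ControlMaster so repeated scp runs reuse one connection and never count against the limit. The port, the addresses (RFC 5737 documentation ranges) and the hostname are placeholders; nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the iptables rules the
# thread converges on for an exposed sshd:
#   1. new SSH connections from known sources (a provider shell host, a
#      fixed office address) are always accepted;
#   2. anyone else gets at most HITS new connections per WINDOW seconds,
#      using the iptables "recent" match;
#   3. established sessions are never counted, which keeps an open session
#      (and scp multiplexed over it) alive when the limit trips.
# Rule 2 is a nuisance filter, not authentication: a source that can spray
# or spoof addresses can still lock a legitimate client out, so key-only
# sshd remains the real control. Nothing is applied unless APPLY=1.

SSH_PORT=${SSH_PORT:-2222}
WINDOW=${WINDOW:-60}
HITS=${HITS:-4}

# ssh_rules ALLOWED_SOURCE... -> one iptables command per line, in order.
ssh_rules() {
    printf '%s\n' "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    for src in "$@"; do
        printf '%s\n' "iptables -A INPUT -p tcp --dport $SSH_PORT --syn -s $src -j ACCEPT"
    done
    # --set records the source on every SYN; --update then drops the packet
    # if this makes HITS SYNs within WINDOW seconds. Because --update also
    # refreshes the timestamp, a client that keeps retrying stays blocked
    # until it is quiet for WINDOW seconds (Dennis's "wait a few minutes").
    printf '%s\n' "iptables -A INPUT -p tcp --dport $SSH_PORT --syn -m recent --name SSH --set"
    printf '%s\n' "iptables -A INPUT -p tcp --dport $SSH_PORT --syn -m recent --name SSH --update --seconds $WINDOW --hitcount $HITS -j DROP"
    printf '%s\n' "iptables -A INPUT -p tcp --dport $SSH_PORT --syn -j ACCEPT"
}

# ssh_client_config HOST -> ~/.ssh/config stanza (OpenSSH 5.6+): every
# ssh/scp to HOST reuses one TCP connection, kept open 10 minutes after the
# last command, so "one more file" never opens a new connection and never
# counts against HITS. (PuTTY has the same idea under "Share SSH connections".)
ssh_client_config() {
    cat <<EOF
Host $1
    Port $SSH_PORT
    IdentitiesOnly yes
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
EOF
}

apply_or_print() {
    if [ "${APPLY:-0}" = 1 ]; then
        ssh_rules "$@" | while IFS= read -r cmd; do eval "$cmd"; done
    else
        ssh_rules "$@"
    fi
}

# 203.0.113.10 and 198.51.100.7 are documentation addresses standing in
# for, e.g., a provider's shell host and a fixed home/office address.
apply_or_print 203.0.113.10 198.51.100.7
ssh_client_config home.example.org
```

Run it as is to review the rules, then `APPLY=1 sh thisfile` as root to load them. The order is the point: if the ESTABLISHED rule came after the `recent` rules, a tripped limit would also start dropping packets of the session you are already typing in.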
jeff
2006-10-23 19:54:52 UTC
Post by jeff
I've got a VNC server running on my home desktop Linux box, and I'd like
to be able to occasionally access it from a remote hotspot on a Windows
laptop. Doing this without encryption would be nuts, so I'm looking for
a reasonable approach, and the two that I've come up with use SSH or VPN
tunneling.
First question: If I enable Sonic's VPN on both the desktop and laptop,
will that ensure that my VNC session will be encrypted end-to-end? If so...
Second question: Is either of the two approaches markedly better from a
security point of view? (From a *simplicity* point of view, VPN would
be my first choice.)
Thanks for any insights!
Jeff
Some great insights from Dennis and Sidney - thanks to both.

I was thinking that VPN might be simpler only because I already use it
(on the laptop) for another app. And I spent a couple of hours last
night working through several Putty-SSH tutorials and blogs, without
much success, but - just for yucks - I'll revisit it today.

Jeff
Simon Waddington
2006-10-23 21:43:44 UTC
I use OpenVPN with RDP to a Windows PC in bridged mode. I occasionally
see problems on some remote networks which I think are caused by UDP
packet size limits - I need to experiment with OpenVPN running over TCP
(less efficient).

Using VNC over OpenVPN may work better - OpenVPN is probably about as
simple to set up as SSH (IMHO), but allows more flexibility because you
can have access to all ports on your box and vice versa once you're on
the VPN. I expect SSH may be a tad more efficient (especially compared
to OpenVPN bridged mode).

Simon
Post by jeff
Post by jeff
I've got a VNC server running on my home desktop Linux box, and I'd
like to be able to occasionally access it from a remote hotspot on a
Windows laptop. Doing this without encryption would be nuts, so I'm
looking for a reasonable approach, and the two that I've come up with
use SSH or VPN tunneling.
First question: If I enable Sonic's VPN on both the desktop and
laptop, will that ensure that my VNC session will be encrypted
end-to-end? If so...
Second question: Is either of the two approaches markedly better from
a security point of view? (From a *simplicity* point of view, VPN
would be my first choice.)
Thanks for any insights!
Jeff
Some great insights from Dennis and Sidney - thanks to both.
I was thinking that VPN might be simpler only because I already use it
(on the laptop) for another app. And I spent a couple of hours last
night working through several Putty-SSH tutorials and blogs, without
much success, but - just for yucks - I'll revisit it today.
Jeff
(null)
2006-10-23 22:11:12 UTC
Post by jeff
I was thinking that VPN might be simpler only because I already use it
(on the laptop) for another app. And I spent a couple of hours last
night working through several Putty-SSH tutorials and blogs, without
much success, but - just for yucks - I'll revisit it today.
At PuTTY Configuration (startup), enter the hostname, port 22, ssh.
Click on Connection->SSH->Tunnels. For "Source Port", enter "5901".
For "Destination", enter "localhost:5901". Options are "Local" and "Auto".
Click "Add". Click "Open". Enter username/passwd (assuming you
are set up for passwd login, the typical default). From Linux shell,
type "vncserver :1", if vnc isn't already running on screen 1.

On Windows machine, start VNC Viewer and open a connection to "localhost:1".

If you don't have a native VNC viewer installed, forward
port 5801 to localhost:5801, start a Java-enabled browser
and open the URL "http://localhost:5801".

-Dennis
jeff
2006-10-24 00:06:18 UTC
Post by (null)
Post by jeff
I was thinking that VPN might be simpler only because I already use it
(on the laptop) for another app. And I spent a couple of hours last
night working through several Putty-SSH tutorials and blogs, without
much success, but - just for yucks - I'll revisit it today.
At PuTTY Configuration (startup), enter the hostname, port 22, ssh.
Click on Connection->SSH->Tunnels. For "Source Port", enter "5901".
For "Destination", enter "localhost:5901". Options are "Local" and "Auto".
Click "Add". Click "Open". Enter username/passwd (assuming you
are set up for passwd login, the typical default). From Linux shell,
type "vncserver :1", if vnc isn't already running on screen 1.
On Windows machine, start VNC Viewer and open a connection to "localhost:1".
If you don't have a native VNC viewer installed, forward
port 5801 to localhost:5801, start a Java-enabled browser
and open the URL "http://localhost:5801".
-Dennis
Already got that working a short time ago - next step is to setup
public/private keys. The thing that makes all of this so difficult,
BTW, is that I don't do it on a regular basis, so, whenever it comes up,
I have to reconstruct everything I did/knew from scratch. Yup, keeping
notes helps some, but I still hope that in my next lifetime, our species
has evolved enough so that we don't need all of this crap.

Jeff

(Thanks for your concise summary... I'll definitely hold onto that.)
Brad Allen
2006-10-24 01:55:37 UTC
Since I already have my own experience with this, I skipped the other
responses so you can know what I know simply enough. Useful comments
appreciated.

In article <453cfe9b$0$88705$***@news.sonic.net>,
jeff <***@spam.invalid> wrote:
" I've got a VNC server running on my home desktop Linux box, and I'd
" like to be able to occasionally access it from a remote hotspot on a
" Windows laptop. Doing this without encryption would be nuts, so I'm
" looking for a reasonable approach, and the two that I've come up
" with use SSH or VPN tunneling.
"
" First question: If I enable Sonic's VPN on both the desktop and
" laptop, will that ensure that my VNC session will be encrypted
" end-to-end? If so...

Nope. Sonic.net's VPN is only between you and Sonic. Between Sonic
and whereever else, it is not encrypted. This includes from
Sonic.net's VPN to your host machine, even if just via the Public
Switched Network's ATM cloud (all of which is assembled in big spy
databases run by untrustworthy entities, so quite the opposite of
secure).

OTOH if you VPN from both hosts to Sonic.net's VPN computer, the only
connection unencrypted would be from the VPN computer at Sonic.net to
the VPN computer at Sonic.net, then back again in the other direction.
The benefit there is that that connection is most likely pretty short
(although that's not guaranteed??) and should be harder to hack.

" Second question: Is either of the two approaches markedly better
" from a security point of view? (From a *simplicity* point of view,
" VPN would be my first choice.)

Odd. I found SSH easier. I already had it configured and knew how it
worked, so that probably made a big difference.

VPN is REALLY easy to accidentally do insecurely: simply forget, or if
VPN shuts off, it just reverts to no VPN without much (or any) notice
at all. SSH will kill your connection along with the tunnels you are
depending on, thus causing security within the connection to be
preserved almost no matter what. (That's why I do alwaysshared so
that I can simply reconnect again whenever the connection goes away,
and my session is saved, much like "screen -xRR" in tty sessions.)

" Thanks for any insights!
"
" Jeff

vncserver :1 -geometry 1000x740 -alwaysshared -httpport 8080

A second sshd with sshd_config line "Port 80" helps to get around many
library port filters.

U.ARIZONA.EDU

your.ip.number.or.host.name:80
login
password

Options -- encryption
Options -- SSH2
Options -- compression
Options -- simple forwardings ... 5901:127.0.0.1:5901
Options -- simple forwardings ... 8080:127.0.0.1:8080

New window: 127.0.0.1:8080

PASSWORD PROTECT YOUR VNC!!!! There is a flaw here: if you have bad
passwords, that can be broken sometimes, but not always.


All you need is JAVA in your Browser -- gets around filters, and is
encrypted. COULD BE HACKED by library personnel, though, since your
security is in the library computer. (This is why bringing your own
laptop is good.)


Ok, let's say you have your own computer with XP, and you can install
your own programs. Putty SSH. Options: SSH2, compression, forwarding
5901:127.0.0.1:5901 or 5903:127.0.0.1:5903 or whatever. You can
usually do something like 5905:127.0.0.1:5902. Connect and log in.
(Sounds like put pot on oven and cook.)

Then, get the XP version of VNC (look for Google VNC download XP). Do
VNC Viewer, e.g., :1. :1 is alias for 127.0.0.1:1. Of course that
goes via SSH tunnel.

Security ideas: only allow connections from local host, since SSH is
the only protocol going interhost. You only allow from local host in
both VNC (server) and SSH (both sides since doing forwarding). Read
both documents for how to do this, as well as /etc/hosts.allow and
/etc/hosts.deny. Use all methods, and TEST each breach method (both
before and after to see what it does).




VPN? That would also work. What I know is SSH since it's so easy.
drcean at sonic
2006-10-24 16:05:47 UTC
Post by jeff
I've got a VNC server running on my home desktop Linux box, and I'd like
to be able to occasionally access it from a remote hotspot on a Windows
laptop. Doing this without encryption would be nuts, so I'm looking for
a reasonable approach, and the two that I've come up with use SSH or VPN
tunneling.
First question: If I enable Sonic's VPN on both the desktop and laptop,
will that ensure that my VNC session will be encrypted end-to-end? If so...
Second question: Is either of the two approaches markedly better from a
security point of view? (From a *simplicity* point of view, VPN would
be my first choice.)
Thanks for any insights!
Jeff
I have a couple of cents to add to all the many replies:

1) From the command line, I use: "ssh -L 5900:<ip>:5900 <ip>" (This is
for screen 0 on the server and client--add screen number for other
screens.) Then I connect to localhost:0 from the client using vncviewer.

2) x11vnc allows you to access an already running X session so you don't
need the overhead of an additional VNC server.

--
Daniel
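An added example, not code from any poster in this thread, that builds the client and server commands for the tunnel described in Dennis's PuTTY walkthrough, Brad's Java SSH client notes and Daniel's one-liner, with two details made explicit: the display-to-port arithmetic (5900+N for the viewer, 5800+N for the Java applet), and the forward's destination, which is the server's own 127.0.0.1 so the VNC server can stay bound to loopback. A forward whose destination is the box's public address only works if VNC also listens on that address, which reopens the unencrypted path the tunnel was meant to close; `forwards_loopback_only` flags that form. The hostname home.example.org, port 2222 and the display number are placeholders; the x11vnc and vncserver flags used are `-localhost`, `-display`, `-rfbport` and `-rfbauth`.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the laptop-side ssh
# command and the desktop-side VNC command for one X display, keeping the
# VNC server on loopback so the SSH tunnel is the only way to reach it.

# vnc_port DISPLAY [BASE] -> TCP port for X display :DISPLAY.
vnc_port() { echo $(( ${2:-5900} + $1 )); }

# vnc_tunnel DISPLAY SSH_HOST [SSH_PORT] -> the ssh command for the laptop.
# -N: forwards only, no shell.  ExitOnForwardFailure: if the local port is
# busy, fail loudly instead of leaving a session with no tunnel in it.
vnc_tunnel() {
    rfb=$(vnc_port "$1"); http=$(vnc_port "$1" 5800)
    printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:127.0.0.1:%s -L %s:127.0.0.1:%s %s\n' \
        "${3:-22}" "$rfb" "$rfb" "$http" "$http" "$2"
}

# vnc_server_cmd DISPLAY [x11vnc|vncserver] -> a server bound to loopback.
# x11vnc exports the already running :0 session (Daniel's point 2);
# vncserver starts a fresh virtual desktop on :DISPLAY.
vnc_server_cmd() {
    case ${2:-vncserver} in
        x11vnc)  printf 'x11vnc -display :0 -localhost -rfbport %s -rfbauth ~/.vnc/passwd\n' "$(vnc_port "$1")" ;;
        *)       printf 'vncserver :%s -localhost -geometry 1280x800\n' "$1" ;;
    esac
}

# forwards_loopback_only SSH_COMMAND -> 0 if every -L destination is the
# server's loopback, i.e. the VNC server need not listen on any real interface.
forwards_loopback_only() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        prev == "-L" { split($0, f, ":"); if (f[2] != "127.0.0.1" && f[2] != "localhost") bad = 1 }
        { prev = $0 }
        END { exit (bad ? 1 : 0) }'
}

# PuTTY equivalent of vnc_tunnel: Connection > SSH > Tunnels, Source port
# 5901, Destination 127.0.0.1:5901, Local; likewise 5801 -> 127.0.0.1:5801.
d=1
echo "server:  $(vnc_server_cmd "$d")"
echo "     or: $(vnc_server_cmd 0 x11vnc)"
echo "laptop:  $(vnc_tunnel "$d" home.example.org 2222)"
echo "viewer:  vncviewer localhost:$d     (or http://localhost:$(vnc_port "$d" 5800)/ in a Java browser)"
```

With the server started this way, `vnc_loopback_only`-style checks on the desktop show the 59xx/58xx ports only on 127.0.0.1, and the viewer on the laptop connects to localhost:1, never to the home address directly.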
