On Sun, Jan 11, 2009, Marko Vojinovic wrote:
>On Saturday 10 January 2009 23:03, John R Pierce wrote:
>> Marko Vojinovic wrote:
>> > I have a WinXP machine that is to be unattended for a period of 3 years
>> > (yes, I know, it sounds ridiculous, but still...). What I need is remote
>> > access to it to perform regular system maintenance, virus cleanups,
>> > occasional software installations, reboots, config changes, etc.
>> >
>> > Of course, rdesktop would do it, or vnc server or something else. The
>> > problem is that this machine is behind a NAT, and I cannot access it
>> > remotely from outside (and I need access from wherever on the planet I
>> > may happen to be).
>>
>> if this remote XP machine is behind a NAT server that you can log onto
>> with SSH, then, from your local machine...
>>
>> ssh -L 3390:private-ip-of-remote-XP-machine:3389 username@ip-or-hostname-of-remote-NAT-server
>
>Well, first, private-ip-of-remote-XP-machine is dynamic, given by my ISP's
>dhcp server, so I cannot have 100% guarantee that it will always be the same.
>And I have no easy way of finding it out if it does change.

We handle this with our *nix clients that are on dynamic IP addresses by assigning them a hostname with proper DNS that resolves to their latest dynamic IP address, then having them check in every fifteen minutes with a cron job that hits a web URL here with this hostname as an argument. On this end, it looks at their real IP, compares that to the one in DNS, and sends a notice if there's a change. It also sends a reply to the http(s) request indicating a change that can be acted upon on their end (actually it's an xmlrpc call and the cron job a python script -- which is probably fairly easy to implement using python on the Microsoft Virus, Windows). Using OpenVPN from the dynamic end, it would be pretty easy to have it make sure that there's a current connection after a change is made.

We generally use unique /24 subnets in the private 10.0.0.0/8 space for each client machine so the *nix side can route through the appropriate OpenVPN tunnel.

>Second, and more serious, I have no access to the NAT server, the ISP controls
>it. I may try using my username/password combination, but I am not sure what
>structure the ISP has. I mean, they may well have a NAT inside a NAT inside a
>NAT... However, I'll try it out to see if this kind of port-forwarding works
>in my case. :-)

That should not be a problem with OpenVPN connections initiated from the Windows machines. The real issue is how one would script this on the Windows side as the OpenVPN client I've seen for Windows assumes GUI control.

Bill
-- 
INTERNET:   bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

Rights is a fictional abstraction. No one has ``Rights'', neither machines
nor flesh-and-blood. Persons... have opportunities, not rights, which they
use or do not use. -- Lazarus Long
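The check-in service Bill describes (the client calls a URL with its hostname, the server compares the address the request came from with what DNS currently says) as an added Python example; this is not Bill's code or Celestial's service. It assumes a per-host shared secret and a timestamp so that an unauthenticated or replayed request cannot trigger a bogus change notice; the hostnames, addresses and secret are constructed.

```python
import hashlib
import hmac
import ipaddress
import socket
import time

# Constructed sample data: the managed hostnames and a per-host shared secret.
# On a real server these would come from a config file or database.
HOST_SECRETS = {
    "xp-box.example.net": b"constructed-shared-secret-for-xp-box",
}


def sign_checkin(hostname, timestamp, secret):
    """Client side: HMAC over hostname and timestamp so the server can trust the request."""
    message = f"{hostname}|{timestamp}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def check_in(hostname, timestamp, signature, observed_ip,
             resolver=socket.gethostbyname, now=time.time, max_skew=300):
    """Server side: verify the caller, then compare the address the request
    actually arrived from (observed_ip, i.e. the NAT's public address) with
    the current DNS answer for hostname. 'changed' is True when the record
    needs updating. resolver/now are injectable so this runs offline."""
    secret = HOST_SECRETS.get(hostname)
    if secret is None:
        return {"ok": False, "reason": "unknown host"}
    # Reject replayed or very old requests.
    if abs(now() - timestamp) > max_skew:
        return {"ok": False, "reason": "stale timestamp"}
    expected = sign_checkin(hostname, timestamp, secret)
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "bad signature"}
    try:
        ipaddress.ip_address(observed_ip)
    except ValueError:
        return {"ok": False, "reason": "bad address"}
    # A lookup failure (no record yet) counts as a change so the record gets created.
    try:
        dns_ip = resolver(hostname)
    except OSError:
        dns_ip = None
    return {
        "ok": True,
        "changed": dns_ip != observed_ip,
        "dns_ip": dns_ip,
        "observed_ip": observed_ip,
    }
```

The cron job on the client would call sign_checkin with the current time and send hostname, timestamp and signature; the server passes the connecting socket's peer address as observed_ip.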