Remote Desktops Rock

Posted by JD 10/23/2012 at 16:00

Remote Desktops Rock! Sometimes an ssh shell into another box just isn’t enough.

Just a few minutes ago I wanted to add a new TV recording on PBS. Normally, I do that through a web interface to Windows7 Media Center, but due to recording conflicts, that wasn’t possible. Remoting into the virtual machine where Windows7 Media Center runs was needed. Simple enough since that VM runs Windows7 Ultimate AND has RDP, the Windows Remote Desktop Server, running.

RDP Script

From my Linux desktop, I have a script that makes the connection … I believe rdesktop is used. It also has my preferred settings for color depth and resolution. Heck, here’s that script:


    #!/bin/bash
    # Connect to the Win7 Media Center VM over RDP.
    RDP_OR_REMOTE="$1"
    RES="1280x800"

    # Print the usage reminder and exit when no option or "help" is given.
    Usage()
    {
        MSG="$0 [vpn|lan|help] If the connection fails, try setting up the corp VPN and using the 'vpn' option."

        if [ "$RDP_OR_REMOTE" = "" ] ; then
            echo "$MSG"
            exit 1
        fi
        if [ "${RDP_OR_REMOTE:0:1}" = "h" ] ; then
            echo "$MSG"
            exit 1
        fi
    }

    # main()
    Usage

    if [ "${RDP_OR_REMOTE:0:1}" = "v" ] ; then
        # vpn: the RDP server is reached through localhost:3389
        rdesktop -u userid -g "$RES" localhost:3389 &
    else
        # lan: connect straight to the VM by name
        rdesktop -u userid -g "$RES" win7ult &
    fi

Good enough? It is just the very last line that does the work. Everything else is a reminder if I tried to do this command when out of the office.

So I’m quickly connected and handling the conflict – Frontline will need to be recorded some other time. Done, so I disconnect.

Nothing fancy was happening and it worked with extreme speed on the GigE network here.

Remote Desktop within a Remote Desktop

Then I realized something. My Linux desktop is actually running on a different physical machine about 2 rooms away and on a different level of the house. I already use the NX protocol to remote from my laptop to my desktop VM. Perhaps a diagram would help?


    laptop
      |____via_NX
            |____Linux-VM
                  |____via_RDP
                        |____Win7-MC-VM

I’ve written about RDP and NX before, but it is so commonplace for me to use that I forget.

NX vs RDP vs VNC

RDP is the native remote desktop for Windows. It is not secure enough for use over the internet without adding a full VPN. OTOH, NX uses ssh for the secure tunnel and the NX protocol seems to be about 10x more efficient with desktop refreshes than what RDP or VNC support. It is the best of both worlds – more efficient AND more secure. Of course, NX servers don’t run on Windows. However, nxclients are available for almost every desktop platform. There is a free beta NX Client for Android too.

Local Coffee Shop or Around The World

BTW, being able to access the same desktop, securely, from anywhere in the world is pretty cool. Just last weekend, I attended a Ruby training class and remoted back to my normal desktop running on the same VM from 15 miles away. About 20 other people were sharing the wifi connection. The tiny lag in response (laptop-wifi-lan-WAN-WAN-GigE-VM) was just a tiny bit more than when sitting at home on the wired GigE network.

This works just as well from the coffee shop wifi around the corner or around the world. Just as secure as being at home. The coffee shop (or government) only sees 1 connection, encrypted with a private key, back to your remote desktop at home. Private key-based VPNs are impossible to crack by brute force. They don’t trust the public SSL infrastructure, so even an extremely capable government can’t crack it directly. They would need some other method or they’d have to block it completely. Even if they installed SSL certs on your system to proxy other web SSL traffic, this connection would still be encrypted. That’s as secure as we can get without a 100% private network. Good enough.
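The brute-force argument above holds only while the SSH server carrying the NX session refuses password-style logins. The following is an added example, not from the original post, that checks an sshd_config for that; the function names and the three sample configs are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post: does this sshd_config still
# allow password guessing? Reads the config text on stdin.

# Print the value sshd would use for a global keyword. $1 is a lowercase
# regex of keyword names (aliases joined with |), $2 the built-in default.
# sshd keeps the FIRST value it reads for a keyword. Match blocks and
# Include files are not followed here.
effective() {
    awk -v want="^($1)\$" -v def="$2" '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) ~ want     { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# Return 0 only when password-style logins are off and public keys are on.
audit_sshd() {
    local cfg rc=0 names expect default val
    cfg=$(cat)
    while read -r names expect default; do
        val=$(printf '%s\n' "$cfg" | effective "$names" "$default")
        if [ "$val" != "$expect" ]; then
            echo "FAIL ${names%%|*}=$val (want $expect)"
            rc=1
        fi
    done <<'EOF'
passwordauthentication no yes
kbdinteractiveauthentication|challengeresponseauthentication no yes
pubkeyauthentication yes yes
EOF
    return $rc
}

# Constructed samples, not taken from any real host.
STOCK_CFG='Port 22
#PasswordAuthentication no
PermitRootLogin prohibit-password'

KEYONLY_CFG='PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes'

# An early "yes" (e.g. from a drop-in) beats the later "no".
SHADOWED_CFG='PasswordAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication no'
```

On a live host, `sshd -T` (run as root) prints the effective configuration with Include files resolved, in the same keyword/value form, so its output can be piped into `audit_sshd`.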

Original Idea Stolen

A few months ago, my Linux desktop was running inside a VM on my laptop, then I read this article about a guy using his iPad as a portable desktop into a cloud-based VM. Clearly, I was intrigued enough to try it myself, but I’m a little more paranoid than he is, so using my own hardware at home was required. A man’s home is still his castle, after all.

Move VM from Laptop to Server

I could move the VM onto a cloud VM provider if that ever became necessary, like he did. I had to convert the VirtualBox VM HDD into a raw .img file (easy with VBoxManage), then move that 15G file over to a KVM machine, create a VM shell, connect the storage and boot. I didn’t bother removing the Guest Additions from VirtualBox. It all just worked as it was. I did tweak the storage settings for better performance – no caching and I used virtio drivers for both the disks and networking. The virtual HDD was already 100% pre-allocated, so disk performance was already going to be 95% of native. Running vboxmanage -h explains the options to convert it. I did the conversion on a Windows PC on my first attempt. It was easy.

Anyway, the fact that we can access a remote desktop from a remote desktop without any issues at all just struck me as pretty great. UNIX X/Windows users are used to machine-hopping. It has been commonplace for 20+, perhaps 30 years. It is nothing special at all.

Of course, I remote into other machines all the time, but usually over ssh and a terminal. It has been a recent change to place my daily desktop VM onto the network. Video works … sorta, but it isn’t worth it. Audio doesn’t work over this connection at all, but I’m hoping that SPICE will change all this soon.

Have you done something like this? Is it a common thing?

  1. fireshadow 10/23/2012 at 16:38

    I’d like to, but I have a bottleneck at my main DSL connection with 1 Mbit/s outgoing (incoming is ok with 16 Mbit/s). Works, but is too slow for practical use (at least with VNC, didn’t try any other method).

  2. JD 10/23/2012 at 20:51

    I’ve used NX over a 28.8Kbps dialup successfully.

    I’ve also used NX over the super-cheap DSL – 128Kbps to Mom’s house when I needed to see the GUI she was seeing. That happened for a few days thanks to a proprietary Linux printer driver with a GUI, but never since.

    VNC is a hog compared to NX. Just sayin’. Plus if you use VNC, then you need to have the VPN too.

    @fireshadow – any interest in an account here? Today there were about 20 blog spams sitting in the queue to be reviewed before I saw yours. No more delay in your comments and since I’m running the latest version of the blog software and have cleaned up all the issues I knew about, seems like opening it up could be handy.

    Ok – 1 bug. The preview button isn’t working. That’s funny to me. ;)

  3. fireshadow 10/24/2012 at 00:13

    Seems I should try this NX thing. I actually had pondered that before, based on one of your articles here, but there are just too many things that seem interesting to try …

    Wasn’t there some kind of open source / closed source controversy concerning NX? I vaguely remember reading something in that direction.

    I actually used double encryption for my VNC experiments. You’re not the only paranoid one ;-). I used (commercial) RealVNC, which provides an AES encrypted connection, and tunneled that through IPsec between my iPad (built-in IPsec client) and my Fritzbox (one of the most widely used router brands in Germany, which has a built-in IPsec server).

    And, yeah, I surely would like to have an account. What do I have to do?

  4. Mike 10/31/2012 at 17:57

    Never heard of NX, so I learned something today.

    This isn’t uncommon in the Windows world if connecting directly isn’t an option due to firewalls, etc. Most of the time it isn’t needed though.

    I used to do Citrix administration a long time ago and ICA is much more efficient than RDP. RDP was originally designed for LAN connections, while ICA on Citrix Winframe 1.7 or 1.8 servers would work across a 14.4 kbps modem.

    Just for fun I once connected to a Citrix server via ICA and then connected with VNC back to my Windows workstation. In a nutshell: don’t ever do that. :)

  5. JD 11/07/2012 at 15:53

    So I just returned from a trip overseas through 3 countries. 2 of them were for less than a day, but one was for 10 days. The NX solution worked perfectly over port 443. I think it would have worked over other ports too, since I was able to ssh into other machines using high ports, unlike my last few trips to Europe. I spent most of this last trip in Istanbul, an amazing place even with the heavy sales push from locals to

    • sell a carpet
    • sell city guides
    • overcharge for taxis
    • expensive tourist site fees

    When I got home, I noticed that the recent Amazing Race shows seemed to be from Istanbul and that Rick Steves was in Florence around the same time I was last April. I can’t wait to watch these recordings. From the previews, it appears that I missed going up into some of the most famous parts of Istanbul’s towers.

    Anyway, having a 100% remote desktop was nice. I took only a netbook with me with the HOME directory encrypted. I did use hugin on the netbook to stitch some of the many photos together. It worked well.

    Anyway, here’s a stitched photo of the Blue Mosque.