If you are working remotely, there is a lot to be said for remote access to an office-based desktop. For a start, assuming you already use a desktop, you have everything installed, set up and ready to go. Who wants to reinstall everything at home?

Secondly, the security perimeter is much better defined in the office. There is (or should be) an unwritten rule that everything that happens in the office is for business purposes only: you don't have random visitors using your devices or children randomly clicking on dodgy internet sites while wasting away their evening. Basically the hygiene is good by default, and since most of us should have a decent broadband or 4G signal, why not remote into work?

So why don't we usually opt for remote desktop style working from home?

Expensive


Firstly there is the cost. If you search for remote access you are likely to find everything from the expensive (TeamViewer) to the unnecessarily complicated and expensive (like Citrix). TeamViewer is designed (and priced) for remote support rather than remote access for normal working. Citrix is designed to allow a single piece of server hardware to support hundreds of clients who just want similar desktops (probably Office and nothing else).

VPN

Secondly, people often think of a VPN for remote access without really understanding what a VPN is designed for, and then get overwhelmed by the cost and complexity of setting one up.

VPN is a family of protocols designed to extend the office network onto a remote machine securely. Imagine you have a laptop that you wish to use from home to access office network drives. The drives cannot simply be opened to the world and its dog, so instead, by running the VPN, your laptop is given an IP address as if it were in the office network. It can then access whatever is permitted to cross between the VPN network and the normal network.

Personally, I don't think a VPN is a great solution for most things, partly because it is confusing to set up and therefore easy to get wrong. Secondly, you effectively spill your private network onto a remote machine which might or might not be secure and which might have other networks open at the same time, so that machine ends up bridging the office network to whatever else it is connected to.

Remote Desktop

Remote Desktop is a Windows technology that is free and relatively secure (in later versions, which support Network Level Authentication so the client must authenticate before a desktop session is even created). It works simply by opening Remote Desktop Connection and entering the IP address or name of the remote PC to connect to; assuming you are authorised to connect, you log in remotely as if you were sitting at the machine. By default, no-one else can use the machine at the same time: the local console is locked while you are connected.

So why not just use this directly from home? If we exposed the RDP port (3389) directly to the internet, we would hand attackers an easy target: either an RDP vulnerability or a weak password, which they will find by brute force. Moving it to a non-default port reduces the noise, but a port scanner will still find it, so instead we want to put a much stronger "gateway" in front of it.

There are various products that will do this in return for some hard cash, but there is a relatively easy way to do it using an SSH tunnel from home to work, through which our RDP traffic is "tunnelled". In fact you can tunnel most TCP traffic over SSH, but we are looking only at RDP for now.

SSH

SSH (Secure Shell) is a protocol that uses encryption to protect both the login and the session that follows. It was designed for securely connecting to remote Unix machines, but with PuTTY for Windows (and the OpenSSH command-line client that ships with Windows 10 and later) we can connect to any SSH server (usually Linux) from our Windows home machines.

We have a number of options to log in, but the two common ones are normal username/password and public key authentication, which uses a randomly generated key pair: the private key never leaves the client and provides the equivalent of an extremely strong password that is never sent to the server, so it cannot be guessed or phished in the same way.

RDP Gateway

To make our system work, we firstly need to create an RDP gateway that is reachable from the internet through the office router. In most cases, I simply use an Ubuntu Linux virtual machine. The one we use has only 1 core, 2GB RAM and 20GB disk. It barely does anything (CPU 0 to 1%), even with 20 people connected via tunnels.

On this box, we simply install the SSH server (the openssh-server package) and nothing else. Every extra service is extra attack surface on a machine that faces the internet.

We add a file for public keys at ~/.ssh/authorized_keys (in the home directory of the account everyone logs in as) and into this file we put one line per user containing their public key. They generate this in PuTTYgen on their client machine. If they are only using the box for tunnelling (i.e. not the IT admins) then we prefix the key with restrict,port-forwarding,command="/sbin/nologin" so that they are not allowed a console: restrict switches off everything (pty, agent and X11 forwarding, port forwarding), port-forwarding switches forwarding back on, and the forced command means any request for a shell just runs nologin and ends. Two caveats: restrict needs OpenSSH 7.2 or later, and on its own port-forwarding lets that user reach any host the gateway can see, so add permitopen="192.168.0.10:3389" (their own office PC) to confine each key to its one destination.

We then edit /etc/ssh/sshd_config to disable password authentication (PasswordAuthentication no; you could set up a second port for internal use if you wanted). Note that sshd uses the first value it finds for a setting, and recent Ubuntu releases include /etc/ssh/sshd_config.d/*.conf from the top of the file, so check the result with sshd -T | grep -i passwordauthentication rather than trusting the edit, and make sure AllowTcpForwarding is still on or the tunnels will not work.

We also need to forward a port on the public side of the office router to the SSH port on this box. I tend to change default ports, not because we rely on obscurity but because it significantly reduces the random attack noise from script kiddies scanning well-known ports across the entire internet.
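Putting the gateway steps together, here is an added example (not the original post's own script) that composes the restricted authorized_keys line, including the extra permitopen option, and applies the sshd_config settings to a file in a way that respects sshd's first-match rule. The gateway login ubuntu, the office PC 192.168.0.10 and port 2222 are assumed values.

```shell
#!/bin/sh
# Added example, not the original post's own script: builds the restricted
# authorized_keys line for a tunnel-only user and applies the sshd_config
# settings to a file. Hypothetical values taken from the post or chosen here:
# gateway login "ubuntu", office PC 192.168.0.10, sshd moved to port 2222.
set -eu

# One authorized_keys line for a tunnel-only user.
#   $1  key type and blob as PuTTYgen shows them ("ssh-ed25519 AAAA...")
#   $2  the only host:port this key may forward to (that user's office PC)
#   $3  a tag so you know whose key it is
# "restrict" switches off pty, agent/X11 forwarding and port forwarding;
# "port-forwarding" switches forwarding back on; "permitopen" confines it to
# one destination so the user cannot reach other office hosts through the
# gateway; the forced command means a shell request just runs nologin and ends.
tunnel_key_line() {
    printf 'restrict,port-forwarding,permitopen="%s",command="/sbin/nologin" %s %s\n' \
        "$2" "$1" "$3"
}

# Value sshd will use for a keyword: the FIRST uncommented occurrence wins,
# which is why an Include'd file near the top of sshd_config can silently
# override a "PasswordAuthentication no" added further down.
sshd_first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Set a keyword: remove every existing uncommented occurrence, then put ours on
# the first line so it wins under the first-match rule. (This also strips the
# keyword from any Match block; keep Match sections separate if you use them.)
sshd_set() {
    cfg=$1; key=$2; val=$3
    scratch=$(mktemp)
    awk -v k="$key" 'tolower($1) != tolower(k)' "$cfg" > "$scratch"
    { printf '%s %s\n' "$key" "$val"; cat "$scratch"; } > "$cfg"
    rm -f "$scratch"
}

# The settings the post describes (keys only, non-default port) plus the ones
# the tunnel depends on. AllowTcpForwarding must stay on here: a per-key
# "port-forwarding" option cannot override "AllowTcpForwarding no".
harden_sshd_config() {
    sshd_set "$1" Port "$2"
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" ChallengeResponseAuthentication no
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PermitRootLogin no
    sshd_set "$1" AllowTcpForwarding yes
    sshd_set "$1" X11Forwarding no
}

# Dry run on a throwaway copy. For real: run harden_sshd_config against
# /etc/ssh/sshd_config, append the key line to ~ubuntu/.ssh/authorized_keys
# (mode 600), then "sshd -t" and "systemctl reload ssh", keeping your current
# session open until a fresh login with a key is proven to work.
demo() {
    scratchcfg=$(mktemp)
    printf 'Include /etc/ssh/sshd_config.d/*.conf\nPasswordAuthentication yes\nPort 22\n' > "$scratchcfg"
    harden_sshd_config "$scratchcfg" 2222
    sshd_first_value "$scratchcfg" PasswordAuthentication   # prints: no
    tunnel_key_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey" \
        192.168.0.10:3389 alice-laptop
    rm -f "$scratchcfg"
}
demo
```

The script edits a copy first; after applying it to the real file, sshd -T on the gateway is the authoritative view of what sshd actually loaded, Include files and all.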

Remote Desktop

You can enable Remote Desktop on each machine or via Group Policy, whichever floats your boat. On the PC itself it is under the advanced system settings (Remote tab); keep the option that only allows connections from computers using Network Level Authentication. You also need to enable the two "Remote Desktop - User Mode" rules (TCP-In and UDP-In) in Windows Firewall and ensure that the person logging in is permitted to connect over RDP: by default only members of Administrators are allowed, so add everyone else to the Remote Desktop Users group rather than making them administrators.

Client Setup

The nice thing about the client setup is that since you will be working inside a remote desktop, the client machine does not have to be perfect. It should have anti-virus installed for good practice, but you won't be exposing the office network to your machine: the only thing that crosses the tunnel is the RDP session to your own PC. (A keylogger on the home machine would still see your password and everything you type, so "not perfect" does not mean "compromised".)

After downloading and installing PuTTY, generate a key pair in PuTTYgen (which comes with it). It is highly recommended that you add a passphrase to the private key to stop anyone else casually using it. Save the private key (.ppk) locally and arrange for the public part to be added to the RDP gateway key file; use the one-line text PuTTYgen shows in its "public key for pasting into OpenSSH authorized_keys" box, not the "Save public key" file, which is a different format the Linux server will not accept. It is worth adding a tag to the end so you know whose key it is.

You then need to set up a PuTTY session that you can simply run when needed. This needs the public IP address (or name) and port of the office gateway; under Connection > SSH tick "Don't start a shell or command at all" (the gateway key forces nologin, so a shell request would just end the session and drop the tunnel); under Connection > Data set the auto-login username to the gateway account (usually "ubuntu"); and under Connection > SSH > Tunnels set up the tunnel, which should point a local port, like 12345, to the office IP address of your office PC and port 3389 (the default for RDP). You should end up with a forwarded port listed as L12345 192.168.0.10:3389 (PuTTY prefixes a 4 if you selected IPv4). Point the Auth section at your private key file and then save the session with a suitable name.

Using the tunnel

This is as easy as double-clicking the saved session in PuTTY and entering the passphrase for your key. The first time you connect you will see an SSH warning with a random-looking host key fingerprint. Check it against the real one before accepting: the admin can print it on the gateway with ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub (or the RSA equivalent) and send it to you out of band. Accepting an unknown fingerprint is exactly how a man-in-the-middle would get between you and the gateway, and PuTTY will not warn you again once you have cached the wrong key.

Once that is running, run Remote Desktop Connection and enter localhost:12345 as the computer. When you click Connect you will see a certificate warning the first time you connect to your Windows machine, because the PC's RDP certificate is self-signed; inside the tunnel that is expected, since the SSH host key check has already proven you reached the right gateway.
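For readers who prefer the command line, or who want to see what each PuTTY box maps to, here is the same client setup and tunnel using the OpenSSH client, which Windows 10 and later ship as ssh.exe. This is an added example, not part of the original post; office.example.com, port 2222, the key path and local port 12345 are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenSSH command-line
# equivalent of the PuTTY session described above (Windows 10 and later ship
# the OpenSSH client; Linux and macOS have it natively). Hypothetical values:
# gateway office.example.com on port 2222, login "ubuntu", office PC
# 192.168.0.10, local port 12345.
set -eu

# Compose the tunnel command.
#   -N   no remote command. Required: the gateway key forces /sbin/nologin, so
#        asking for a shell would just end the session and drop the tunnel.
#   -L   local 12345 -> 192.168.0.10:3389, resolved on the office side.
#   ExitOnForwardFailure=yes  fail loudly if 12345 is already taken locally
#        instead of sitting connected with no tunnel.
#   StrictHostKeyChecking=yes with a private known_hosts file refuses to
#        connect unless the gateway's host key is already pinned there, so
#        there is no "accept anyway" prompt to click through.
tunnel_cmd() {
    gw=$1; gwport=$2; user=$3; keyfile=$4; lport=$5; target=$6; khfile=$7
    printf 'ssh -N -p %s -i %s -L %s:%s -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s %s@%s\n' \
        "$gwport" "$keyfile" "$lport" "$target" "$khfile" "$user" "$gw"
}

# Pin the gateway's host key. The admin copies the one line from
# /etc/ssh/ssh_host_ed25519_key.pub on the gateway and sends it out of band;
# a host on a non-default port is written as [host]:port in known_hosts.
pin_host_key() {
    printf '[%s]:%s %s\n' "$1" "$2" "$3" > "$4"
}

# Fingerprint of a public key file, in the SHA256 form that recent PuTTY
# versions show in the first-connect warning, so you can compare by eye
# instead of pinning (needs ssh-keygen on the PATH).
host_key_fingerprint() {
    ssh-keygen -lf "$1"
}

# Usage (paths hypothetical). Paste the printed line into a .cmd file and it is
# a double-click, like the saved PuTTY session; then, in another window:
#   mstsc /v:localhost:12345
#   pin_host_key office.example.com 2222 "ssh-ed25519 AAAA...from the admin" "$HOME/.ssh/known_hosts_office"
tunnel_cmd office.example.com 2222 ubuntu "${HOME:-.}/.ssh/id_ed25519" 12345 192.168.0.10:3389 "${HOME:-.}/.ssh/known_hosts_office"
```

Pinning the host key up front replaces the "is this fingerprint right?" judgement call on first connect with a hard refusal if the gateway ever presents a different key.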

You can set it up to use all your monitors under the Display tab of Remote Desktop Connection.