RDP over VPN

Col_panic

Occasional Visitor
I've been managing a small but growing network for my wife's company and need to set up a Remote Desktop option.

Their network consists of a QNAP TS509, N66 router and 4-5 PCs running Windows 7 or 8.1. The software they use (Revit) really needs files to be on a LAN to work correctly, so I'm looking at Remote Desktop rather than Dropbox or something similar.

I turned on Remote Desktop, forwarded the port and it worked fine, but forwarding ports to all of the PCs, exposing them to the WAN, seems like a bad idea, so I set up a PPTP VPN server on the router. This worked, but seems to noticeably slow things down. Is running a VPN server asking too much of that router? Would it be better to run it from the NAS, or would upgrading to one of the newer AC routers with ARM processors be better?
 
What router depends on how much throughput you're looking for. If below 100Mb/s then a dual core ARM A9 will do fine; if above, you will need to start looking at other solutions such as PPC, TILE, x86.

The other solution you can use is to port forward different ports. For example you can port forward 1000 to 500 and another host 1001 to 500. Hopefully remote desktop lets you specify ports.
 
Throughput to or from the WAN is far, far less than 100 Mbps with or without VPN. More like 20. Would there be an appreciable speed difference between a VPN run on a dual core ARM or the cpu used in the older N66U?
 
Speed difference can be massive for PPTP but not much different for OpenVPN. OpenVPN is limited to 1 core. A dual core ARM A9 can do up to 100Mb/s of PPTP VPN, whereas I would expect the MIPS based CPU to do about 30Mb/s depending on the MIPS CPU.

Cisco RV uses 64 bit dual core MIPS and there is a table on this website on different throughputs for different models, but in general they run around 1 GHz. Using that as a baseline, you can check the CPU on your N66U, which will be a 32bit MIPS CPU, probably a smaller MIPS running at around 400 or 600MHz. If you find VPN to be slow in the sense that you aren't getting your WAN's throughput, then you will need to get a faster router.

The ASUS AC56U is one of the cheapest dual core ARM A9 routers. If you have the skill, the other choice is to go for a MikroTik RB850Gx2 that costs a bit more, which can give you up to 500Mb/s of PPTP VPN over 2 clients and is fast enough for gigabit internet since it uses a dual core PPC that is much faster than ARM A9.

You can also go for a router that has a faster MIPS CPU too. I would advise against getting Cisco RV because their stability and throughput are not worth the cost.
 
Or just keep it easy.
Ensure the Administrator account on each PC has a strong password.
Ensure any/all local user accounts have strong passwords.
Put a local policy in place to halt RDP host after XX amount of failed login attempts.

Unless you're using something ancient and non-updated like Windows XP pre-Service Pack 2....Microsoft RDP is secure. The "man in the middle" exploit was done in a lab environment, which is pretty much impossible to do in the real world.
 
He needs to port forward multiple computers to the same port, so I suggested either using different ports to port forward to the same port or use of VPN.
 
This is becoming very annoying!

I decided to just try forwarding ports but it's not working as expected. I'm starting to think the ATT Uverse 5031, which showed up in the middle of this process, is the problem. I put the ATT router in "DMZplus" mode and turned off the firewall settings. That gives my router an outside IP, but ports don't seem to forward like they should. RDP wants to use port 3389, so I set up forwarding so that if an RDP connection comes in on port 5000 it gets forwarded to 3389 on PC #1's internal IP, 5001 to #2, etc... But it doesn't work. It only works if 3389 is the specified port on both ends.

I then tried changing the RDP port in regedit so it would just be 5000 with no forwarding needed (and created a rule in Windows Firewall to allow it), but still no luck. All of which leads me to think that DMZplus may not actually be exposing everything it claims to be.
 
I'm confused, are you using double NAT? If the ATT router is supplied by your ISP, try to use it in bridge mode. It is known that routers supplied by ISPs tend to be crappy and not work properly. If you do manage to get it working, then the port forwardings should work.

It seems like RDP just doesn't support using other ports, so it seems like VPN is your only option. The other better solution I found is TeamViewer, which is much easier to manage and use.
 
Thanks. The ATT router has a DMZplus mode that is as close to bridge mode as it will get. What exactly it does isn't documented, but it does still block some ports. I was able to get port forwarding to work. The problem was that during all of the changes the PCs had changed the network type from private to public and were not allowing RDP. :D Took me a long time to notice it.

Teamviewer is easier but it's much less responsive than RDP.
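The two posts above boil down to a handful of host-side settings that decide whether an inbound RDP connection is accepted: the configured listener port, the Windows Firewall allow rule for that port, and the network profile of the interface. The read-only PowerShell check below is an added example, not code from the thread or from any product mentioned in it; it assumes Windows 8.1 / Server 2012 R2 or later (the NetSecurity and NetConnection cmdlets are not present on Windows 7) and an elevated session.

```powershell
# Added example (not from the thread): report the settings that decide whether
# an inbound RDP connection is accepted on this host. Assumes Windows 8.1 /
# Server 2012 R2 or later and an elevated PowerShell session. Read-only.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Is RDP enabled, and which port is the listener configured for?
#    (The thread changed PortNumber here to listen on 5000 directly.)
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
$port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
"RDP enabled       : $($deny -eq 0)"
"RDP listener port : $port"

# 2. Which profile is each active interface on? An interface that silently
#    switched to 'Public' was the cause of the failure described in the thread.
Get-NetConnectionProfile | ForEach-Object {
    "Interface '$($_.InterfaceAlias)' profile: $($_.NetworkCategory)"
}

# 3. Is there an enabled inbound allow rule for that port, and for which
#    profiles? RDP 8 also uses UDP on the same port, so both are reported.
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
foreach ($proto in 'TCP', 'UDP') {
    $hits = foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq $proto -and
            ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains "$port")) {
            "  [$($r.Profile)] $($r.DisplayName)"
        }
    }
    if ($hits) { "Allow rules for $proto/$port :"; $hits }
    else       { "Allow rules for $proto/$port : NONE (inbound RDP will be dropped)" }
}

# 4. Is anything actually bound to the configured port?
$listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
"Listener bound on TCP/$port : $([bool]$listening)"

# 5. Account lockout threshold, the "halt after XX failed logins" control
#    suggested earlier in the thread ('Never' means no lockout is configured).
(net accounts) -match 'Lockout threshold'
```

A rule that allows the port only for the Domain and Private profiles, combined with an interface reported as Public, reproduces exactly the "forwarding looks right but nothing connects" symptom from the thread.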
 
Try SplashTop or AnyConnect...they're both quite fast. Pay for product for multiple/business use, but you ditch the annoying multiple port forwarding and crippled ISP CPE crap gateways, dynamic IPs, all that stuff. And sometimes port forwarding to multiple internal devices gets tricky and unreliable with some of those (like the 2Wire gateways some DSL/fiber providers use)..and the DMZ Plus mode sometimes kicks out of them..resulting in double NAT again. Overall..just a pain to manage on some models.

Or if your wife's company has a server...maybe it's Small Business Server, where you have the very good "Remote Web Workplace"...or perhaps a 2012 server with the Essentials role (has the same nice remote desktop proxy).
 
Thanks. I use splashtop and love it for remote support or light use but all of those services have to route the traffic to their servers. The difference in responsiveness is huge if you spend 8-10 hours a day zooming in and out of drawings. For drafting it has to be direct to be useful.

They don't have a real server yet. Just a QNAP NAS but the Remote Desktop proxy sounds interesting.
 

Ahh..drawing and drafting. That definitely narrows things down. Is this for graphics design? If so..are these fully proper graphics design workstations? Like Dell Precision, or HP Z Workstations? Proper ISV certified hardware, graphics cards, and options such as HP's "RGS"....which is a very high performance version of remote desktop for professional graphics workstations. Makes vanilla RDP seem like old pokey VNC or PcAnywhere.
 
It's architecture and they use Autodesk products. Revit mostly. The PCs aren't HP but they are "real" workstations with supported graphics cards (but that's a whole other can of worms). I've built them all myself so far. I've never heard of RGS, but it seems like everyone has their own version of RDP. Autodesk even has one, but it's slower than RDP.

I did upgrade the Win 7 machines to use RDP v8.1, which uses both TCP and UDP packets. If the PCs on both ends have UDP enabled (or use Win 8.1 or up) it makes a huge difference. This with no VPN and port forwarding will get the job done, but eventually they'll need something more scalable and secure. (Eventually they'll probably need real IT support too.)

I have also been looking at Server 2012 R2 mostly for other uses but I'm not sure the Remote Desktop services it offers would be any better or even different.

Edit: in case someone else runs across this, here are instructions for enabling RDP v8 and UDP on Win 7: http://www.thecadmasters.com/wordpr...nd-microsoft-remote-desktop-protocol-rdp-8-0/
 

One of the many functions of the "Essentials Role" is an HTTPS (port 443) web portal that remote users log into....to get access to various things that are published in the dashboard page. There is an old SharePoint "Windows Explorer" interface to browse files on designated shares on the server...so you can download/upload files. There is also a button for the computer(s) that your user account is allowed to log onto...that launches RDP and proxies it to your workstation. Multiple users can connect to their workstations at the same time via this portal. You don't need to worry about multiple port forwards for each workstation, port redirection, all that stuff. Just the basic port forwarding for the "Remote" page on the server. Standard RDP performance...quite good. Mostly up to the performance of the router you choose (NAT performance, handling multiple connections, QoS to certain traffic types such as RDP)...and the internet connection.

Other alternatives...PPTP VPN is slow, has high overhead. No matter what acts as the server. IPSec is faster...but, with fat clients to manage...can be a pain in the arse to support a bunch of remote users. Clientless SSL VPN is the way to go for ease of support, ease of deployment, and good performance. Most of them just use a little Java applet that gets installed the first time a remote user logs in (so it's not really clientless..but it's a tiny program with zero configuration that gets installed). Client launches their browser, hits the sign in page...logs in...sees a little VPN icon in their systray..and they're in. We've used Juniper's SA VPN appliances (now PulseOS) with great success. Expensive..yes. But very reliable, and very very fast! It's a dedicated VPN appliance that sits behind the edge firewall (router). The CPU of the SA VPN appliance is dedicated to VPN throughput. Much better performance than a router that also does a little VPN.
https://www.pulsesecure.net/products/connect-secure/
 