Do you sometimes want to access your home computer from an outside network? Maybe you use another system, but you do not trust it and would prefer your home computer for some workflows?
This post outlines the steps to make such access possible.
Working through this requires intermediate to advanced expertise (or alternatively, curiosity and persistence) in computers and troubleshooting. But the requirements are otherwise minimal:
- Your home computer is on a broadband connection (ADSL).
- Your remote network allows
sshinto another system. This is usually not a problem.
- Your untrusted computer does not have agents that take screenshots of your desktop or monitor your keystrokes.
The Big Picture
- We’ll set up the WiFi router at home for remote access.
- We’ll use SSH tunnel to access our home computer from remote network.
- We’ll use Mac’s “Screen Sharing” to access our home Mac’s desktop.
WiFi Router Setup
The IP address your home computer has, say
192.168.1.10, is known as
a private address. You cannot access it from the internet. We will
Additionally, your home computer may get a different IP address from your WiFi router every time you connect. We will fix this as well.
Finally, your public address itself is on a lease and can change. To fix this, We will sign up for a service that gives your computer an easy name such as yourname.no-ip.com, that never changes.
Here are the steps.
Log in to your router administration page, usually http://192.168.1.1/
Then, consult your manual to do the following (I just browsed through all the pages on their Web interface until I found what I wanted):
Reserve an IP address for your computer. The router will provide a way to reserve an IP address, say
192.168.1.5, to the hardware (MAC) address of your home computer.
Set up the router to forward port
Sign up for a dynamic DNS service (e.g., no-ip.com). The basic plan is free of charge.
After you set these up, connectivity may still be broken, because we have not set up the home computer for SSH yet. We will do that next.
We’ll set up your home computer for remote access.
Under System Preferences > Sharing, enable ‘Remote Login’. This allows SSH access to your home computer.
No other services are needed.
Next, we will set up the SSH server to allow access only:
- from your remote network computer
- when presented with a long key that’s computationally hard to fake
First, on your remote network computer, generate a 4096-bit key:
ssh-keygen -b 4096
Use a long, complicated passphrase to protect your key. Then copy your public key to your home Mac:
Afterwards, ssh again. Note that you are asked only for your key passphrase.
We next harden the SSH server on your home computer for enhanced security.
- Disable password-based access
- Disable system-login authentication
- Enable host-based authentication
- Copy your remote network computer’s host key to the home computer’s known hosts file
The relevant file is
/etc/ssh/sshd_config. You can read the
comments above the configuration statements for more information.
The config lines are:
# Disable password-based access PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no # Enable host-based authentication HostbasedAuthentication yes IgnoreUserKnownHosts yes IgnoreRhosts yes
You can copy your remote network computer’s host key in
/etc/ssh/ssh_host_foo_key.pub to the known hosts file
/etc/ssh/ssh_known_hosts on your home computer.
After making these changes, restart the SSH service: uncheck the box on System Preferences > Sharing, then check it again.
The steps above will restrict who can access your home computer. It does not prevent flooding your computer with connection attempts. To fix this, we will use the Mac’s firewall to limit how quickly connections may be opened.
You will need the following configuration in
table <bruteforce> persist block quick from <bruteforce> pass in inet proto tcp to any port ssh \ flags S/SA keep state \ (max-src-conn 5, max-src-conn-rate 5/5, \ overload <bruteforce> flush global)
See this Mac PF page for more information around this. It is OK if you don’t want to do this now, but mark it for later.
Keep your home computer updated with Security Updates from Apple.
Finally, go to System Preferences > Energy Saver > Power Adapter, check on ‘Wake for Wi-Fi network access’. Without this, you may find your home computer inaccessible because it went to sleep.
Remote Desktop Sharing
We now come to the exciting part. We will use the SSH connection to tunnel remote desktop connections.
Add the following to your
~/.ssh/config file. Create it if it does
not exist already.
Host some_fancy_name Hostname yourname.no-ip.com User your_home_mac_user_id IdentityFile ~/.ssh/id_rsa_or_something_like_that LocalForward 5910 127.0.0.1:5900 ServerAliveInterval 30
Start an SSH session:
Use your key passphrase to authenticate.
Now open Screen Sharing, and connect to
127.0.0.1:5910. This should
connect to your home computer via SSH, and from there to the remote
desktop server running on your home computer. You should see the login
screen from your home computer.
I always start an SSH session manually. I have not automated this. I also keep my remote desktop under full screen, which makes it easy to swipe it away when I need focus or privacy. I try to use wired Internet if available.
Is a Mac needed at home?
Not really. It is possible to use a Linux system and I’ve used it in the same way. I pay for a Linux VM on Linode.com; I sometimes use it as a backup.
Be aware that this comes with some limitations: I could only get TigerVNC to work on it to any degree of satisfaction, and even then, media was a problem. It does not work for “bring my own laptop” or conference call situations. Besides, in general, Linux can be quirky and frustrating to use as a primary personal desktop.
Also be aware that you’d still need to harden this VM. I’ve seen reams of login attempts within a day of creating a VM.
Those are the steps, as an outline. Some of the topics above merit separate posts by themselves (SSH tunneling anyone!?), but again, I’ve kept the post focused on the goal. I hope it is helpful in that regard.