To use remote desktop between two hosts that both sit on private LANs behind NAT, you need some form of NAT traversal (often called intranet penetration). frp is a good option for this, but it can be done without any extra tools: plain SSH port forwarding works, and may be better in terms of security because it relies on nothing but sshd and your keys.
Final Architecture
Steps
Suppose we have a macOS computer (O) in the office and we want to connect to a macOS computer (H) at home.
- Buy a public server (V) with a public IP from a VPS provider. Its bandwidth may need to be larger than the cheapest tier (see Result below). Assume the public IP is 123.1.2.3 and its sshd port is 22.
- Turn on the VNC server on the home computer (H): go to System Preferences -> Sharing and check Screen Sharing. It listens on TCP port 5900 (on all interfaces by default, so it is also reachable on the LAN); the tunnel below only ever reaches it through 127.0.0.1:5900.
- Turn on the sshd server on the home computer (H): go to System Preferences -> Sharing and check Remote Login. It listens on TCP port 22; again, the tunnel only uses 127.0.0.1:22.
- Start the SSH reverse tunnel on the home computer (H): `ssh -gNTR 127.0.0.1:7000:127.0.0.1:22 root@123.1.2.3`. This makes sshd on the public server (V) listen on 127.0.0.1:7000 and forward every connection through the tunnel to sshd on H (127.0.0.1:22), so V now has an sshd proxy for H. 7000 is a sample port; pick your own. The explicit 127.0.0.1 bind address is what keeps this listener off V's public interface (whether a remote forward may bind a non-loopback address is decided by the GatewayPorts setting of sshd on V); -g only affects local (-L) forwards and does nothing for this command.
At this point we can log in to the home computer (H) from the public server (V) and reach every network service on H. That is the NAT traversal part. Next, let's put remote desktop on top of it.
- Open a VNC proxy on the public server (V) through the sshd proxy: `ssh -p 7000 -N -L 127.0.0.1:5900:127.0.0.1:5900 admin@127.0.0.1`. This logs in to H (admin is a sample login name on H; change it to your own) and makes V listen on 127.0.0.1:5900, forwarding to Screen Sharing on H.
- Open a VNC proxy on the office computer (O) through an SSH tunnel to V: `ssh -N -L 127.0.0.1:5900:127.0.0.1:5900 root@123.1.2.3`. Now O listens on 127.0.0.1:5900 and forwards to V's 127.0.0.1:5900.
- Connect to the VNC server from the office computer (O): `open vnc://127.0.0.1:5900`. You can also use Finder -> Go -> Connect to Server, fill in vnc://127.0.0.1, and then enter your login name and password on the home computer (H).
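As an added example (my own shell helpers, not code from the original post), here is a small script around the reverse-tunnel step: a builder for the H -> V command that drops the ineffective -g and adds keepalives and ExitOnForwardFailure (so a stale listener on 7000 makes the client exit instead of silently running without the forward), an authorized_keys line that confines H's key on V to exactly this loopback listener, and a check that parses `ss -ltn` output on V to confirm port 7000 is bound only to 127.0.0.1. The public IP 123.1.2.3 and port 7000 are the post's samples; the user name `tunnel`, the ed25519 key text and the socket listings are assumptions and constructed samples.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Helpers for the H -> V reverse
# tunnel. 123.1.2.3 and 7000 come from the post; everything else is assumed.

VPS_HOST="123.1.2.3"      # public server V (sample IP from the post)
VPS_USER="tunnel"         # assumption: dedicated unprivileged user on V instead of root
REMOTE_PORT="7000"        # sample port from the post
HOME_SSHD="127.0.0.1:22"  # sshd on H, reached only through loopback

# authorized_keys line for V. "restrict" turns off pty, shell commands, agent
# and X11 forwarding; "port-forwarding" re-enables TCP forwarding, and
# permitlisten (OpenSSH >= 7.8) limits -R to the one loopback listener we need.
restricted_authorized_key() {
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
    "${2:-$REMOTE_PORT}" "$1"
}

# The tunnel command run on H. ServerAlive* makes a dead TCP session exit
# (so autossh/launchd can restart it); ExitOnForwardFailure makes ssh exit if
# 127.0.0.1:PORT on V cannot be bound, e.g. because a stale listener is still there.
reverse_tunnel_cmd() {
  printf 'ssh -NT -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 127.0.0.1:%s:%s %s@%s\n' \
    "${1:-$REMOTE_PORT}" "$HOME_SSHD" "$VPS_USER" "$VPS_HOST"
}

# Inspect a socket listing in `ss -ltn` style ("addr:port" tokens, assumed
# Linux on V). Returns 0 if PORT listens only on loopback, 1 if any listener
# for PORT is on a wildcard or public address, 2 if nothing listens on PORT.
check_loopback_bind() {
  _port="$1"; _listing="$2"
  # collect every whitespace-separated token that ends in ":PORT"
  _addrs=$(printf '%s\n' "$_listing" | awk -v p="$_port" \
    '{ for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) print $i }')
  [ -n "$_addrs" ] || return 2
  for _a in $_addrs; do
    case "$_a" in
      127.0.0.1:*|"[::1]:"*) ;;   # loopback only: what we want
      *) return 1 ;;               # 0.0.0.0:PORT, *:PORT, [::]:PORT or a real IP
    esac
  done
  return 0
}

# Live variant for V itself (not exercised here): check_live_bind 7000
check_live_bind() {
  check_loopback_bind "$1" "$(ss -ltn 2>/dev/null)"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:7000     0.0.0.0:*'
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:7000       0.0.0.0:*'
SAMPLE_MISSING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
```

Usage: on H, run `eval "$(reverse_tunnel_cmd)"` (or hand the printed command to autossh); on V, append the output of `restricted_authorized_key "$(cat h_tunnel.pub)"` to ~tunnel/.ssh/authorized_keys and run `check_live_bind 7000` after the tunnel is up. A return code of 1 means the sshd proxy for H is reachable from the Internet and sshd on V (GatewayPorts) or the -R bind address needs fixing.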
Once the remote desktop is connected, an operation such as a mouse move travels along this path:
Office computer (O): 127.0.0.1:5900
↓
Public server (V): 123.1.2.3:22
↓
Public server (V): 127.0.0.1:5900
↓
Public server (V): 127.0.0.1:7000
↓
Public server (V): 123.1.2.3:22
↓
Home computer (H): 127.0.0.1:22
↓
Home computer (H): 0.0.0.0:5900
Result
All of the forwarded ports above are bound to 127.0.0.1; the only thing reachable from the Internet is the sshd port (22) of the public server (V). Both hops are SSH, so the VNC stream is encrypted on the wire and each server is authenticated by its host key. Two caveats a careful user should keep in mind: the stream is decrypted on V between the two hops (it crosses V's loopback as plain VNC, including your login to H), so V must be trusted as much as H; and both O and H log in to V as root, so a dedicated, key-only user on V for the tunnels is safer than the root account.
There are also some issues. One of the biggest is lag. If the bandwidth of the public server (V) is 1 Mbit/s (about 125 KB/s), then:
- Typing is fine.
- Transferring files makes the VNC client stop responding entirely, because the transfer takes all of the bandwidth.
- Web browsing also lags a little; you can see significant delays, especially while scrolling a page.
The free version of TeamViewer is much better than this, probably because TeamViewer's proprietary protocol is far more bandwidth-efficient than VNC's framebuffer updates.
If you increase the bandwidth to 10 Mbit/s it becomes comfortable enough. Also make sure the home computer (H) has enough upload bandwidth, since the screen data flows out of H; you can test it at http://www.speedtest.cn/.
Other issues
- SSH connections are sometimes unstable. Consider using something like autossh, or adding the keep-alive options (ServerAliveInterval and ServerAliveCountMax) to ssh.
- The text cursor (caret) is drawn very large while you are typing, which is probably a bug.
- If you want to transfer files, you can only use drag and drop in the macOS VNC client; CMD+C and CMD+V do not work for this.
- Dismissing the screen saver of the remote computer is really slow. At that point, disconnecting and then reconnecting is a good choice. It may be related to the bandwidth.
Overall this is fine as a backup for the free version of TeamViewer. For example, TeamViewer sometimes cannot connect when the remote computer's screen is locked or TeamViewer on the remote computer is minimized; then you can use this method to connect to the remote computer and troubleshoot the problem.