Hi all,
I have recently downloaded the NVDA Remote add-on. As there appears to be a couple of different ones available, I will clarify that the one I'm using is from https://nvdaremote.com.
At the moment I do not have the ability to set up port forwarding (lost the admin password for my main router and resetting everything is going to be a nightmare that I don't have the time to go through right now). If I use the nvdaremote.com relay and give my computer a secure key e.g. a password manager-generated random string, is that reasonably sufficient from a security point of view to ensure that my system is unlikely to be accessed by anyone else?
Secondly, will I need to make sure my computer stays awake in order for me to be able to connect to it remotely, or is there a way to have it wake up when a remote machine connects to it?
Thanks for any help with this.
Comments
Not My Preference to Do Either
I don't know how safe their protocol is, so if I were you I'd arrange a VPN server of some sort (there are quite a few mesh VPN options now that don't require you open a port) and use that, rather than going to either their relay or direct. But, sure, it won't be totally insecure as long as you use a secure password that can't be easily brute-forced. I'm more worried about the confidentiality and integrity of the connection itself, and the security of their relay or server. I doubt you'll be pwned by random wandering demons.
VPN Options
Thanks. I’m not sure what the security of the connection is like especially when going through their relay. I don’t see anything about whether the traffic is encrypted for example, so I would guess it's not.
The VPN route would definitely be my preference as well, but I thought I’d have the same problem as I wouldn't be able to set up the port forwarding rules. What are some of the mesh VPN options you mentioned?
Mesh VPNs
Off the top of my head, ZeroTier, TailScale, Nebula, or CloudFlare Teams (not technically mesh, but might as well be given CloudFlare has presence everywhere). Basically they all do NAT traversal, establishing connections outbound and then use UDP hole-punching to get sessions set up (except CloudFlare, which is just a relay). That way you can pretend to have direct connections to hosts on your network that are really across the Internet. Really rather lovely. If you're not sure which one to begin with, then I'd suggest ZeroTier, which can be completely free if you only have a few (25 max, I think) nodes. If you don't mind self-hosting a server on a VPS, then Nebula gives you bang for the buck (it's free free free). I've heard good things about, but didn't try, TailScale (or the open source management frontend called HeadScale). And CloudFlare is the one you use if you already have a domain registered with them for any reason (a silly requirement, since the tunnel doesn't absolutely require a domain for private networking, but that's how things stand right now; the domain need not actually be used as part of the tunnel).
Have fun.
Thanks
Thanks so much for this, it's really useful info. I already use Cloudflare to improve the speed and security of some of the websites I host, but wasn't aware of their teams offering.
I think Cloudflare for teams is a bit overkill for my use case. I've had a quick look at the ZeroTier website though and it looks spot on for what I need, so will definitely look into that further.
Thanks again!
You're Welcome
I really, really wanted to like ZT, and in fairness I probably should have, seeing as how my particular use case is somewhat fringe. It's layer-2 bridgeable, so I had hoped to join my local LAN to my ZT net. Unfortunately, all I had for a bridge was my Mac Mini, and despite my best efforts, I could not arrange to clamp the MSS of TCP sessions using pf. I should have much preferred to do that in software, at the ZT layer, anyway. Still, it did work, except for the terrible TCP performance when the MTU of the network was limited to 1500 bytes (physical MTU: 1432, logical MTU: 2800). And, at the time, free accounts could host 50 nodes, so if I had not cancelled in frustration, I'd still have that ...
If you just use it properly, going node-to-node, you'll be all right. Mind the inaccessible UI--you'll have to settle for the CLI. Sorry about that. It's no hardship, though.
I use CF Teams now, myself. I am even now investigating Nebula, because I want to have my home server and a VPS communicate, but gate access to my home net via the VPS lighthouse with direct peer-to-peer connectivity. This is the stuff of the future. CF really isn't all that hard—grab the cloudflared binary, install it as directed, tell CF to configure the tunnel to route the subnets you want, then tell the Warp client in its settings to include those routes if not already done. Servers on your internal network see connections as though coming from the box running cloudflared: it's not a router but a mere user-mode proxy, but sufficient for TCP, UDP, and even ICMP. The MTU of the Warp client connection is absurdly low—1280, the minimum for IPv6—but it works at layer 3 using WireGuard. Also, that tunnel daemon lets you expose web services direct, even from behind your NAT, through CloudFlare's front-end CDN; it also lets you connect arbitrary sessions, using another copy of cloudflared, without Warp. It's turned out real nice, allowing me to, among other things, remote control my Mac Mini from Turkey while receiving the audio via SonoBus; latency is very good. I wouldn't pass it up, if you need options.
Much enjoyment.
Tailscale worked well with the NVDA remote add-on.
I did not feel like setting up my own VPN server or key exchange server. I used Tailscale to access my desktop and it worked well. The only issue I had was that when I was gone the desktop lost power. Once someone turned it on I was not able to connect since I had not gone through the steps of running Tailscale as a Windows service.
PiVPN
I used to use PiVPN on a VPS and it works as long as you add an iptables rule to allow devices to talk to each other. I use sudo iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT to do this. I don't know what Nebula and Tailscale are.
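A tighter version of that FORWARD rule, as an added example and not code from the thread or from PiVPN: it reads the [Peer] blocks of a constructed wg0.conf and emits rules that let only named peer pairs initiate connections across wg0, dropping everything else between peers (the peer names, tunnel addresses and the '# name' comment convention are assumptions).

```python
# Added example (not from the thread): least-privilege replacement for the
# blanket "iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT", which lets every
# WireGuard peer reach every other peer. Only listed src->dst pairs may
# initiate; conntrack admits replies; everything else between peers is dropped.
# Constructed wg0.conf (wg-quick format). Naming peers with a '# name'
# comment before each [Peer] is an assumption, not PiVPN's own layout.
SAMPLE_WG0_CONF = """\
[Interface]
# laptop
[Peer]
PublicKey = <laptop-pubkey>
AllowedIPs = 10.8.0.2/32
# desktop
[Peer]
PublicKey = <desktop-pubkey>
AllowedIPs = 10.8.0.3/32
# phone
[Peer]
PublicKey = <phone-pubkey>
AllowedIPs = 10.8.0.4/32
"""
def parse_peers(conf):  # peer name -> list of AllowedIPs (its tunnel addresses)
    peers, name, in_peer = {}, None, False
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("#"):              # comment naming the next [Peer]
            name = line.lstrip("# ").strip()
        elif line == "[Peer]":
            in_peer = True
        elif line.startswith("["):            # any other section ends the peer block
            in_peer = False
        elif in_peer and line.startswith("AllowedIPs"):
            ips = [ip.strip() for ip in line.split("=", 1)[1].split(",")]
            peers[name or f"peer{len(peers) + 1}"] = ips
            name = None
    return peers

def forward_rules(peers, allowed_pairs, iface="wg0"):
    """Return iptables commands allowing only the given src->dst peer pairs."""
    rules = [f"iptables -A FORWARD -i {iface} -o {iface} "
             "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src, dst in allowed_pairs:
        if src not in peers or dst not in peers:  # misspelt name: fail loudly
            raise ValueError(f"unknown peer in pair {src}->{dst}")
        for s in peers[src]:
            for d in peers[dst]:
                rules.append(f"iptables -A FORWARD -i {iface} -o {iface} "
                             f"-s {s} -d {d} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {iface} -o {iface} -j DROP")
    return rules
```

Because -A appends, these rules must come before any earlier wg0-to-wg0 ACCEPT in the FORWARD chain or they will never match.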