RE: VPN and Screen Sharing...
Can you point me toward a good reference source to learn about this, perhaps a "VPN with Screen Sharing for Dummies?"
Hi Maui19,
As jtara indicates, some routers have their own VPN service available, so you might look into using whatever router you have to see if you can set up VPN with it. While my router does do VPN, I don't use it but rather set up VPN on my server (I like the better control and logging of the server versus the router).
If you are using Mac OS X Server, the VPN service is relatively easy to set up and it saves a Configuration Profile that your client can use for easy setup of the client. Personally, I would choose L2TP VPN (more secure). I also choose my own Shared Secret instead of using the automatically generated one, just so that I can remember it and thus use it to VPN in from any machine, even ones for which I don't have access to my Configuration Profile file. Select an IP address range for your VPN clients that does not "step on" the IP addresses that you use for your machines on your LAN. Make sure the DNS servers are correct. I would set up your own caching DNS server first of all to give your local machines reasonable hostnames. If you are using Open Directory, make sure you set that up too. Then start the VPN service and save the configuration file for your client.
Personally, I use 10.6.8 Server for VPN instead of 10.8.2 Server, mostly because 10.6.8 has a better GUI to serveradmin; I find that under 10.8.2 Server I use the command-line serveradmin command a fair amount for chores that are available in the ServerAdmin GUI under 10.6.8. If you don't use the Configuration Profile file, then it is still fairly simple to set up the client using the Add "+" button in the Network System Preference pane. Select VPN and enter your home's DNS name (if you have one) or its IP address along with the Shared Secret, etc.
To use Screen Sharing, the app is in the /System/Library/CoreServices/ directory. I drag this Screen Sharing.app to my Dock in order to have it readily available. On your home's server, or any machine that you wish to Screen Share with, first switch on the Remote Management and Remote Login (but not the Screen Sharing) by checking the On buttons in the Sharing pane of System Preferences. I would set up the "Allow access for: Only these users:" and add yourself; give yourself all of the options for Remote Management (Observe, Control, etc.) by checking every box available in the "Options..." button. If you are using VNC from Windows or Linux, then you might want to set up the "Computer Settings..." "VNC viewers may control screen with password:" setting, but this is a security risk. Close the Sharing pane when finished with your setup.
On your client computer, click on the Screen Sharing.app and enter the hostname/IP address of the machine, say your home's server, that you wish to Screen Share with. Enter your password, and voilà, a window opens showing your server's display. That's all there is to it. From "outside", i.e., the Internet, you should first VPN into your home's LAN and then use Screen Sharing to connect to your home's server's display. This keeps everything encrypted and secure.
Good luck,
Switon
P.S. I see that a number of others have suggested third party solutions to VPN and SSH. I don't have much experience with these, so I won't comment on them, but the setup of VPN and SSH is already fairly straightforward using Mac OS X Server. If you are using an Airport Extreme as your router, the VPN and SSH setup also automatically opens the appropriate ports on your router. If this does not happen, it is a simple matter to port forward the appropriate ports for both VPN and SSH. And, as I see jtara does also, I too set up my SSH to use a non-standard port (the standard SSH port 22 will get "hit on" by those hackers attempting to guess your usernames/passwords) that eliminates the username/password guessers. [Never use simple/common/default/personal information/none passwords, as these will likely get you into trouble.]
One further hint concerning security and unsecured machines: If you find yourself in the position of needing to VPN into your home LAN from a machine that is not yours (say public or from your customer's company), then I would use a "throw-away" account. By this I mean that before going to my customer's company or using a public computer, say at a university, I first set up a dummy account on my server. I give this dummy account the ability to VPN in, and I use a strong password for it (do not use a Guest account or one without a password - frankly, you should disable your Guest accounts). When I need to VPN from an insecure machine (say one that might be keystroke recording), I use this dummy account. I use it for a single VPN session, and then I delete the account afterwards. I also check my log files to make certain that the dummy account only VPNed in a single time. This way I am more protected when using VPN from a potentially insecure machine -- if a keystroke recorder sent my login and password somewhere else to a hacker, it doesn't matter since the account has been deleted. You can also check your logs to see if some hacker attempted to VPN in using the dummy account (which no longer exists since you deleted it).
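The log check described in the last paragraph, as an added example that is not part of the original post: it audits a throw-away VPN account for more than one accepted session and for any attempts made after the account was deleted. The log line format, the account names `tmpvpn` and `owner`, the addresses and the timestamps are all constructed for illustration; real server logs need their own pattern.

```python
import re
from datetime import datetime

# Constructed log format (an assumption); adapt LINE_RE to what your server writes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vpnd: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>accepted|rejected)$"
)

SAMPLE_LOG = """\
2013-01-14 09:12:03 vpnd: user=owner src=198.51.100.20 result=accepted
2013-01-15 10:02:41 vpnd: user=tmpvpn src=203.0.113.7 result=accepted
2013-01-15 18:30:00 vpnd: user=tmpvpn src=192.0.2.99 result=rejected
2013-01-16 03:14:15 vpnd: user=tmpvpn src=192.0.2.99 result=rejected
garbage line that does not parse
""".splitlines()


def audit_throwaway(lines, account, deleted_at):
    """Summarise log entries for a one-time account and list what needs review."""
    accepted, after_delete, unparsed = [], [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # count unparsed lines instead of silently dropping them
            continue
        if m["user"] != account:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        entry = (ts, m["src"], m["result"])
        if m["result"] == "accepted":
            accepted.append(entry)
        if ts > deleted_at:
            after_delete.append(entry)
    findings = []
    if len(accepted) > 1:
        findings.append("more than one accepted session: credentials were reused")
    if any(result == "accepted" for _, _, result in after_delete):
        findings.append("login accepted after deletion: account was not removed")
    if after_delete:
        srcs = sorted({src for _, src, _ in after_delete})
        findings.append("attempts after deletion from: " + ", ".join(srcs))
    return {"accepted": accepted, "after_delete": after_delete,
            "unparsed": unparsed, "findings": findings}


if __name__ == "__main__":
    report = audit_throwaway(SAMPLE_LOG, "tmpvpn", datetime(2013, 1, 15, 12, 0, 0))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

With the sample lines the account shows exactly one accepted session, and the two rejected attempts after the deletion time are reported with their source address.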