- This topic has 7 replies, 2 voices, and was last updated 4 years ago by
.
-
Posts
-
Hi, I am struggling to use NoMachine over internet, could someone please help me out on that? It’s been a week already and I can’t make a basic connection.
I went through all the steps on the documentation, and I get this error on client’s (local)NoMachine: “The connection with the server was lost”. See full log of the client (local) attached. I replaced my ip with “xxx-xxx-xxx-xxx” for obvious reasons.
Error is 108: Connection reset by peer’.
Details
Server/remote pc: connected via ethernet to the internet provider’s router via a switch. No physical display connected, but I can access via [removed].
Client/local pc: connected via wifi to the internet provider’s router. Physical display connected.
Both pcs: Windows 10, 64-bit, home/private network with stable internet access. NoMachine 6.9.2_1 free version
Did you reboot the computer after installation? Logs would be useful at this stage (not the session file) of the server Windows host (the computer you want to connect to). Please follow the guidelines here: https://www.nomachine.com/AR10K00697 You can submit them directly forum[at]nomachine[dot]com making sure you reference the topic title as the subject. Thanks!
Logs received.
I assume that you can connect to the remote computer whilst on the same network? To do that you should use the local IP that we can see in the logs 192.168.1.xxx and try to connect whilst both PCs are on the same LAN. Does that work ok?
For access from outside, from the logs we can see that you have a double NAT, the same scenario as this: https://forums.nomachine.com/topic/double-nat-remote-through-internet (so there are two routers involved and you need to configure port-forwarding rules on both routers to tell the routers what they need to do when you try to access using NoMachine). You are using an external IP of 179.xxx.xx.xxx on port 24244 so you should try forwarding port 24244 to the IP 192.168.15.146. If you tell me the router models, I can try and point you in the right direction for what rules you need to set.
Hi,
Thanks for getting back. I reinstalled NoMachine over the long weekend, and succeeded on connecting over internet.
Then I decided to move forward with configuring SSL to discover at which point it stopped working. So, as soon as I turned on EnableNXClientAuthentication 1 in the server.cfg, it wouldn’t connect anymore, and that apparently was the issue I was having, the SSL wasn’t properly done.
I managed to get it yesterday, it’s all good now. I removed all manual attempts of forwarding, and it works with automatic UPnP now, that I don’t have double NAT anymore.
From the documentation, it’s really not clear to me that just by enabling EnableNXClientAuthentication, I’m actually refusing connections without a correct SSL certificate (is that even the case?!). But perhaps it’s my ignorance in networks/security and I didn’t get it. Anyway, that’s something that could be more clear in the documentation between https://www.nomachine.com/AR10M00866 and https://www.nomachine.com/AR02L00785.
To me it’s not difficult to set a port forwarding and an exception in the firewall once we log in to the router. The difficult bit is to know exactly what ports and IPs are supposed to be in Internal, External, and if it needs tcp and udp.
And in case of a double NAT, should both routers be configured with exactly the same forwarding? As you can see even in the link you shared, that other fellow didn’t know which ports needed to be forwarded, and therefore probably exposed himself as easy target to hackers. Imagine the less tech-savy, how much can they expose themselves by trying to do the same, now that everyone is going online/remote.
I’m working on my own documentation how to set it up, and if you would like I can translate it back to English and share it. Just point me where to. It took me about 80h having different issues, but finally got it right, and I’m happy with that. Documentation was just getting me about half way through.
For the sake of helping others that might come across the same issue, I attached screenshots of the router’s screen when setting up the forwarding/firewall rules (it’s from the ISP), perhaps you could point what should I do to get it to work under double NAT. The secondary router, where the remote computer would be connected to is a TL-WR740N.
Attachments:
Thanks for the feedback. We will certainly take a look at the documentation on how to improve it.
Let’s handle each of the points you raise separately.
1) UPnP – When the NoMachine (server) computer is behind a NAT router or a firewall, NoMachine tries to use the UPnP or NAT-PMP protocol (depending on what is supported by the router) to retrieve the public or external IP of the host machine where it’s installed and configure the router to allow a NoMachine client to connect from outside of the private network. The UPnP or NAT-PMP port mapping service can work efficiently only when it’s enabled in the server configuration, the router supports UPnP or NAT-PMP, UPnP or NAT-PMP is enabled and the router accepts UPnP or NAT-PMP commands for enabling port forwarding.
Those users who have a double NAT doesn’t mean it’s impossible to connect. It means additional configuration is required, which is not always possible especially if one of the routers is not your own.
We fully understand that this is not an ideal scenario for the less tech-savvy user and for this reason we will be releasing NoMachine Network which will eliminate the need for knowing the IP address of the computer and users won’t need to enable port-forwarding on their routers. You can read more about this here: https://www.nomachine.com/FR07J02731.
2) Key based authentication with NX protocol (article AR02L00785), i.e so if you’re a user that doesn’t want to use a password to connect but prefers to use an SSH key certificate when connecting to the server, then this article is for you. It’s a way to authorize the user from whatever client machine they may be connecting.
3) EnableNXClientAuthentication – By setting that to ‘1’ only the devices which have a valid certificate are allowed. This key allows you to specify which client machines can connect. All other connections will fail. So that article “How to enable SSL client authentication for connections by NX protocol” (AR10M00866) is ideal for environments where many client devices are connecting and administrators want to lockdown access to a per-user or per-host basis. It’s not for your average user and hence that article mentions multi-node, clustering and other advanced functionalities.
4) Protocols and ports. Take a look at the article here: https://www.nomachine.com/AR01L00770 (NXD and the NX and UDP protocols). The rules would be like this:
Rule name: NoMachine
External port: 4000 or any unused port that you prefer
External IP: blank
Protocol: It depends on your router version, but it should TCP/UDP or “Both”
Internal port: 4000 (NoMachine’s default)
Internal IP: local IP of the NoMachine serverRule name: NoMachine
Local port: 4000
Local IP: your NoMachine server’s local IP
Action: Accept in both way
Protocol: It depends on your router version, but it should TCP/UDP or “Both”
Remote port: 4000 or any unused port that you prefer
Remote IP: blankThanks a lot @Britgirl, that’s gold!
1. When I said “router’s from the ISP”, I meant that it’s not a regular model from netgear, tp-link, etc. In my case I do have access to it. But I understand now, and probably with the example of forwarding now I’ll be able to set it up under double NAT later on.
Good shout with the default ports article, I hadn’t seen it before. Just a humble thought here, perhaps documentation could have a centralized index page with all the topics divided into categories, and an internal automation tool for you guys that adds a page to that index every time a new functionality is implemented. Like a more simple version of that https://docs.unity3d.com/2019.3/Documentation/Manual/
2. Oh these two articles. They took me a while to understand what was I doing wrong. First I was trying to use the nx_client_key I made with the nx keygen as a private key on the client’s connection (instead of password), whereas this should be the private key generated in putty or alike.
3. Alright, got it now. Indeed, quite a few advanced functionalities there. But well, I eventually plan to get to a federated system, so I guess I’d better learn that by heart (sure, by then I would have purchased the enterprise version.
4. Great, so now I see another mistake I was doing. I wasn’t setting external port to the low range port like 4000, but rather to the high range port number I wanted the server to be.
Example, if the server’s connection would be 179.xxx.xx.xxx on port 24244 (which I defined in server.cfg), I was wrongly setting External port to be 24244 in the port forwarding, which probably caused some weird issues, and prevented me from connecting. Then in the firewall I was trying to set exceptions to port 4000 and 23456, and now I see I only need for 4000.
Thanks again, really helpful breakdown.
This topic was marked as solved, you can't post.