Printing through SSH or VPN?

I've got an Epson R340 printer hooked up to my home PC running XP Pro, and want to be able to print to it remotely from my work laptop.

The laptop is connected to the same physical network at home, but all network traffic is directed through a VPN to my work's network. I have SSH set up and can tunnel through the VPN to remote control and file transfer the home PC; however, I cannot find any way of printing via this route.

Does anyone know whether it is possible? Any help/assistance gratefully received.

Thanks :)
 
Why SSH tunnel to a PC on the same network? You should be able to add a route to your OS's routing table, telling the OS that all network packets for <The ip of your printer PC> should use the local network interface and not the virtual VPN interface.

On Windows, it's the 'route' command; on Linux, try 'ip route'.

For example, your routing table ('route print' on windows 'ip route list' on linux) will probably have:

A route for your local network interface: (example)
192.168.0.0 255.255.255.0 via <IP of Router>
.. A route to allow the VPN to maintain connection after it modifies the default gateway
<ip of your works VPN entry server> via <IP of your router>
.. And then a default route, telling all other traffic to go through the works VPN
Default via <ip of your VPN gateway>

You should be able to use the route command to add a route for your local network subnet, via your local network interface.

Will give you a hand if need be.

If you don't want to go down that route.. share your printer on your WinXP box (which I'm guessing you are already doing) and then SSH tunnel port 445 (the port Windows file and printer sharing uses; the protocol is actually called CIFS) to the WinXP box

and then typing //127.0.0.1/ in the run box should show the shares (including the printer) of the WinXP box you are connecting into.
If //127.0.0.1 shows you your local shares, try //127.0.0.2
If this still doesn't work you will have to disable file and print server on your laptop so that the CIFS port isn't being used locally and the tunnel will then be able to redirect the port.
(this is a much hackier solution than the routing, as you can probably tell)

Hope this helps
 
Firstly, thanks for the help so far, but having looked at a few web pages which supposedly explain routing, and the "/?" help for the route command I think I'm going to need a bit more help.

I've not tried the SSH option yet, as it would be better to keep the network traffic local if possible rather than sending it via our (slow) corporate network.

I've done a route print before and after connecting to the VPN and this is what I get:

Before

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0b db dc 1d 1b ...... Broadcom 570x Gigabit Integrated Controller - Pa
cket Scheduler Miniport
0x3 ...44 45 53 54 42 00 ...... Nortel IPSECSHM Adapter - Packet Scheduler Minip
ort
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.73 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.73 192.168.1.73 20
192.168.1.73 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.73 192.168.1.73 20
224.0.0.0 240.0.0.0 192.168.1.73 192.168.1.73 20
255.255.255.255 255.255.255.255 192.168.1.73 192.168.1.73 1
255.255.255.255 255.255.255.255 192.168.1.73 3 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None


After

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0b db dc 1d 1b ...... Broadcom 570x Gigabit Integrated Controller - Pa
cket Scheduler Miniport
0x3 ...44 45 53 54 42 00 ...... Nortel IPSECSHM Adapter - Packet Scheduler Minip
ort
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 153.65.245.248 153.65.245.248 1
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.73 2
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
153.65.16.12 255.255.255.255 192.168.1.254 192.168.1.73 1
153.65.244.0 255.255.252.0 153.65.245.248 153.65.245.248 30
153.65.245.248 255.255.255.255 127.0.0.1 127.0.0.1 30
153.65.255.255 255.255.255.255 153.65.245.248 153.65.245.248 30
192.168.1.0 255.255.255.0 192.168.1.73 192.168.1.73 20
192.168.1.0 255.255.255.0 153.65.245.248 153.65.245.248 1
192.168.1.73 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.73 192.168.1.73 20
224.0.0.0 240.0.0.0 192.168.1.73 192.168.1.73 20
224.0.0.0 240.0.0.0 153.65.245.248 153.65.245.248 1
255.255.255.255 255.255.255.255 153.65.245.248 153.65.245.248 1
255.255.255.255 255.255.255.255 192.168.1.73 192.168.1.73 1
Default Gateway: 153.65.245.248
===========================================================================
Persistent Routes:
None

The IP address for the laptop which I want to print from is 192.168.1.73 and the IP address for the home PC which has the printer connected is 192.168.1.10.

What will I need to do to direct the traffic from the laptop to the home PC in the way you suggest?

Thanks :)
 
Hi,

The routing table isn't looked at unless the machine doesn't know where to send packets - therefore if you are directly connected to the home network then the packets will use the locally attached network, as it should have ARP entries for all local subnet connected boxes. The problem is which way round are you VPN'd - you will either be local to your home network or your work network

Q: Are you at home VPN'd into work and want to use a local printer OR are you at work VPN'd into your home network?
 
From the setup, he looks like he is at home VPN'ed into work, wanting to use his local printer, and after explaining his problems, it sounded like connecting to his VPN was removing local routes (except route to VPN server via local GW) and changing the default route to the VPN interface.

However, you are right jimjamuk. This route:
192.168.1.0 255.255.255.0 192.168.1.73 192.168.1.73 20
Shows that your routing table should still know about your local network even when the VPN is up.
Can you 'ping 192.168.1.10' from the command line (start > run > cmd)?
 
cool - if he is at home VPN'd into work then effectively he is local to work and won't be able to access the printer, as the VPN client is tunneling all packets through to the office. To use the local network he would need to implement split tunneling on the VPN - this allows packets to the local subnet to leave the network card unencrypted; otherwise all the packets are going to appear on the local subnet at work after going down the tunnel
 
I don't think so, as the VPN seems to be a routed VPN not a bridged VPN, and so the local routing table will still apply.. why wouldn't it? After all, all the VPN client does is create a virtual NIC down which you can route packets (and if it didn't, why would the VPN client have bothered putting information in it)

As said before, please try pinging your printer PC.
 
easiest way is to install hamachi on laptop & desktop, this creates a vpn through its simple interface

share the printer on the host pc, add it to the laptop

print away

-no config needed on router(s), it just works, and has 256bit encryption
 
agree with you both but "work laptop" normally means a nice corporate VPN solution which isn't normally designed to allow remote devices to access their home network along with work resources - hence my split tunnelling comment (although I doubt that a work solution would let you do something like split tunneling unless it was a small company / no-clue IT department)
 
easiest way is to install hamachi on laptop & desktop, this creates a vpn through its simple interface

share the printer on the host pc, add it to the laptop

print away

-no config needed on router(s), it just works, and has 256bit encryption

This would work, but should not be necessary, the printer is on the guy's local LAN, much like the SSH tunnel option, it's a little hacky/OTT.

Guess we can't really know what will / won't work until Selekt0r gets back to us. From the routing table my guess is the local LAN is accessible and it's a server config / firewall issue, tho I'm fully prepared to be wrong ;)
 
Thanks for the suggestions so far guys. Unfortunately, I'm going to have to park this for a couple of days, as I'm now out of the country and will need to wait until I'm back home to test it.

I'm pretty sure that I can't ping the local machine (192.168.1.10) and that all traffic is being directed through the VPN (i.e. I assume no split tunnelling allowed).

I'll resurrect the thread in a few days once I can check and take it further.
 
Right, I'm back...

...and I can confirm that connecting to the work VPN does indeed prevent me from pinging the local machine.

Any ideas about how to proceed?

Thanks. :)
 
I don't think it's possible since the VPN will direct all traffic down the tunnel to work. The only way of doing it would be to get a VPN router and the router establishes the VPN to work.
 
that's what I thought you would have - see if you have the admin rights to enable split tunnelling on the VPN client - I doubt it

If you do - enable it and then define that local addresses do not get encrypted - you might be able to get this to work then

it's a slim chance - like I said, IT departments using VPN remote access won't normally let you connect to work resources and local services at the same time - not secure at all and provides a path for viruses etc to enter.

What vpn software is it?
 
0.0.0.0 0.0.0.0 153.65.245.248 153.65.245.248 1
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.73 2
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
153.65.16.12 255.255.255.255 192.168.1.254 192.168.1.73 1
153.65.244.0 255.255.252.0 153.65.245.248 153.65.245.248 30
153.65.245.248 255.255.255.255 127.0.0.1 127.0.0.1 30
153.65.255.255 255.255.255.255 153.65.245.248 153.65.245.248 30
192.168.1.0 255.255.255.0 192.168.1.73 192.168.1.73 20
192.168.1.0 255.255.255.0 153.65.245.248 153.65.245.248 1 << PROBLEM #1
192.168.1.73 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.73 192.168.1.73 20
224.0.0.0 240.0.0.0 192.168.1.73 192.168.1.73 20
224.0.0.0 240.0.0.0 153.65.245.248 153.65.245.248
255.255.255.255 255.255.255.255 153.65.245.248 153.65.245.248 1
255.255.255.255 255.255.255.255 192.168.1.73 192.168.1.73 1
Default Gateway: 153.65.245.248

These are the parts of your routing table that the VPN client has put in to block local lan access, notice they are a copy of your existing routing entries but with a gateway down the tunnel and a higher priority.
It is very doubtful that they are needed at all for the remote end to work.

When the VPN is up, try the following:
Open command line (start > run > cmd)
type:
route DELETE 192.168.1.0 mask 255.255.255.0

then type:
route print

and you should notice that the line
192.168.1.0 255.255.255.0 153.65.245.248 153.65.245.248 1
has gone from the routing table.

Now try pinging your printer XP box.
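
The route selection described in the post above, as an added example that is not part of the thread: it parses the unicast rows of the thread's "After" table and applies longest-prefix, then lowest-metric selection to show which gateway traffic for 192.168.1.10 uses and which prefixes the VPN adapter duplicates at a lower metric. Function names are illustrative.

```python
import ipaddress

# Unicast rows from the "After" (VPN up) route print output in the thread;
# multicast and broadcast rows are left out to keep the sample short.
AFTER = """\
0.0.0.0 0.0.0.0 153.65.245.248 153.65.245.248 1
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.73 2
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
153.65.16.12 255.255.255.255 192.168.1.254 192.168.1.73 1
153.65.244.0 255.255.252.0 153.65.245.248 153.65.245.248 30
153.65.245.248 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.1.0 255.255.255.0 192.168.1.73 192.168.1.73 20
192.168.1.0 255.255.255.0 153.65.245.248 153.65.245.248 1
192.168.1.73 255.255.255.255 127.0.0.1 127.0.0.1 20
"""
VPN_GW = "153.65.245.248"  # gateway of the VPN adapter in that output


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, wrapped lines
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            routes.append((net, parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue  # not a route row
    return routes


def select_route(routes, dst):
    """Longest matching prefix wins; a tie goes to the lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[3]), default=None)


def vpn_overrides(routes, vpn_gw):
    """Prefixes the VPN gateway duplicates at a lower metric than another route."""
    return sorted({str(a[0]) for a in routes for b in routes
                   if a[1] == vpn_gw and b[1] != vpn_gw
                   and a[0] == b[0] and a[3] < b[3]})


if __name__ == "__main__":
    table = parse_routes(AFTER)
    print("192.168.1.10 leaves via", select_route(table, "192.168.1.10")[1])
    print("prefixes overridden by the VPN:", vpn_overrides(table, VPN_GW))
```

Running the same check against a table captured after a routing change shows whether the local /24 entry with metric 20 has become the winning route.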
 