A problem same ntop users how to face with, is the ability to remote access a ntopng instance running behind a firewall. This can be solved using a VPN or other means that often require to deploy an additional network service. Some of our ntop users are familiar with n2n, an open source peer-to-peer VPN ntop developed and maintains. With n2n in essence is possible to create a network overlay that allows you to access your assets in a secure way, this regardless of your network configuration. For this reason we have merged n2n in ntopng, to enable you to remote connect to your ntopng instances. The idea is not to create a permanent access (thing you can do when you setup n2n), but rather to enable temporary ntopng access for troubleshooting and support.
When remote assistance is enabled, the local host where ntopng runs will create a virtual adapter with IP address 192.168.166.1, it will register with then n2n supernode (daemon that enables communications between two peers behind a NAT: conceptually it is like a router but it is unable to decrypt packets, but just to deliver them to peers), and it will provide a script used to run on a remote end for allowing administrators to connect to the ntopng instance. Both peers can be (or even just ntopng) behind a NAT, and n2n will take care of the communications, this regardless of the local IP address of the remote user willing to access itself, and ntopng itself. When you install a recent ntopng development package (the next stable release will include it), you will notice a new menu entry
that will allow you to configure it.
Using a simple user interface you will be able to enable ntopng access from remote in a matter of clicks. Once remote assistance is enabled, you will be able to download a connection script that you need to send to those who want to remote connect to this ntopng instance. The script requires n2n to be installed, and it connects to the remote ntopng instance as depicted above in this post. ntop provides a public supernode that everyone can use, but in the preferences you can configure your supernode for implementing a fully remote access not using external nodes.
Please note that:
- ntop does NOT have access to you remote instances, only you.
- ntop is NOT responsible for security violations, intruders etc. Make sure you understand the risks of allowing remote access.
- By providing remote assistance, you allow remote users to access the host where ntopng is running (i.e. you can copy files etc) and not just the ntopng web interface.
- Enabling remote assistance you enable external users to bypass firewall, NAT etc. so make sure you network policies allow you to do that.
- You should enable remote access only for the time you need to troubleshoot your remote instance. By default, noting will disable remote access after 24 hours, this to prevent unwanted/permanent remote access. For permanent access, please setup a VPN including n2n.
Happy remote troubleshooting!