"Back To My Mac" Feature - VPN Functionality?
Junior Member
Join Date: Sep 2000
Location: Madison, CT
Status: Offline
Oct 21, 2007, 11:56 AM
 
Does anyone have additional information on the "Back To My Mac" feature within Leopard and .Mac? Will it function as a true VPN service if I am on the road? Is it configurable to use the secure connection to my home computer as the gateway for internet browsing?
Any info beyond the apple movie appreciated.
Thanks
     
Mac Elite
Join Date: Jun 2003
Location: Newport News, VA USA
Status: Offline
Oct 21, 2007, 12:00 PM
 
No one really knows as it is not out yet. Those who may know are under NDA. Maybe ask again in a week or so.
     
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Oct 21, 2007, 12:20 PM
 
I doubt it will be a VPN... more like FolderShare (which is secured with 256-bit AES), except it costs money.

Actually, using the on-demand syncing in FolderShare, you could just share your users folder and mostly achieve the same thing.
     
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Oct 21, 2007, 01:25 PM
 
If you're worried about security on the road, use ssh to log in to your home Mac. Close all router ports except 22. Tunnel all your other traffic (like AFP, VNC, etc.) through ssh and you'll be fine.
     
Baninated
Join Date: Oct 2002
Location: In yer threads
Status: Offline
Oct 21, 2007, 01:38 PM
 
Does that work on both gravel and concrete roads?
     
Professional Poster
Join Date: May 2007
Status: Offline
Oct 21, 2007, 02:48 PM
 
Umm... what about dirt roads? Dirt roads aren't legacy yet, are they? Or did Leopard leave them in the dust, too?
Unibody MacBook Pro 2.53 GHz, 24" LED Cinema Display, 8 GB iPod Touch 2G
adamfishercox.com
     
Mac Elite
Join Date: Mar 2001
Location: Minneapolis, MN
Status: Offline
Oct 21, 2007, 03:17 PM
 
My question is if it works to multiple different computers through a NAT router. As it is now, I can only access one computer from outside the router (the one I have my router forward the ports to). This would be tremendously useful if it can route itself to any of the computers inside the router's local network (like the way iChat AV chats can). A VPN would be one way to accomplish this but I doubt Apple would implement something that complex in the OS.
     
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Oct 21, 2007, 05:33 PM
 
Originally Posted by awaspaas
My question is if it works to multiple different computers through a NAT router. As it is now, I can only access one computer from outside the router (the one I have my router forward the ports to). This would be tremendously useful if it can route itself to any of the computers inside the router's local network (like the way iChat AV chats can). A VPN would be one way to accomplish this but I doubt Apple would implement something that complex in the OS.
You can do more with a little port forwarding; have some other port incoming (like 8022) forward to the same port (22 or whatever) on another machine.

But when you have software on the target computer talking to a server on the internet (.Mac or Foldershare), that's no longer a problem.
     
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Oct 21, 2007, 11:38 PM
 
Originally Posted by awaspaas
My question is if it works to multiple different computers through a NAT router. As it is now, I can only access one computer from outside the router (the one I have my router forward the ports to). This would be tremendously useful if it can route itself to any of the computers inside the router's local network (like the way iChat AV chats can). A VPN would be one way to accomplish this but I doubt Apple would implement something that complex in the OS.
Another thing ssh does easily. Set up a "LocalForward" on your machine. Then log in to the one machine your router forwards port 22 to. Since that machine is on your home LAN it will be able to forward connections to any other computer on your home LAN. A single line in your ~/.ssh/config is enough to then route connections to any computer on your home network even if your router only allows port 22 connections to a single machine. Needless to say that's also the most secure way to set stuff up.
     
Mac Elite
Join Date: Mar 2001
Location: Minneapolis, MN
Status: Offline
Oct 22, 2007, 06:51 PM
 
Originally Posted by Simon
Another thing ssh does easily. Set up a "LocalForward" on your machine. Then log in to the one machine your router forwards port 22 to. Since that machine is on your home LAN it will be able to forward connections to any other computer on your home LAN. A single line in your ~/.ssh/config is enough to then route connections to any computer on your home network even if your router only allows port 22 connections to a single machine. Needless to say that's also the most secure way to set stuff up.
Sorry, that is NOT an elegant solution, especially if one just wants a list of computers to manage in Remote Desktop and doesn't want to start an ssh connection in the terminal every time. No way.
     
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Oct 23, 2007, 02:38 AM
 
Originally Posted by awaspaas
Sorry, that is NOT an elegant solution, especially if one just wants a list of computers to manage in Remote Desktop and doesn't want to start an ssh connection in the terminal every time. No way.
Obviously you don't know how this works. LocalForwards are not the same thing as ssh tunnels (ssh -L). Are you sure you know what you're talking about here?

You enter the remote machines into your ~/.ssh/config file once. You open up one single ssh connection. You then log onto as many remote Macs as you want using the normal ARD/VNC method. If anything, it's a very elegant way to get all the flexibility while maintaining a high level of security through strong encryption as well as closing router and client ports.
(Last edited by Simon; Oct 23, 2007 at 03:00 AM. )
     
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Oct 23, 2007, 03:12 AM
 
On second thought, rather than discussing what it does and does not require I'll just make a simple example.

Your Mac at work is Mac1. Your router at home has only one open port: 22. It forwards that to port 22 of Mac2. The other Macs on your home LAN are Mac3-Mac9.

On Mac1 you enter the following into ~/.ssh/config:

Host Mac2
User yourName
Hostname Mac1_dyndns_name.dyndns.org
LocalForward 5902 Mac2.local:5900
LocalForward 5903 Mac3.local:5900
# ... (same pattern for the Macs in between)
LocalForward 5909 Mac9.local:5900

5900 is the VNC port. Of course this works for other services if you use the according port number.

At work all you then have to do is open one single ssh connection:

ssh Mac2

And then you'll be able to connect to all your Macs at home as long as you use the right port. So for example to log onto Mac7 you just enter localhost:5907 into VNC. At the same time you can open other VNC connections to other Macs. All over just one ssh connection and to one open port on your router. It's that simple.
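
An added example, not part of the original post: a shell sketch that generates the Host block described above with every forward bound explicitly to 127.0.0.1, and audits an existing ssh config for forwards that would listen beyond loopback. The hostname home.example.org and the function names are assumptions; the audit handles whitespace-separated `Keyword value` lines only.

```shell
#!/bin/sh
# Added example, not from the thread. Layout follows the post: Mac2 is the SSH
# entry point and MacN.local serves VNC on 5900. home.example.org is a placeholder.

# Emit a Host block whose forwards listen on loopback only.
gen_forward_block() {  # usage: gen_forward_block ALIAS HOSTNAME USER FIRST LAST
    printf 'Host %s\n    HostName %s\n    User %s\n' "$1" "$2" "$3"
    printf '    ExitOnForwardFailure yes\n'  # abort if a local port is already taken
    n=$4
    while [ "$n" -le "$5" ]; do
        printf '    LocalForward 127.0.0.1:%d Mac%d.local:5900\n' "$((5900 + n))" "$n"
        n=$((n + 1))
    done
}

# Print config lines that would expose a forwarded port beyond loopback.
# Exit status 0 means clean, 1 means at least one line was flagged.
audit_forwards() {  # usage: audit_forwards FILE
    awk '
        { key = tolower($1) }
        # GatewayPorts yes makes bare-port forwards listen on all interfaces.
        key == "gatewayports" && tolower($2) != "no" { print NR ": " $0; bad = 1 }
        key == "localforward" && $2 ~ /:/ {
            host = $2
            sub(/:[0-9]+$/, "", host)   # strip the port, keep the bind address
            if (host != "127.0.0.1" && host != "localhost" && host != "[::1]") {
                print NR ": " $0; bad = 1   # "*", empty or a LAN address
            }
        }
        END { exit bad }
    ' "$1"
}

gen_forward_block Mac2 home.example.org yourName 2 9
```

A forward written with a bare port, as in the post, follows the client's GatewayPorts setting, which is why the audit flags that option as well as wildcard bind addresses.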
     
Mac Elite
Join Date: Mar 2001
Location: Minneapolis, MN
Status: Offline
Oct 23, 2007, 10:29 PM
 
Hey, that is pretty simple. Cool! Is this only TCP? I believe remote desktop needs two UDP ports too.
     
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Oct 24, 2007, 03:32 AM
 
Ever since ARD v2 they switched to TCP ports (better reliability). The current ARD version uses TCP ports 3283, 5900 and 5988. I think ARD 3 can still use UDP port 3283, but it doesn't require it AFAIK.
     
Professional Poster
Join Date: Mar 2002
Location: Smallish town in Ohio
Status: Offline
Oct 24, 2007, 04:56 AM
 
My computer in my dorm room is behind the big university firewall, and it's impossible to connect to it from off campus. I wonder if Back to My Mac will have some sort of VPN functionality so that I can actually connect to my dorm Mac even though it's behind a corporate firewall?

This is what a dude on TUAW said about this:
I can't believe that only one person has hit on the key point here: as most of the western world sits behind NAT and firewalls and a vast proportion of Mac users aren't hugely technically savvy, this is RDC + tunnelling without having to configure either your router, firewall, or manage DynDNS.

If Apple's been smart about it, a Mac that's enabled for this will maintain an outbound connection to .Mac which will be then used to tunnel the traffic back the way (in other words, provided your Mac can open an OUTBOUND connection to .Mac on the right port, you'll be able to access it from anywhere). Of course, I've not seen or tried this feature yet, and Apple may not have gone down this route—but given the proliferation of badly-behaved, awkward and downright painful networking kit and configurations out there, it's really the only way to accomplish it reliably.

So yes, you could do this yourself. You could even employ reverse-tunnelling through some SSH magic and a shell script. Most people (even a lot of Mac gurus) wouldn't know where to start, though, but would be happy to pay for it if it means they don't have to drive over to $familymember's house, or gets them access to their iMac when they're at work.

Basically, it turns .Mac into “remote access to your Mac, plus some disk space, a mailbox, and syncing stuff”—companies sell remote access solutions like this on their own, and often more expensively.
Granted it's speculation, but I hope this is the case.
     
   