Hamachi - zero-configuration virtual private networking

Tom Metro blu at vl.com
Mon Dec 19 11:20:35 EST 2005


I heard about this on Steve Gibson's "Security Now!" podcast
(http://www.odeo.com/audio/523556/view):


http://hamachi.cc/

   Hamachi is a zero-configuration virtual private networking
   application with an open security architecture and NAT-to-NAT
   traversal capabilities.


It's a VPN that takes about 5 minutes to set up. Perhaps a decent 
alternative to OpenVPN.


The implementation combines aspects of peer-to-peer networks and remote 
access services like GoToMyPC. Similar to the latter both the client and 
the server make outbound connections to an intermediary server that 
brokers the connection. This allows it to be a quick and simple 
installation that requires no configuration, and doesn't need ports to 
be opened on your firewall.

Unlike GoToMyPC it isn't a remote desktop tool, it's a full VPN.

Another important distinction is that instead of using TCP connections, 
it tunnels the VPN through UDP packets, which they briefly talk about here:
http://hamachi.cc/howitworks

The big deal about this is that, once the connection has been brokered, 
it allows them to set up direct peer-to-peer connections between the 
two end-points, traversing NAT routers on both ends. Compare that to 
GoToMyPC that uses TCP connections: GoToMyPC's servers not only broker 
the connection, but remain in the middle, sort of like a proxy, which 
uses up their bandwidth and is partly why their service carries a 
monthly fee.

They don't explain it, but I believe the reason why this works has to do 
with the firewalling rules typically used for UDP. Because UDP is a 
connectionless protocol, when your computer sends a UDP packet to some 
remote computer, your firewall opens up a window (period of time) in 
which it will accept any UDP packet from that remote computer directed 
at the originating port.

So what Hamachi probably does is have both ends connect to a brokering 
server, have them learn of each other's public IP address and agree on a 
set of ports, then they both start firing UDP packets at each other 
directly, which causes each firewall to open up for packets from the 
other party. (Theories or facts to the contrary are welcome. I'm 
guessing there are other P-to-P tools that use this same technique.)
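The exchange sketched above (both ends register with a broker, learn each other's public endpoint, then fire UDP at each other so each stateful firewall opens for the other side) can be simulated without any network. The following is an added example, not Hamachi's code or protocol: the firewall model follows the post's description (inbound UDP accepted only from a remote host this port recently sent to, for a limited window), and the addresses, ports, window length and timings are constructed values. It also shows the two details the post's theory implies: the very first packet is dropped at the far end because that side has not sent yet, and if the peers' sends are spaced further apart than the firewall's window nothing gets through at all, which is why such tools keep sending.

```python
"""Simulation of the UDP hole-punching exchange described in the post.

Constructed example: the firewall model, broker, addresses and timings are
all assumptions, not Hamachi's actual protocol or code.
"""
from dataclasses import dataclass, field

PINHOLE_WINDOW = 30.0  # assumed seconds a firewall keeps a UDP pinhole open


@dataclass
class Firewall:
    """Address-restricted stateful UDP filter, as the post describes it:
    inbound is accepted only if this host recently sent from the same
    local port to the same remote host, and the window has not expired."""
    name: str
    window: float = PINHOLE_WINDOW
    pinholes: dict = field(default_factory=dict)  # (local_port, remote_ip) -> time of last send
    log: list = field(default_factory=list)

    def outbound(self, local_port, remote_ip, remote_port, now):
        self.pinholes[(local_port, remote_ip)] = now
        self.log.append(f"{now:6.1f} {self.name}: OUT :{local_port} -> {remote_ip}:{remote_port}")

    def inbound(self, local_port, remote_ip, remote_port, now):
        opened = self.pinholes.get((local_port, remote_ip))
        accepted = opened is not None and now - opened <= self.window
        self.log.append(f"{now:6.1f} {self.name}: IN  {remote_ip}:{remote_port} -> :{local_port} "
                        + ("ACCEPT" if accepted else "DROP"))
        return accepted


@dataclass
class Peer:
    name: str
    public_ip: str        # address the NAT presents to the Internet (constructed)
    port: int             # mapped UDP port (assumed stable, i.e. a cone-style NAT)
    fw: Firewall
    remote: tuple = None  # (ip, port) of the other peer, learned from the broker
    received: list = field(default_factory=list)


class Broker:
    """Rendezvous server. Each peer sends to it (outbound only, so no
    firewall rule is needed); it records the public endpoint it saw and
    tells each peer the other's. It never relays the tunnel traffic."""
    def __init__(self, ip="203.0.113.1", port=12975):
        self.ip, self.port = ip, port
        self.endpoints = {}

    def register(self, peer, now):
        peer.fw.outbound(peer.port, self.ip, self.port, now)
        self.endpoints[peer.name] = (peer.public_ip, peer.port)

    def introduce(self, a, b):
        a.remote, b.remote = self.endpoints[b.name], self.endpoints[a.name]


def send(internet, src, now, payload):
    """Send one UDP datagram from src to the peer it learned from the broker."""
    dst_ip, dst_port = src.remote
    src.fw.outbound(src.port, dst_ip, dst_port, now)   # opens src's own pinhole
    dst = internet[(dst_ip, dst_port)]
    if dst.fw.inbound(dst.port, src.public_ip, src.port, now):
        dst.received.append(payload)
        return True
    return False


def run_scenario(gap=1.0, window=PINHOLE_WINDOW):
    """Both peers register, learn each other's endpoint, then fire directly.
    Returns the accept/drop verdict of each direct packet, plus both peers."""
    a = Peer("A", "198.51.100.10", 40000, Firewall("fw-A", window))
    b = Peer("B", "192.0.2.20", 40001, Firewall("fw-B", window))
    internet = {(a.public_ip, a.port): a, (b.public_ip, b.port): b}
    broker = Broker()
    broker.register(a, 0.0)
    broker.register(b, 0.0)
    broker.introduce(a, b)
    # 1) A fires first: fw-B has no pinhole for A yet, so this one is dropped,
    #    but A's own firewall is now open to B.
    r1 = send(internet, a, 1.0, "A#1")
    # 2) B fires: A opened its side in step 1, so this passes if still inside the window.
    r2 = send(internet, b, 1.0 + gap, "B#1")
    # 3) A fires again: B's send in step 2 opened fw-B, so this passes too.
    r3 = send(internet, a, 1.0 + 2 * gap, "A#2")
    return [r1, r2, r3], a, b


if __name__ == "__main__":
    verdicts, a, b = run_scenario()
    for line in a.fw.log + b.fw.log:
        print(line)
    print("verdicts:", verdicts, "| A got:", a.received, "| B got:", b.received)
```

Running it with the default one-second spacing prints both firewalls' logs and the verdicts `[False, True, True]`: the first packet is lost, the next two arrive. Calling `run_scenario(gap=60.0)` with the 30-second window gives `[False, False, False]`, the failure mode a real client avoids by repeating its sends until the peer answers.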


The software is available for both Windows 2000/XP (won't install on NT) 
and Linux. I gave it a spin and it is a trivial install. The 
installation process creates a new network interface, and the first time 
you run the app you get assigned a permanently static private IP 
address. It comes with an interactive tutorial that walks you through 
joining a test network.

You can then create your own virtual network by supplying a network name 
and a password, and with those credentials any machine can be joined to 
the network (no need for IP addresses or any other information). Each 
machine can be joined to multiple virtual networks.

Hamachi is under a proprietary commercial license, is closed source, but 
free. Their business model is to charge for premium services, such as a 
version that runs as a Windows service (so the machine stays joined to 
the network even when no one is logged in), or a service that provides 
something similar to the GoToMyPC-style proxying for users with more 
restrictive firewalls. They also plan to make the brokering server 
software available - probably for a fee.

Steve Gibson gave their security architecture his approval, for whatever 
that might be worth.

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
