
Friday, December 16, 2005


VPN software to end all VPN software

Well, somebody has come up with something that I have to say is incredibly cool. It also seems to render all other VPN software obsolete. It is called Hamachi, and to sum it up it is free, fully encrypted, peer-to-peer VPN software that can create a connection between two computers even when both sit behind NAT with no ports forwarded.

The encryption is public/private key, and the peer-to-peer aspect means that no server relays your data (computers on a Hamachi VPN send data directly to each other); a server is involved only to set the connection up. It gets past NAT by using UDP and a mediation server, the technique usually called UDP hole punching. The idea as I understand it is that the client sends bootstrap UDP packets to the mediation server, which makes the NAT router allocate an outbound mapping, a public port on which it expects UDP replies. The mediation server sees the public address and port the first computer's packets arrive from and reports that endpoint to the second computer, which can then send data directly to it. Repeat in the other direction, with both sides sending at roughly the same time so that each router has already seen outbound traffic to the other peer when the inbound packets arrive, and you can get through most consumer NAT routers and many firewalls. The catch is that this only works when the router reuses the same public port regardless of destination; a NAT that allocates a fresh port for every destination (a symmetric NAT, common on corporate gateways) hands the mediator a port that is useless to the peer, and the only fallback is relaying through a server. The program then encapsulates the original TCP packets inside UDP datagrams. There is no need for a TCP transport layer on the outside: if a datagram is lost or mangled, the inner TCP stream performs its usual retransmission, and stacking a second reliable layer underneath it would only make both layers retransmit (the TCP-over-TCP problem). The endpoint computers think they are using TCP, so to them it behaves exactly like TCP. Of course you can also encapsulate UDP packets; that is even simpler.
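To make the rendezvous-and-punch exchange concrete, here is a small Python model of it. This is an added example, not code from the original post and not Hamachi's own implementation (which is closed source); it is the textbook technique the paragraph describes. The NAT behaviour names follow RFC 4787, all addresses are constructed, and the filter is the strict "only admit inbound from endpoints the inside host already sent to" rule, which is exactly the stateful behaviour a firewall applies. Running it shows why the first punch is dropped, why both sides have to send, and why a NAT that picks a fresh port per destination defeats the trick entirely.

```python
"""Model of UDP hole punching through a mediation (rendezvous) server.

Two hosts, each behind its own NAT, learn each other's public UDP endpoint
from a mediator and then send to it directly. NAT terms follow RFC 4787:
mapping is "independent" (one public port per inside socket, reused for every
destination; a cone NAT) or "dependent" (a fresh port per destination; a
symmetric NAT). Filtering is address-and-port-dependent: a stateful firewall
that only admits inbound UDP from endpoints the inside host has already sent
to. All addresses are constructed for the example.
"""
import itertools
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: tuple          # (ip, port)
    dst: tuple
    payload: str


@dataclass
class Host:
    name: str
    addr: tuple                     # the socket the host itself binds
    nat: "Nat | None" = None        # filled in when the host sits behind a NAT
    inbox: list = field(default_factory=list)


class Nat:
    """One inside host, one public IP, port-restricted stateful filtering."""

    def __init__(self, public_ip, inside, mapping="independent"):
        assert mapping in ("independent", "dependent")
        self.public_ip, self.inside, self.mapping = public_ip, inside, mapping
        self.ports = itertools.count(40000)
        self.mappings = {}      # mapping key -> public port
        self.allowed = {}       # public port -> remote endpoints admitted inbound
        inside.nat = self

    def egress(self, pkt):
        key = pkt.src if self.mapping == "independent" else (pkt.src, pkt.dst)
        if key not in self.mappings:
            self.mappings[key] = next(self.ports)
            self.allowed[self.mappings[key]] = set()
        port = self.mappings[key]
        self.allowed[port].add(pkt.dst)     # outbound traffic opens this remote endpoint
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def ingress(self, pkt):
        allowed = self.allowed.get(pkt.dst[1])
        if allowed is None or pkt.src not in allowed:
            return None                     # unknown mapping or unsolicited sender: drop
        return Packet(pkt.src, self.inside.addr, pkt.payload)


class Internet:
    def __init__(self, public_hosts, nats):
        self.public_hosts = {h.addr[0]: h for h in public_hosts}   # ip -> Host
        self.nats = {n.public_ip: n for n in nats}                 # public ip -> Nat

    def send(self, src, dst, payload):
        """Deliver one datagram; True if it reached a socket, False if a NAT dropped it."""
        pkt = Packet(src.addr, dst, payload)
        if src.nat:
            pkt = src.nat.egress(pkt)
        nat = self.nats.get(pkt.dst[0])
        if nat is None:
            self.public_hosts[pkt.dst[0]].inbox.append(pkt)
            return True
        pkt = nat.ingress(pkt)
        if pkt is None:
            return False
        nat.inside.inbox.append(pkt)
        return True


def hole_punch(mapping_a="independent", mapping_b="independent"):
    """Run the rendezvous-and-punch exchange and report which datagrams arrived."""
    mediator = Host("mediator", ("203.0.113.1", 3478))
    a = Host("A", ("192.168.0.10", 5000))
    b = Host("B", ("192.168.0.10", 5000))   # same private IP as A; the NATs differ
    net = Internet([mediator], [Nat("198.51.100.1", a, mapping_a),
                                Nat("198.51.100.2", b, mapping_b)])

    # 1. Both clients register. The outbound datagram creates a NAT mapping and the
    #    mediator records the public endpoint the packet arrived from.
    net.send(a, mediator.addr, "register A")
    net.send(b, mediator.addr, "register B")
    public = {p.payload.split()[1]: p.src for p in mediator.inbox}

    # 2. The mediator hands each side the other's public endpoint and both punch.
    #    A's first datagram reaches B's NAT before B has sent to A, so the stateful
    #    filter drops it. B's datagram is admitted because A has already sent to B.
    #    A's retry then gets through because B has now sent to A.
    return {
        "a_first": net.send(a, public["B"], "punch"),
        "b": net.send(b, public["A"], "punch"),
        "a_retry": net.send(a, public["B"], "punch"),
    }
```

With two cone NATs the result is `a_first` dropped, `b` delivered, `a_retry` delivered, which is why real clients keep resending the punch until they hear back. With a symmetric NAT on either side nothing gets through, because the port the mediator saw is bound to the mediator as destination and the peer's packets hit a mapping that was never opened for them.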

Now, that is certainly the coolest part of the software, how it can create a connection between two computers with no open ports. But there are other cool things. For one thing, when you set up a computer with Hamachi you get a permanent IP on the 5.x.x.x network. Technically they are internet IPs, but they have never been assigned, and probably never will be (I think IANA owns them). So effectively they collide with neither internet addresses nor typical LAN addresses, and every computer using Hamachi has its own permanent Hamachi IP. One caveat worth knowing: unallocated is not the same as reserved for private use. The RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are guaranteed never to be routed on the public internet, whereas 5.0.0.0/8 is merely not handed out yet; if IANA ever assigns it to a registry, real hosts will appear at addresses that Hamachi clients are already using, and traffic to them becomes ambiguous.

Another cool thing is that even though everybody has "public" IPs on the Hamachi network, communication is totally private and solicited, because you create LANs involving specific computers on Hamachi. You add a bunch of computers to a LAN and then they only send data to each other, ignoring all data from computers outside it.

Also? Full public/private key encryption, with the public key being required to join a LAN.

And they made it dead simple, with almost no setup required. Heck, it even has an instant messenger like function that lists the computers on the various LANs you are part of, along with their online/offline status. Here's a great screenshot:

And get this: IT IS CROSS PLATFORM!! There are current Windows and Linux clients out, and a Mac OS X client is coming as soon as the Windows and Linux clients exit beta (They are apparently in very late almost-done beta).

I just can't get over how cool this is. I mean, I know that only people from NITI read this blog, but damn, why use TunnelVision when you've got Hamachi?

The guy apparently intends to introduce a shareware version that adds professional-level features a business might require, such as running the software as a service. The core functionality, though, what I've described above, is free, and most people won't want it running as a service anyway.

Seriously, check it out, this is the coolest VPN software I've ever seen: http://www.hamachi.cc.

Also the guy is in Vancouver.

EDIT: Oh, and another cool thing: when you run the software it behaves like a network card. It creates a virtual NIC in Windows, so Windows apps have no way of knowing that they are not on a LAN. It even shows up in Network Connections, though I guess under Linux it just shows up in ifconfig. Of course it is a NIC that only supports TCP/IP. No IPX.

EDIT2: Actually, it DOES work with IPX. My bad.

The firewalls must be pretty weak if they allow UDP packets from the peer's address sent to the originator's port number. Only the mediator should be allowed to respond. Isn't the purpose of stateful firewalls to deflect such attempts?
"Binary only code is so eighties". Jon "maddog" Hall.
P2P-friendly routers (virtually all these days) allow such things, it would seem. Perhaps I was too enthusiastic in extending that to firewalls. I would imagine that some firewalls would allow this, but it is certainly possible to block it easily.

I'm also probably vastly oversimplifying what Hamachi is actually doing. It still solves the problem of direct communication between two NATted computers, anyhow.

Binary-only code is unavoidable to sustain most business models. I'd love to see an open-source version of Hamachi without the limitations that require the Premium version (such as the 16-client-per-network limit), but then the program would not be nearly as user-friendly.

As an unrelated comment, the Google word verification for this post is "catsmp". I find the concept of a cat supporting SMP quite amusing.
Does Hamachi transmit broadcasts over its VPN path? Most, if not all, VPNs don't. Broadcasts are important for SMB browsing and LAN game server advertisements.
Yes, it handles UDP broadcasts without trouble. SMB works fine, and I was able to mount an ISO off somebody else's share. Horrendously slow, though, mounting a CD over the internet ;)

The author seems to have taken special care to ensure games work, and gaming is currently the primary use of Hamachi (gamers make good beta testers, I guess, due to the application). The only games that have issues are Counter-Strike and other HL1/HL2-based games. This is because the game requires that IPs in LAN games be on the same class-C subnet, while other games don't care. So there is a kludge in place in the beta of Hamachi 1.0 that allows aliasing people to another IP to trick CS.

I played a game of Warhammer 40000: Dawn of War over Hamachi the other day. It worked wonderfully. I joined the Hamachi network, launched the game, saw the person's game under the LAN section, joined it, and played. It felt like I imagine playing the game over the internet might. Hamachi doesn't really have any impact on latency since it is peer to peer, and the UDP overhead didn't seem to affect performance.