Virtual Private Networks, or VPNs, are the safest way to connect computers or computer networks over the internet. Once a VPN connection is established, the systems on either side of the VPN tunnel exchange data that has been wrapped in encryption. This prevents evildoers from accessing the data while it’s in transit.
Unfortunately, while VPNs are an extremely secure way to connect computers, configuring the VPN connection often borders on rocket science. The routing, IP protocols, and assortment of encryption options often keep even advanced computer users needlessly spinning their wheels for days. In many cases, people simply give up on the concept of security and fall back to more conventional and much less secure means of transferring data.
In a previous post on this site, I detailed how to configure the VPN service built into OS X Server. The article explained how to configure the VPN server so that remote clients (telecommuters or portable computer users) could access a secure LAN over the internet using a VPN client. And while the story was very well received, it became obvious that I wasn’t the only one stumbling to get a VPN server working correctly.
A conventional VPN connects a remote user to a secure network, be it home or corporate. Once the VPN connection is in place, all data between the remote client and the VPN server is wrapped in a tunnel of encryption. It’s impervious to anyone trying to eavesdrop as the data is transmitted over the internet. This is what makes it a virtual private network. The VPN allows the remote user access to all of the network resources of the home or corporate network as if the remote user were plugged into a network port right on the LAN.
Several problems plague people trying to set up a VPN server. First, firewall rules must be set to allow communication between the remote user and the VPN server. This is very often much easier said than done. Next, there is the unyielding configuration of the VPN server and its clients. Additionally, the remote user can be at the mercy of NAT issues and the access controls set by the network providers at the remote user’s location. In short, there are a lot of things that can go wrong.
All of these issues left me thinking that there must be another way. And, it turns out that there is. Hamachi was designed to resolve nearly all of these issues.
What is Hamachi?
Simply put, Hamachi is a peer to peer software VPN solution. It is very easy to install, easy to configure, and just as secure as a conventional VPN. As far as its functionality, it really only differs from a conventional VPN connection in one simple way. A typical VPN connection allows a remote user access to an entire network using the VPN server as a secure gateway to the network and its resources. Instead, Hamachi establishes a point to point VPN tunnel connecting two (or more) computers. The two computers then have full communication with each other via the tunnel, but neither acts as a gateway to the LAN on either side of the connection. The VPN tunnel is considered to be peer to peer.
What makes Hamachi so revolutionary is that it is extremely easy to install, configure, and use. Hamachi is a product of Applied Networking Inc. of Vancouver, Canada. The goal was to create a secure VPN solution that used time-tested, industrial-grade encryption and was still easy enough for anyone to use.
Hamachi’s early releases supported only Windows XP and Linux. But even from the beginning, the developer intended a version for the Mac OS. It took some time, but a beta version is finally available for OS X. Unfortunately, the current version of Hamachi for Mac is run from the command line and is not very easy to use. This was a big problem until a creative and unnamed mind over at hamachix.com took it upon himself to write a GUI for the Hamachi software. With the graphical interface, Hamachi finally became accessible to the average Mac user.
Installing and using Hamachi
To install Hamachi, just copy the application from the disk image to the Applications directory on the hard drive. Upon first launch, HamachiX will check to see if the command-line resources it relies upon are installed. If they are not, HamachiX will install them.
In order to use Hamachi, the computer must be a member of a virtual Hamachi network. Users can either join an existing network or create a new one at any time. Since Hamachi networks are virtual, the network has no physical presence. The networks exist only within Hamachi and are a means to separate users into secure groups.
To create a network, simply click the Add button in the HamachiX toolbar. A case sensitive network name must be assigned to the network. The same goes for a password. Since this is all of the information other users will need in order to join the virtual network, it is important to choose a strong network password. It might be more appropriate to think of the network password as a pass-phrase because a phrase is typically much more difficult to guess or crack. The longer the word or phrase, the better. It should be entered in mixed capitalization and include numbers, letters, and special characters. And, it goes without saying that any password found in the dictionary is out of the question. Finally, select the option to Create a Network.
Once the network is created, HamachiX automatically adds the client to that network. Other users, or computers, will want to join the existing network. To do this, simply click the Add button and enter the network’s name and password (or phrase) exactly. Both are case sensitive. Then select the option to join a network.
Once more than one client is a member of the network, the network members will be listed under the Peers tab when the network name is selected. If a computer is signed onto the network, a green light will appear beside the computer’s name and IP address. Hamachi offers a great deal of flexibility in that computers can be members of more than one network at the same time.
The list of Hamachi peers shows who is active on the network at any given time. If the remote computer has a green light beside it, it’s an active member of the VPN. Just right-click on the computer in the peer list and select a connection option from the contextual list of choices. This list makes it easy to open up a file share or FTP connection with the remote computer, provided they have the necessary services enabled.
Keep in mind that users are not limited to the 3 connection options shown in the contextual menu. More can be added, and any networking that can be negotiated between two computers can also be done over a Hamachi connection.
Additionally, according to the Hamachi web site, Apple’s Bonjour protocol is also supposed to work over Hamachi. This is interesting because Bonjour is designed to only broadcast over the computer’s local subnet. In theory, this would allow people to share their music with friends, or listen to their home music collection from work. Unfortunately, in my tests, I have been unable to get iTunes music sharing to work. At this point, I’m not sure if there is a bug, or I’m doing something wrong. As I understand it, Bonjour should just work once the Hamachi network is in place. With luck, this is a bug and it will be resolved in an update release.
Hamachi really is a great VPN solution for the rest of us. Once the software is installed on each computer, the encryption and security become transparent to the user. And while other VPN solutions often have difficulty traversing NAT enabled networks, Hamachi makes short work of these typical trials and tribulations associated with Virtual Private Networks.
Since both Hamachi and HamachiX are still in an active beta stage, it’s wise to keep an eye out for updates. For more information on how Hamachi works behind the scenes, be sure to check out the support forums. The developers at Applied Networking Inc. have been extremely forthcoming regarding the security protocols used in Hamachi. And, for a security expert’s take on Hamachi, check out the Security Now! podcast #18. Steve Gibson does a great job of explaining how Hamachi works and why it’s an extremely secure and functional VPN solution.
Update: 6/29/06 7:55am
One of my primary goals in this story was to explain why Hamachi really is a great alternative. Anyone who has tried to set up their own VPN server will appreciate the ease of use. But for the rest of us, it is just a great solution for doing a few things that we haven’t been able to do before. To that end, my second goal was to share iTunes and iPhoto libraries outside of the local network.
I made mention of this only briefly in my original post. Since Hamachi’s VPN network joins computers as if the VPN is a separate local area network, it should be possible to share iTunes music using iTunes’ built-in sharing feature (which uses the zero configuration Bonjour protocol). While I knew this should work as soon as Hamachi was installed, for some reason I simply couldn’t see other users’ music. Last week I couldn’t see a remote shared music library. Last night I still had no luck. This morning, when I sat down at my computer, I could see several remote music shares!
Why did Hamachi start working? I’m still not sure. My MacBook has 10.4.7 freshly installed, but my tower still has 10.4.6. I’m still running the same version of Hamachi on all of the machines. It’s just a mystery.
I invite everyone to leave comments below. Is Hamachi letting you share iTunes and iPhoto libraries over Bonjour or is this hit and miss for everyone? As of right now, I can play remotely hosted music with no noticeable delay. Yet another reason to fall in love with Hamachi!
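Bonjour is link-local multicast, so the question raised earlier (and revisited in this update) is whether that multicast traffic actually goes out over the Hamachi adapter. The following diagnostic is an added example, not code from the original post or from Hamachi/HamachiX: it sends a one-shot mDNS PTR query for the iTunes sharing service type out of a chosen interface and lists the shared-library names that answer. The service type name `_daap._tcp.local`, the use of the QU bit to request unicast replies, and the `probe(iface_ip)` helper are my assumptions, not anything the post states.

```python
import socket
import struct
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
DAAP_SERVICE = "_daap._tcp.local"  # service type advertised by iTunes sharing (assumed)
def encode_name(name):  # DNS wire format: length-prefixed labels plus a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def build_ptr_query(name=DAAP_SERVICE):
    # Header: id 0, flags 0, one question; QTYPE PTR (12); QCLASS IN with the
    # QU bit set (0x8001) so responders answer by unicast straight to this socket
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 12, 0x8001)
def decode_name(msg, off):
    # Reads a possibly compressed name; returns (name, offset just past the field)
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end if jumped else off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)
def ptr_answers(msg):  # PTR targets (service instance names) found in a response
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, names = 12, []
    for _ in range(qdcount):  # skip any echoed questions
        off = decode_name(msg, off)[1] + 4
    for _ in range(ancount):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 12:
            names.append(decode_name(msg, off)[0])
        off += rdlen
    return names
def probe(iface_ip, timeout=2.0):
    # Sends the query out of the interface owning iface_ip (the Hamachi adapter's address)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    s.settimeout(timeout)
    s.sendto(build_ptr_query(), (MDNS_GROUP, MDNS_PORT))
    found = set()
    try:
        while True:  # collect replies until the timeout elapses
            found.update(ptr_answers(s.recvfrom(4096)[0]))
    except socket.timeout:
        return sorted(found)
```

Run `probe()` with the Hamachi adapter's IP address on one machine while iTunes sharing is enabled on a peer; an empty list means the mDNS traffic is not crossing the tunnel, which is the symptom this update describes.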
Update: 7/13/06 11:03pm
A new version of HamachiX has been released. It includes the latest build of the Hamachi command line components.
Update: 7/14/06 11:40am
With either the update to 10.4.7 or iTunes 6.05, it looks like the Bonjour music sharing has stopped working. Reinstalling tuntap support does appear to resolve the issue.
The Universal Binary tuntap installer can be downloaded here:
Thanks to all who helped resolve this issue! Their comments are listed below.