Wednesday, November 22, 2006

Easy Private Networking with Hamachi

Problem: If you have ever wanted to connect two or more computers together over the Internet, you will have experienced the difficulties of configuring network firewalls and routers. Difficult as this is from within your own home, doing peer-to-peer activities such as file-sharing or gaming between computers when inside someone else's network can be nearly impossible. Not only might you not have privileges to configure their network (i.e., inside a corporate LAN), but the network from which you may have Web-browsing access may have absolutely no accessible IP addresses to the Internet.

Problem: when using a public Internet connection (i.e., from a commercial "hotspot" or hotel access service), your network traffic may be exposed to all the other computers on the network. Any user on that network with readily-available "packet sniffing" software can anonymously and continuously monitor and even record the entire network's traffic - eventually extracting any content sent and received by any users. Unlikely? Probably not as much as you'd think. Anyone predisposed to this kind of malicious "black-hat" hacking activity would certainly fire up the packet sniffer on their laptop whenever they were staying in a hotel with WiFi access - the question is whether one of these people is in your hotel at the time. Ditto any public access point: the neighborhood Starbucks or McDonald's HotSpots are likely targets as well.

Problem: Your home ISP (Internet Service Provider) "blocks ports" for certain services over the Internet. They may do this for a variety of reasons:
  • They wish to limit the amount of bandwidth users use. Bandwidth is a finite commodity, more so for certain kinds of ISP with inherently lower bandwidth limitations (such as wireless- or satellite-based ISPs).
  • They wish to sell users a service which the user could otherwise do free. A common example is VOIP (Voice Over Internet Protocol) services, which allow users to make phone calls over their Internet connection rather than using their telephone carrier. Many ISPs offer their own VOIP service for an additional fee. Because they compete with commercial VOIP services such as Vonage and Skype, some ISPs deliberately prevent their users - who are paying for the Internet bandwidth through the ISP - from using VOIP alternatives, including free computer-to-computer voice chat solutions such as iChat, AIM and Skype. This is the heart of a consumer controversy known as "net neutrality" - and representatives of the U.S. government, ISPs and consumer interest groups are gathering for battle.
    • I've recently encountered filtered ports with ClearWire, a wireless broadband provider. While I don't know their motives, their filtering prevented my remotely controlling my mother-in-law's computer, and prevented her from using voice chat features. ClearWire support would only tell me that those ports were blocked, and that they could not un-block them. ClearWire does sell a VOIP telephony service, so that's definitely suspect. When radio signal propagation issues (brought on by increasing foliage at the end of winter) led to service interruption issues, she gratefully canceled the service.
A solution to both configuration and privacy issues is to utilize a Virtual Private Network, or VPN, tunnel. VPN tunnels have long been used by corporate entities to encrypt sensitive information which has to travel over public networks. In typical practice, a corporate employee would connect from the field over public telephone or, later, broadband Internet connections to the corporate "VPN server" - a service running on a computer which negotiates and encrypts the subsequent private connection. When this encrypted traffic is viewed by a "man in the middle" with network analysis software such as packet sniffers, the traffic appears to be random noise.

Unfortunately, VPN servers require resources that most consumers don't have or want: dedicated IP addresses, 24/7 server machines, and the VPN server software itself.

Solution: Hamachi - To the rescue comes Hamachi. With this free open-source software, anyone can securely connect two or more computers into an ad-hoc network as though they were geographically and topographically on the same LAN.

Most importantly, in all but a few rare possible cases, this virtual network can be created and joined by users having minimal Internet access privileges. If a user has Web browsing access, they can probably use Hamachi.

As the Hamachi site suggests:
  • Think:
    • File Sharing (Windows, Macintosh, etc.)
    • iTunes (sharing music over the Internet, disabled by Apple since v4.0)
    • Remote Desktop (controlling another computer at a distance)
    • Remote Assistance
    • Gaming
How Hamachi Works (my simplified view):
  • Users download and install software on their computers (Windows, Mac OS X and Linux are currently supported).
  • Hamachi mediation server(s) run 24/7 somewhere in the world.
  • A user configures their Hamachi software client with a personal "nickname" - which represents that user/computer.
  • A user launches the Hamachi client on their computer and either creates or re-connects to a "network" they have already created - using an arbitrary name and password. This creates a new virtual network interface on the computer (i.e., appearing and behaving similarly to an Ethernet or wireless networking port).
  • Any subsequent users connect to that same "network" (identified by the creating user's chosen name and logged in using an agreed-upon password).
    • The HamachiX client for Mac OS X (an independent project to provide a Mac-like application not yet developed by the original Hamachi developers) provides a nice feature to allow a user to send a small "invitation" file via email or IM client. The recipient (who must also have HamachiX installed) merely opens the invitation file, and the network connection is added to their HamachiX list of networks - very slick.
  • The Hamachi mediation server takes the "loose ends" of each user's connection and binds them within an encrypted peer-to-peer VPN tunnel. Not only is this extremely secure, but you become peers on a virtual LAN. No port filtering or forwarding issues exist (though you still have to consider software firewalls on the computers themselves).
  • The Hamachi application now provides a list of other users also connected to your network(s) (you can maintain multiple network connections in your list). Each user is identified by their chosen nickname, and the Hamachi server has assigned each user a special IP address in the 5.x.x.x range, such as: 5.92.110.102 logjam
  • Users can now use these Hamachi IPs to represent the computers of other users on Hamachi networks to which they are connected.
For me, this has been a Holy Grail: some computers I manage are topologically inaccessible from the Internet - inside corporate LANs. But with Hamachi, I just need any one machine on an isolated LAN to have a Hamachi connection - then I can remotely control that machine and, in turn, remotely control any other machines on that LAN to which I have already configured remote control privileges.
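As an added example (not code from this post or from Hamachi itself), here is a small Python audit of the caveat above that peers still have to consider their own software firewalls: it parses a constructed peer list in the "5.92.110.102 logjam" form shown earlier and flags any allow rule that exposes a LAN-style service (file sharing, iTunes sharing, remote desktop) to sources wider than the 5.x.x.x range. The port map, the (action, source CIDR, port) rule shape and the sample peers are assumptions, not Hamachi's own format.

```python
import ipaddress

# Every Hamachi peer gets an address in 5.x.x.x (as the post describes).
# Note (not from the post): 5.0.0.0/8 was unallocated public space in 2006 and
# has since been assigned by IANA, so bind rules to the VPN interface as well.
HAMACHI_RANGE = ipaddress.ip_network("5.0.0.0/8")

# Constructed port map for the uses the post lists: file sharing,
# iTunes sharing and remote desktop (VNC).
LAN_SERVICES = {445: "Windows file sharing", 548: "Mac file sharing (AFP)",
                3689: "iTunes sharing", 5900: "Remote Desktop (VNC)"}

def parse_peer_list(text):
    """Parse 'address nickname' lines like '5.92.110.102 logjam' into
    {nickname: address}, skipping malformed or blank lines."""
    peers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            peers[parts[1]] = parts[0]
    return peers

def is_hamachi_peer(addr):
    """True only for addresses inside the Hamachi-assigned range."""
    return ipaddress.ip_address(addr) in HAMACHI_RANGE

def audit_rules(rules):
    """Return {port: [sources]} for each 'allow' rule that exposes one of the
    LAN-style services to a source network wider than the Hamachi range."""
    exposed = {}
    for action, src, port in rules:
        if action != "allow" or port not in LAN_SERVICES:
            continue
        src_net = ipaddress.ip_network(src, strict=False)
        if not src_net.subnet_of(HAMACHI_RANGE):
            exposed.setdefault(port, []).append(src)
    return exposed

# Constructed sample input: a peer list and a simplified host firewall policy.
SAMPLE_PEERS = "5.92.110.102 logjam\n5.18.44.7 laptop\n"
SAMPLE_RULES = [
    ("allow", "5.0.0.0/8", 5900),  # VNC only from Hamachi peers: fine
    ("allow", "0.0.0.0/0", 445),   # file sharing open to everyone: flagged
    ("deny", "0.0.0.0/0", 5900),   # a deny rule is never an exposure
]

if __name__ == "__main__":
    for nick, addr in parse_peer_list(SAMPLE_PEERS).items():
        print(nick, addr, "peer" if is_hamachi_peer(addr) else "not a peer")
    for port, srcs in audit_rules(SAMPLE_RULES).items():
        print(f"port {port} ({LAN_SERVICES[port]}) exposed to {srcs}")
```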

HamachiX
I've recently discovered that the newest release of HamachiX (a package with an OS X front-end for some Unix code to run Hamachi) has an extremely simple installation method. You just open the disk image and drag the app somewhere. When you launch the app, if it doesn't find Hamachi system files already installed, it (without any real feedback while it's doing it) installs necessary Unix files (this had to be done in the Terminal before).

Use of HamachiX is simple, but not terribly obvious. When you "Add" a network, you have the opportunity to join an existing "network" or create your own. These are really just accounts on the Hamachi mediation server, and they are permanent. (NOTE: The "Add network" assistant has a bug - after entering a Network Name and Network Password and checking one of the three options, the "Add" button remains greyed out - just hit the key and the button will highlight. Odd.)

INTEL MAC CAVEAT
In the most current version's ReadMe, they state:
  • Intel macs are not working very well to date since not all of the underlying components are in universal binary format already. You can find more information on the support forum, check out <http://hamachi.cc>.
I can't quite tell if that means there's _no way_ to make it work or not. Actually, there are threads on the Hamachi Forums about Intel Macs, I just haven't dug through them.

Conclusions: Hamachi is a uniquely useful and free (for 16-user networks or less) solution to many networking problems for consumers and pros alike. It's a little obtuse to configure and use, but its immense popularity provides a rich online support community.

2 comments:

Anonymous said...

Don't like the Hamachi mediation server(s) authentication... What if the servers go offline (if the company stops "working"?) I'll tell you what then, you'll be searching for another Hamachi-like program

Ellsworth said...

Hamachi was purchased in August by LogMeIn, Inc., so they have a professional incentive to maintain their servers - like any business.

When my shoes wear out, I have to shop for new ones. If they stop making shoes forever, I don't know what I'll do. I'll have to stop wearing shoes now, just in case.