I’ve been trying to set up a VPN between our company laptops and our HQ since 2004. We use ZyWall boxes for NAT, firewall and wireless connections. They also have IPsec VPN capabilities, which are very handy for connecting two office branches. The VPN connection between several boxes has been relatively easy to set up and, once configured, it’s mostly transparent.
At the same time, as much as I’ve tried, I never managed to set up a VPN connection between a laptop computer and one of the ZyWalls. In three years I’ve tried at least five VPN clients, including SSH Sentinel, Checkpoint SecuRemote and Green Bow. Each one had issues with the ZyWall. At best, the connection interfered with other firewall and internal policies, because the ZyWall VPN server does not assign IPs to the client computer, or the tunnel was built but no packets could get through; at worst, the VPN client froze the computer.
I kept trying various setups and different client software, and asked on all the forums for ideas. I learned a lot about network protocols, encryption and certificate authorities, but I still couldn’t get the VPN to work without problems. In desperation, I even tried to set up a PPTP VPN on a Windows 2003 server, punch a hole in the ZyWall firewall, forward port 1723 and use the Windows built-in VPN client to connect. Still, it wouldn’t work.
A few days ago, my boss said to me "hey, I just read about a zero-configuration VPN, you don’t need to set up anything". At first I laughed at the idea, but then I decided to have a closer look and prepared a test environment.
Hamachi boasts the following (from their website):
Sounded too good to be true. Intrigued, I decided to read more. They use a "mediation server" to establish the connection. The mediation server assigns a private IP (e.g. 5.27.0.1) to each client, and the clients then build peer-to-peer tunnels to each other. Basically, each client computer becomes part of one big LAN via VPN. To separate users, one can create a password-protected "network", which various users can then join if they know the password. After that, they can access the shared resources or use Remote Desktop, as in any LAN.
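To make the architecture in the paragraph above concrete, here is a small Python model written for this page. It is not Hamachi's code or protocol; the class and method names, the password hashing and the use of a 5.0.0.0/8 pool are all assumptions. It shows the two things a security reviewer cares about in this design: the mediation server is the one party that knows every client, every address and every membership, and a shared network password is the only gate on joining. Flipping the server offline shows the availability dependency too, since peer lookup has nowhere else to go.

```python
"""Constructed model of a mediated peer-to-peer VPN (illustration for this page,
not Hamachi's code). All names and the address pool are assumptions."""
import hashlib
import hmac
import ipaddress
import os


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the broker never stores a network password in clear (model choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class MediationServer:
    """The broker: allocates addresses and gates network membership.

    It is deliberately the single point that sees every client, address and
    membership, which is exactly the trust and availability dependency at stake.
    """

    def __init__(self, pool: str = "5.0.0.0/8"):
        self._hosts = ipaddress.ip_network(pool).hosts()  # yields 5.0.0.1, 5.0.0.2, ...
        self.addresses = {}   # client_id -> assigned address, one per client
        self.networks = {}    # name -> {"salt", "digest", "members"}
        self.online = True    # set False to model a mediation-server outage

    def _require_online(self) -> None:
        if not self.online:
            raise ConnectionError("mediation server unreachable")

    def register(self, client_id: str) -> str:
        """Hand out the next unused address; re-registering keeps the same one."""
        self._require_online()
        if client_id not in self.addresses:
            self.addresses[client_id] = str(next(self._hosts))
        return self.addresses[client_id]

    def create_network(self, name: str, password: str) -> None:
        self._require_online()
        if name in self.networks:
            raise ValueError(f"network {name!r} already exists")
        salt = os.urandom(16)
        self.networks[name] = {"salt": salt, "digest": _digest(password, salt), "members": set()}

    def join(self, client_id: str, name: str, password: str) -> bool:
        """Membership is gated only by the shared password; unknown client or wrong password, no join."""
        self._require_online()
        net = self.networks.get(name)
        if net is None or client_id not in self.addresses:
            return False
        if not hmac.compare_digest(net["digest"], _digest(password, net["salt"])):
            return False
        net["members"].add(client_id)
        return True

    def peers(self, client_id: str, name: str) -> dict:
        """What a member asks the broker for before building its direct tunnels."""
        self._require_online()
        net = self.networks.get(name)
        if net is None or client_id not in net["members"]:
            raise PermissionError("not a member of this network")
        return {m: self.addresses[m] for m in net["members"] if m != client_id}


def scenario() -> dict:
    """Register two clients, join a network, look up peers, then lose the broker."""
    broker = MediationServer()
    hq = broker.register("hq-server")
    laptop = broker.register("laptop-1")
    broker.create_network("acme-staff", "correct horse")
    joined_hq = broker.join("hq-server", "acme-staff", "correct horse")
    joined_laptop = broker.join("laptop-1", "acme-staff", "correct horse")
    rejected = broker.join("stranger", "acme-staff", "correct horse")  # never registered
    wrong_password = broker.join("laptop-1", "acme-staff", "wrong")    # bad shared secret
    laptop_peers = broker.peers("laptop-1", "acme-staff")
    broker.online = False  # outage: nothing local can answer a peer lookup
    try:
        broker.peers("laptop-1", "acme-staff")
        outage_lookup = "succeeded"
    except ConnectionError:
        outage_lookup = "failed"
    return {
        "hq_address": hq, "laptop_address": laptop,
        "joined_hq": joined_hq, "joined_laptop": joined_laptop,
        "rejected": rejected, "wrong_password": wrong_password,
        "laptop_peers": laptop_peers, "outage_lookup": outage_lookup,
    }


if __name__ == "__main__":
    print(scenario())
```

The model is intentionally unflattering: anyone holding the network password and able to reach the broker gets an address and a peer list, and nothing in the design lets a member verify that the broker handed it the right peer. That is the part of a closed-source mediation scheme that a white paper has to convince you of.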
I tested it, and it works flawlessly. The program is incredibly small (under 1 MB) and hardly uses any resources. It’s very easy to set up: the interface has just five buttons, including Close and Minimize. No more Negotiation Modes, Replay Detection settings, SA Lifetime and Perfect Forward Secrecy; Hamachi is indeed zero-configuration.
On the downside, it’s not a traditional VPN. I’ve read their Security White Paper and it looks good, on paper. Still, being closed source and untraditional, I am still a little worried about security. IPsec VPN is proven; when set up correctly, it’s secure. Hamachi is new and relatively unknown. It may prove to be an excellent piece of technology, one that simplifies and enhances access while maintaining security, but it’ll take some more time until I’m convinced. Moreover, you’re dependent on their mediation servers. If they go down (and network outages have happened), it’s bye-bye connectivity. For now, I will keep an eye on it and test it more before deploying it within our company.
Are you using Hamachi? What is your experience with it?