Playing with VPNs
After listening to the recent Security Now podcasts that have gone over various VPN techniques, I decided that I would play with them a little bit. Understand that most of my VPN experience is with both Check Point VPN-1/FireWall-1 and Nokia IP VPN, so I do have some hardcore experience with this stuff. It was nice to see a couple of different takes on this.
Hamachi is an interesting VPN tool. It calls itself a Zero Configuration VPN utility and Secure peer-to-peer. Since it’s not exactly open source, we can’t exactly verify that (even if Steve Gibson says it sounds like it’s secure). And at least with my routers, I can’t exactly say the configuration was “zero,” but then again I don’t have your typical consumer-level router so I had some issues making the VPN traffic work. However, with typical consumer-level gear, Hamachi would be pretty cool. It uses a third party server to work through the typical NAT problems. Once both computers “phone home” to the Hamachi server, the clients talk directly. Each computer is assigned a “permanent” 5.x.x.x address, which is a reserved and currently unused netblock.
The big problem I had with Hamachi is that it is peer-to-peer only. That is to say, you can only communicate between computers with the Hamachi client installed and configured on your “private” network. You cannot currently use a Hamachi tunnel to talk to other computers. According to the developer (who was very responsive on their forums), this is by design. They plan on addressing this in the 1.0 release.
Hamachi is not entirely cross-platform either. Clients are available for Windows and Linux currently with a Mac OS X client coming soon. The 1.0 client will be out for Windows first, then the Mac OS X version, then they will upgrade the Linux client in the Spring of 2006.
Between those two problems, I decided Hamachi wasn’t for me. Besides, at least one of the endpoints I need to talk to has static addressing. So instead I gave OpenVPN a shot.
OpenVPN requires a bit more setup. I had to slog through the documentation a little bit, but it didn't take me long to get a functional server configuration as well as a functional client configuration. I pretty much used the sample files. I had to work around a missing-routes issue on the remote network temporarily, until I could obtain passwords for the router to add the necessary static routes.
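As an added example (not from the original post), here is a minimal OpenVPN server configuration of the kind the sample files produce, with the directive that hands clients a route to the remote LAN. The addresses are assumed, and the commented masquerade rule is one common temporary workaround for the missing return route on the LAN router, not necessarily the one the author used.

```conf
# server.conf -- assumed addresses: VPN pool 10.8.0.0/24, remote LAN 192.168.1.0/24
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
# Give each connecting client a route to the LAN behind the server
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
# Hosts on the LAN still need a return route for 10.8.0.0/24 pointing at the
# OpenVPN server's LAN address; the proper fix is a static route on the LAN
# router. Until the router can be changed, masquerading the VPN pool behind
# the server's LAN interface is a stopgap (Linux, assumed interface eth0):
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

The stopgap hides client addresses from the LAN, so LAN-side logs show only the server; remove the rule once the static route is in place.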
I was able to get OpenVPN working on both Linux and Windows clients, and a friend of mine managed to get it working on a Mac using Tunnelblick. We wrote some instructions and that was that.
Setting up OpenVPN was a little more involved, but it supports lots of platforms today, and that’s a good thing. Besides, I’m not afraid to roll up my sleeves and get my hands dirty.