Hamachi

Hamachi is a zero-configuration virtual private network (VPN) shareware application that is capable of establishing direct links between computers that are behind NAT firewalls without requiring reconfiguration (when the user's PC can be accessed directly without relays from the Internet/WAN side); in other words, it establishes a connection over the Internet that emulates the connection that would exist if the computers were connected over a local area network. It is currently available as a production version for Microsoft Windows and Mac OS X, and as a beta version for Linux.

Operational summary

Hamachi is a centrally managed VPN system, consisting of a server cluster managed by the vendor of the system and client software, which is installed on end-user computers. The client software adds a virtual network interface to the computer, which is used for intercepting outbound as well as injecting inbound VPN traffic. Outbound traffic sent by the operating system to this interface is delivered to the client software, which encrypts and authenticates it and then sends it to the destination VPN peer over a specially initiated UDP connection. Hamachi currently handles tunneling of IP traffic, including broadcasts and multicast. The Windows version also recognizes and tunnels IPX traffic.

Each client establishes and maintains a control connection to the server cluster. When the connection is established, the client goes through a login sequence, followed by the discovery process and state synchronization. The login step authenticates the client to the server and vice versa. The discovery step is used to determine the topology of the client's Internet connection, specifically to detect the presence of NAT and firewall devices on its route to the Internet. The synchronization step brings the client's view of its private networks in sync with the other members of those networks.

When a member of a network goes online or offline, the server instructs the other network peers to either establish or tear down tunnels to that member. When establishing tunnels between peers, Hamachi uses a server-assisted NAT traversal technique, similar to UDP hole punching. Detailed information on how it works has not been made public. The vendor claims "...to successfully mediate P2P connections in roughly 95% of all cases ..." This process does not work on certain combinations of NAT devices, requiring the user to explicitly set up a port forward. Additionally, the 1.0 series of client software is capable of relaying traffic through vendor-maintained 'relay servers'.
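The following simulation is an added example, not code from Hamachi or its vendor: Hamachi's own traversal protocol is unpublished, so it models the general server-assisted UDP hole punching technique that the text compares it to. The two NAT behaviours (an address-restricted "cone" NAT and a "symmetric" NAT), the mediation server endpoint, addresses and ports are all constructed. It shows why a direct tunnel is possible for most NAT pairings but not for symmetric/symmetric, which is the case where a relay server or a manual port forward becomes necessary.

```python
"""Server-assisted UDP hole punching, simulated (constructed teaching
example; not Hamachi's unpublished protocol)."""
import itertools
from dataclasses import dataclass, field

SERVER = ("203.0.113.10", 3478)   # constructed mediation server endpoint


@dataclass
class Nat:
    """'cone' (address-restricted): one public port per private socket,
    inbound admitted from any address the host has already sent to.
    'symmetric': a fresh public port per destination, inbound admitted
    only from the exact destination that created that port."""
    public_ip: str
    kind: str
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))
    mappings: dict = field(default_factory=dict)   # key -> public port
    allowed: set = field(default_factory=set)      # (public port, remote ip)

    def outbound(self, src, dst):
        """Translate an outbound datagram; returns the public endpoint used."""
        key = src if self.kind == "cone" else (src, dst)
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)
        port = self.mappings[key]
        self.allowed.add((port, dst[0]))
        return (self.public_ip, port)

    def inbound(self, public_port, src):
        """Would a datagram from `src` to `public_port` be admitted?"""
        if self.kind == "cone":
            return (public_port, src[0]) in self.allowed
        return any(port == public_port and key[1] == src
                   for key, port in self.mappings.items())


@dataclass
class Peer:
    name: str
    nat: Nat
    private: tuple   # (private ip, port) of the VPN client's UDP socket


def register(peer):
    """Step 1: the peer contacts the mediation server, which records the
    public endpoint its NAT exposed."""
    return peer.nat.outbound(peer.private, SERVER)


def punch(a, b):
    """Steps 2-3: the server hands each peer the other's public endpoint
    and both send to it at once. Returns True if a direct path exists."""
    a_pub, b_pub = register(a), register(b)
    a_src = a.nat.outbound(a.private, b_pub)       # A -> B
    b_src = b.nat.outbound(b.private, a_pub)       # B -> A
    a_to_b = b.nat.inbound(b_pub[1], a_src)
    b_to_a = a.nat.inbound(a_pub[1], b_src)
    # A side that received a datagram has learnt the real source endpoint
    # and retries against it; this rescues the cone/symmetric pairing.
    if b_to_a and not a_to_b:
        a_src = a.nat.outbound(a.private, b_src)
        a_to_b = b.nat.inbound(b_src[1], a_src)
    elif a_to_b and not b_to_a:
        b_src = b.nat.outbound(b.private, a_src)
        b_to_a = a.nat.inbound(a_src[1], b_src)
    return a_to_b and b_to_a


def plan(a, b):
    """Direct tunnel when punching works; otherwise fall back to a relay
    (or a manual port forward), as the text describes."""
    return "direct" if punch(a, b) else "relay"


def demo():
    results = {}
    for ka, kb in (("cone", "cone"), ("cone", "symmetric"),
                   ("symmetric", "cone"), ("symmetric", "symmetric")):
        a = Peer("A", Nat("198.51.100.1", ka), ("192.168.1.10", 5000))
        b = Peer("B", Nat("198.51.100.2", kb), ("10.0.0.7", 5000))
        results[f"{ka}/{kb}"] = plan(a, b)
    return results


if __name__ == "__main__":
    print(demo())
```

The simulation abstracts the NAT to a mapping table and an admission check, which is exactly what the mediation server cannot see from outside; it only learns the public endpoint each peer's NAT happened to expose, which is why the vendor's quoted success rate is less than 100%.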

In the event of unexpectedly losing its connection to the server, the client retains all its tunnels and starts actively checking their status. When the server unexpectedly loses a client's connection, it informs the client's peers of the fact and expects them to also start liveness checks. This enables Hamachi tunnels to withstand transient network problems on the route between the client and the server as well as short periods of complete server unavailability.
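An added example of the behaviour just described, written as a small state machine; it is not Hamachi's code, and the client names, network membership and the three-round tear-down threshold (PROBE_LIMIT) are assumptions. It covers both sides: the client that lost its control connection probes every tunnel, and the server tells that client's peers to probe the one tunnel in question.

```python
"""Tunnel liveness after loss of the control connection (constructed
state machine, not Hamachi's own code)."""
from dataclasses import dataclass, field

PROBE_LIMIT = 3   # missed probe rounds before a tunnel is torn down (assumed)


@dataclass
class Tunnel:
    peer: str
    state: str = "established"   # established -> probing -> closed
    missed: int = 0


@dataclass
class Client:
    name: str
    tunnels: dict = field(default_factory=dict)   # peer name -> Tunnel
    server_connected: bool = True

    def add_tunnel(self, peer):
        self.tunnels[peer] = Tunnel(peer)

    def _probe(self, tunnel):
        if tunnel.state == "established":
            tunnel.state, tunnel.missed = "probing", 0

    def on_server_lost(self):
        """Control connection gone: keep every tunnel, but probe all of them."""
        self.server_connected = False
        for t in self.tunnels.values():
            self._probe(t)
        return sorted(t.peer for t in self.tunnels.values() if t.state == "probing")

    def on_peer_suspect(self, peer):
        """Server reports that `peer` dropped off: probe only that tunnel."""
        if peer in self.tunnels:
            self._probe(self.tunnels[peer])

    def probe_round(self, replies):
        """One round of liveness checks; `replies` are the peers that answered.
        Silent peers accumulate misses and are torn down at PROBE_LIMIT."""
        for t in self.tunnels.values():
            if t.state != "probing":
                continue
            if t.peer in replies:
                t.missed = 0
            else:
                t.missed += 1
                if t.missed >= PROBE_LIMIT:
                    t.state = "closed"
        return self.live_peers()

    def live_peers(self):
        return sorted(t.peer for t in self.tunnels.values() if t.state != "closed")


@dataclass
class Server:
    networks: dict = field(default_factory=dict)   # network -> {name: Client}

    def join(self, network, client):
        members = self.networks.setdefault(network, {})
        for other in members.values():          # full mesh inside a network
            other.add_tunnel(client.name)
            client.add_tunnel(other.name)
        members[client.name] = client

    def on_client_lost(self, name):
        """Tell every peer of the lost client to start its own checks."""
        notified = []
        for members in self.networks.values():
            if name in members:
                for other in members.values():
                    if other.name != name:
                        other.on_peer_suspect(name)
                        notified.append(other.name)
        return sorted(notified)


def demo():
    """Alice loses her control connection; Bob still reaches her directly,
    Carol does not. Returns who keeps which tunnels after PROBE_LIMIT rounds."""
    server = Server()
    alice, bob, carol = Client("alice"), Client("bob"), Client("carol")
    for c in (alice, bob, carol):
        server.join("net1", c)
    alice.on_server_lost()                       # alice probes bob and carol
    server.on_client_lost("alice")               # bob and carol probe alice
    for _ in range(PROBE_LIMIT):
        alice.probe_round({"bob"})               # only bob answers alice
        bob.probe_round({"alice"})               # alice answers bob
        carol.probe_round(set())                 # alice never answers carol
    return {c.name: c.live_peers() for c in (alice, bob, carol)}
```

The point of the split is that a tunnel survives on the evidence of the two endpoints alone: the alice/bob tunnel stays up although the server has lost alice, while the alice/carol tunnel is torn down by both ends independently once the probes go unanswered.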

Hamachi is frequently used for gaming and remote administration. The vendor provides free basic service and extra features for a fee.

In February 2007, an IP-level block was imposed by Hamachi servers on parts of Vietnamese Internet space due to "the scale of the system abuse originating from blocked addresses". The company is working on a less intrusive solution to the problem.

Addressing

Each Hamachi client is assigned an IPv4 address from the 5.0.0.0/8 address block when it logs into the system for the first time. This assignment is, however, unofficial, as RIPE NCC has the right to make assignments in that range. Organizations using these address ranges in products or services may experience problems when more specific Internet routes attract traffic that was meant for internal hosts, or alternatively find themselves unable to reach the legitimate users of those addresses because those addresses are being used internally. The IP address is henceforth associated with the client's public crypto key. As long as the client retains its key, it can log into the system and use this IP address.

The 5.0.0.0/8 network is used to avoid collisions with private IP networks that might already be in use on the client side, specifically, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

Additionally, using a separate network prefix creates a single broadcast domain between all clients. This makes it possible to use LAN protocols that rely on IP broadcasts for discovery and announcement services over Hamachi networks.

The 5.0.0.0/8 address block was allocated by IANA to RIPE NCC in November 2010. Some prefixes from the range are currently being announced by the RIPE NCC debogon project. Hamachi users will not be able to connect to any Internet IP addresses within the range as long as the Hamachi client is running.
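The two failure modes in the Addressing section (Internet hosts in 5.0.0.0/8 becoming unreachable behind the VPN route, and a more specific Internet route pulling traffic away from a VPN peer) both come down to longest-prefix-match routing. The following is an added example that models that lookup in a small routing table; it is not Hamachi's code, and the interface names, the peer address 5.12.34.56 and the other addresses are constructed. It also checks a candidate prefix against the RFC 1918 ranges the text names.

```python
"""Client-side route collisions on 5.0.0.0/8 (constructed example, not
Hamachi's code): longest-prefix-match lookup plus an RFC 1918 overlap check."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class RoutingTable:
    """Kernel-style routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []          # (network, interface)

    def add(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def overlaps_private(prefix):
    """RFC 1918 ranges a candidate VPN prefix would collide with."""
    net = ipaddress.ip_network(prefix)
    return [str(p) for p in RFC1918 if net.overlaps(p)]


def classify(table, vpn_iface, vpn_peers, ip):
    """Where a packet for `ip` goes and whether it reaches what was meant."""
    iface = table.lookup(ip)
    is_peer = ipaddress.ip_address(ip) in vpn_peers
    if iface == vpn_iface:
        return (iface, "delivered to VPN peer" if is_peer
                else "captured by VPN route, Internet host unreachable")
    return (iface, "leaks outside the VPN although meant for a peer" if is_peer
            else "forwarded normally")


def demo():
    table = RoutingTable()
    table.add("0.0.0.0/0", "eth0")          # default route towards the ISP
    table.add("192.168.1.0/24", "eth0")     # home LAN
    table.add("5.0.0.0/8", "ham0")          # VPN interface claims the whole /8
    peers = {ipaddress.ip_address("5.12.34.56")}   # constructed peer address
    out = {
        "peer": classify(table, "ham0", peers, "5.12.34.56"),
        "internet_in_5/8": classify(table, "ham0", peers, "5.100.1.1"),
        "other_internet": classify(table, "ham0", peers, "203.0.113.5"),
        "overlap_5/8": overlaps_private("5.0.0.0/8"),
        "overlap_10/16": overlaps_private("10.8.0.0/16"),
    }
    # A more specific route for part of 5/8 (e.g. once that part is in
    # public use) now wins over the VPN /8 and pulls peer traffic away.
    table.add("5.12.0.0/16", "eth0")
    out["peer_after_more_specific"] = classify(table, "ham0", peers, "5.12.34.56")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last case is the one with security weight: once a more specific route appears, traffic the user believed was confined to the VPN is sent out the physical interface in the clear, without any error being reported to the application.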

Security

The following considerations apply to Hamachi's use as a VPN application:
  • Additional risk of disclosure of sensitive data which is stored or may be logged by the mediation server — minimal where data is not forwarded.
  • The security risks due to vulnerable services on remote machines otherwise not accessible behind a NAT, common to all VPNs.
  • Hamachi is stated to use strong, industry-standard algorithms to secure and authenticate the data and its security architecture is open.
  • The existing client-server protocol documentation contains a number of errors, some of which have been confirmed by the vendor, pending correction, with others not yet confirmed.
  • For the product to work, a "mediation server", operated by the vendor, is required.
  • This server stores the nickname, maintenance password, statically-allocated 5.0.0.0/8 IP address and the associated authentication token of the user. As such, it can potentially log actual IP addresses of the VPN users as well as various details of the session.
  • As all peers sharing a tunnel have full "LAN-like" access to each other's computers, security problems may arise if firewalls are not used, as in any insecure situation. The security features of the NAT router/firewall are bypassed; this is an issue with all VPNs.


Compatibility

The current builds of Hamachi are available for the following operating systems:
  • Microsoft Windows 2000, XP, Server 2003, Vista and Windows 7.
  • Mac OS X
  • Linux (beta)


Prior to versions 1.0.2.0 and 1.0.2.1 of the Windows release, many Windows Vista users had experienced compatibility and connection issues while using Hamachi. As of March 30, 2007, the software includes Vista tweaks, which address these OS-related problems, among other specific solutions.

Source code

Hamachi has a freeware version, but the server side is not open source. This means it is difficult to assess the actual robustness of the tool's security. Also, while the tool is free for personal use at this time, there are no guarantees that it will remain free.

See also

  • Network address translation (NAT) Overview, related RFCs: RFC 4008, RFC 3022, RFC 1631 (obsolete)
  • Simple Traversal of UDP over NATs (STUN), a NAT traversal protocol defined in RFC 3489 (obsoleted by RFC 5389)
  • Session Traversal Utilities for NAT (Updated STUN, as defined in RFC 5389)
  • UDP hole punching, another NAT traversal technique
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.