|At a glance|
|Product||LogMeIn Hamachi2|
|Summary||Cloud-based VPN solution ideal for setting up quick and easy secured networks for non-technical users.|
|Pros||• Quick setup • Multiple network types • Free version has access to all major features • Fairly fast connection in free version • Support for all users|
|Cons||• Web portal is a little confusing • Documentation is lacking for using the web portal • Security technologies used not documented adequately • Some network types not available on all OSes|
|Typical Price||$33|
Setting up secure VPNs (Virtual Private Networks) usually involves purchasing special routers that secure inbound and outbound traffic for your LAN or, if you want encryption all the way to your notebook or mobile device, installing and configuring a VPN client.
But, like many other applications, VPNs can now be purchased as a cloud service. I'll be taking a look at one of the original hosted VPN services, LogMeIn Hamachi2.
Actually, the "Hamachi" part of LogMeIn Hamachi2 is the "oldie", which was around when "cloud" still meant those fluffy things in the sky. SmallNetBuilder took a look at the pre-LogMeIn Hamachi a few years back, when setup was considerably more involved.
The service was originally created to help PC gamers play LAN games over the Internet. The evolution into an SMB product began with the purchase by LogMeIn.
Hamachi2 thankfully hasn’t strayed too far from its roots. The design is simple: initial connectivity happens via a central server. Once connection is established, Hamachi2 will try to start up a VPN directly between peers running its client.
If Hamachi2 can establish this connection, traffic will use the peer-to-peer network instead of relaying through LogMeIn’s servers. LogMeIn has added to Hamachi's original framework with additional connectivity modes that I'll explore in a bit.
Before I get into the account types, I think it’s important to explain a little better how Hamachi2 works. It creates an entirely separate network connection on your computer by creating a virtual network adapter through a special driver.
This driver, called a TUN/TAP driver, is assigned a special IP address from the Hamachi network in the 5.x.x.x range. Incidentally, this range was recently allocated to a European Internet Infrastructure agency called RIPE NCC which has begun announcing subnet allocations for the range.
If you have Hamachi installed, traffic to any address in that range, or to any domain that resolves to one, will be sent to the Hamachi network instead. But if your machine happens to be on a 5.x.x.x network, you could have a problem at some point.
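The routing consequence described above, as an added example (not code from LogMeIn or the original article): a longest-prefix-match lookup over a constructed routing table, plus two checks for destinations and local interfaces that collide with the 5.x.x.x range. The interface names, the LAN prefix and the modelling of the Hamachi adapter as a single 5.0.0.0/8 route are assumptions.

```python
import ipaddress

# Constructed routing table for a host running the Hamachi client. Interface
# names, the LAN prefix and the /8 route are assumptions based on the article.
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route to the Internet
    ("192.168.1.0/24", "eth0"),   # local LAN
    ("5.0.0.0/8", "hamachi0"),    # virtual adapter's 5.x.x.x range
]
HAMACHI_NET = ipaddress.ip_network("5.0.0.0/8")

def select_interface(dest, routes=ROUTES):
    """Longest-prefix match: interface a packet to dest leaves on."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise ValueError(f"no route to {dest}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def audit_destinations(resolved, known_peers):
    """Names resolving into 5.0.0.0/8 that are not known Hamachi peers;
    their traffic is captured by the virtual adapter instead of the Internet."""
    return sorted(
        (name, ip, select_interface(ip))
        for name, ip in resolved.items()
        if ipaddress.ip_address(ip) in HAMACHI_NET and ip not in known_peers
    )

def local_conflicts(interface_addrs):
    """Non-Hamachi interfaces whose own address sits inside 5.0.0.0/8."""
    return sorted(
        iface for iface, ip in interface_addrs.items()
        if iface != "hamachi0" and ipaddress.ip_address(ip) in HAMACHI_NET
    )

# Constructed sample data (not real DNS answers or hosts).
SAMPLE_RESOLVED = {
    "peer-laptop.example": "5.12.34.56",
    "public-site.example": "5.200.10.20",
    "other-site.example": "198.51.100.7",
}
SAMPLE_PEERS = {"5.12.34.56"}

if __name__ == "__main__":
    print(audit_destinations(SAMPLE_RESOLVED, SAMPLE_PEERS))
```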
Once your machine has a 5.x.x.x address, its network parameters are adjusted to properly route Hamachi2 traffic. You then set up a “Network” of computers. These networks are the fundamental feature of Hamachi and come in three flavors: Mesh; Hub and Spoke; and Gateway.
Three Hamachi2 Network types
Mesh is the original Hamachi network type. All computers joined into a mesh network can talk to each other, just as if they were connected on a LAN, only securely. This configuration is ideal for quickly setting up an encrypted connection between two machines running the Hamachi client.
Hub and Spoke networking is a more secure version of mesh networking. The Hamachi2 Getting Started Guide says:
In a hub-and-spoke network, one or more computers act as hubs, while other clients connect as spokes. Spokes connect to hubs, but never to each other.
Hub-and-spoke is typically used when a workstation (spoke) needs to connect only to servers (hubs).
Hub-and-spoke is ideal if you want strict control over connections between network members.
The third type, Gateway, is most similar to a traditional VPN setup. Users connect to a dedicated (this is required) gateway machine running a Hamachi client, and all items available on the local network are then accessible, even those not running a Hamachi client. Note that, as with any other gateway-based VPN, the encrypted tunnel does not extend past the gateway.
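The difference between mesh and hub-and-spoke reachability, as an added example (not LogMeIn's code and not from the original article): it computes which member pairs may form a tunnel under each type and flags observed connections that fall outside the policy. The member names and observed connections are constructed, and treating hub-to-hub as permitted is an assumption, since the quoted guide only rules out spoke-to-spoke.

```python
from itertools import combinations

def allowed_pairs(network_type, roles):
    """Return the set of member pairs permitted to form a tunnel.

    roles maps member name -> "hub" or "spoke" (roles are ignored for mesh).
    """
    pairs = set()
    for a, b in combinations(sorted(roles), 2):
        if network_type == "mesh":
            ok = True  # every member can talk to every other member
        elif network_type == "hub-and-spoke":
            # Spoke-to-spoke is never allowed; hub-to-hub is assumed allowed.
            ok = "hub" in (roles[a], roles[b])
        else:
            raise ValueError(f"unsupported network type: {network_type}")
        if ok:
            pairs.add((a, b))
    return pairs

def violations(network_type, roles, observed):
    """Observed connections that the chosen topology does not permit."""
    seen = {tuple(sorted(pair)) for pair in observed}
    return sorted(seen - allowed_pairs(network_type, roles))

# Constructed membership and connection log for illustration.
ROLES = {
    "fileserver": "hub",
    "ws-alice": "spoke",
    "ws-bob": "spoke",
    "ws-carol": "spoke",
}
OBSERVED = [("ws-alice", "fileserver"), ("ws-bob", "ws-alice")]

if __name__ == "__main__":
    for kind in ("mesh", "hub-and-spoke"):
        print(kind, len(allowed_pairs(kind, ROLES)), violations(kind, ROLES, OBSERVED))
```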
With all that out of the way, account types will make a little more sense. Free accounts (for non-commercial use only) have full access to all features but are limited to 16 connected computers per network. Commercial account members get upgraded to 256 computers per network, and have access to high speed relay servers in the event a normal peer to peer connection cannot be made.
Commercial accounts cost $199 / year or $33 / month. So you save about half by buying a year upfront. I’m going to be reviewing the free version.
Installation for a centralized platform is a two step process. After creating an account and logging into the backend web portal, you then choose to create a network or add clients. The recommended path is to create a network first.
This starts a wizard where you pick what type of network you want this to be. I chose Mesh to keep it simple, and required that all people trying to join the network would have to be allowed by me. Other options are: clients can automatically join, or only clients in a list are allowed to join. You can also add a network password for additional security. You can see this configuration process in the Gallery.
Once the network was set up, I set about installing the client, which is just like installing any other application. All the Gallery screen shots were taken from the Mac OS client, which is the same as the Windows client for installation and setup purposes.
Windows clients have a few features Mac clients don’t, which isn’t directly explained unless you read the manual (who does that anymore?). Windows clients can also route IPX traffic for everyone looking to play games made pre-Y2K. More importantly, Mac OS clients cannot act as gateway servers, which may put a kink in some networks.
Once installed, the client connects and gets its IP address. You can then choose to associate it with an account, which will have it join all the networks on that account. Or you can join a network using the 9 digit network ID, or create a mesh network right within the client. I chose to associate it with my account, and connected to my mesh network easily.
I also tested the Windows client, and it seemed to automatically associate with my account when I installed it. I’m unsure if this is just additional polish on Windows, or a fluke. Both my friend, who helped me for remote testing, and I did not get an automatic association when we launched our Mac OS clients.
Speaking of my friend, I tried out the personalized client installer feature for his setup. Personalized installations create a unique URL that you then send out for people to download the client from. This allows you to track client installs, and expire the URL after a time period for increased security. In addition, personalized client installations allow clients to automatically join networks that the administrator sets for them to auto-join through the backend.
While he installed and joined the network just fine, LogMeIn’s web portal never updated to show that he downloaded the client. This could be problematic for trying to keep people with Macs from downloading too many client installations.