Last week, I discussed Microsoft's Secure Socket Tunneling Protocol (SSTP) VPN technology, which will debut as part of Windows Vista Service Pack 1 (SP1) and Longhorn Server Beta 3. The VPN will work over standard Web ports and ease client-to-server connectivity. If you missed that editorial, you can read it at
This week, I learned about another VPN technology that I hadn't heard of before. LogMeIn Hamachi is a relatively simple tool that lets you connect systems together to build a VPN where such connectivity might not otherwise be possible.
A couple really great features of Hamachi make it a very useful tool. The first is that it runs on Windows 2000, Windows XP, Windows Server 2003, Linux, and Mac OS X. The second interesting feature is that it's a UDP-based VPN technology, where most other VPNs are TCP-based. Because it's UDP-based, it can work in networks where other VPNs might not because it can traverse some overly restrictive policies and can operate behind networks that use Network Address Translation (NAT).
The real "magic" of Hamachi is that it takes advantage of UDP operational characteristics. As you know, in order for TCP connections to take place, ports need to be open on firewalls, and when NAT is in use (with or without a firewall), the NAT router needs to forward traffic to the proper endpoint. In contrast, a NAT device (and sometimes a firewall) can be coaxed into accepting UDP traffic even when specific rules don't exist to allow that traffic.
To get an idea of how Hamachi works under the hood, we can take a look at the Skype VoIP technology because Skype also uses UDP to traverse NAT networks and firewalls. If you head over to the heise Security Web site, you'll find a very interesting article, "The hole trick," (at the URL below) that explains what's happening under the hood of a Skype client. If you read the article, you'll come away with an understanding that applies to Hamachi.
I've heard that Hamachi is especially useful for Windows administrators who need to use Microsoft Remote Desktop connectivity but can't due to restrictions on the network on which they happen to be at the moment, whether that network is at a hotel, conference center, library, coffee shop, or elsewhere. Hamachi can establish a VPN between two endpoints, and then Remote Desktop can be used over the Hamachi VPN. The same principle undoubtedly applies to many other tools that are useless without a VPN.
There is at least one downside to Hamachi, though: It doesn't work when a system is behind a proxy server. Nevertheless, it looks like an incredibly useful tool and I intend to give it a try soon. You can learn more about it and download a copy at the URL below.
If you're interested in more technical, nitty-gritty details about how tools like Hamachi and Skype work, then take a look at RFC3489, "Simple Traversal of User Datagram Protocol Through Network Address Translators" at the URL below. The document explains the technique in considerable detail.