Just how secure is Hamachi, really?
As you may recall, I’ve mentioned Hamachi quite a bit over the last year or two. It’s a slick little service that allows one to easily and quickly establish point to point VPN tunnels between machines. For example, I use it a lot to interconnect the various computers I use. As long as my laptop has an Internet connection, it can have a secure connection to my desktop(s).
Recently, we needed to setup a training server for a client. They just tossed the Hamachi client on the server and let me know the password to join it’s Hamachi network. That was way easier (and quicker) than jumping around doing yet another lan-to-lan VPN tunnel (like this).
Now I’m pondering the idea of rolling it out to more of our servers at work — especially the production ones. The promise of easy, fast and secure access from just about anywhere is very enticing. But I’m also hesitant… I love it, I trust it, but as soon as I start talking about my live production servers, a whole ‘nother level of paranoia comes in to play!
The hamachi security page helps assuage my fears.
Security architecture seems well thought out (keeping in mind I’m a casual crypto guy, not a nuts & bolts expert).
The security white paper (PDF alert) lays it out nicely as well.
Steve Gibson seems to like it. However, his last mention of it from the latter link concludes with, “And, you know, I’m sure Alex has told me the truth, but I have no proof of it. So listeners should certainly be aware of that.”
See, there’s the rub — it isn’t open source so code reviews are unlikely or unexistant.
I’d like to find a link from a “creditable” 3rd party blessing it.
And hey, anyone else using Hamachi? If so, how are you using and how do you like it?
Possibly Related posts:
June 16th, 2007 
Tags: 
you may want to look at the talk page of hamachi’s wikipedia article. there is an interesting discussion between an original author of hamachi and an open source freak. rather enlightening.
Thanks “nomatter” If anyone’s curious, the link is here: http://en.wikipedia.org/wiki/Talk:Hamachi
Some good discussion there and it gave some things to ponder. Just have to filter out the weinie-waving to get to it.
Hi I use hamachi on many production servers: I started off with windows versions on mini and mid range customers. I had a few problems with windows servers as per their DNS name: server1 replies on 192.168.x.x but also on 5.x.x.x. If I contact the server by name like \\server1 if dns is not specifically configured it will occasionally reply on 5.x.x.x hamachi interface.
This has been a problem on windows mail and app servers. On linux i did not have this problem as I create manual dns entries for it and do not work with netbios craps.
I have it running on various linux machines and a few windows.
It is great having hamachi installed on my nokia MID tablet n810 (maemo linux) and windows mobile (tytn 2 occasional issues starting up the app).
I managed reachin high end production servers from up a hill before and after paragliding and while at the beach.
The real risk is loosing the device: removable memory encryption on win mobile is crap and using ofte is an annoying alternative. I’d appreciate a startup password that decrypts the appdata dir on win mobile and truecrypt similar enclosed solution for linux maybe.
Great job negotiating connections but I must say occasionally I had certainty of being able to let an it spec work on a server but the tunnel was not created. A port 80 tunnelling would solve a few big companys firewall blocks.
BTW ever thought how bad is users accessing work pc’s from outside? TeamViewer on windows is even worse.. no admin execution required.
There are solutions but the should be deployed.
Hi Jo, thanks for stopping by and dropping some thoughts. The thought about losing my hamachi enabled phone or laptop has certainly got me thinking…
Yep but as said solutions exist and lie in our knowledge. Easy on laptop and nokia’s tablet (linux is just more manageable), less on a win mobile pda (for me as I never even tried executing a bat on it as I do not have a terminal for it… command line encryption sw exist and should only be set up once)…
BTW… openvpn on a public server (I use an unmanaged dedicated server) is really great too but still is not as easy as installing hamachi and having dozens of servers all in your hand at once…
HamachiRocks! (and I should be parsing my to-do list!)
GG