Hamachi is a very, very easy (zero-configuration) point-to-point VPN solution to establish a connection from Linux/Windows hosts to other Linux/Windows hosts. It's FREE. It's also able to connect NATed/firewalled hosts. It uses (I think) a TUN device on Linux.

Has anyone tried to integrate it into Shorewall? Can I consider it in the 'tunnels' file as 'generic'?

Guilsson

PS: http://www.hamachi.cc/

Guilsson,

You want to use this VPN solution. You have the Shorewall documentation regarding VPN. What are you waiting for?

We will look forward to your HOWTO that describes how to use Hamachi with Shorewall.

In case you need initial direction:

http://www.shorewall.net/VPNBasics.html
http://www.shorewall.net/GenericTunnels.html

Remember -- Open Source works best when people who have a need for a solution develop that solution and share it with others.

Thanks!
-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Guilsson wrote:
> Hamachi is a very very easy (zero-configuration) VPN point-to-point
> solution to establish a connection from Linux/Windows hosts to other
> Linux/Windows hosts.
> It's FREE.
> It's also able to connect NATed/firewalled hosts.
> It uses (I think) a TUN device on Linux.
>
> Has anyone tried to integrate it into Shorewall?
> Can I consider it in the 'tunnels' file as 'generic'?
>
> Guilsson
> PS: http://www.hamachi.cc/

I haven't used it on my shorewall box (no reason to), but I have it running on several of the other boxes on my LAN (Windows and Linux) and have connected to other people outside. You don't need to do anything to shorewall to make it work. On Linux, yes, you need the tun/tap driver.

Although if by integrate you mean to set up the shorewall box as a proper bridge so you can install hamachi on it and then access its hamachi network from anyone on your LAN without putting hamachi on them, that would be quite interesting (and useful).

Mark II

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

On Friday 03 February 2006 20:53, Tom Eastep wrote:
> Guilsson,
>
> You want to use this VPN solution. You have the Shorewall documentation
> regarding VPN. What are you waiting for?
>
> We will look forward to your HOWTO that describes how to use Hamachi with
> Shorewall.
>
> In case you need initial direction:
>
> http://www.shorewall.net/VPNBasics.html
> http://www.shorewall.net/GenericTunnels.html
>
> Remember -- Open Source works best when people who have a need for a
> solution develop that solution and share it with others.

This thing looks trivial to configure with Shorewall. It's not a configured tunnel -- it's a mediated means of establishing a secure UDP link. From the Hamachi FAQ:

---------------------------------------------------------------------------
Hamachi connects to a central server on port 12975 using TCP. It also uses dynamic local and remote UDP ports for communicating with other Hamachi peers.

What you can do is to fix the local UDP port. Open Hamachi Preferences, System page and enable Magic Option in the Troubleshooting section. The number next to it is the UDP port value.

Fixing the UDP port is normally used in conjunction with configuring port forwarding on your NAT/router device to resolve the 'yellow status issue'.

Yellow status means that Hamachi cannot establish a direct p2p tunnel toward the respective peer. This is not a bug or an error, it is an artefact of core Hamachi technology, which occurs in approximately 5% of all cases. Currently there is only one way to resolve this issue, which is to use Magic Option and to configure port forwarding on your router:

  Select some UDP port, say, 12975
  Forward this port from the network interface on your router that hooks up to the Internet to the machine that is running Hamachi.
  Enable Magic Option and set it to the selected port
  Reconnect Hamachi
----------------------------------------------------------------------------

What this means in Netfilter/Shorewall terms is that you can only run Hamachi on one system behind your masquerading gateway. To do that:

a) If your loc->net policy is ACCEPT, then you don't need to do anything to enable connection to the Hamachi servers. Otherwise, you need:

    ACCEPT    loc    net    tcp    12975

b) You need to forward the UDP port to your local system. Assuming that you've selected port 12975 as mentioned in the FAQ:

    DNAT    net    loc:<your local IP>    udp    12975

-Tom

On Sunday 05 February 2006 08:21, Tom Eastep wrote:
>
> b) You need to forward the UDP port to your local system. Assuming that
> you've selected port 12975 as mentioned in the FAQ:
>
> DNAT net loc:<your local IP> udp 12975
>

Note that this last part *may* not be necessary -- until someone tries this thing with Shorewall, we won't know. If it works ok without this part then it would seem that you could run multiple instances of Hamachi behind your firewall.

HTH,
-Tom

On Sunday 05 February 2006 08:27, Tom Eastep wrote:
> On Sunday 05 February 2006 08:21, Tom Eastep wrote:
>
> Note that this last part *may* not be necessary -- until someone tries this
> thing with Shorewall, we won't know. If it works ok without this part then
> it would seem that you could run multiple instances of Hamachi behind your
> firewall.
>
> > b) You need to forward the UDP port to your local system. Assuming that
> > you've selected port 12975 as mentioned in the FAQ:
> >
> > DNAT net loc:<your local IP> udp 12975
>

Note that I haven't talked about running Hamachi on the firewall itself. To do that, you would need additional stuff:

/etc/shorewall/zones:

    ham    ipv4    # Host(s) on the other end of the P2P link

/etc/shorewall/interfaces:

    ham    <tap device>    -    # Hamachi documentation is almost non-existent
                                # on their web site but I get the impression
                                # that they may name their devices 'hamN' for
                                # N = 0,1,2,...

/etc/shorewall/policy:

    ham    all    REJECT:info    # I won't touch this thing with a 10-foot pole
    all    ham    ACCEPT         # Fools rush in where wise men never go

/etc/shorewall/rules:

    ACCEPT    $FW    net    tcp    12975    # Only if your $FW->net policy
                                            # isn't ACCEPT
    ACCEPT    net    $FW    udp    12975    # You may not need this...

    <rules allowing the traffic from ham that you are willing to permit>

Again, if someone wants to play with this thing I'll be glad to advise -- I just have no interest in using it myself or in spending any of my time trying to understand the thing.

-Tom

Thanks everybody. Linux to Linux worked fine. I configured it exactly like an OpenVPN tunnel. OpenVPN creates a tun0 interface; Hamachi creates a ham0 interface. So the configuration is almost the same as for OpenVPN: zones, policy, rules, etc.

Some obvious differences:

- OpenVPN is client/site and site/site connection. Hamachi is host/host or hosts/hosts connection.
- OpenVPN is Open Source. Hamachi is closed and free up to 16 participants in the same network.
- OpenVPN is true point to point. Hamachi uses a third party to start the connection. Afterwards, it's point to point.

Curiously, Hamachi on Windows clients behind NAT firewalls on both sides are able to talk directly. I tested this using Kerio Personal Firewall on both sides and it showed as outgoing connections on both machines, without third-party intermediation after connecting.

Stop..., this is the point! I went deeper and discovered this: "UDP hole punching" (http://en.wikipedia.org/wiki/UDP_hole_punching)

As a Firewall Administrator, I'm afraid about this. Why?

1) Skype uses a similar technique and I cannot find a way to block Skype using Shorewall/iptables. If you leave an IP TOTALLY blocked (no DNS, no HTTP, etc) except TCP/443, Skype still connects. Only two companies are able to block it: Versa and Sonicwall. There is a way using Squid/CONNECT via IP address but it's useless for me.

2) How many clients (P2P, messengers, etc), from now on, will start using techniques like these and bothering firewall administrators trying to stop them?

-Guilsson

On 2/5/06, Tom Eastep <teastep@shorewall.net> wrote:
> On Sunday 05 February 2006 08:27, Tom Eastep wrote:
> > On Sunday 05 February 2006 08:21, Tom Eastep wrote:
> >
> > Note that this last part *may* not be necessary -- until someone tries this
> > thing with Shorewall, we won't know. If it works ok without this part then
> > it would seem that you could run multiple instances of Hamachi behind your
> > firewall.
> >
> > > b) You need to forward the UDP port to your local system. Assuming that
> > > you've selected port 12975 as mentioned in the FAQ:
> > >
> > > DNAT net loc:<your local IP> udp 12975
>
> Note that I haven't talked about running Hamachi on the firewall itself. To do
> that, you would need additional stuff:
>
> /etc/shorewall/zones:
>
>     ham    ipv4    # Host(s) on the other end of the P2P link
>
> /etc/shorewall/interfaces:
>
>     ham    <tap device>    -    # Hamachi documentation is almost non-existent
>                                 # on their web site but I get the impression
>                                 # that they may name their devices 'hamN' for
>                                 # N = 0,1,2,...
>
> /etc/shorewall/policy:
>
>     ham    all    REJECT:info    # I won't touch this thing with a 10-foot pole
>     all    ham    ACCEPT         # Fools rush in where wise men never go
>
> /etc/shorewall/rules:
>
>     ACCEPT    $FW    net    tcp    12975    # Only if your $FW->net policy
>                                             # isn't ACCEPT
>     ACCEPT    net    $FW    udp    12975    # You may not need this...
>
>     <rules allowing the traffic from ham that you are willing to permit>
>
> Again, if someone wants to play with this thing I'll be glad to advise -- I
> just have no interest in using it myself or in spending any of my time trying
> to understand the thing.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

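A toy model of what Guilsson observed above, added here as an illustration (constructed code, not Hamachi's, Shorewall's or anything posted in the thread): two peers behind stateful masquerading gateways end up talking directly once a mediator has told each the other's public endpoint, because the outbound packet each sends creates the UDP state that lets the peer's packet in. The model assumes each client learns its public UDP mapping by probing the mediator over UDP (how Hamachi actually does this is not described on the page); all addresses and ports are constructed. It also covers the two knobs a firewall admin actually has: a loc->net UDP policy restricted to known servers leaves nothing to punch through, and a symmetric NAT (fresh public port per destination) reproduces the FAQ's "yellow status", which is why Tom's DNAT rule may or may not be needed.

```python
from dataclasses import dataclass, field

MEDIATOR = ("203.0.113.1", 12975)  # stand-in for Hamachi's server (constructed address)

@dataclass
class Nat:
    """A masquerading gateway with Netfilter-style UDP state tracking (simplified model)."""
    public_ip: str
    udp_policy: callable = lambda remote: True  # loc->net UDP policy; ACCEPT everything by default
    symmetric: bool = False  # True: fresh public port per destination (the FAQ's 'yellow status' NAT)
    next_port: int = 40000
    mapping: dict = field(default_factory=dict)   # internal key -> public port
    conntrack: set = field(default_factory=set)   # (public port, remote) pairs seen outbound

    def outbound(self, src, remote):
        """Internal src=(ip, port) sends UDP to remote=(ip, port). Returns public (ip, port) or None."""
        if not self.udp_policy(remote):
            return None  # dropped by the loc->net policy before any state is created
        key = (src, remote) if self.symmetric else src
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.next_port += 1
        port = self.mapping[key]
        self.conntrack.add((port, remote))  # ESTABLISHED state: a reply from remote may come back
        return (self.public_ip, port)

    def inbound(self, public_port, remote):
        """UDP from remote to our public_port. Returns the internal (ip, port) or None if dropped."""
        if (public_port, remote) not in self.conntrack:
            return None  # unsolicited UDP with no matching state is dropped
        for key, port in self.mapping.items():
            if port == public_port:
                return key[0] if self.symmetric else key
        return None

def hole_punch(nat_a, a, nat_b, b):
    """True if peers a and b (internal (ip, port)) end up talking directly after mediation."""
    # 1. each peer sends a UDP probe to the mediator, which thereby learns its public endpoint
    pub_a, pub_b = nat_a.outbound(a, MEDIATOR), nat_b.outbound(b, MEDIATOR)
    if pub_a is None or pub_b is None:
        return False
    # 2. the mediator hands each peer the other's public endpoint; each fires one UDP packet at it,
    #    which creates state on its own gateway for exactly that remote
    src_a, src_b = nat_a.outbound(a, pub_b), nat_b.outbound(b, pub_a)
    if src_a is None or src_b is None:
        return False  # outbound UDP to an arbitrary peer is denied: nothing to punch through
    # 3. those packets reach the other side's gateway and pass only if the source matches the state
    #    created in step 2 (a symmetric NAT breaks this by using a new public port in step 2)
    return nat_b.inbound(pub_b[1], src_a) == b and nat_a.inbound(pub_a[1], src_b) == a
```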