Tom Eastep | 5 Feb 17:21 2006

Re: RE: Hamachi's VPN solution and Shorewall

On Friday 03 February 2006 20:53, Tom Eastep wrote:
> Guilsson,
> You want to use this VPN solution. You have the Shorewall documentation
> regarding VPN. What are you waiting for?
> We will look forward to your HOWTO that describes how to use Hamachi with
> Shorewall.
> In case you need initial direction:
> Remember -- Open Source works best when people who have a need for a
> solution develop that solution and share it with others.

This thing looks trivial to configure with Shorewall. It's not a configured 
tunnel -- it's a mediated means of establishing a secure UDP link.

From the Hamachi FAQ:
Hamachi connects to a central server on port 12975 using TCP. It
also uses dynamic local and remote UDP ports for communicating
with other Hamachi peers.

What you can do is to fix local UDP port.

Open Hamachi Preferences, System page and enable Magic Option in
Troubleshooting section. The number next to it is UDP port value.

Fixing UDP port is normally used in conjunction with configuring port
forwarding on your NAT/router device to resolve 'yellow status issue'.

Yellow status means that Hamachi cannot establish direct p2p tunnel
toward respective peer. This is not a bug or an error, it is an artefact
of core Hamachi technology, which occurs in approximately 5% of
all cases.

Currently there is only one way to resolve this issue, which is to use
Magic Option and to configure port forwarding on your router:

      Select some UDP port, say, 12975

      Forward this port from the network interface on your router
      that hooks up to the Internet to the machine that is running

      Enable Magic Option and set it to the selected port

      Reconnect Hamachi

What this means in Netfilter/Shorewall terms is that you can only run Hamachi 
on one system behind your masquerading gateway. To do that:

a) If your loc->net policy is ACCEPT, then you don't need to do anything to 
enable connection to the Hamachi servers. Otherwise, you need:

	ACCEPT	loc	net	tcp	12975

b) You need to forward the UDP port to your local system. Assuming that you've 
selected port 12975 as mentioned in the FAQ:

	DNAT	net	loc:<your local IP>	udp	12975
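As an added illustration (not Tom's code, and not part of Shorewall itself), the following hypothetical helper emits exactly the two rules-file lines described above for a given internal host and Magic Option port, and shows why only one Hamachi host can live behind the gateway: a second DNAT of the same external UDP port to a different internal address is a conflict, because the net interface can only map that port to one host. The host addresses and the `dnat_conflicts` check are constructed for this example.

```python
import ipaddress

# Hamachi mediation server port, taken from the FAQ quoted in the mail.
HAMACHI_SERVER_TCP_PORT = 12975


def hamachi_rules(local_ip, udp_port=12975, loc_net_policy="ACCEPT"):
    """Return the /etc/shorewall/rules lines for one Hamachi host.

    local_ip       -- the internal machine running Hamachi (must be a loc host)
    udp_port       -- the UDP port fixed via Hamachi's Magic Option
    loc_net_policy -- the existing loc->net policy; only a non-ACCEPT policy
                      needs the explicit TCP 12975 rule
    Fields are tab separated, as in a hand-written Shorewall rules file.
    """
    ip = ipaddress.ip_address(local_ip)  # raises ValueError on a malformed address
    if not ip.is_private:
        raise ValueError(f"{local_ip} is not a private address; DNAT target must be a loc host")
    if not 1 <= udp_port <= 65535:
        raise ValueError(f"UDP port {udp_port} out of range")

    rules = []
    if loc_net_policy.upper() != "ACCEPT":
        # a) outbound connection to the Hamachi server
        rules.append(f"ACCEPT\tloc\tnet\ttcp\t{HAMACHI_SERVER_TCP_PORT}")
    # b) forward the fixed UDP port from the net zone to the local host
    rules.append(f"DNAT\tnet\tloc:{ip}\tudp\t{udp_port}")
    return rules


def dnat_conflicts(rules):
    """Return the set of (proto, port) pairs DNATed to more than one internal host.

    Hypothetical sanity check: an inbound port on the masquerading gateway can
    only be forwarded to a single internal address, so two Hamachi hosts that
    both use the same Magic Option port cannot coexist behind one gateway.
    """
    seen = {}
    conflicts = set()
    for line in rules:
        fields = line.split("\t")
        if fields[0] != "DNAT":
            continue
        _action, _source, dest, proto, port = fields[:5]
        host = dest.split(":", 1)[1]  # "loc:192.168.1.10" -> "192.168.1.10"
        key = (proto, port)
        if key in seen and seen[key] != host:
            conflicts.add(key)
        seen.setdefault(key, host)
    return conflicts


if __name__ == "__main__":
    # Constructed example: two internal hosts both fixed to UDP 12975.
    rules = hamachi_rules("192.168.1.10", loc_net_policy="DROP")
    rules += hamachi_rules("192.168.1.11")
    print("\n".join(rules))
    print("conflicting DNAT ports:", dnat_conflicts(rules))
```

Giving each host a different Magic Option port removes the conflict, but the mail's point still stands for any single port: one external port, one internal host.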


Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \
Washington USA  \ teastep <at>
PGP Public Key   \
