2006-01-07

Hamachi: Keep Dreamin'

There's a lot of talk in today's security circles with regard to VPN solutions that don't require an arm+leg contract with Cisco. Steve "my webserver runs on an 8086" Gibson spoke heavily on this subject on his "Security Now!" podcast. He outlines three potential VPN solutions: OpenSSH port forwarding (which you can have now), OpenSSH VPN tunneling (which you can have when v.4.3 hits the mirrors), or Hamachi (which you can have at www.hamachi.cc).

Hamachi is a free VPN client for Windows and Linux. Seriously? Save your money. Hamachi's home page insists that the Hamachi application "is a zero-configuration" VPN.

Wrong.

I have a stricter firewall than normal, but the Hamachi folks don't seem to care. There's a single checkbox I can click to change Hamachi's broken behavior, and guess what? It doesn't help. Hamachi's problem is that it tries to be too clever. You install Hamachi, you run Hamachi, Hamachi phones home. At some point, a series of queries are sent to your Hamachi-enabled machine in order to gauge what kind of Internet connection you have.

These queries, called "probes", are meant to be completely firewall agnostic. That's total bullshit.

Bottom line: Hamachi isn't zero-configuration yet. I'd argue that it isn't anywhere close. Sure enough, I'm toying around with version 0.9.9. Don't waste your time on this software because the only real advantage it offers over OpenSSH's forthcoming VPN tunneling is its utility in running over UDP.

It would be easier to make OpenSSH speak UDP than it would be to make Hamachi actually do its job. If I had a rating system, Hamachi would get my lowest rating, the one reserved for Gator, USave.exe, and *.tar.gz packages that don't compile out of the box (I'm lookin' at you, CRM114). No matter how shiny the software looks, no matter how great it might run on a state-of-the-art XP machine (with no packet filtering of course), if it doesn't work for me, for my needs, it's not worth one thin dime.
