Virtual private networking sounds like a daunting topic. It isn’t even immediately clear what it means. But the concept is easy to understand, and the technology can be extremely useful.
Simply put, a virtual private network (VPN) lets two or more computers that are already on the same physical network – which might be a LAN or the internet – communicate and share resources securely. It’s virtual because it doesn’t have any physical infrastructure of its own: traffic is sent over the existing connection. But it uses encryption to prevent unauthorised clients from connecting to the virtual network, and also from accessing the contents of data packets that are used by the VPN – hence “private”.
The benefits of a VPN may not be immediately obvious. If you simply want to exchange secure traffic between network clients, there are certainly ways to do it without having to set up an entire secondary network. You could, for example, use applications that support SSL encryption, or simply encrypt files and messages locally before moving them across the network.
But a VPN is more versatile. It allows you to share volumes and printers over a virtual link, and support multiple protocols, such as HTTP and FTP, with complete transparency to the operating system and applications. To all intents and purposes, members of the VPN are simultaneously connected to two entirely separate networks.
For office-based networks, where access to LAN resources can be locally managed, a VPN may not sound particularly useful. But it comes into its own in situations where implementing a secure physical network would be impractical. For example, if a working team is spread out across the country, all members might want to access shared private resources – but sharing confidential data across the public internet is asking for trouble, and building a secure WAN using dedicated leased lines would be an expensive way to proceed. With a VPN, the workgroup can tunnel a secure virtual network connection over each member’s regular internet service.
A virtual private network can also serve as an extension of a physical private network, with the assistance of a VPN gateway server. If a business executive needs access to the company LAN while travelling, he can simply use his hotel’s internet service to connect to this gateway server, which in turn – when provided with the right credentials – conveys network services to the executive’s laptop, exactly as if it were connected directly to the LAN.
This isn’t to say that VPNs are useful only to geographically diverse workers and jet-setters. The potential for regular office workers to work from home easily and securely is less glamorous but no less practical. A VPN can also be useful for more casual purposes, such as sharing private documents and media between friends in different houses, or students in different blocks. A virtual LAN can be used for gaming, too, enabling you to set up private multiplayer online tournaments.
SETTING UP A VPN
The theoretical merits of virtual private networking should now be apparent, but it’s challenging enough to administer one network, let alone a second virtual one on top of it.
And the truth is, VPN technology inescapably adds complexity to a regular networking setup. Private traffic must be transported via a protocol such as L2TP (Layer 2 Tunnelling Protocol), which encapsulates VPN packets inside UDP datagrams. Security is provided by a separate protocol, typically IPsec. All of this must be configured correctly – in the operating system and potentially on the router as well – to enable VPN clients to communicate securely, or at all. An extra challenge is that VPN clients are often geographically remote, so a “try it and see” approach may not be convenient.
Happily, you don’t need to be a professional network engineer to implement a VPN. Precisely because the process is too complex for the average computer user to configure, several networking specialists – including hardware manufacturers such as Cisco and Cyberoam – offer software VPN clients that handle the technical side of things for you. There’s also Hamachi, produced by LogMeIn, the Massachusetts-based developer better known for its remote desktop service. You can grab the trial version of this here.
Hamachi, in Japanese, is a type of fish – a Japanese amberjack, to be precise. Happily, no such esoteric knowledge is required to use it. In fact, as with LogMeIn’s remote access system, there’s no need to worry about technical networking concepts at all, although to get the best from Hamachi you do need to get to grips with a few key ideas.
Hamachi has a few restrictions. First, it’s an internet-based service, so you can’t use it to create a secure communication network within an isolated home or company LAN. If you want to do that you’ll need to invest in a more advanced VPN system.
If you only want to create a small personal VPN of up to 8 computers, you can install and run the software for free. For up to 32 computers, you’ll pay $19 a year for a standard network subscription.
However, if you want to use Hamachi in a business environment – which is where VPNs are generally most useful – you’re only permitted to evaluate the service free for 14 days. After that, you’re obliged to pay for a premium network subscription, at $119 per year per subscription. This isn’t exactly pocket money, but it does entitle you to create a VPN of up to 256 clients, so if you work in a large group environment the per-seat cost is very low indeed.
DIFFERENT TYPES OF VIRTUAL NETWORK
Since virtual networks work in the same way as physical ones, they can be arranged in the same types of topology. Hamachi supports three different organisational models for a VPN. The simplest is a “mesh” network, in which every computer is connected to every other one, creating a peer-to-peer virtual LAN. A mesh VPN requires no administration: it can be created in moments, and will persist as long as two or more computers are joined to it.
A more sophisticated type of network is what Hamachi calls a “hub-and-spoke” network. By contrast with the fully connected mesh arrangement, hub-and-spoke networks are partly or entirely centralised. Each member is designated either as a hub or a spoke, and while every member can connect to every hub, spokes can’t connect to each other. This means clients can share central resources, such as databases or storage volumes, while remaining securely isolated from other clients. In practice, a hub-and-spoke network with only one hub constitutes a conventional star topology. A hub-and-spoke network in which every member is a hub is functionally the same as a mesh network; a hub-and-spoke network with no hubs isn’t, effectively, a network at all.
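To make the hub-and-spoke rules concrete, here is a small model of which members may talk to which, written for this article rather than taken from Hamachi itself. The member names and roles are constructed for illustration; the function derives the permitted pairs purely from the rule that a pair may communicate only if at least one side is a hub, and it also checks the two equivalences stated above (all hubs behaves like a mesh, no hubs yields no connectivity).

```python
from itertools import combinations

# Constructed example: a file server acting as hub, two staff laptops as spokes.
# These names and roles are illustrative, not a real Hamachi configuration.
EXAMPLE_ROLES = {"fileserver": "hub", "alice": "spoke", "bob": "spoke"}


def mesh_pairs(members):
    """A mesh network: every member may talk to every other member."""
    return {frozenset(p) for p in combinations(sorted(members), 2)}


def hub_and_spoke_pairs(roles):
    """Return the unordered member pairs allowed to communicate.

    roles maps member name -> "hub" or "spoke". Every member may reach every
    hub, but two spokes may never reach each other (the isolation property
    that keeps clients separate while sharing central resources).
    """
    for name, role in roles.items():
        if role not in ("hub", "spoke"):
            raise ValueError(f"{name}: unknown role {role!r}")
    allowed = set()
    for a, b in combinations(sorted(roles), 2):
        if roles[a] == "hub" or roles[b] == "hub":
            allowed.add(frozenset((a, b)))
    return allowed


def can_talk(roles, a, b):
    """True if members a and b are permitted to communicate."""
    return frozenset((a, b)) in hub_and_spoke_pairs(roles)


def topology_equivalences(members):
    """Check the article's claims about degenerate hub-and-spoke networks."""
    all_hubs = {m: "hub" for m in members}
    all_spokes = {m: "spoke" for m in members}
    return {
        "all_hubs_is_mesh": hub_and_spoke_pairs(all_hubs) == mesh_pairs(members),
        "no_hubs_is_no_network": hub_and_spoke_pairs(all_spokes) == set(),
    }


if __name__ == "__main__":
    for pair in sorted(map(sorted, hub_and_spoke_pairs(EXAMPLE_ROLES))):
        print("allowed:", " <-> ".join(pair))
    print("alice <-> bob:", can_talk(EXAMPLE_ROLES, "alice", "bob"))
    print(topology_equivalences(EXAMPLE_ROLES))
```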
The third type is a gateway network – the type of network used in the above example of the itinerant executive. In this model one computer, designated the gateway, is connected to an existing LAN, and also hosts a VPN. Remote clients connect via this VPN to the gateway, which then forwards access to the resources on the LAN.
FREE VPNS FOR FREE SPEECH
A VPN isn’t only a way to share private resources. Coupled with a remote network proxy, it can be a valuable tool for gaining access to restricted sites and services.
For example, in some countries websites critical of the local government may be blocked, or access may be monitored. By using a VPN to connect to a proxy server outside the country, someone inside that country can access verboten websites without anyone being able to tell where they’re browsing from – and without any danger of their traffic being spied upon as it travels to and from their PC.
Similarly, browsing via a VPN-connected proxy enables secure transactions – such as online shopping or banking – when you’re connected to an otherwise insecure network, such as a public wireless hotspot. Without the VPN, wireless traffic can be intercepted by a packet-sniffing interloper and transactions logged by the hotspot administrator.
Although the VPN is a vital part of this formula, it isn’t sufficient on its own – you also need someone to run an accessible proxy. Happily, there are several online services you can use, often for free, although some may restrict bandwidth or impose a monthly data transfer limit. You’ll find the free Hotspot Shield client on the cover DVD, under Resources | Security, or downloadable from http://hotspotshield.com. Other options include CyberGhost and OpenVPN.
CREATING A MESH VPN
The process of creating a VPN with Hamachi depends on which sort of network you want to create. A mesh network is suitable for most domestic purposes, and appealingly simple to set up. To get started, simply install the client and click on the big “Power on” button. You’ll be asked to give your computer a name on the Hamachi network: the default suggestion is the name your computer uses on your existing Windows network, but since the Hamachi network is completely separate you can choose a different name if you wish.
Once you’ve done this, your computer will be assigned new IPv4 and IPv6 addresses for Hamachi (you’ll see them at the top of the window). These are only used on the Hamachi network, and won’t ordinarily interfere with your existing network connections. The only exception is that while Hamachi is active you’ll be unable to connect to any internet site that uses an IPv4 address in the 5.x.x.x range: Hamachi uses this range for VPN connections, but it’s also used by an internet registry based in the Netherlands. In practice, though, this affects a tiny number of specialised sites, so you’re extremely unlikely to have a problem.
Once your PC is registered with Hamachi, you can create a new mesh network by clicking the blue “Create a new network” button and entering a new name and password for your network. The network name must be globally unique – so it may take a few goes to find a valid one – and the password should naturally be something that’s difficult to guess.
You can now establish a VPN connection to this PC from any other internet-connected PC – or Mac – in the world. Simply install the software on the remote system, click the power button and give this client a name. Click “Join an existing network”, enter the network name and password and you’ll be connected – it’s as simple as that.
In the main Hamachi pane you should shortly see the name and address of the other computer, and if you go back to that first computer, you should see your new client listed there. To the left of each client’s name you’ll see a coloured indicator. Green means the client is successfully connected to your VPN; blue means there might be a problem with port forwarding on your router: in this case, see the Hamachi documentation for a guide to configuring a static TCP or UDP port. If the indicator is red, something is blocking communication between the two clients – right-click for more details. A grey indicator means there’s no connection at all.
COMMUNICATING ACROSS THE VPN
Once your client is visible in the Hamachi interface, you can right-click on its name to see various menu options. Ping simply sends a TCP packet to the client to confirm it’s really alive and responding. Chat lets you open a window to communicate directly with whoever is using the other PC. The person who created the network can also Evict a client from the network, if necessary.
A more useful option is Browse, which opens a new Explorer window showing available network resources on the selected computer. All VPN traffic that passes through Hamachi is encrypted with 256-bit AES encryption – in LogMeIn’s phrase, it “uses the same encryption as banks” – so you can consider this connection as secure as a local LAN. Note, however, that Hamachi provides only the bare connection: you still need to have a valid user account on the remote PC to access shared volumes, and you may be prompted for a password. If you’re trying to access shared resources stored on a Mac from a PC client, make sure SMB sharing is enabled.
If you want to perform more advanced networking tasks, you can use the remote computer’s name and Hamachi IP address, as shown in the client list, to access it directly, just as if it were on your home network. In this way, you can easily access shared documents, plus printers, media and other resources such as web pages. You can also easily configure games and network tools to work with one or more VPN-connected PCs.
MORE ADVANCED NETWORKS
The mesh network type is the most convenient for casual use because it’s so simple to set up and administer. If you want to create a hub-and-spoke network, more advanced configuration is required. This is done through the LogMeIn web interface – an interface you’ll be familiar with if you’ve used the company’s remote desktop service. From the web console you can create a new network, approve or reject requests to join, and configure access permissions.
It’s a similar story if you want to configure a gateway network. Here you must use the web administration interface to nominate a network node to act as the gateway server, and to manage client access. There are some technical restrictions to take into account too: Macs can’t currently act as gateway nodes, and nor can workstation PCs that are members of a domain. For more details on creating and managing hub-and-spoke and gateway networks, you’ll find extensive documentation on the LogMeIn website.