Re: Home VPN - Hamachi

["Mark Harrison (Groups)" <mph@xxxxxxxxxxxxxxx>]

On Mon, 2005-12-19 at 10:23 +0000, Simon Ryley wrote:
> Excuse the uneducated amongst us, but I take it from the conversation
> that we should all be using a vpn to access our home systems?  Can
> someone give a short reply as to the why and how to do this?

Here's my go at explaining. Note that in my typical
"pointy-haired"
style, I'm willing to sacrifice the odd bit of technical purism for
"getting the message across", so the big-brain super-techy types
on the
list may wince once or twice.


The benefits of connecting up your PC to the Internet are obvious. Fast
surfing, email, IRC, whatever. However, the Internet is full of Bad
People, who would like to get at your PC, either because they think it's
funny, or to prove some or other so-called "point".

In some cases, your PC, whenever connected to the Internet, will be
attacked directly by these Bad People. In other cases, the Bad People
will have written viruses / other malware that infects the PCs of
Innocently Ignorant People, turning those PCs into so-called zombies
that can attack your PC, even though the PC owners aren't aware that
they're being used to do so.

The easiest way to protect your PC from infection is to configure
"stuff" (the combination of configuring your PC, plus your router
if you
have one, and a firewall, if you have one) so that the PC can ONLY make
outgoing connections. No data is allowed into your PC from the Internet
unless it has positively identified itself as a response to a request
that your PC just made (eg - your PC says, "give me this web
page", and
the return data is allowed back in.) High-end firewalls use something
called "stateful inspection" to REALLY keep track of these
requests, low
end kit uses "port inspection" to work out what is going on.

If this is all you need, then well and good. The problems, however, come
when you want to be able, from time to time, to access your PC from
"out
there" because YOU are visiting somewhere with an Internet connection,
and need data on your PC.

Configuring this securely is much harder. Not least because some of the
protocols used by PCs to share data were never designed with strong
security in mind - they were intended (because of WHEN they were
designed) for use on a private network with no connection to any foreign
networks.

A VPN is one of a group of technologies that allows you to make a SECURE
connection back into your PC. The systems that you want to access will
typically require a password to get into anyway - what a VPN adds is the
ability to make the connection, including sending the password, in a way
that is encrypted. Thus, even if a Bad Person wants to get your
password, they can't listen in even when you're typing it. It's worth
noting that countries, even quite small ones, DO have enough computing
power to break this encryption, and therefore the French Government,
say, would have the capability to listen in on all your private traffic.
Whether they would be allowed to under their own laws is another
question - generally the rule of thumb is "don't make a Western
government believe that you're a terrorist, and they won't hack your
network." Different cultural norms, hwoever, exist in other parts of
the
world.

The "Easy" way to set up a VPN is between a single PC (your
server) and
a single roaming PC (your laptop.) By using a piece of software like
OpenVpn (www.openvpn.org) you can configure your laptop to makes secure
connections over the Internet.

The medium-sized problem is to set up a VPN between your entire LAN
(home network) and a single roaming PC (your laptop). OpenVPN can do
this as well, but it's harder (and if you can concentrate everything on
a single server, not actually always needed.)

The "hard" way to set up a VPN is between your network (whether
one or
more PCs) and an arbitrary device out there on the Internet, to which
you probably don't have the rights to go and install software like
OpenVPN. (Think web cafe, think your employer's/clients' PCs). It's this
problem that Hamachi is trying to solve - by creating a "middle
layer"
on their servers that allows you to access your home network via their
webservers.

Andy and Ian have two different (valid) concerns about this. Andy's
concern was broadly that "how do I know I can trust Hamaci?".
Ian's
concern is that they're breaking some of the rules about how you're
meant to use IP addresses, and while they can get away with it at the
moment, that won't always be true. (It's a bit like assuming that you
CAN speed at 100mph down that section of B-road every morning because
there's no speed camera there - once there is, the points will stack
up.)

Hamachi have responded to these concerns in different ways. Firstly they
have invited some self-styled security experts to come and look at their
systems, and got broadly positive feedback. How much these experts can
be trusted is the big unknown - everyone gets it wrong from time to
time, no matter how hard they try. Secondly, they admit that the "IP
addressing" problem is going to bit them, but believe that they have
enough time to come and sort it out as and when it bites. Only time will
tell on that :-)


What do I do:

- I run openvpn (www.openvpn.org) on my server and laptop.

- I use www.logmein.com to give remote control of my office PC from
anywhere on the Internet. This (in the free version) DOESN'T give me the
ability to copy files - but if there's a file I need on the road, I take
control of my desktop, and copy the file up to my website, from which I
can download it again.

- The link Andy posted "SSL-Explorer" seems interesting, and
potentially
a better way to get at files remotely, but not a "2-minute"
install to
get running.

Regards,

MArk