Consolidation of remote offices. VPN (Virtual Private Networks). VPN connection: what is it and what is a VPN channel for?

In this article, we will take a closer look at the process of setting up a VPN server in the Windows Server operating system, and also answer the questions: What is a VPN and how to set up a VPN connection?

What is a VPN connection?

VPN (Virtual Private Network) is a virtual private network used to provide a secure connection to a network: a technology that lets you join any number of devices into a private network, as a rule over the Internet.

Although this technology is not new, it has recently gained relevance due to the desire of users to maintain data integrity or privacy in real time.

This connection method is called a VPN tunnel. You can connect to a VPN from any computer running any operating system that supports VPN connections, or on which a VPN client is installed that can forward TCP/IP traffic into the virtual network.

What does a VPN do?

VPN provides remote connection to private networks.

It also lets you securely combine several networks and servers.

Computers with IP addresses from 192.168.0.10 to 192.168.0.125 are connected through a network gateway, which acts as a VPN server. Rules for connections via the VPN channel must first be written on the server and router.

VPN allows you to safely use the Internet even when connecting to open Wi-Fi networks in public areas (shopping centers, hotels or airports).

It also lets you bypass restrictions on displaying content in certain countries.

VPN protects against an attacker intercepting information in transit unnoticed by the recipient.

How VPN works

Let's look at how a VPN connection works in principle.

Let's imagine that transmission is the movement of a packet along a highway from point A to point B; along the packet's path there are checkpoints through which the packet must pass. When using a VPN, this route is additionally protected by encryption and user authentication that secure the traffic carrying the packet. This method is called “tunneling” (using a tunnel).

In this channel, all communications are reliably protected: every intermediate node handles only the encrypted packet, and only when the data reaches the recipient is it decrypted and made available to the authorized recipient.

VPN will ensure the privacy of your information along with a comprehensive antivirus.

VPN is built on such protocols as OpenVPN, L2TP, IPsec, PPTP and PPPoE, and turns out to be a completely secure and safe method of data transfer.

VPN tunneling is used:

  1. Inside the corporate network.
  2. Consolidation of remote offices, as well as small branches.
  3. Access to external IT resources.
  4. For building video conferences.

Creating a VPN, selecting and configuring equipment.

For corporate communications in large organizations or combining offices remote from each other, hardware is used that is capable of maintaining uninterrupted operation and security in the network.

To use the VPN service, the role of the network gateway can be played by a Linux/Windows server, a router, or a network gateway on which the VPN is installed.

The router must ensure reliable operation of the network without freezes. The built-in VPN function allows you to change the configuration for working at home, in an organization or in a branch office.

Setting up a VPN server.

If you want to install and use a VPN server based on the Windows family, you need to understand that the client editions Windows XP/7/8/10 do not support this role; you need a virtualization system or a physical server on the Windows Server 2000/2003/2008/2012/2016 platform. Here we will consider this feature on Windows Server 2008 R2.

1. First, you need to install the “Network Policy and Access Services” server role. To do this, open the server manager and click on the “Add role” link:

Select the "Network Policy and Access Services" role and click Next:

Select "Routing and Remote Access Services" and click Next and Install.

2. After installing the role, you need to configure it. Go to Server Manager, expand the "Roles" branch, select the "Network Policy and Access Services" role, expand it, right-click "Routing and Remote Access" and select "Configure and Enable Routing and Remote Access".

After starting the service, we consider the configuration of the role complete. Now you need to allow users access to the server and configure the issuance of IP addresses to clients.

Ports used by the VPN protocols; after the service is up, open them in the firewall:

  • PPTP: 1723 (TCP)
  • L2TP: 1701 (TCP)
  • SSTP: 443 (TCP)

The L2TP/IPsec protocol is preferable for building VPN networks, mainly for security and higher availability, since a single UDP session is used for the data and control channels. Today we will look at setting up an L2TP/IPsec VPN server on the Windows Server 2008 R2 platform.

You can try to deploy on the following protocols: PPTP, PPPoE, SSTP, L2TP, L2TP/IPsec.

Go to Server Manager: Roles - Routing and Remote Access, right-click on this role and select "Properties". On the "General" tab, check the "IPv4 Router" box, select "LAN and demand-dial routing", and check "IPv4 Remote access server":

Now we need to enter the pre-shared key. Go to the Security tab, check "Allow custom IPsec policy for L2TP connection" and enter your key. (About the key: you can enter an arbitrary combination of letters and numbers; the main principle is that the more complex the combination, the safer it is. Remember or write down this combination; we will need it later.) In the Authentication provider field, select Windows Authentication.

Now we need to configure connection security. To do this, on the same Security tab click Authentication Methods and check the boxes EAP and Microsoft encrypted authentication version 2 (MS-CHAP v2):

Next, go to the IPv4 tab. There we indicate which interface will accept VPN connections and configure the pool of addresses issued to L2TP VPN clients (set the adapter to "Allow RAS to select adapter"):

Now go to the Ports node that has appeared, right-click it and choose Properties, select the L2TP device and press Configure. In the new window, check "Remote access connections (inbound only)" and "Demand-dial routing connections (inbound and outbound)" and set the maximum number of ports; the number of ports must match or exceed the expected number of clients. It is better to disable unused protocols by unchecking both checkboxes in their properties.

The list of ports that we have left, in the specified quantity.

This completes the server setup. All that remains is to allow users to connect to the server. Go to Server Manager, Active Directory Users and Computers, find the user to whom we want to grant access, open Properties and go to the Dial-in tab.

Building a VPN channel

Hello everyone! Today in this article we will look in detail at how to set up a VPN channel between offices using OpenVPN, with the option of additional password protection. It's no secret that OpenVPN has recently become very popular in many organizations, and the point is not only that it is completely free but the efficiency with which you can connect remote offices with VPN channels. We will set up a VPN tunnel between offices with additional password protection on the Windows platform.

Task: set up a VPN channel between two branches of your company. The network in the first branch is called N_B1 and the network in the second branch is called N_B2. OpenVPN in both offices will be installed on Windows 7. Let's get started.

Network N_B1 contains:

  • The computer or server on which the OpenVPN server is installed has 2 network interfaces: one, as you can understand, for the WAN IP address, and the second for the internal network.
  • It also has a proxy server installed that distributes the Internet to the local network, thereby serving as the main gateway for all machines on the local network (192.168.2.100).
  • 192.168.2.100 faces the local network.
  • 192.168.2.3 is the interface that faces the Internet through a router that has a static IP, say 123.123.123.123. Port forwarding is configured on the router: for example, port 1190 is forwarded to the network interface with IP address 192.168.2.3.
  • A user on the network has 192.168.2.100.

Network N_B2 contains:

  • The computer or server on which the OpenVPN client is installed also has 2 network interfaces.
  • It also has a proxy server installed that distributes the Internet to the local network, thereby serving as the main gateway for all machines on the local network (172.17.10.10).
  • 172.17.10.10 faces the local network.
  • 192.168.2.3 faces the Internet through the router.
  • A user on the network: 172.17.10.50.

Task: A person from an office with network N_B1 (192.168.2.100) should see shared resources on the computer of a person from network N_B2 (172.17.10.50) and in the opposite direction.

In other words, everyone should see everyone and have the opportunity to visit, in case someone shares the new photos with their colleague from another branch.

The organization of VPN channels between company branches is of great importance in the work of any IT specialist. This article discusses one of the ways to implement this task based on the OpenVPN software product.

Below we will look at the network topology in which we will organize a VPN tunnel, analyze the features of configuring the OpenVPN program and step by step configure routing for our offices. The article was written based on the assumption that OpenVPN will be installed on the Windows 7 and Windows Server 2008 platforms.

Network topology.

The network topology we used is standard. There is a Central Office Network (let's call it SCO) and a Branch Network (let's call it SF). The task is to connect the offices in such a way that the end-user computer (hereinafter PC1) in the SCO has access to the shared resources of the user computer (hereinafter PC2) in the SF.

The SCO includes:

  • Internet gateway (let's call it ISH1) with two network interfaces:
    • 111.111.111.111 - issued by the provider, faces the Internet.
    • 192.168.0.1 - assigned by us, faces the SCO.
  • OpenVPN server (hereinafter OS), on which we will install OpenVPN, with one virtual and one physical interface:
    • 10.8.0.1 - address of the virtual interface (the interface is installed during the installation of the OpenVPN program). The address for this interface is assigned by the program; we should not change it ourselves from the network adapter settings.
    • 192.168.0.2 - physical interface, parameters are set by us, faces the SCO.
  • PC1 - user computer 1, with network interface 192.168.0.3, likewise facing the SCO.

The SF includes:

  • Internet gateway (hereinafter ISH2) with two network interfaces:
    • 222.222.222.222 - issued by the provider, faces the Internet.
    • 192.168.1.2 - assigned by us, faces the SF.
  • OpenVPN client (hereinafter OK), on which we will install OpenVPN, with one virtual and one physical interface:
    • 10.8.0.2 - address of the virtual network interface (the interface is installed during the installation of the OpenVPN program). The address for this interface is also assigned by the OpenVPN program.
    • 192.168.1.2 - physical interface, parameters are set by us, faces the SF.
  • PC2 - user computer 2, with network interface 192.168.1.3, faces the SF.

Setting up an OpenVPN server.

Now let's move on to the program itself, the basics and features of its configuration. OpenVPN is available in Linux and Windows versions. You can download the installation package from .

The installation process itself will not cause any problems. The only thing is to disable the antivirus during installation in order to avoid additional problems. At the time of writing, for example, Kaspersky Lab products did not block the installation, but only raised suspicions about some installed components.

During the installation process, a virtual network adapter, TAP-Win32 Adapter V9, is installed on the system, along with its driver. The OpenVPN program will assign an IP address and the OpenVPN virtual network mask to this interface. In our case, it is assigned the address 10.8.0.1 with a mask of 255.255.255.0 on the OS server and 10.8.0.2 with the same mask on the OK client.

By default, the program is installed in C:\Program Files\OpenVPN. In this directory you should immediately create two additional folders: keys (this is where we will store the authentication keys) and ccd (this is where the server-side configs for each client will go).

The directory C:\Program Files\OpenVPN\sample-config contains standard sample configs. The configs that we will create must be placed in the directory C:\Program Files\OpenVPN\config.

Setting up OpenVPN begins with generating keys. The generated keys are divided into:

  • the master Certificate Authority (CA) certificate and key, used to sign each server and client certificate;
  • public and private keys for the server and for each (this is important) client separately.

The sequence for creating keys is as follows (the names of the certificate and key files are given in parentheses):

  • Generate the main CA certificate (ca.crt) and CA key (ca.key).
  • Generate a certificate (server.crt) and key (server.key) for the server.
  • Generate a certificate (office1.crt) and key (office1.key) for each client.
  • Generate Diffie-Hellman parameters (dh1024.pem).
  • Generate a tls-auth key (ta.key) for packet authentication.

Let's look at each point in more detail.

Generate the main CA certificate and CA key:

Go to Start - Run, type cmd, click OK, and the command line opens. We type (the quotes are needed because of the space in the path):

cd "C:\Program Files\OpenVPN\easy-rsa"

So we are in the directory easy-rsa:

During all key generation steps, you must be in it. We execute the command:

init-config

Without closing the command line, go to C:\Program Files\OpenVPN\easy-rsa and edit the file vars.bat, filling in the following parameters (with your own data, of course):

set KEY_COUNTRY=RF
set KEY_PROVINCE=MO
set KEY_CITY=Malinino
set KEY_ORG=Organization
set KEY_EMAIL=<your e-mail address>

Now let's create the CA certificate and CA key. Back in the command line, which has been sitting on the desktop all this time, we continue entering commands:

vars
clean-all
build-ca

The last command is what generates the CA certificate and CA key. During key creation you will be asked questions, which you can answer simply by pressing Enter (then the values will be taken from the vars.bat file we edited above) or by entering your own. Pay attention to the question:

Common Name (eg, your name or your server's hostname): OpenVPNS

Here you must specify a name for the server - in the example we entered OpenVPNS.

We generate a certificate (server.crt) and a key (server.key) for the server.

Without leaving the directory, we will continue to enter commands in our command line. Let's generate a server certificate and key with the command:

build-key-server server

We answer the questions in the same way as in the first paragraph. To the question:

Common Name *: server

Let's enter: server. For questions:

Sign the certificate?

1 out of 1 certificate requests certified, commit?

you must give a positive answer: Y.

We generate a certificate (office1.crt) and a key (office1.key) for the client.

Obviously, there can be many clients; in our example there is only one, office1. Depending on the number of clients, the following command is executed several times, changing the names of the generated keys:

build-key office1

If more certificates and keys are required, say for a second client, then enter:

build-key office2

In the process of answering questions, do not forget that each client CommonName should get a unique name, for example: office1, office2, etc.

Generate Diffie-Hellman parameters (dh1024.pem).

We enter on the command line, still in the same easy-rsa directory:

build-dh

Generating a tls-auth key (ta.key) for packet authentication

At the end, we create a key for tls authentication with the command:

openvpn --genkey --secret ta.key

Now let's figure out which files to leave on the server and which to transfer to the client. On the server (OS), only the following files should be in the keys folder we created:

  • ca.crt
  • ca.key
  • dh1024.pem
  • server.crt
  • server.key
  • ta.key

On the OK client, similarly to the OS server, we will also create a keys folder, there should be:

  • ca.crt
  • office1.crt
  • office1.key
  • ta.key

All files with the .key extension are secret. They should only be transmitted via secure channels, preferably on physical media.

Next, let's start creating configs for our OS server and OK client. In the config directory, create a file named server.ovpn, open it with Notepad and start writing the config:

Select the protocol for data transfer, in this case udp:

proto udp

Standard port for OpenVPN:

port 1194

The operating mode of the program is an L3 tunnel; in this mode OpenVPN acts as a router:

Client-server mode:

tls-server

This topology is available from version 2.1 and means that each client is given one address, without per-client point-to-point subnets:

topology subnet

Routes are added via route.exe; this is important:

route-method exe

The delay (in seconds) before routes are added; it can be reduced to 5:

route-delay 10

This option defines the network organization. We now have a virtual network 10.8.0.0/24. The first address from this network, 10.8.0.1, is issued to the server; the subsequent ones (10.8.0.2, 10.8.0.3, etc.) go to clients. The DHCP server receives the address 10.8.0.254:

server 10.8.0.0 255.255.255.0

Set the gateway in the OpenVPN network:

route-gateway 10.8.0.1

The directory in which we must place a file named after our client, that is, office1 without an extension, containing the commands that will be executed on the client:

client-config-dir "C:\\Program Files\\OpenVPN\\ccd"

Paths to the certificates and keys (the CA certificate is required as well, since the server verifies client certificates against it):

ca "C:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\keys\\dh1024.pem"
tls-auth "C:\\Program Files\\OpenVPN\\keys\\ta.key" 0

We give the OS server a route to the entire VPN network:

route 10.8.0.0 255.255.255.0

Select the encryption cipher:

cipher BF-CBC

Enable traffic compression:

comp-lzo

OpenVPN reports non-critical network errors to the program's event log. In practice, this reduces the amount of output in the status window that appears when the OpenVPN server starts:

The server pings the opposite side with an interval of 10 seconds, and if the other side does not respond within 60 seconds, the server starts a reconnection:

keepalive 5 60

Next, go to the ccd directory and create a file that will contain the commands sent to the client from the server. It must be named the same as the client itself, for example office1, with no extension.

We edit it using Notepad. All parameters specified below will be automatically passed to the client:

We set the IP and mask for our client office1:

ifconfig-push 10.8.0.2 255.255.255.0

We pass it the route for the entire VPN network:

push "route 10.8.0.0 255.255.255.0"

We set a gateway for it:

push "route-gateway 10.8.0.1"

This command tells the OS server that behind this client, namely OK (office1), there is the network 192.168.1.0:

iroute 192.168.1.0 255.255.255.0

Thus, we have finished configuring the server on the OS side.

Client setup.

Next, let's move on to the client parameters. Go to the config folder on the OK machine and create a file office1.ovpn in it. Let's start editing it; a number of options are the same as on the server, so we won't explain them again:

dev tun
proto udp
port 1194

We indicate the external address of ISH1:

remote 111.111.111.111

The client will work in TLS-client mode:

tls-client

This option protects against server spoofing by a third party:

remote-cert-tls server

These options are the same as on the server:

route-method exe
route-delay 10

Set the route to the network 192.168.0.0:

route 192.168.0.0 255.255.255.0

With this command we allow receiving the client configuration from the server:

Paths to the keys:

ca "C:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\keys\\office1.crt"
key "C:\\Program Files\\OpenVPN\\keys\\office1.key"
tls-auth "C:\\Program Files\\OpenVPN\\keys\\ta.key" 1

The remaining options are also the same as on the server:

cipher BF-CBC
comp-lzo
verb 1
keepalive 5 60

This completes the setup of the program on the client side OK.
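The server.ovpn, ccd/office1 and office1.ovpn fragments above only work if they agree with each other. As an added example (not code from the original article), here is a small Python checker that parses the three config texts and verifies the points the walkthrough relies on: matching proto and port, tls-server against tls-client, complementary tls-auth key directions, an ifconfig-push address inside the server pool, a server route for every iroute, the client's pull and remote-cert-tls directives, and a warning for the 64-bit block cipher BF-CBC. The sample configs are constructed inline; the server's ca line and the client's pull line are assumptions that the article's text implies but does not show.

```python
import ipaddress
import shlex

# Constructed sample configs carrying the directives from the walkthrough above
# (paths follow the article's C:\Program Files\OpenVPN layout). Two lines are
# assumptions rather than the article's: "ca" on the server (tls-server needs the CA
# to verify client certificates) and "pull" on the client (needed to accept pushes).
SERVER_OVPN = r'''
proto udp
port 1194
dev tun
tls-server
server 10.8.0.0 255.255.255.0
ca "C:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\keys\\server.key"
tls-auth "C:\\Program Files\\OpenVPN\\keys\\ta.key" 0
route 192.168.1.0 255.255.255.0 10.8.0.2
cipher BF-CBC
'''
CCD_OFFICE1 = r'''
ifconfig-push 10.8.0.2 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
iroute 192.168.1.0 255.255.255.0
'''
CLIENT_OVPN = r'''
dev tun
proto udp
port 1194
remote 111.111.111.111
tls-client
remote-cert-tls server
pull
ca "C:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\keys\\office1.crt"
key "C:\\Program Files\\OpenVPN\\keys\\office1.key"
tls-auth "C:\\Program Files\\OpenVPN\\keys\\ta.key" 1
cipher BF-CBC
'''
# 64-bit block ciphers: weak on long-lived tunnels, dropped from OpenVPN 2.5 defaults.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_ovpn(text):
    """Parse OpenVPN config text into (directive, args) pairs, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # unquotes "C:\\path" and "push payloads"
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def get(entries, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    return next((args for d, args in entries if d == name), None)


def check_pair(server_text, ccd_text, client_text):
    """Return a list of findings; an empty list means the three files agree."""
    srv, ccd, cli = (parse_ovpn(t) for t in (server_text, ccd_text, client_text))
    findings = []
    for name in ("proto", "port"):  # transport must match on both ends
        if get(srv, name) != get(cli, name):
            findings.append(f"{name} differs between server and client")
    if get(srv, "tls-server") is None or get(cli, "tls-client") is None:
        findings.append("expected tls-server on the server and tls-client on the client")
    # tls-auth uses complementary key directions: 0 on the server, 1 on the client.
    s_ta, c_ta = get(srv, "tls-auth"), get(cli, "tls-auth")
    if not (s_ta and c_ta and s_ta[1:] == ["0"] and c_ta[1:] == ["1"]):
        findings.append("tls-auth key direction must be 0 on the server and 1 on the client")
    # The pushed client address must lie in the 'server' pool and not be the server's own.
    pool, pushed = get(srv, "server"), get(ccd, "ifconfig-push")
    if pool and pushed:
        net = ipaddress.ip_network(f"{pool[0]}/{pool[1]}", strict=False)
        addr = ipaddress.ip_address(pushed[0])
        if addr not in net or addr == net[1]:
            findings.append(f"ifconfig-push {addr} is not a usable client address in {net}")
    # Every iroute (a network behind the client) needs a kernel route on the server too.
    server_routes = {tuple(a[:2]) for d, a in srv if d == "route"}
    for d, a in ccd:
        if d == "iroute" and tuple(a[:2]) not in server_routes:
            findings.append(f"iroute {a[0]} has no matching 'route' in the server config")
    # Pushed options are applied only if the client pulls them.
    pushes = any(d in ("push", "ifconfig-push") for d, _ in ccd)
    if pushes and get(cli, "pull") is None and get(cli, "client") is None:
        findings.append("client has neither 'pull' nor 'client'; pushed options will be ignored")
    if get(cli, "remote-cert-tls") != ["server"]:
        findings.append("client lacks 'remote-cert-tls server' (no protection against server spoofing)")
    s_cipher, c_cipher = get(srv, "cipher"), get(cli, "cipher")
    if s_cipher != c_cipher:
        findings.append("cipher differs between server and client")
    elif s_cipher and s_cipher[0].upper() in SMALL_BLOCK_CIPHERS:
        findings.append(f"cipher {s_cipher[0]} has a 64-bit block; prefer AES-256-GCM")
    return findings


if __name__ == "__main__":
    for finding in check_pair(SERVER_OVPN, CCD_OFFICE1, CLIENT_OVPN) or ["configs agree"]:
        print(finding)
```

Run against the article's own settings, the only finding is the BF-CBC warning; flipping the client's tls-auth direction or dropping pull produces a finding for each.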

Firewall configuration and routing.

So, we have configured the configs for OK and OS. Now let's look at some very important points. Let's make a reservation in advance: if you use KIS 2011 or similar anti-virus programs, then in the firewall settings you should allow ICMP packets through. This will let us ping hosts on our networks without problems.

It is also worth adding our virtual interface of the OpenVPN program to the list of trusted networks.

On ISH1 the following actions must be performed:

  • Configured redirection of port 1194 of the UDP protocol from interface 111.111.111.111 to the OS server interface 192.168.0.2
  • The firewall must allow transmission of the UDP protocol on port 1194, otherwise ping will not pass even between the OS and OK.

On ISH2, similar actions must be taken:

  • Configure UDP port 1194 redirection from interface 222.222.222.222 to client interface OK 192.168.1.2
  • Check if UDP port 1194 is open in the firewall.

In Usergate 5.2, for example, setting up packet forwarding on port 1194 of the UDP protocol looks like this:

At this stage, OK and OS already ping each other at their OpenVPN addresses, 10.8.0.1 and 10.8.0.2. Next, we need to ensure the correct routing of packets from the OK client to the remote network 192.168.0.0. We do this in one of several ways:

Either we set a permanent route to this network on the OK client itself:

route -p add 192.168.0.0 mask 255.255.255.0 10.8.0.1

Or we set this route in the client's ccd config on the server, namely in the office1 file we add:

push "route 192.168.0.0 255.255.255.0"

This can also be done by adding a line directly to the OK client config:

route 192.168.0.0 255.255.255.0

Then you need to provide a route for packets from the OS server to the remote network 192.168.1.0. This is done similarly to the option above, with a few differences.

Add the command to the OS server config:

route 192.168.1.0 255.255.255.0 10.8.0.2

or add the route directly on the command line:

route -p add 192.168.1.0 mask 255.255.255.0 10.8.0.2

It is also necessary to enable the Routing and Remote Access service in the services on both the OS server and the OK client, thus enabling routing to the internal network (forwarding). Without this, the internal addresses of the OK client and the OS server in the SCO and SF networks will not ping.

At this stage, we can already freely ping the internal addresses of our OS and OK: typing ping 192.168.1.2 on the OS server and ping 192.168.0.2 on the OK client, we get a positive result in the form:

Thus, OK and OS ping each other both on their OpenVPN addresses and on their internal SCO and SF addresses. Next, we need to register on PC1 and PC2 the routes to the remote office network, which go through the OpenVPN network 10.8.0.0 via the OS and OK respectively. This is done with the following commands, on PC1:

route -p add 192.168.1.0 mask 255.255.255.0 192.168.0.2

and on PC2:

route -p add 192.168.0.0 mask 255.255.255.0 192.168.1.2

As a result, the shared resources in PC1 and PC2 will be available at their intranet address:
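To see why each of the routing steps above is needed, here is an added Python model (not the article's code) of the SCO/SF topology: every host carries the routes the walkthrough adds, a forwarding flag stands in for the Routing and Remote Access service, and trace() follows a packet from PC1 to PC2 hop by hop, showing exactly where it is dropped when the PC1 route, the OS route or forwarding is missing. The host names, the default gateway on PC1 pointing at ISH1 and the DROP markers are assumptions of the model.

```python
import ipaddress

# Constructed model of the topology above: SCO 192.168.0.0/24 behind OS,
# SF 192.168.1.0/24 behind OK, OpenVPN network 10.8.0.0/24 between them.
# Added simulation, not the article's code; 'forwarding' stands for the RRAS
# service being enabled on a transit host.


class Host:
    def __init__(self, name, addrs, routes, forwarding=False):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        # (network, next hop); a next hop of None means directly connected
        self.routes = [(ipaddress.ip_network(n), ipaddress.ip_address(g) if g else None)
                       for n, g in routes]
        self.forwarding = forwarding

    def lookup(self, dst):
        """Longest-prefix match: next hop, dst itself when on-link, None when no route."""
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is None:
            return None
        return dst if best[1] is None else best[1]


def build_network(pc1_route=True, os_route=True, forwarding=True):
    """Hosts of both offices; the flags drop individual steps of the walkthrough."""
    pc1_routes = [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")]
    if pc1_route:   # route -p add 192.168.1.0 mask 255.255.255.0 192.168.0.2 on PC1
        pc1_routes.append(("192.168.1.0/24", "192.168.0.2"))
    os_routes = [("192.168.0.0/24", None), ("10.8.0.0/24", None)]
    if os_route:    # route 192.168.1.0 255.255.255.0 10.8.0.2 in the OS server config
        os_routes.append(("192.168.1.0/24", "10.8.0.2"))
    hosts = [
        Host("PC1", ["192.168.0.3"], pc1_routes),
        # ISH1 knows nothing about the branch: a packet sent to it leaves toward the provider
        Host("ISH1", ["192.168.0.1", "111.111.111.111"], [("192.168.0.0/24", None)], True),
        Host("OS", ["192.168.0.2", "10.8.0.1"], os_routes, forwarding),
        Host("OK", ["192.168.1.2", "10.8.0.2"],
             [("192.168.1.0/24", None), ("10.8.0.0/24", None), ("192.168.0.0/24", "10.8.0.1")],
             forwarding),
        Host("PC2", ["192.168.1.3"], [("192.168.1.0/24", None), ("192.168.0.0/24", "192.168.1.2")]),
    ]
    return {a: h for h in hosts for a in h.addrs}


def trace(by_addr, src_name, dst, max_hops=8):
    """Names of the hosts a packet from src_name to dst passes through; ends in DROP(...) on failure."""
    dst = ipaddress.ip_address(dst)
    cur = next(h for h in by_addr.values() if h.name == src_name)
    path = [cur.name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path
        if len(path) > 1 and not cur.forwarding:  # transit host without RRAS forwarding
            return path + ["DROP(no forwarding)"]
        nh = cur.lookup(dst)
        if nh is None or nh not in by_addr:       # no route, or next hop outside the model
            return path + ["DROP(no route)"]
        cur = by_addr[nh]
        path.append(cur.name)
    return path + ["DROP(loop)"]


if __name__ == "__main__":
    print(trace(build_network(), "PC1", "192.168.1.3"))  # ['PC1', 'OS', 'OK', 'PC2']
    print(trace(build_network(pc1_route=False), "PC1", "192.168.1.3"))
    print(trace(build_network(os_route=False), "PC1", "192.168.1.3"))
    print(trace(build_network(forwarding=False), "PC1", "192.168.1.3"))
```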


Although the topic is well-worn, many people still run into difficulties, be it a novice system administrator or simply an advanced user whose superiors forced him to perform the duties of an "any-key" helpdesk specialist. Paradoxically, despite the abundance of information on VPNs, finding a clear guide is a real problem. Moreover, one gets the impression that one person wrote it and the others brazenly copied the text. As a result, search results are literally cluttered with unnecessary information from which something worthwhile can rarely be extracted. So I decided to go through all the nuances in my own way (maybe it will be useful to someone).

So what is a VPN? VPN (Virtual Private Network) is a generalized name for technologies that allow one or more network connections (a logical network) to be provided on top of another network (including the Internet). Depending on the protocols and purposes used, a VPN can provide three types of connections: host-to-host, host-to-network and network-to-network. As they say, no comment.

A typical VPN scheme

VPN allows you to easily combine a remote host with the local network of a company or another host, as well as combine networks into one. The benefit is quite obvious - we can easily access the enterprise network from the VPN client. In addition, VPN also protects your data through encryption.

I don’t pretend to describe to you all the principles of VPN operation, since there is a lot of specialized literature, and to be honest, I don’t know a lot of things myself. However, if your task is “Do it!”, you urgently need to get involved in the topic.

Let's look at a problem from my personal practice, when I needed to connect two offices via VPN - a head office and a branch office. The situation was further complicated by the fact that there was a video server at the head office, which was supposed to receive video from the branch’s IP camera. Here's the task in brief.

There are many solutions. It all depends on what you have on hand. In general, a VPN is easy to build using a hardware solution based on various Zyxel routers. Ideally, it may also happen that the Internet is supplied to both offices by one provider, and then you will have no problems at all (you just need to contact the provider). If the company is rich, it can afford Cisco. But usually everything is solved with software.

And here the choice is wide: OpenVPN, WinRoute (note that it is paid), operating system tools, programs like Hamachi (to be honest, in rare cases it can help out, but I don't recommend relying on it: the free version has a limit of 5 hosts, and another significant disadvantage is that your entire connection depends on the Hamachi host, which is not always good). In my case, it would be ideal to use OpenVPN, a free program that can easily create a reliable VPN connection. But, as always, we will follow the path of least resistance.

In my branch, the Internet is distributed by a gateway based on a client edition of Windows. I agree, it's not the best solution, but it's enough for three client computers. I need to make a VPN server out of this gateway. Since you are reading this article, you are probably new to VPN. Therefore, I give you the simplest example, which, in principle, suits me.

The Windows NT family already has rudimentary server capabilities built into it. Setting up a VPN server on one of the machines is not difficult. As a server, I will give examples of Windows 7 screenshots, but the general principles will be the same as for old XP.

Please note that to connect two networks, they must have different address ranges! For example, at the head office the range could be 192.168.0.x, and at the branch 192.168.20.x (or any private IP range). This is very important, so be careful. Now you can start setting up.

Go to the VPN server in Control Panel -> Network and Sharing Center -> change adapter settings.

Now press the Alt key to bring up the menu. There, in the File item, you need to select “New incoming connection”.

Check the boxes for users who can log in via VPN. I highly recommend adding a new user, giving it a friendly name and assigning a password.

After you have done this, you need to select in the next window how users will connect. Check the box “Via the Internet”. Now you just need to assign a range of virtual network addresses. Moreover, you can choose how many computers can participate in data exchange. In the next window, select TCP/IP version 4 protocol, click “Properties”:

You will see what I have in the screenshot. If you want the client to gain access to the local network in which the server is located, simply check the “Allow callers access to the local network” checkbox. In the “Assigning IP addresses” section, I recommend specifying addresses manually according to the principle that I described above. In my example, I gave the range only twenty-five addresses, although I could have simply specified two or 255.

After that, click on the “Allow access” button.

The system will automatically create a VPN server, which will lonely wait for someone to join it.

Now all that's left is to set up the VPN client. On the client machine, also go to the Network and Sharing Center and select "Set up a new connection or network". Now select the item "Connect to a workplace".

Click "Use my Internet connection", and a window will appear where you need to enter the address of our Internet gateway at the branch. For me it looks like 95.2.x.x

Now you can name the connection, enter the username and password that you set on the server, and try to connect. If everything is correct, you will be connected. In my case, I can already ping any branch computer and reach the camera. Now it is easy to connect it to the video server. Your case may differ.

Alternatively, when connecting, an 800 error may pop up, indicating that something is wrong with the connection. This is either a client or server firewall issue. I can’t tell you specifically - everything is determined experimentally.

This is how we simply created a VPN between two offices. Players can be united in the same way. However, do not forget that this will still not be a full-fledged server and it is better to use more advanced tools, which I will talk about in the following parts.

In particular, in Part 2 we will look at setting up OpenVPN for Windows and Linux.

The Internet has firmly entered our lives. If earlier, in the years when analog modems dominated, accessing the Internet meant keeping track of both traffic volume and connection time, today an unlimited Internet connection has become the norm: if the Internet is not available at any time and in any "volume", that is already out of the ordinary. Moreover, if unlimited Internet access used to be considered the de facto standard for corporate networks, today it has become the norm for end users as well. As the Internet develops, the conceptual model of its use also changes. More and more new services are appearing, such as video on demand and VoIP, and peer-to-peer file-sharing networks (BitTorrent) and the like are developing. Recently, organizing virtual private networks (VPN) over the Internet, with the ability to gain remote access to any computer in such a network, has become very popular. How this can be done will be discussed in this article.

Why is this necessary?

Organization of VPN networks over the Internet or within a local network has many use cases: network games on the Internet bypassing game servers (just like games over a local network), creating a network closed from outsiders for transmitting confidential information, the ability to remotely and securely manage computers (full control over a remote PC), organizing secure access for employees on a business trip to corporate network resources, communication via a virtual network of individual offices (local area networks).

The traditional approach to deploying such a virtual private network is that a VPN server (usually based on Linux OS) is installed and configured in the corporate network and remote users access the corporate network via VPN connections.

This approach does not help, however, when a user needs remote access to a home computer: installing a dedicated VPN server at home can hardly be considered normal. Still, there is no need to despair. Creating a VPN network is a solvable task, and even a novice user can manage it with a special program, Hamachi, which can be downloaded free of charge from http://www.hamachi.cc/download/list.php. Particularly welcome is the availability of a Russian-language version, so that any user can master the program.

Hamachi 1.0.2.2

So, Hamachi (current version 1.0.2.2) is a program that creates a virtual private network (VPN) over the Internet and connects several computers to it. Once such a network exists, its users can establish VPN sessions among themselves and work as on an ordinary local network (LAN): share files, administer computers remotely, and so on. The advantage of the VPN is that it is protected from outsiders: the traffic between members is encrypted, and although the network runs on top of the Internet, its members are reachable only by other members, not from the Internet at large.

Hamachi must be installed on all computers that are to be connected to a virtual private network.

The virtual network is created with the help of a dedicated Hamachi server on the Internet. Ports 12975 and 32976 are used to connect to this server: the first (12975) only while the connection is being established, the second during operation. An ordinary user only needs these numbers if an outbound firewall has to be opened for them.

After a virtual network has been created between the selected computers with the help of the Hamachi server, the VPN clients exchange data directly, without the Hamachi server taking part. The UDP protocol is used for data exchange between the VPN clients.

Program installation

Hamachi is installed on computers running Windows 2000/XP/2003/Vista; console versions also exist for Linux and Mac OS X. Below we look at installing and configuring the program using Windows XP as the example.

Installing Hamachi is simple and causes no trouble (all the more so because the installation wizard's interface is in Russian). Once installation begins, the wizard asks you to accept the license agreement, choose the installation folder (Fig. 1), create a desktop icon, and so on.

Two useful optional features can be enabled during installation: starting Hamachi automatically when the computer boots, and blocking vulnerable services on Hamachi connections (Fig. 2). The latter blocks the Windows File Sharing service on the Hamachi virtual network adapter, so other users of the VPN network cannot reach the files and folders shared on your computer. Those files and folders remain accessible to ordinary users of your local network, who do not go through the VPN connection to reach you.

Fig. 1. The Hamachi installation wizard lets you choose the installation folder, create a desktop icon and enable the optional automatic start of the program when the computer boots

Besides blocking Windows File Sharing, the option also blocks remote access over Hamachi connections to several other Windows services that are frequently attacked. Accordingly, the option should be disabled only if every computer you connect to over Hamachi is one you trust; remember that once you join a network, the services exposed on the Hamachi adapter are reachable by every other member of that network, not only by the computers you chose to connect to.

Fig. 2. The Hamachi installation wizard lets you block vulnerable services on Hamachi connections

In the final step, the wizard asks which edition to install: basic or Premium. Hamachi comes in two editions; the basic one is free, while Premium, with more advanced features, is paid. For most users the free basic edition is quite sufficient (the differences between the two editions are discussed later), but the standard course of events is this: the Premium edition is installed first for a free 45-day period, after which the program automatically reverts to the basic edition.

When Hamachi is launched for the first time after installation, a short guide to the program opens, describing how to work with it.

First launch of the program

When the program is launched for the first time, your account is created. At this stage you set the computer name under which it will be visible to other users of the VPN network (Fig. 3).

Fig. 3. Specifying the name under which the computer will be visible to other users of the VPN network

Once the computer name has been entered, the program connects to the Hamachi database server and requests an IP address, which is assigned to the Hamachi virtual network adapter and later used to establish VPN connections. Each Hamachi client is given an address from the 5.0.0.0/8 range (subnet mask 255.0.0.0). This is not one of the ranges reserved for private use in local networks, which are 10.0.0.0/8 (10.0.0.0 to 10.255.255.255), 172.16.0.0/12 (172.16.0.0 to 172.31.255.255) and 192.168.0.0/16 (192.168.0.0 to 192.168.255.255). At the time of writing, 5.0.0.0/8 had been held unallocated by IANA (the Internet Assigned Numbers Authority, which manages the global IP address space) for more than ten years and was not in use as public (external) Internet addresses. The range therefore satisfied two conditions at once: formally it belongs to public address space, so the address you are assigned cannot already be in use on your local network (local networks use only the private ranges listed above), and at the same time nobody on the Internet was using it. Note that this no longer holds: IANA allocated 5.0.0.0/8 to RIPE NCC in November 2010 and it is now routed on the public Internet, which is why later Hamachi versions moved their clients to 25.0.0.0/8 instead. The reasoning that follows applies to whichever range your client uses.

Once an address from 5.0.0.0/8 has been assigned, it serves as your computer's identifier in the virtual private network. The address is bound to the Hamachi virtual network adapter, so if you run ipconfig /all at the command prompt, then alongside the settings of your physical network adapter you will find a second, Hamachi virtual Ethernet adapter with its own MAC address, IP address, subnet mask, gateway address and so on (Fig. 4).

Fig. 4. After the first launch, the Hamachi virtual network adapter is assigned an IP address from 5.0.0.0/8 and its network interface is configured

Once Hamachi has configured the virtual network adapter, you can start working with the program.

At this point, your computer is not yet a member of any virtual private network, so the first step is to connect to an existing virtual private network or create a new VPN network.

Working with the program

The program interface is very simple (Fig. 5): there are only three function buttons, an on/off button, a network menu button and a system menu button.

Fig. 5. The Hamachi interface is very simple: only three function buttons

To create a new VPN network or connect a computer to an existing one, click on the network menu button and select the appropriate item (Fig. 6).

Fig. 6. The network menu button lets you create a new VPN network or join the computer to an existing one

Joining a PC to and leaving an existing virtual network

To connect your computer to an existing virtual network whose name and password (if one is used) you know, select Login to an existing network... in the network menu. A window opens in which you enter the network name and password (Fig. 7).

Fig. 7. Adding a computer to an existing virtual network

After this, the network name and the list of computers connected to it (other than yours) appear in the program window (Fig. 8).

Fig. 8. After the computer joins a virtual network, the program window lists the computers connected to it

A green dot or star next to a computer name means that a connection with that computer has been established; a flashing green dot means the connection is still being set up, and a light circle around the green dot means data is being exchanged with that computer.

A yellow dot next to the computer name means that, for some reason, a direct connection to it could not be established. If the computer name itself is shown in yellow, the connection with it has been lost.

A blue dot means that a direct connection could not be established and the traffic is being relayed through the Hamachi server. The trouble with this mode is that the channel has very low bandwidth and long delays.

If both the computer name and the dot are grey, the computer belongs to this virtual network but is unreachable (for example, it is switched off, has no Internet connection, or Hamachi is not running on it).

To leave a network, right-click its name and choose Disconnect or Leave the network from the drop-down list. In the first case you leave the network only temporarily and still see the list of its computers; in the second, to rejoin you will have to repeat the whole procedure for connecting to an existing network.

Creating a new network and deleting the created network

To create a new virtual network, select Create a new network... in the network menu. A window opens in which you specify the name of the new network and the password that other users will need to join it (Fig. 9).

Fig. 9. Creating a new VPN network

Once the new network is created, you can connect users' computers to it. If you created the network, you are its administrator and have full control over it, which other users lack. Bear in mind that the network can be managed only from the computer on which it was created; more precisely, only from a computer that holds exactly the virtual IP address under which the network was created. Why does this matter? Suppose you install Hamachi and create a VPN network, then completely uninstall Hamachi (including all configuration files) and reinstall it some time later. You will be assigned a new virtual IP address, and with it you will no longer be able to manage the network you created earlier.

As the network administrator you can also delete the network: right-click its name and choose Delete from the drop-down list. Note that deleting a network destroys all connections between its other users as well.

Other actions with network computers

If you have joined a network, you can perform the following actions on the computers connected to it:

  • accessibility check;
  • folder browsing;
  • sending a message;
  • copying address;
  • blocking;
  • setting the label.

To perform one of them, right-click the computer name and select the corresponding item from the drop-down menu (Fig. 10).

Fig. 10. The actions available for the selected computer on the network

Check availability runs the ordinary ping command against the address of the selected computer.

Browse folders opens the shared folders of the selected computer.

Send a message lets individual computers on the network exchange messages, much as in ICQ.

Copy address places the IP address of the selected computer on the clipboard, which is handy when you want to use it in other programs (for example, remote administration tools).

Block temporarily blocks the selected computer: your VPN channel to it is blocked and no data can be exchanged.

Set label chooses how a computer's attributes are displayed in the list. By default both the IP address and the name are shown; you can show only the name or only the address.

Setting up the program

To reach the program settings, click the system menu button and select Settings... (Fig. 11).

Fig. 11. Opening the program settings

This opens the Status and configuration window, where the program's detailed settings are made (Fig. 12).

Fig. 12. The detailed configuration window

Everything here is quite straightforward and hardly needs detailed comment, so we simply list what the configuration window lets you do: change the computer name, make detailed connection settings, set the program's startup type, block or unblock vulnerable Windows services, block new network members, and a number of less significant options. One important feature deserves a mention: encryption can be disabled for data transferred between individual computers on the network. To get at it, click the Window icon and, in the Appearance group, check the box Show "Advanced..." menu item (Fig. 13).

Fig. 13. Adding the Advanced... item to the drop-down menu

After this, right-clicking the name of a computer connected to the network shows an Advanced... item in the drop-down menu. Selecting it opens the Tunnel Configuration window, where the settings of the VPN tunnel to that computer can be changed. To disable encryption, set Encryption to Off. Note that the setting is one-directional: data from your computer to the selected PC will then be sent unencrypted, while data in the opposite direction is still encrypted. To disable encryption for the tunnel entirely, it must be switched off on both computers.

Encryption should be disabled only in exceptional cases, since the encryption itself is unlikely to limit throughput: throughput is determined by the bandwidth of your Internet connection, not by whether the tunnel is encrypted. Only when a VPN tunnel is formed between computers on the same local network, with about 100 Mbit/s available, can encryption slightly reduce the maximum transfer rate (to 70-80 Mbit/s). Bear in mind what you give up: with encryption off, everything you send over that tunnel crosses the Internet in the clear and can be read by anyone on the path.

Conclusion

Hamachi is a powerful tool for creating VPN networks very quickly. It was originally written so that users could play online games without a game server, but its possible uses are much broader: having created a virtual network and connected computers to it, you can reach any of them with standard remote administration programs, since every computer in such a network has its own dedicated IP address.

At the same time, a direct connection between individual computers cannot always be established. Although the manufacturer's website claims that the program easily "breaks through" routers and NAT devices, reality is less rosy. The program's documentation states that a direct connection between two computers cannot be established in 5% of cases; in our experience that figure is clearly understated.

The real picture is this. Connecting two computers that each have a dynamic or static public IP address presents no problems: if you have a single computer with Internet access at home and need to connect to a user who likewise has a single computer with Internet access, everything works. As practice shows, there are also no problems connecting a computer with a public (dynamic or static) IP address to a computer on a local network behind a router. However, when the connection is between two computers belonging to different local networks, each behind its own router, problems are possible, and it is not certain that a direct connection will be established. A connection will most likely be made, but through the Hamachi server rather than directly, and the resulting channel is so slow as to be of little use.

For example, suppose your home Internet access goes through a wireless router: your computer is part of the home local network and has an address from a private range, while the public address belongs to the router's WAN port through which you go online. If you try to connect to another computer that is also on a local network (a work computer in the office, say, or the computer of a user who also has a router and a home network), problems arise in most cases.

The Hamachi User's Guide describes how to avoid these problems: use a fixed (rather than dynamic) local UDP port and set up port forwarding for it on the router. As practice shows, however, neither port forwarding nor placing the computer in the router's demilitarized zone (DMZ) always helps.
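Before blaming Hamachi, it is worth checking whether the forwarded UDP port is reachable at all. The following Python script is an added example (not part of the article, and not Hamachi's protocol, which is not described here): it binds a small UDP responder on a fixed port and sends a probe to it, reporting whether a reply came back. In practice you would stop Hamachi, run the responder on the computer behind the router on the port you forwarded, and run the probe from a host on the Internet; the self-contained demo here runs both ends on loopback only to show the mechanics. The probe payload, the loopback addresses and the port selection are assumptions for the demonstration.

```python
import socket
import threading
import time

PROBE = b"udp-forward-check"   # constructed probe payload; nothing to do with Hamachi's own traffic
REPLY_PREFIX = b"ok:"


def serve_udp_responder(bind_host: str, port: int, stop: threading.Event) -> None:
    """Stand-in for the peer: bind the fixed UDP port (the one forwarded on the router)
    and answer every probe so the sender can tell the port is reachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_host, port))
        sock.settimeout(0.2)        # wake up regularly to notice the stop flag
        while not stop.is_set():
            try:
                data, addr = sock.recvfrom(1024)
            except socket.timeout:
                continue
            if data == PROBE:
                sock.sendto(REPLY_PREFIX + data, addr)


def udp_port_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Send one probe and report whether the expected reply arrived within the timeout.
    UDP has no handshake, so a closed port, a router that does not forward and a
    firewall that silently drops all look the same from here: no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(PROBE, (host, port))
        try:
            data, _ = sock.recvfrom(1024)
        except OSError:
            # covers the timeout and the ICMP "port unreachable" some platforms surface here
            return False
        return data == REPLY_PREFIX + PROBE


def free_udp_port() -> int:
    """Ask the OS for an unused UDP port on loopback (for the self-contained demo only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo() -> tuple:
    """Run responder and probe on loopback and return
    (reachable on the served port, reachable on a port nobody listens on)."""
    open_port = free_udp_port()
    stop = threading.Event()
    worker = threading.Thread(target=serve_udp_responder,
                              args=("127.0.0.1", open_port, stop), daemon=True)
    worker.start()
    time.sleep(0.1)                 # let the responder bind before probing
    closed_port = free_udp_port()   # nothing listens here, so this probe must fail
    result = (udp_port_reachable("127.0.0.1", open_port, 0.5),
              udp_port_reachable("127.0.0.1", closed_port, 0.5))
    stop.set()
    worker.join()
    return result


if __name__ == "__main__":
    print(demo())
```

If the external probe fails while the loopback demo succeeds, the fault lies between the two: the router's forwarding rule, a firewall on the computer, or an ISP that blocks inbound UDP. Only once the probe succeeds from outside is it worth looking at Hamachi's own settings.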