Install and Configure Hamachi on FreeBSD
In my post Remote Access to Your Ubuntu Server using PuTTY, Hamachi and SSH, I discussed how to set up a secure virtual private network (VPN) between a remote Windows and Linux client, and a Ubuntu home server using LogMeIn Hamachi. In this post, I’ll discuss how to install and configure Hamachi and SSH on a machine running FreeBSD so it too can be added to your Hamachi VPN.
If you’re not familiar with LogMeIn Hamachi (formerly known as just “Hamachi”), it is a hosted VPN service that is capable of establishing secure LAN-like links between computers, even if they’re behind Network Address Translation (NAT) devices. You can use it to create secure virtual networks on demand, across public or private networks. In order for Hamachi to work, a “mediation server,” operated by LogMeIn, is required. The mediation server stores machine nicknames, statically allocated 5.0.0.0/8 IP addresses and the associated authentication token of the user. Hamachi is free for non-commercial use. However, the Hamachi security implementation is closed source and as such is not available for review by the general public.
The versions for the software used in this post were as follows:
Install Hamachi
If you’ve installed the FreeBSD ports collection then run the following to install the Hamachi port:
# cd /usr/ports/security/hamachi/
# make install clean
Otherwise you can grab the package and install it:
# pkg_add -r linux-hamachi
Note that Hamachi requires a Linux emulator in order to run on FreeBSD. Either install method described above will satisfy this dependency by also installing linux_base-fc4 (/usr/ports/emulators/linux_base-fc4), a set of packages that form the basis of the Linux compatibility environment needed by Hamachi in order to run on FreeBSD.
Now, let’s configure Hamachi and create our VPN. Hamachi requires the tap kernel driver to create and manage its virtual Ethernet network interface. No worries though, Hamachi adds a script (/usr/local/etc/rc.d/hamachi) that will automatically load the tap driver (if_tap.ko). This driver must be loaded and running before starting Hamachi itself. You can have it load it automatically when FreeBSD starts by adding the following line to /etc/rc.conf:
hamachi_enable="YES"
If you want only to run Hamachi periodically and not start the tap driver automatically at boot time, you can use forcestart/forcestop, which will ignore the setting in /etc/rc.conf:
# /usr/local/etc/rc.d/hamachi forcestart
Our next step generates the cryptographic key pair and creates a directory at ~/.hamachi where Hamachi will store these keys, as well as its configuration and state. This step only needs to be performed once per Hamachi install; however, it must be done for each user account that you plan to use Hamachi from, including root. In this case we’ll run it from our user account:
$ hamachi-init
Okay, now let’s start Hamachi. First, make sure the tap driver is loaded by rebooting the machine (assuming the hamachi_enable="YES" line is in /etc/rc.conf as described above) or by using the forcestart command, then:
$ hamachi start
When Hamachi is run for the first time, the Hamachi daemon stays offline. Let’s bring it online:
$ hamachi login
Next, create a nickname for the FreeBSD machine so that we can identify it easily from another machine on your Hamachi VPN:
$ hamachi set-nick <nickname>
Now, let’s create our Hamachi VPN. In this step you’ll need to enter a unique name for your network as well as a password for it. If your network name is already in use somewhere, you’ll need to keep trying until you land upon one that’s unique. If you’ve set up a Hamachi VPN previously and simply want to add your FreeBSD machine to it, then substitute join for create in the following command:
$ hamachi create <network> <password>
Now let’s put the FreeBSD machine online on the VPN:
$ hamachi go-online <network>
That’s it. Your Hamachi VPN should now be up and running with your FreeBSD machine added as one of the hosts. What if we reboot: do all these commands need to be entered again? The answer is no. Once the Hamachi VPN is created/joined, the nickname established, and the machine added with the go-online command, should you need to reboot your box, you can simply restart the tap driver (assuming you elected not to have it start automatically) and then start Hamachi, and you’ll be back online. However, you can also have Hamachi start automatically at boot time by adding a script to your system startup sequence. You will of course want to have the tap driver start automatically as well for this to be of any benefit. Here’s a generic version of the script I use:
#!/bin/sh
#
### README
# Date:
# Description: sh script to start hamachi at boot
# Author:
# Process(s): hamachi
# Configuration: none
#
### START OF SCRIPT
# Account that ran hamachi-init; replace the placeholder with your user name.
USER="<user name>"
case "$1" in
start)
    su - "$USER" -c "hamachi start"
    ;;
stop)
    su - "$USER" -c "hamachi stop"
    ;;
reload)
    # su is found via PATH; FreeBSD installs it as /usr/bin/su, not /bin/su.
    su - "$USER" -c "hamachi stop"
    su - "$USER" -c "hamachi start"
    ;;
*)
    exit 1
    ;;
esac
exit 0
### END OF SCRIPT
To use this script, simply add your account user name, save it as hamachi_start.sh in /usr/local/etc/rc.d/ and make it executable. You’re free to choose a different name; however, note that scripts within /usr/local/etc/rc.d/ are executed in lexicographical order. Since the hamachi script must run first in order to load the tap driver, give your startup script a name that sorts after hamachi. Numbers may be used as a prefix to the filename.
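The checks below are an added example, not part of the original post: a /bin/sh pre-flight script that verifies the boot-time prerequisites described above (the rc.conf line, the script ordering and executable bit, and the ~/.hamachi directory) before you reboot. The function names and the owner-only expectation for ~/.hamachi are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight checks for the boot-time setup in this post.
# Every path is an argument, so the functions can be tried on copies first.

# rc_conf_enables FILE NAME: true only if FILE sets NAME to YES using plain
# ASCII quotes (or none); curly quotes pasted from a web page do not match.
rc_conf_enables() {
    LC_ALL=C grep -Eq "^[[:space:]]*$2=\"?[Yy][Ee][Ss]\"?[[:space:]]*(#.*)?\$" "$1"
}

# runs_after DIR FIRST SECOND: true if both exist in DIR and SECOND sorts
# after FIRST in byte order (the lexicographical order the post mentions).
runs_after() {
    [ -e "$1/$2" ] && [ -e "$1/$3" ] || return 2
    last=$(printf '%s\n%s\n' "$2" "$3" | LC_ALL=C sort | tail -n 1)
    [ "$2" != "$3" ] && [ "$last" = "$3" ]
}

# private_dir DIR: true if DIR (here ~/.hamachi, which holds the key pair)
# grants nothing to group or others. Assumption: it should be owner-only.
private_dir() {
    [ -d "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c1-10)" in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight RC_CONF RC_DIR WRAPPER HAMACHI_DIR: run every check, report all.
preflight() {
    rc=0
    rc_conf_enables "$1" hamachi_enable ||
        { echo "FAIL: no hamachi_enable=\"YES\" in $1"; rc=1; }
    runs_after "$2" hamachi "$3" ||
        { echo "FAIL: $3 does not sort after hamachi in $2"; rc=1; }
    [ -x "$2/$3" ] || { echo "FAIL: $2/$3 is not executable"; rc=1; }
    private_dir "$4" ||
        { echo "FAIL: $4 is missing or open to group/others"; rc=1; }
    return "$rc"
}

# Example: preflight /etc/rc.conf /usr/local/etc/rc.d hamachi_start.sh ~/.hamachi
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```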
You can display the status of the Hamachi daemon at any time by running the command hamachi without any arguments:
$ hamachi
version  : hamachi-lnx-0.9.9.9-20
pid      : 846
status   : logged in
nickname : bsd
The following commands will retrieve the nicknames and print a list of the hosts that are currently members of your Hamachi VPN, as well as their Hamachi IP addresses (you will not see the machine you issued the command from listed):
hamachi get-nicks && hamachi list
And if needed, you can stop Hamachi with the command hamachi stop:
$ hamachi stop
Shutting down .. ok
Now then, to initiate a terminal session with another host on your Hamachi VPN:
ssh <hamachi-IP address-for-remote-host>
If this is the first time connecting, you’ll likely receive a warning concerning the authenticity of the host you’re trying to reach along with a fingerprint of its public RSA key, and be asked if you’re sure you want to continue connecting. Accept by typing yes and you’ll be presented with the login and password prompt (this warning prompt will only occur once per machine). The public key from the remote host will be stored in ~/.ssh/known_hosts. If you don’t want to have to remember the Hamachi IP address each time you want to run a session with another host, simply add this IP address along with a name (e.g. home-server-ssh) to your hosts file (/etc/hosts). Next time you use Hamachi/SSH to connect to this host, use the name instead of the IP address and the hosts file will resolve the IP address for you.
SSH Server
Now that we’ve installed Hamachi, created or joined a VPN, and perhaps tested it by connecting to another host on the VPN, let’s make sure there’s a running SSH server on our FreeBSD machine so that incoming SSH requests can be answered:
/etc/rc.d/sshd status
sshd is running as pid 811.
Should you need to install sshd, type sysinstall. Select Configure -> Networking and select sshd from among the options. Make sure sshd is enabled by checking the /etc/rc.conf file for the line sshd_enable="YES". This will load sshd the next time your system starts. You can also start sshd manually through the /etc/rc.d/sshd script:
# /etc/rc.d/sshd start
Conclusion
This post described how to install and configure Hamachi on a machine running FreeBSD. The reason I like using LogMeIn Hamachi is that it allows me to connect via SSH, SCP or SFTP to my FreeBSD machine at home from essentially anywhere I have an internet connection without the need to make any changes to my router/gateway. To learn how to install and configure Hamachi on Linux or Windows machines, as well as how to improve the security of the connections over the Hamachi VPN using public key authentication, please see the post Remote Access to Your Ubuntu Server using PuTTY, Hamachi and SSH.

March 5th, 2010 at 1:28 am
Am I able to get results immediately or will it take a bit to show up?
March 6th, 2010 at 6:09 pm
Ervin, I’m not sure I understand your question.