Update: Due to protocol changes instituted by LogMeIn on or around July 30, 2012, the linux-hamachi client version referenced in this post can no longer be used to log in to Hamachi servers. This post will be retained for archival purposes.
In this post I’ll discuss how to install and configure Hamachi and SSH on a machine running FreeBSD. If you’re not familiar with LogMeIn Hamachi (formerly known as just “Hamachi”), it is a hosted VPN service that is capable of establishing secure LAN-like links between computers, even if they’re behind Network Address Translation (NAT) devices. You can use it to create secure virtual networks on demand, across public or private networks.
In order for Hamachi to work, a “mediation server,” operated by LogMeIn, is required. The mediation server stores machine nicknames, statically allocated 5.0.0.0/8 IP addresses and the associated authentication token of the user. Hamachi is free for non-commercial use. However, the Hamachi security implementation is closed source and as such is not available for review by the general public.
The versions for the software used in this post were as follows:
- FreeBSD 9.0-RELEASE
- linux-hamachi-0.9.9.9.20
Install Hamachi
Hamachi requires Linux binary compatibility which is not turned on by default in FreeBSD 8.2-RELEASE. The easiest way to enable this functionality is to load the linux KLD object (“Kernel Loadable Object”) by typing the following as root:
    kldload linux
Then add the following line to /etc/rc.conf:
    linux_enable="YES"
Now we’re ready to install Hamachi. If you’ve installed the FreeBSD ports collection then run the following as root to install the Hamachi port:
    cd /usr/ports/security/hamachi/
    make install clean
Otherwise you can grab the binary package and install it:
    pkg_add -r linux-hamachi
Now, let’s configure Hamachi and create our VPN. Hamachi requires the tap kernel driver to create and manage its virtual Ethernet network interface. No worries though, Hamachi adds the script /usr/local/etc/rc.d/hamachi that will automatically load the tap driver if_tap.ko. This driver must be loaded and running before starting Hamachi itself. You can have it load automatically when FreeBSD starts by adding the following line as root to /etc/rc.conf:
    hamachi_enable="YES"
If you want only to run Hamachi periodically and not start the tap driver automatically at boot time, you can use forcestart/forcestop as root, which will ignore the setting in /etc/rc.conf:
    /usr/local/etc/rc.d/hamachi forcestart
Our next step generates the cryptographic key pair and creates a directory at ~/.hamachi where Hamachi will store these keys, as well as its configuration and state. This step only needs to be performed once per Hamachi install; however, it must be done for each user account that you plan to use Hamachi from, including root. Consequently, we’ll run the following commands from our user account:
    hamachi-init
Okay, now let’s start Hamachi. First, make sure the tap driver is loaded by rebooting the machine (assuming the hamachi_enable="YES" line is in /etc/rc.conf as described above) or by using the forcestart command, then:
    hamachi start
When Hamachi is run for the first time, the Hamachi daemon stays offline. Let’s bring it online:
    hamachi login
Next, create a nickname for the FreeBSD machine so that we can identify it easily from another machine on your Hamachi VPN:
    hamachi set-nick <nickname>
Now, let’s create our Hamachi VPN. In this step you’ll need to enter a unique name for your network as well as a password for it. If your network name is already in use somewhere, you’ll need to keep trying until you land upon one that’s unique. If you’ve set up a Hamachi VPN previously and simply want to add your FreeBSD machine to it, then substitute join for create in the following command:
    hamachi create <network> <password>
Now let’s put the FreeBSD machine online on the VPN:
    hamachi go-online <network>
That’s it. Your Hamachi VPN should now be up and running with your FreeBSD machine added as one of the hosts. What if we reboot? Do all these commands need to be entered again? The answer is no. Once the Hamachi VPN is created or joined, the nickname established, and the machine added with the go-online command, after a reboot you can simply restart the tap driver (assuming you elected not to have it start automatically) and then start Hamachi, and you’ll be back online. However, you can also have Hamachi start automatically at boot time by adding a shell script to your system startup sequence. You will of course want to have the tap driver start automatically as well for this to be of any benefit. Here’s a generic version of the script I use:
    #!/bin/sh
    ### START OF SCRIPT
    # Starts and stops the per-user Hamachi daemon.
    # Set USER to the account that ran hamachi-init.
    USER="<your user name>"

    case "$1" in
    start)
        su - "$USER" -c "hamachi start"
        ;;
    stop)
        su - "$USER" -c "hamachi stop"
        ;;
    reload)
        # Restart the daemon: stop it, then start it again.
        su - "$USER" -c "hamachi stop"
        su - "$USER" -c "hamachi start"
        ;;
    *)
        exit 1
        ;;
    esac
    exit 0
    ### END OF SCRIPT
To use this script, simply add your account user name, save it as hamachi_start.sh in /usr/local/etc/rc.d/ and make it executable. You’re free to choose a different name; however, note that scripts within /usr/local/etc/rc.d/ are executed in lexicographical order. The existing hamachi script must run first in order to load the tap driver, so give your startup script a name that sorts after hamachi. Numbers may be used as a prefix to the filename.
You can display the status of the Hamachi daemon at any time by running the command hamachi without any arguments:
    hamachi
    version  : hamachi-lnx-0.9.9.9-20
    pid      : 846
    status   : logged in
    nickname : bsd
The following commands will retrieve the nicknames and print a list of the hosts that are currently members of your Hamachi VPN, as well as their Hamachi IP addresses (you will not see the machine you issued the command from listed):
    hamachi get-nicks && hamachi list
And if needed, you can stop Hamachi with the command hamachi stop:
    hamachi stop
    Shutting down .. ok
Now then, to initiate a terminal session with another host on your Hamachi VPN:
    ssh <hamachi-IP address-for-remote-host>
If this is the first time connecting, you’ll likely receive a warning concerning the authenticity of the host you’re trying to reach, along with a fingerprint of its public RSA key, and be asked if you’re sure you want to continue connecting. Accept by typing yes and you’ll be presented with the login and password prompt (this warning prompt will only occur once per machine). The public key from the remote host will be stored in ~/.ssh/known_hosts. If you don’t want to have to remember the Hamachi IP address each time you want to run a session with another host, simply add this IP address along with a name (e.g. home-server-ssh) to your hosts file (/etc/hosts). Next time you use Hamachi/SSH to connect to this host, use the name instead of the IP address and the hosts file will resolve the IP address for you.
SSH Server
Now that we’ve installed Hamachi, created or joined a VPN, and perhaps tested it by connecting to another host on the VPN, let’s make sure there’s a running SSH server on our FreeBSD machine so that incoming SSH requests can be answered:
    /etc/rc.d/sshd status
    sshd is running as pid 811.
Should you need to install sshd, type sysinstall. Select Configure -> Networking and select sshd from among the options. Make sure sshd is enabled by checking the /etc/rc.conf file for the line sshd_enable="YES". This will load sshd the next time your system starts. You can also start sshd manually as root through the /etc/rc.d/sshd script:
    /etc/rc.d/sshd start
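The three rc.conf settings this guide relies on (linux_enable, hamachi_enable and sshd_enable) can be audited in one pass, including the cases where a line is commented out or overridden later in the file. This is an added example, not part of the original post; the function names and the sample file are constructed for illustration, and it reads a single file only (not /etc/rc.conf.local or /etc/defaults/rc.conf).

```sh
#!/bin/sh
# Added example: audit an rc.conf-style file for the knobs used in this guide.

# rc_value FILE KEY: print the effective value of KEY. Comments are stripped
# and the last assignment wins, as when sh sources the file.
rc_value() {
    sed -n -e 's/[[:space:]]*#.*$//' \
        -e "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" \
        "$1" | tail -n 1
}

# is_enabled FILE KEY: succeed when KEY holds a value rc.subr accepts as "yes".
is_enabled() {
    case "$(rc_value "$1" "$2")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_knobs FILE: print the knobs from this guide that are not enabled.
missing_knobs() {
    missing=""
    for knob in linux_enable hamachi_enable sshd_enable; do
        is_enabled "$1" "$knob" || missing="$missing $knob"
    done
    echo "${missing# }"
}

# Constructed sample file (not from the original post): hamachi_enable is
# commented out and sshd_enable is overridden by a later line.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
hostname="bsd"
linux_enable="YES"
#hamachi_enable="YES"
sshd_enable="YES"   # enabled via sysinstall
sshd_enable="NO"
EOF

echo "not enabled: $(missing_knobs "$SAMPLE")"
```

On a real system, pass /etc/rc.conf instead of the sample file.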
Conclusion
This post described how to install and configure Hamachi on a machine running FreeBSD. The reason I like using LogMeIn Hamachi is that it allows me to connect via SSH, SCP or SFTP to my FreeBSD machine at home from essentially anywhere I have an internet connection without the need to make any changes to my router/gateway. To learn how to install and configure Hamachi on Linux or Windows machines, as well as how to improve the security of the connections over the Hamachi VPN using public key authentication, please see my previous post.
iceflatline many thanks for your kindness in helping others. I first did your install today with the config below and then installed the new Hamachi and connected it to a network using the web logmein hamachi config. The script is below:
objective -> access a samba file server from remote when my ISP blocks ports
server -> Ubuntu 10.10 server
clients -> windows 7
See the following to get it running with the new Hamachi version
wget https://secure.logmein.com/labs/logmein-hamachi-2.0.0.12-x64.tgz
tar -xvf logmein-hamachi-2.0.0.12-x64.tgz
cd logmein-hamachi-2.0.0.12-x64
sudo ./install.sh
sudo tuncfg
sudo /etc/init.d/logmein-hamachi start
sudo hamachi login
sudo hamachi set-nick
sudo hamachi attach # then go online to accept the request and set up the network as hub and spokes
sudo hamachi # to see IP and other info
algomoo, brilliant! Thanks for sharing this.
Hi iceflatline.
This is a great post.
I followed the steps of your post, but my hamachi (on FreeBSD 9, and tested on 8.2 too) does not log in.
All ok until:
# hamachi start
When I wrote:
# hamachi login
I received this message:
Logging in…failed
And can’t continue.
According to my search, I believe the problem is in the file tuncfg.c, line 310:
"ifconfig %s %u.%u.%u.%u ", ctx[i].dev,
/sbin/ is missing before ifconfig.
It should look like:
"/sbin/ifconfig %s %u.%u.%u.%u ", ctx[i].dev,
I could not change the patch in /usr/ports/security/hamachi/files/patch-tuncfg_tuncfg.c to include this.
And my hamachi does not work.
Can you help me, please?
Thanks.
Sendoh
Sendoh, it appears LogMeIn is using a new protocol that is not compatible with their client referenced in this article. See http://community.logmein.com/t5/Hamachi/Upcoming-Protocol-Changes/td-p/78963
Time permitting I will search for alternatives.
iceflatline, I managed to change the patch in ports, but it did not work. As you said, the version that is in ports does not really work anymore because the protocol version that Hamachi uses was changed.
For my tests, I’m using the new version on Ubuntu; unfortunately, I do not want to use another operating system, only FreeBSD.
I followed this:
http://www.informatiksupport.eu/?p=214
It works fine.
But I want to use FreeBSD. If you can make it work on freebsd, please post here in the post.
I appreciate your help. Thanks for all!
Sendoh
Sendoh, okay, thank you. This is helpful. I’ll see what I can do about getting it to work in FreeBSD.
[…] Among other things, I would also like to put Hamachi on it, but that does not work following this guide: Install and Configure Hamachi on FreeBSD | iceflatline […]