2017-07-03 07:49:19 (edited by Sebby 2018-03-19 20:29:56)

For those who need it, I've just set up a VPN that's peer-to-peer and works for all games that support direct connections (not using a remote server), and it should even work when you are behind two layers of NAT or other unfriendly firewalls. It works a lot like Hamachi and uses the 25.0.0.0/8 address space. It's free and fun, and doesn't require you to do anything once it's set up. Follow these instructions to use it.

Update: thanks to Chris we have some nice, step-by-step directions (downloads a text file), which are probably more approachable to new Windows users. Below are my original instructions, which you should probably still read, but Chris's instructions will get you up and running.

WARNING WARNING WARNING WARNING WARNING: pay attention to the following as it's very important, before you even get started.

1.  There is no security. Anyone who can read this forum thread can join. You can't rely on this VPN for anything sensitive. Not that I'd expect otherwise, and it's good practice to just assume the whole world is out to get you all the time, but remember that this is a public network and anybody can see anybody else. You should imagine that you have a public IP address, for all the good that does, and act accordingly. Do not host or transmit stuff on here that you'll regret. Most operating systems nowadays are robust on public networks, and do include firewalls. And of course you should be keeping your software up-to-date, and only expose services you need, and password-protect all important shares or resources. You should already be doing all this stuff, of course, but here's a reminder to be careful.

2. Although I've tested it independently and found it to work from my Windows VM, please follow directions carefully and bear in mind that things might fail for odd reasons. There is an easy bailout no matter what, and I don't imagine anything tragic will happen, but understand you are ultimately on your own here. Of course, feel free to ask for help if you need it.

And now, the instructions:

1. Get the latest stable version of Tinc for Windows. We assume you are on Windows because that's where all the games are, but if you need help with another OS do let me know. The server in fact runs Linux.

2. Run the installer. Install everything, except that you may, if you wish, uncheck the tap adaptor driver for the platform you do not use (if you are 32-bit, you could uncheck 64-bit, for instance, or vice-versa).

3. Install the tap driver for your platform. In the tinc program folder, find the tap-win32 or tap-win64 directory, and run the addtap.bat file. You need to have elevated privileges. If you're successful, a message will appear in your console, followed by a prompt to press a key to continue. Press enter to exit the console window.

4. Find the tap device, and rename it to "gamers", exactly as shown and without the quotes, obviously. You must find the network object and rename it. How you do this depends on your OS, but I'm fairly confident I don't know the procedure for anything later than XP as M$ are determined to make it as stupidly hard as possible. But I believe newer versions of Windows now call this something like "Network and Sharing Centre", and there's an option to "Change Adapter Settings". And indeed, here's a wonderful guide, which also incidentally talks about the different types of exposure I was warning you about earlier. Read and understand it, please.

5. Next, grab this file, and unzip it. Copy the contents into your tinc program folder. Specifically, the tinc.conf file must be in the same place as the tincd.exe file, and the hosts directory should be a subdirectory of your tinc folder.

6. Open tinc.conf with notepad or another text editor. Change the second line, as directed by the first, and save it. Specifically, replace the name with a unique name for you. It doesn't matter what, as long as it has just letters and numbers and _ characters.

7. Next, open an elevated command prompt, and switch to the tinc directory. As in

cd c:\program files\tinc

(or whatever is appropriate).

Now, generate your keypair, by typing this and then pressing enter:

tincd --generate-keys

It should be safe for you to press enter twice more, to select the default locations. If you did step 6 right, you'll notice that the proposed file in your hosts directory, for the second prompt, now matches the name you have picked, and the private key and public key files should appear in your tinc and tinc\hosts directories, respectively.

8. Finally, it's crash test time! Still in your command prompt, type this, to start the client and register it as a Windows service for future restarts:

tincd --bypass-security

If you did everything right, your network adaptor list should show you that you have a 25.0.0.0/8 address. You can try to ping the DHCP server by typing this into a command prompt:

ping 25.0.0.1

If you receive replies, you are connected!

Now simply play your games, and instead of worrying about port forwarding and all that, simply hand out the address you have been assigned.

Any questions, just follow up here. And sorry it's such an annoyingly advanced procedure. It would be easier if the software was designed for client-server authentication, but it was really meant for mutual setups where both sides were under the user's control. If I can figure out a way to make it easier, I will, but this should get us going.

Enjoy!

Further notes.

1. Port forwarding and firewalls. It would be helpful if you could forward and/or unblock TCP and UDP port 655 to your machine from the outside. It is not mandatory, but it will certainly decrease connection setup time, whether from you to another person, or another person to you, and it will also help the network in case somebody is not so lucky as you. I cannot explain how to port forward because it's different for each router, but try portforward.com for many routers. Also, you need to manage any host firewall software you have on your computer. If you use the stock Windows firewall, add tincd.exe to the exceptions list, or a port exception for both TCP and UDP ports 655. Moreover, the Windows host firewall will, in the default posture, which is typical for public network profiles that are not otherwise configured, be very strict in preventing access or discovery, so you might have to wrestle with it in order to see incoming packets from the VPN interface or offer discoverable services.

If you don't have access to your router's configuration interface, you can try to use UPnP. It is not attempted for you automatically. However, if UPnP is available, Windows should show it to you as an "Internet Connection" in your network connections list. Get properties, and there's an interface to add port mappings in this way for the tinc ports (TCP/UDP ports 655).

2. Starting and stopping. You can use the services control panel to start and stop tinc, if required.

3. Uninstallation. Use the deltapall.bat file to remove all instances of the tap driver from your system. Next, in an elevated command prompt, type these two commands:

cd c:\program files\tinc
tincd --kill

That removes the Windows service. You can now uninstall tinc with the Control Panel, and delete the tinc directory.

4. IPv6. IPv6 is supported. Peers that have IPv6 communicate directly with one another, but incur higher latency communicating with IPv4-only peers. On the other hand, communicating only using IPv4 will disadvantage constrained IPv4 peers, whose only direct connectivity is IPv6 or, in the worst instance, peers without IPv4 connectivity at all, whose only connectivity is IPv6. It is up to you to choose who should suffer more, and it is undoubtedly true that IPv4 is still the more ubiquitous protocol at the moment, but I'm for the future. If you disagree, change the "address" line in the "Mintaka" file in the hosts directory to use the IP address 173.203.201.199 directly, instead of the hostname "mintaka.sabahattin-gucukoglu.com".

5. Virtual machines. Run this setup in the virtual machine guest, and not on the host system, unless you know very well otherwise and understand advanced routing. Ideally, your guest virtual machine should be bridged to your LAN, but this is not absolutely necessary, if you don't have the option.

Edits: various clarifications, mostly to make things completely unambiguous. IPv6 notes. Clarify that firewalls and/or NATs should be opened up to TCP/UDP 655 where possible, and explain the role of Windows Firewall in handling the VPN interface. Notes on virtual machines. Link Chris's instructions at the top of the post for people who need it. Update Windows download link to 1.0.33 (from 1.0.31).

Just myself, as usual.
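As an added example (not from the post, and not part of tinc), the following PowerShell script checks steps 4, 7 and 8 above and applies the firewall advice from the further notes, on Windows 8 or later. It assumes tinc is installed in C:\Program Files\tinc and that the TAP adapter's description begins with "TAP-Win".

```powershell
# Added example (not from the post or from tinc): verify the setup described
# above and apply the firewall notes. Run in an elevated PowerShell session.
# Assumptions: tinc lives in C:\Program Files\tinc and the TAP adapter's
# description starts with "TAP-Win" (the post saw "Tap Win32 Adaptor v9").
#Requires -RunAsAdministrator

$TincDir    = 'C:\Program Files\tinc'   # assumed install path
$IfName     = 'gamers'                   # adapter name required by the post's tinc.conf
$DhcpServer = '25.0.0.1'                 # ping target given in step 8
$TincPort   = 655                        # tinc's port, per the further notes

# Step 4: find the TAP adapter by its description and rename it to "gamers".
$tap = Get-NetAdapter -InterfaceDescription 'TAP-Win*' -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $tap) {
    throw 'No TAP adapter found; run addtap.bat from the tap-win32/tap-win64 folder first (step 3).'
}
if ($tap.Name -ne $IfName) {
    Rename-NetAdapter -Name $tap.Name -NewName $IfName
    Write-Host "Renamed adapter '$($tap.Name)' to '$IfName'."
}

# Step 7: confirm the key pair exists. tincd --generate-keys writes the private
# key as rsa_key.priv beside tincd.exe and the public key into hosts\<Name>.
$m = Select-String -Path "$TincDir\tinc.conf" -Pattern '^\s*Name\s*=\s*(\S+)' |
     Select-Object -First 1
if (-not $m) { throw "No 'Name = ...' line in $TincDir\tinc.conf (step 6)." }
$name = $m.Matches[0].Groups[1].Value
$priv = Test-Path "$TincDir\rsa_key.priv"
$pub  = Test-Path "$TincDir\hosts\$name"
Write-Host "Name=$name  private key present: $priv  host file present: $pub"
if (-not ($priv -and $pub)) { throw 'Key pair missing; rerun tincd --generate-keys (step 7).' }

# Firewall notes: allow tincd.exe on TCP and UDP 655 rather than opening the
# port to every program, and keep the VPN adapter in the Public profile so
# file and printer sharing stay hidden on a network anyone can join.
foreach ($proto in 'TCP', 'UDP') {
    $ruleName = "tinc VPN ($proto $TincPort)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Program "$TincDir\tincd.exe" -Protocol $proto -LocalPort $TincPort -Profile Any | Out-Null
    }
}
Set-NetConnectionProfile -InterfaceAlias $IfName -NetworkCategory Public -ErrorAction SilentlyContinue

# Step 8: the service should have given the adapter a 25.0.0.0/8 address, and
# 25.0.0.1 should answer.
$addr = Get-NetIPAddress -InterfaceAlias $IfName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -like '25.*' } | Select-Object -First 1
if (-not $addr) {
    throw "No 25.x address on '$IfName'; check the tinc service in services.msc and that tinc.conf sits beside tincd.exe."
}
Write-Host "VPN address: $($addr.IPAddress)/$($addr.PrefixLength)"
if (Test-Connection -ComputerName $DhcpServer -Count 2 -Quiet) {
    Write-Host "Ping to $DhcpServer succeeded: you are connected."
} else {
    Write-Warning "No reply from $DhcpServer; the service may still be starting or the tunnel is not up."
}
```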

2017-07-04 03:58:13

hi.
I am in the process of trying this right now, and don't know how to thank you enough. If this works, I'll be able to host games without having to port forward, which is something I've been wanting to do for a long time.

proud to be a patreon of liam erven. Become a patreon today at patreon.com/liamerven

2017-07-04 04:15:11

ok guys, so I need some help.
I am wondering how to rename that driver that you need to rename. I go to my network and sharing center, but I don't see any obvious place that it would be. Can someone that knows how the network and sharing center in Windows 10 works give me some help with this? Thanks.

proud to be a patreon of liam erven. Become a patreon today at patreon.com/liamerven

2017-07-04 07:33:14

I'm afraid I don't have Windows 10 in front of me, however "Change Adapter Settings" sounds familiar. You should get a list of all of the adapters on the system, and you'll be able to find and rename the tap device. Hopefully. The new interface is a total disaster IMO; why Microsoft can't just let sleeping dogs lie I don't know.

Just myself, as usual.

2017-07-04 08:12:09

hmm, I went in there and saw a bunch of Microsoft adapters, but nothing that is the one I need for this. What is its name by default? There's a chance I missed it but I don't think so.

proud to be a patreon of liam erven. Become a patreon today at patreon.com/liamerven

2017-07-04 09:30:25

On my VM it just shows up as "Local Area Connection 2", i.e. just as a second Ethernet adaptor would if it were real hardware. You might have to open up each adaptor's properties to see which one is the tap driver, which will clearly be indicated as something like "Tap Win32 Adaptor v9" (in my case).

Just myself, as usual.

2017-07-05 03:44:50 (edited by Chris 2017-07-05 06:44:55)

I've got a couple questions.

1. Do all involved parties have to join the VPN or just the one hosting?

2. Is it possible to view all the other devices connected?

edit

Okay, I followed all your steps and this thing doesn't work. When I look at the virtual network adapter, it says no internet access under IPv4 and IPv6. Either the server is down or I screwed something up somewhere.

Bryant, you need to run the .bat file in an administrator command prompt. Press the windows key, type cmd and press control shift enter on the command prompt result to open the administrator command line. You then need to navigate to the directory containing the .bat file and run it. A Windows security alert will come up. Just press the install button and the install will finish.

What did I do wrong? Did the generate keys command not work since Microsoft made changes to program files so that it's write protected? I did run it in the administrator command prompt, but I don't know if it worked. Any help?

Grab my Adventure at C: stages Right here.

2017-07-05 13:46:45

@Chris to answer your questions:

1. Yes, all must join. I don't own 25.0.0.0/8 (but wish I did!). That belongs to the Ministry of Defence in the UK, but it is not publicly routed, so we are rather naughtily squatting on it. It's what Hamachi does, too.

2. You can use whatever discovery protocol you want, since you are essentially connected to a giant, Internet-spanning Ethernet network. The network's your oyster. You could use UPnP, SLP, Bonjour, WSDiscovery, NetBIOS ... anything that works over Ethernet will work here.

I suppose that, if it were really helpful, I could set up a script to pull the DHCP server's lease table and dump it over the web. But that would not tell you anything but the number of devices, and the (virtual) MAC address and the IP address associated with it. It might also risk the privacy of those who would rather keep quiet on the network. Still, if people think that might be good for something, I could set that up, but it won't help you find gamers or anything.

If Windows says you have no Internet access, it must be true. smile In fact, it is: I have explicitly not enabled routing to the Internet, and there is no default gateway nor DNS service. It seems overkill to me to set that up, especially when you can use other means of doing discovery that work, and most gamers seem to use IP addresses anyway. But maybe I'll reconsider if there's a case for it. Of course, offering public Internet access would be out of the question.

Having said that, somebody has connected. Could that be you? Check your adaptor to make sure it has an IP address assigned. Or if you don't mind, tell us what your computer name is, as specified in the conf file, or as assigned to your computer by Windows.

Try pinging 25.0.0.1. If you do not see replies, there's a problem. What is the last thing you definitely remember working?

You can tell if --generate-keys worked. You'll see two prompts, asking you where to store both your private and public key files. If you have a rsa_key.priv file in your tinc directory and a file in your hosts directory that matches your computer name, as given in the conf file, then this stage completed successfully and you need to install the service using "tincd --bypass-security" as instructed.

I updated the first post, hopefully to make it even clearer. Let me know how you get on.

Just myself, as usual.

2017-07-05 19:10:15

I got it to work. Turns out I just had to reboot my machine. The ping command worked like a charm. I'll just have to ignore the no internet access message in Network and Sharing Center. I also set the Tinc service to manual in the services.msc control panel so that I can start it whenever I want to play games instead of having it load when Windows boots. Now I'm wondering if it's a good idea to install this into my Bootcamped Windows XP on my Mac Mini. The only reason would be to play Top Speed 3, since it appears that the networking feature seems permanently broken in the latest version of 10.

Grab my Adventure at C: stages Right here.

2017-07-05 21:28:59

I really like this idea. Let's suppose I wanted to run IRC on your VPN; would I set the address to my address given by the VPN? Or maybe I could provide you with an FTP over the VPN or maybe even a mail server. smile Really love this idea.

Bitcoin Address:
1MeNca7h6m8du4TV3psN4m4X666p6Y36u5m

2017-07-05 22:10:54

I am connected to the vpn my address is 25.237.101.106. How do I test this out? Is there anything I can connect to?

Bitcoin Address:
1MeNca7h6m8du4TV3psN4m4X666p6Y36u5m

2017-07-06 10:26:01 (edited by Sebby 2017-07-06 13:16:08)

@Chris nice one.

It works just fine on XP. In fact there are fewer hurdles, and you aren't told about network connections that don't have Internet connectivity. Presumably because XP was a version of Windows that predated Microsoft's grand plan to own your life, and your data.

@hurstseth205: you can run whatever you like on here. Knock yourself out. smile

But remember what I was saying earlier. It is really unsafe to presume that this VPN is any kind of access control. Sure, someone has to read this thread, understand it, and do the steps you did. But that's hardly a problem for a troublemaker. So, don't run anything you would not normally open up to the public, and don't implicitly trust the people on this network. Having said that, have fun, and go crazy doing things like running FTP servers without all the worry of NAT and port forwarding, sharing your iTunes libraries across the Internet, or doing peer-to-peer file transfers without pain. It's all to play for. smile

There are no real ways to test, I'm afraid, apart from pinging. The services running on Mintaka are just infrastructure for my domain so nothing exciting, and nothing you can't already reach from the public Internet. You need others on board to mess about.

Edit: OK, I put my Mac on the network. See if you can find some services now. Can you guess which? smile

Just myself, as usual.

2017-07-06 20:22:11

I don't know what they are, but I'm connected.

Bitcoin Address:
1MeNca7h6m8du4TV3psN4m4X666p6Y36u5m

2017-07-08 08:58:19

Yeah, looks like we're all on board now.

As for services running, try browsing for file shares on the network or, if you have iTunes installed, firing that up and looking for shared libraries.

Just myself, as usual.

2017-07-08 17:07:43

So if I wanted to run a service, would I set my server to listen on the 25.237.101.106 address?

Bitcoin Address:
1MeNca7h6m8du4TV3psN4m4X666p6Y36u5m

2017-07-08 18:44:38 (edited by marro 2017-07-08 19:20:01)

hey guys,
so, I have a little problem. When I open the bat file to rename the thing to gamers, I just get an empty terminal window and nothing else. What to do? I have Windows 7 64 bit.

kind regards and have a nice day,
marro

2017-07-11 00:12:04 (edited by turtlepower17 2017-07-11 01:01:58)

Would it be ok to host a Team Talk server using this configuration? Just want to make sure I won't be restricting bandwidth usage or anything like that if I do. I did test it already, but that can easily be done away with if need be. Either way, it does work very well, so thanks for setting this up.

Also, does anyone know what the deal with Acefire is? My friend and I just tried to play, using the IP address that was supplied, and he says that there was an error when he tried to connect. I did get a prompt from Windows Firewall the first time he tried. I allowed access, but he still says he can't connect. Unfortunately, I can't test it with something else like RTR, at least not right this second, since he's having some trouble getting that to work apparently, and no one else I know is available to test it with me. I did create a server that I've successfully connected to, though, so I guess it's not a total disaster. I just feel better about things when I know for sure that they work. It's possible that something is broken in Acefire, or that it requires something special that I don't know about.

The glass is neither half empty nor half full. It's just holding half the amount it can potentially hold.

2017-07-11 13:30:33

@hurstseth405: you could do that, although it's probably easier to just listen on all interfaces since that will include the VPN. It's up to you, really, but I think listening on all interfaces is just more convenient, and most applications don't really give you much flexibility in that regard, only server software.

@marro: sorry, but I'm not entirely sure where you are. What is the last thing you did? Perhaps you forgot to run the batch file with elevated privileges. Or perhaps you have done it, and you were at the "Press a key to continue" prompt and just don't know it, in which case just pressing Enter should do it. Check you have an object in your adapter settings, and if you have, you've made it.

@TurtlePower nice one. You can host whatever you want. The network tries to route directly when it can.

As for AceFire, I've played the game before, but don't have it in front of me right now. However if you're getting messages from Windows Firewall it sounds like the battle is with the firewall. The important precondition here is that no central server is used to negotiate the player connections, but just manually configured server and clients, so games like VIPGamesZone will sadly not work using this method. Perhaps when I'm next in my Windows VM I'll grab the game and play it. I have Palace Punch-Up and it's working just fine, so there's another game if you need someone to play.

Just myself, as usual.

2017-07-14 01:58:28

Hi!
I'm not sure I'm ready to proceed with this, as I already have a Windows VPS that I can install games on, and since there are no routers, there is no need to worry about port-forwarding.
Just curious, what VPS service are you using, and are you using cPanel? I am interested in learning more about servers as long as it is explained with the KISS principle.

Ulysses, KJ7ERC
She/they
Reedsy

2017-07-17 09:39:34

@GGF correct, if you have a server and it has a public IP address, and if you can knock holes in firewalls to reach it, you're all set. You don't need this.

The VPN runs on a Rackspace Cloud VPS, though in theory it can run anywhere. I do not use CPanel or other web-based admin tool; I do all my configuring manually over ssh.

Servers are programs or computers that service requests from clients, or users. What information in particular are you after?

Just myself, as usual.

2017-07-17 09:45:26

I heard of SSH. I thought cPanel was a Linux distro that you'd access with SSH. So if that's not the case, what kind of Linux distro are you using? Also, I heard of SSH being used on DOS to dial into places like e-mail and the internet.

Ulysses, KJ7ERC
She/they
Reedsy

2017-07-17 12:29:55

Ah, I see. Some confusion. Right, let's see if we can clear things up a wee bit.

CPanel is a web-based administration tool. Web hosters and lazy sysadmins install it on their boxes so their customers, or they themselves, can change things about their accounts--web presence, database servers, email services, domain name services, and the like--without having to manually manipulate the server software responsible for providing those services. So instead of changing configuration files using ssh (more on that in a minute) at a command line shell on the remote system, they can just clicketty click all over the place. Not my idea of fun, but important if the machine is shared by multiple users and/or you're dealing with the everyman or everywoman or whatever the technological equivalents of those are.

Ssh (secure shell) provides remote command-line access to a remote computer. You can also use it for the exchange of arbitrary binary data, in file transfers, using sub-protocols called scp (secure copy) or sftp (secure file transfer protocol). These are all replacements for traditional protocols, like telnet, rlogin or ftp, which have existed since the dawn of time for similar purposes, except that ssh, and everything on top of it, is encrypted. Certainly once you have used ssh to log in to a remote computer, you can do many things on that computer, including browsing (in a very limited way) and handling your email. But maybe that made more sense during the DOS days than it does now, in a world of graphical programs. Still, using ssh allows you to do many, many things, and all good server operating systems (i.e., not Windows) allow you complete remote control over them using a command line over ssh.

A Linux "distro" (distribution) is a collection of programs assembled into a unique, whole operating system. CPanel is therefore not a distro. Debian, RedHat, Fedora, Ubuntu--these are distributions. I use Debian, myself. I used to use and love Gentoo, but then I discovered that life was too short for that sort of thing, and took it back, before anything really bad happened to it. My life, that is. Gentoo allows you to recompile--that is, completely rebuild from the original text listings of the programs--the entire system. It was slow and involved. Most distributions are binary--that is, they are pre-built collections of precompiled software, and you simply use the binaries supplied.

Right. Any further questions? Perhaps another OT thread is in order, so others can find it.

Just myself, as usual.

2017-07-17 12:54:45

There is already a thread called Linux Assistant Centre, I believe.
When I signed up with http://www.vps.net/, one of the options under select your OS was cPanel, so I thought it was just another operating system. Under the other options, we had Ubuntu, CentOS, and Windows. There was no Debian anywhere.
Since I use Windows Server 2008, I was informed that I could use Remote Desktop Connections to control the operating system just as if I were controlling my machine. I wouldn't have to use any FTP clients as long as I had a good connection to transfer files from my main machine to the server.
I had also launched two other VPS-related threads about two or three weeks ago. Feel free to comment on those. I am totally new at this, so I am not fully familiar with the techno lingo used to communicate complex ideas.

Ulysses, KJ7ERC
She/they
Reedsy

2017-07-17 17:06:35

It sounds like CPanel was just a choice for an OS preconfigured to be administered using a web browser, irrespective of what it ran. Windows is always the exception: it uses RDP (Remote Desktop Protocol) and you do your work in a GUI. The only other server, which has ssh but still ultimately needs a GUI, is macOS Server.

I'll look into those threads when I can.

Just myself, as usual.

2017-07-18 10:46:45

Thanks for your explanation. I very much appreciate it. I sent you an e-mail with some questions. If you can answer those that would be great. :-)

Ulysses, KJ7ERC
She/they
Reedsy