
Setting up wifi at my home with OpenVPN

By Jeroen van Nieuwenhuizen

After having bought a laptop I saw the advantages of having a wireless network at home. However, during my study in computer science I focused on computer security, which is why I also have some concerns about using wifi technology. After thinking about it for a while I decided to implement the following solution, using OpenVPN for the VPN part.

The requirements

When I made the design of my wireless network at home I had the following requirements:
  • Unauthorized users of my AP should not be able to reach my servers.
  • Unauthorized users of my AP should not be able to use my Internet connection.
  • I should be able to reach my servers without any problem.
  • Guests should not be able to reach my servers.
  • When my bordergate router breaks I must be able to fix it within a reasonable time.

The design

The design I came up with is the following: the internal network is divided into 2 parts. Part 1 is connected via a gateway (Heimdall) to the Internet using NAT. This part has IP addresses in the 192.168.0.0/24 range. Part 2 has the IP range 192.168.2.0/24 and is connected by a router (Garm) to Part 1. Garm blocks all traffic coming from the 192.168.2.0/24 range unless it is from an IP with a user authenticated by authpf.

Below is a picture of the final layout of the network I have in mind. The blue lines are wifi links. The green line indicates a VPN tunnel.

Picture of the wifi network

Configuring Heimdall

For the above configuration to work, 2 things have to be changed on Heimdall (192.168.0.254). Heimdall has to know it should NAT for both the 192.168.0.0/24 range and the 192.168.2.0/24 range. Hence in the pf configuration of Heimdall the following rules are needed:
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
nat on $ext_if from 192.168.2.0/24 to any -> ($ext_if)
Furthermore Heimdall should know the route to Garm to reach the 192.168.2.0/24 network. This is accomplished by
route add -net 192.168.2.0/24 192.168.0.4
Note that 192.168.0.4 is the address of Garm in the 192.168.0.0/24 network.

Configuring Garm

Garm is equipped with 2 network cards: rl0 with the IP 192.168.0.4 and rl1 with the IP 192.168.2.254. For this article a simplified firewall rule set is used to show the basic setup; in reality the rules are more restrictive. To make an authenticating gateway for the 192.168.2.0/24 network you need at least these rules:
pass in on rl0 all keep state
pass out on rl0 all keep state
These allow all traffic on rl0 (192.168.0.4).

block in on rl1 all
pass out on rl1 all keep state
pass in on rl1 proto tcp from 192.168.2.0/24 to 192.168.2.254 port = 22 keep state
These rules allow, by default, only ssh traffic from the 192.168.2.0/24 network to 192.168.2.254, so that users can authenticate themselves, and block all other incoming traffic on rl1.

anchor authpf in on rl1
This rule indicates that the per-user rules are loaded here. My personal default is the following rule, set in /etc/authpf/jnieuwen/authpf.rules.
pass in on rl1 all keep state
This lets me use all ports. One point to note when configuring authpf on OpenBSD is that the file /etc/authpf/authpf.conf MUST exist, otherwise authpf will not work and ssh sessions will be disconnected immediately.
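As an added example (not code from the original article), the following Python models Garm's "in on rl1" rules with pf's last-match semantics and checks the requirements listed earlier against them. It assumes the per-user authpf rule is bound to the authenticating client's address (authpf's $user_ip macro), and the guest, server and public addresses it uses are constructed.

```python
# Added example, not code from the original article: a small model of Garm's
# "in on rl1" pf rules that checks the article's requirements against them.
# Modelled pf semantics: rules are evaluated in order and the LAST matching rule
# wins (no "quick"); the authpf anchor is flattened into the list where "anchor
# authpf in on rl1" sits, one rule per authenticated client. Assumption: each
# per-user rule is bound to the client's address ($user_ip), not a bare "all".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GARM_RL1 = ip_address("192.168.2.254")   # Garm's address on the wifi segment
WIFI_NET = ip_network("192.168.2.0/24")  # untrusted until authpf says otherwise

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0

def static_rules():
    """The two main-ruleset 'in on rl1' rules from the article."""
    return [
        ("block", lambda p: True),  # block in on rl1 all
        # pass in on rl1 proto tcp from 192.168.2.0/24 to 192.168.2.254 port = 22
        ("pass", lambda p: p.proto == "tcp" and p.dport == 22
         and ip_address(p.src) in WIFI_NET and ip_address(p.dst) == GARM_RL1),
    ]

def authpf_rules(authenticated_ips):
    """anchor authpf: one 'pass in on rl1 from $user_ip' rule per login (assumed)."""
    return [("pass", lambda p, ip=ip: p.src == ip) for ip in authenticated_ips]

def decide(packet, authenticated_ips=()):
    """Verdict for a packet arriving on rl1: the last matching rule wins."""
    verdict = "block"
    for action, match in static_rules() + authpf_rules(authenticated_ips):
        if match(packet):
            verdict = action
    return verdict

def check_requirements(guest="192.168.2.7", me="192.168.2.2"):
    """The article's requirements as named booleans (all addresses constructed)."""
    server, inet = "192.168.0.1", "203.0.113.10"  # an internal server, a public host
    return {
        "guest_cannot_reach_servers": decide(Packet(guest, server, dport=80)) == "block",
        "guest_cannot_use_internet": decide(Packet(guest, inet, dport=443)) == "block",
        "guest_can_ssh_to_garm_to_log_in": decide(Packet(guest, str(GARM_RL1), dport=22)) == "pass",
        "me_reaches_servers_after_login": decide(Packet(me, server, dport=80), {me}) == "pass",
        "guest_still_blocked_after_my_login": decide(Packet(guest, server, dport=80), {me}) == "block",
    }
```

Every value returned by check_requirements() should be True; a False entry points at the requirement the rule set fails to meet.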

Setting up the access point

Setting up the access point was quite easy. I just had to plug it into a switch and give it an SSID and an IP. The IP had to be in the 192.168.2.0/24 range, so 192.168.2.1 was chosen. How to do this depends on your access point, so I don't describe it here. Note that I did not enable WEP encryption, partly because it is not secure and because the plan is to use a VPN tunnel for all traffic anyway.

Encrypting all traffic

After setting up the access point it was necessary to set up the VPN tunnel. I decided to use OpenVPN because of its very easy setup. Furthermore, OpenVPN is available for a broad range of operating systems.

First I created a static key with the following command:
openvpn --genkey --secret wifi.key
After that I had to make a connection point in the 192.168.0.1/24 network. In my case I chose the host at 192.168.0.1 (Hermod). For the laptop in the wifi network I decided to use the 192.168.2.2 IP. On 192.168.0.1 the OpenVPN tunnel is started with
openvpn --remote 192.168.2.2 --dev tun1 --ifconfig 192.168.3.1 192.168.3.2 --secret wifi.key --daemon
Note that I use the 192.168.3.0/24 range for the VPN network, where the VPN tunnel has 192.168.3.1 on Heimdall and 192.168.3.2 on the laptop.

I also had to enable IP forwarding on Hermod to be able to use the VPN tunnel to connect to the Internet. Furthermore Heimdall should have a route for the 192.168.3.0/24 network, which is accomplished by:
route add 192.168.3.0/24 192.168.0.1
The NAT rule for the 192.168.3.0/24 network which should be added to the pf configuration of Heimdall is the following:
nat on $ext_if from 192.168.3.0/24 to any -> ($ext_if)

Connecting a laptop to the network

After all this has been done it is quite easy to connect the laptop securely to the wifi network. First you need to configure the wifi interface with an IP, in our case 192.168.2.2. For my FreeBSD system, where the wifi interface is wi0, this is accomplished by:
ifconfig wi0 inet 192.168.2.2 netmask 255.255.255.0 ssid jeroen.se channel 6
Here jeroen.se is my SSID and my AP is listening on channel 6. After that you need to authenticate yourself to the gateway 192.168.2.254 with ssh to be able to establish a connection to the VPN endpoint on 192.168.0.1. After having authenticated ourselves to the gateway, a host route to 192.168.0.1 is added to make sure we never use the VPN tunnel to reach the VPN endpoint itself. Hence the command
route add 192.168.0.1 192.168.2.254
has to be issued. Now that we know how to reach the other end of the VPN tunnel we can establish the VPN connection by executing
openvpn --remote 192.168.0.1 --dev tun1 --ifconfig 192.168.3.2 192.168.3.1 --secret wifi.key --daemon
After the VPN connection is established it is quite easy to send all traffic that is not on the 192.168.2.0/24 network and not going to 192.168.0.1 through the VPN tunnel, by making 192.168.3.1 the default route, which can be accomplished with
route add default 192.168.3.1

Summary

The setup described here shows that OpenVPN can easily be used to secure a wifi network. Although the network setup is not the most efficient, this choice was made to be able to quickly dismantle the wifi network and use the router of the wifi network as the default router when the default router fails.

Powered by FreeBSD. Generated by a bunch of M4 macros on Wed Oct 1 03:09:02 CEST 2008
$Id: wifi.m4 2194 2008-06-27 20:09:03Z jnieuwen $
© 2002 - 2008 Ir. Jeroen van Nieuwenhuizen