Scribd
Upload
192 views

Vpnserver: Securing A Small Wireless Network Using VPN

This document provides instructions for setting up a VPN server and client to securely route traffic from a wireless network. The VPN server is configured with OpenVPN and iptables to accept VPN connections on one interface and route traffic to the local network on another. The client installs OpenVPN and connects to the server, routing its traffic over the VPN. Configuration files and routing rules are defined to establish the VPN and direct wireless traffic through the secure tunnel.

Uploaded by

pichuski
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as ODT, PDF, TXT or read online on Scribd
192 views

Vpnserver: Securing A Small Wireless Network Using VPN

This document provides instructions for setting up a VPN server and client to securely route traffic from a wireless network. The VPN server is configured with OpenVPN and iptables to accept VPN connections on one interface and route traffic to the local network on another. The client installs OpenVPN and connects to the server, routing its traffic over the VPN. Configuration files and routing rules are defined to establish the VPN and direct wireless traffic through the secure tunnel.

Uploaded by

pichuski
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as ODT, PDF, TXT or read online on Scribd
You are on page 1/ 5

VPNServer

Parent page: Internet and Networking


Tabla de Contenidos
1. Summary
2. Routing
3. Setting up an OpenVPN server
1. Other considerations
4. Setting up an OpenVPN client
Securing a small Wireless network using VPN
TODO: this document should be split into VPN and wireless specific parts.
TODO: Reorganize this page with other VPN pages, especially the OpenVPN page. Use categories?

Summary
While Wifi encryption generally provides a first protective layer for a wireless network, it is far
from being perfect:
WEP is still widely used and must be considered as very insecure
WPA can also be broken (it requires more efforts), and many devices are still not WPAenabled
This document intends to provide a complementary approach to secure a wireless network, by using
an additional encryption level using a Virtual Private Network (VPN). It is assumed that the reader
understands basic IP networks routing and Linux system administration. However, in an attempt to
widen the audience to non-experts, this document will not cover many technical aspects of VPN.
This document contains instructions to setup a routed VPN using a static key, which will work with
one client only. Multiple-clients setup requires a public key infrastructure (PKI), which is slightly
more complex, and is not treated here.

Routing
Ideally, the wireless access point, as well as the Wifi machine, have no direct Internet access. It
should be connected to the VPN server, so that all the routing can be handled by the router. In
practice, the VPN server would be connected to the LAN_SUBNET with one network interface,
and to the wireless access point with another network interface. It is highly recommended to
configure different subnets for these two interfaces.
In the document, the network topology is expected to look like:
[WIFI_MACHINE]----(WIFI)---->[WIRELESS_ACCESS_POINT]----(LAN)--->[VPN_SERVER]----->INTERNET (potentially via a local gateway)

Example:

The Internet gateway: eth0 inet adr:192.168.0.10 bcast:192.168.0.255 (LAN_SUBNET)


The VPN server: eth0 inet adr:192.168.0.1 bcast:192.168.0.255 (LAN_SUBNET)
The VPN server: eth1 inet adr:192.168.1.1 bcast:192.168.1.255 (WIFI_SUBNET)
The wireless access point: eth0 inet adr:192.168.1.2 bcast:192.168.1.255 (WIFI_SUBNET)
Wifi machine (SYSTEM): eth0 inet adr:192.168.1.3 bcast:192.168.1.255 (WIFI_SUBNET)

The following iptables configuration could be installed on the VPN server to route the traffic:
# Default declaration, with DROP as a default INPUT policy
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Enable full access from localhost
-A INPUT -i lo -p all -j ACCEPT
# Allow connections initiated from this machine
-A INPUT -p all -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#######################################################
# WIFI --> LAN
#######################################################
# Preventing Wifi to reach LAN_SUBNET
# LAN_SUBNET: Ethernet LAN subnet. Ex: 192.168.0.0/24
-A FORWARD -d LAN_SUBNET -j DROP
# Enable VPN
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
#
#
#
#
#

Force the machine(s) identified as SYSTEM to use VPN.


This means that without using VPN, SYSTEM will NOT access the Internet
SYSTEM: A Wifi machine, or the whole Wifi subnet. Ex: 192.168.1.3
-A FORWARD -s SYSTEM -j DROP

# Allow access to the VPN service


-A INPUT -p udp --dport 1194 -j ACCEPT
#######################################################
# INTERNET/WIFI -> LAN services
#######################################################
# Internal services on
# be made available to
# LAN_SUBNET: Ethernet
-A INPUT -s LAN_SUBNET

the VPN server can potentially


LAN_SUBNET
LAN subnet. Ex: 192.168.0.0/24
-p all -j ACCEPT

# Allow SSH from the Internet AND from the Wifi


-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# DHCP may also be useful
# -A INPUT -p udp --dport 137:138 -j ACCEPT
# Log all rejected packets to syslog (useful for debugging)
# -A INPUT -j LOG --log-level warn --log-prefix "[DENIED] "
COMMIT

Setting up an OpenVPN server


Install OpenVPN
Install the following package: openvpn (see InstallingSoftware).
Generate a shared static key
cd /etc/openvpn/ && sudo /usr/sbin/openvpn --genkey --secret static.key

and change its permissions because now it can't be read by other users but root:
sudo chmod 644 /etc/openvpn/static.key

Comment all the lines from /etc/default/openvpn, and add:


AUTOSTART="openvpn"

Populate the configuration file /etc/openvpn/openvpn.conf:


dev tun
# Network interface used by the VPN server on WIFI_SUBNET
# eth1 (192.168.1.1) in the previous example
local 192.168.1.1
# The following line defines two new VPN interfaces
# ifconfig VPN_SERVER VPN_CLIENT
ifconfig 10.1.0.1 10.1.0.2
script-security 3
up ./office.up
secret static.key
ping 15
tun-mtu 1200
mssfix 1400
verb 3

Note: be carefull to change the IP in the line local 192.168.1.1 to match the server's IP.
Create /etc/openvpn/office.up and put in it:
# office.up
#!/bin/sh
route add -net 10.0.1.0 netmask 255.255.255.0 gw $5

Make it executable:
sudo chmod +x /etc/openvpn/office.up

Finally, we can complete the routing for the wireless network in the iptables configuration:
#######################################################
# ROUTING WIFI -> LAN/INTERNET
# Route the Wifi traffic to the Internet
#######################################################
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Route all the Wifi traffic -even without VPN!- to the Internet
# WIFI_SUBNET: Wifi subnet. Ex: 192.168.1.0/24

# -A POSTROUTING -s WIFI_SUBNET -o eth0 -j MASQUERADE


# Route traffic from VPN_HOST to the LAN/Internet
# VPN_CLIENT: VPN host (or VPN subnet for multiple-clients setups). Ex: 10.1.0.2
-A POSTROUTING -s VPN_CLIENT -o eth0 -j MASQUERADE
COMMIT

If you are trying to start OpenVPN the first time and you want to check everything is OK,
then execute:
cd /etc/openvpn
sudo openvpn openvpn.conf

If you have tested OpenVPN, then it's better to start it as a service with:
sudo /etc/init.d/openvpn start

Other considerations
OpenVPN's default port number is now 1194, based on an official port number assignment by
IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.

Setting up an OpenVPN client


Install OpenVPN
sudo apt-get install openvpn

Copy the static key /etc/openvpn/static.key to the client system in /etc/openvpn.


Comment all the lines from /etc/default/openvpn, and add:
AUTOSTART="openvpn"

Populate the configuration file /etc/openvpn/openvpn.conf with:


dev tun
# Network interface used by the VPN client (SYSTEM) on WIFI_SUBNET
# eth0 (192.168.1.3) in the previous example
local 192.168.1.3
# Network interface used by the VPN server on WIFI_SUBNET
# eth1 (192.168.1.1) in the previous example
remote 192.168.1.1
nobind
# The following line defines two new VPN interfaces
# ifconfig VPN_CLIENT VPN_SERVER
ifconfig 10.1.0.2 10.1.0.1
up ./home.up
down ./home.down
secret static.key
ping 15
tun-mtu 1200
mssfix 1400
verb 3

Create /etc/openvpn/home.up with this content:

# home.up
#!/bin/sh
route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0
# In the following, eth0 is the network interface
# used by the VPN client (SYSTEM) on WIFI_SUBNET
route del -net 0.0.0.0 netmask 0.0.0.0 dev eth0

Make it executable:
sudo chmod +x /etc/openvpn/home.up

Create /etc/openvpn/home.down with this content:


# home.down
#!/bin/sh
# In the following, eth0 is the network interface
# used by the VPN client (SYSTEM) on WIFI_SUBNET
route add -net 0.0.0.0 netmask 0.0.0.0 dev eth0

Make it executable:
sudo chmod +x /etc/openvpn/home.down

Start the OpenVPN service:


sudo /etc/init.d/openvpn start

If the following ping commands do not return an error, it worked!


ping 10.1.0.1
ping 10.1.0.2

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy