WirelessVPN

Revision 3 as of 2006-12-27 13:39:48

Clear message

Rede Wireless segura usando VPN

Summary

While Wifi encryption generally provides a first protective layer for a wireless network, it is far from being perfect:

  • WEP is still widely used and must be considered as very insecure
  • WPA can also be broken (it requires more efforts), and many devices are still not WPA-enabled

This document intends to provide a complementary approach to secure a wireless network, by using an additional encryption level using a Virtual Private Network (VPN). It is assumed that the reader understands basic IP networks routing and Linux system administration. However, in an attempt to widen the audience to non-experts, this document will not cover many technical aspects of VPN.

This document contains instructions to setup a routed VPN using a static key, which will work with one client only. Multiple-clients setup requires a public key infrastructure (PKI), which is slightly more complex, and is not treated here.

Routing

Ideally, the wireless access point, as well as the Wifi machine, have no direct Internet access. It should be connected to the VPN server, so that all the routing can be handled by the router. In practice, the VPN server would be connected to the LAN_SUBNET with one network interface, and to the wireless access point with another network interface. It is highly recommended to configure different subnets for these two interfaces.

In the document, the network topology is expected to look like:

[WIFI_MACHINE]----(WIFI)---->[WIRELESS_ACCESS_POINT]----(LAN)---->[VPN_SERVER]----->INTERNET (potentially via a local gateway)

Example:

  • The Internet gateway: eth0 inet adr:192.168.0.10 bcast:192.168.0.255 (LAN_SUBNET)
  • The VPN server: eth0 inet adr:192.168.0.1 bcast:192.168.0.255 (LAN_SUBNET)
  • The VPN server: eth1 inet adr:192.168.1.1 bcast:192.168.1.255 (WIFI_SUBNET)
  • The wireless access point: eth0 inet adr:192.168.1.2 bcast:192.168.1.255 (WIFI_SUBNET)
  • Wifi machine (SYSTEM): eth0 inet adr:192.168.1.3 bcast:192.168.1.255 (WIFI_SUBNET)

The following [:IptablesHowTo:iptables] configuration could be installed on the VPN server to route the traffic:

# Default declaration, with DROP as a default INPUT policy
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Enable full access from localhost
-A INPUT -i lo -p all -j ACCEPT

# Allow connections initiated from this machine
-A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

#######################################################
# WIFI --> LAN
#######################################################

# Preventing Wifi to reach LAN_SUBNET
# LAN_SUBNET: Ethernet LAN subnet. Ex: 192.168.0.0/24
-A FORWARD -d LAN_SUBNET -j DROP

# Enable VPN
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT

# Force the machine(s) identified as SYSTEM to use VPN.
# This means that without using VPN, SYSTEM will NOT access the Internet
# SYSTEM: A Wifi machine, or the whole Wifi subnet. Ex: 192.168.1.3
#
# -A FORWARD -s SYSTEM -j DROP

# Allow access to the VPN service
-A INPUT -p udp --dport 1194 -j ACCEPT


#######################################################
# INTERNET/WIFI -> LAN services
#######################################################

# Internal services on the VPN server can potentially
# be made available to LAN_SUBNET
# LAN_SUBNET: Ethernet LAN subnet. Ex: 192.168.0.0/24
-A INPUT -s LAN_SUBNET -p all -j ACCEPT

# Allow SSH from the Internet AND from the Wifi
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# DHCP may also be useful
# -A INPUT -p udp --dport 137:138 -j ACCEPT

# Log all rejected packets to syslog (useful for debugging)
# -A INPUT -j LOG --log-level warn --log-prefix "[DENIED] "

COMMIT

Configuring OpenVPN

Setting up the server

  • Install OpenVPN

Install the following package: openvpn (see InstallingSoftware).

  • Generate a shared static key

cd /etc/openvpn/ && /usr/sbin/openvpn --genkey --secret static.key
  • Comment all the lines from /etc/default/openvpn, and add:

AUTOSTART="openvpn"
  • Populate the configuration file /etc/openvpn/openvpn.conf with:

dev tun
# Network interface used by the VPN server on WIFI_SUBNET
# eth1 (192.168.1.1) in the previous example
local 192.168.1.1
# The following line defines two new VPN interfaces
# ifconfig VPN_SERVER VPN_CLIENT
ifconfig 10.1.0.1 10.1.0.2
up ./office.up
secret static.key
ping 15
tun-mtu 1200
mssfix 1400
verb 3
  • /etc/openvpn/office.up should be executable and contain:

route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
  • Finally, we can complete the routing for the wireless network in the [:IptablesHowTo:iptables] configuration:

#######################################################
# ROUTING WIFI -> LAN/INTERNET
# Route the Wifi traffic to the Internet
#######################################################
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Route all the Wifi traffic -even without VPN!- to the Internet
# WIFI_SUBNET: Wifi subnet. Ex: 192.168.1.0/24
# -A POSTROUTING -s WIFI_SUBNET -o eth0 -j MASQUERADE

# Route traffic from VPN_HOST to the LAN/Internet
# VPN_CLIENT: VPN host (or VPN subnet for multiple-clients setups). Ex: 10.1.0.2
-A POSTROUTING -s VPN_CLIENT -o eth0 -j MASQUERADE
    
COMMIT
  • Start the OpenVPN service:

 /etc/init.d/openvpn start

Setting up the client

  • Install OpenVPN

apt-get install openvpn
  • Copy the static key /etc/openvpn/static.key to the client system in /etc/openvpn.
  • Comment all the lines from /etc/default/openvpn, and add:

AUTOSTART="openvpn"
  • Populate the configuration file /etc/openvpn/openvpn.conf with:

dev tun

# Network interface used by the VPN client (SYSTEM) on WIFI_SUBNET
# eth0 (192.168.1.3) in the previous example
local 192.168.1.3
# Network interface used by the VPN server on WIFI_SUBNET
# eth1 (192.168.1.1) in the previous example
remote 192.168.1.1
nobind
# The following line defines two new VPN interfaces
# ifconfig VPN_CLIENT VPN_SERVER
ifconfig 10.1.0.2 10.1.0.1
up ./home.up
down ./home.down
secret static.key
ping 15
tun-mtu 1200
mssfix 1400
verb 3
  • /etc/openvpn/home.up should be executable and contain:

route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0
# In the following, eth0 is the network interface 
# used by the VPN client (SYSTEM) on WIFI_SUBNET
route del -net 0.0.0.0 netmask 0.0.0.0 dev eth0
  • /etc/openvpn/home.down should be executable and contain:

# In the following, eth0 is the network interface 
# used by the VPN client (SYSTEM) on WIFI_SUBNET
route add -net 0.0.0.0 netmask 0.0.0.0 dev eth0
  • Start the OpenVPN service:

 /etc/init.d/openvpn start

  • If the following ping commands do not return an error, it worked!

ping 10.1.0.1
ping 10.1.0.2

CategoryTraduzir