Re: [Openvpn-users] openvpn and WEP again, sorry.


  • Subject: Re: [Openvpn-users] openvpn and WEP again, sorry.
  • From: /dev/rob0 <rob0@xxxxxxxxx>
  • Date: Thu, 1 Sep 2005 16:06:34 -0500

On Thursday 2005-September-01 06:38, Daniel Banyasz wrote:
>  This is all new to me, but it sounds like I can simply assign a
> second IP (on a different subnet) to my internal NIC.

Yes, using iproute2 (/sbin/ip) or just plain ifconfig(8). It's quite 
simple. Have your OS bring up the main address as 192.168.4.1, then 
this will add the second IP:

ip addr add 192.168.2.1/24 label eth1:wifi dev eth1

>  Could I then not just use this second subnet for the wireless AP and
> all its clients?

Yes, anything DHCP'ing through the AP should be given addresses in 
192.168.2.0/24, not given a default gateway, and not allowed routing 
through the firewall.

>  Then I would bridge this second IP address on eth1 to the TAP device

I don't do bridging so I am not sure about this, but IIUC you probably 
cannot do this. I think bridging is done on the basis of interface, and 
I wouldn't think it could work per virtual interface. But using 
ebtables(8) you can probably enforce the separation between the two 
virtual interface subnets.

Consider this attack model: someone connects via wireless and assigns 
themself an unused IP in the "secure" subnet, 192.168.4.0/24. You need 
to recognise that somehow, and refuse to do routing for the intruder.

> IP as I previously described, and those clients that didn't have
> openvpn installed and were just using my wireless after cracking WEP

(You might as well disable WEP anyway.)

> wouldn't be on the bridged network, but on the separate wireless
> subnet, and the firewall would drop all packets???

Right.

>  But how do I set up a DHCP server on the eth1 interface to hand out
> IPs from 2 different ranges on two different subnets?

ISC dhcpd(8) has a lot of tricks in its bag. See dhcpd.conf(5) and 
dhcp-options(5).

>  And how do I know which range and subnet a particular client IP will

I think the simplest approach is to enumerate all your known hosts in 
dhcpd.conf host declarations. Known Ethernet and OpenVPN hosts are in 
the "secure" subnet, 192.168.4.0/24, and all others get addresses from 
a pool in 192.168.2.0/24.

> be. Or should I just forget about this 2 IPs per physical interface
> idea and implement virtual interfaces as originally suggested.

"Virtual interface" was the term I used to describe the idea of two IP 
addresses in distinct and separate logical subnets. I am thinking that 
it can be made to act like a "virtual interface" but I am not sure.

>  ps. I am having trouble replying to the list and having the message
> appear, so apologies if there is a double post.

Sometimes the sourceforge list servers are slow. Also, please keep the 
HTML turned off.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
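The dhcpd.conf layout sketched in this reply (known Ethernet and OpenVPN hosts pinned by host declarations in 192.168.4.0/24, everyone else drawn from a 192.168.2.0/24 pool with no default gateway), written out as an added example that is not from the original thread. It assumes both subnets sit on eth1, so they are grouped in one shared-network, and the MAC addresses are placeholders.

```conf
# ISC dhcpd: two logical subnets on one physical interface (eth1)
ddns-update-style none;
default-lease-time 3600;
max-lease-time 7200;

shared-network eth1 {
    # "secure" subnet: only hosts listed in a host declaration below
    subnet 192.168.4.0 netmask 255.255.255.0 {
        option routers 192.168.4.1;
        option domain-name-servers 192.168.4.1;
        pool {
            # unknown MACs never get an address from this range
            deny unknown-clients;
            range 192.168.4.100 192.168.4.150;
        }
    }

    # wireless subnet: everyone not listed above lands here
    subnet 192.168.2.0 netmask 255.255.255.0 {
        # no "option routers": these clients are given no default gateway
        option domain-name-servers 192.168.2.1;
        pool {
            allow unknown-clients;
            range 192.168.2.100 192.168.2.200;
        }
    }
}

# Known hosts (placeholder MACs): fixed addresses in the secure subnet.
host desk-eth {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.4.10;
}
host laptop-vpn {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 192.168.4.11;
}
```

A known host without a fixed-address still gets a lease from the 192.168.4.x pool; DHCP only controls what is handed out, so a client that self-assigns a 192.168.4.x address still has to be caught by the firewall/ebtables rules discussed above.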
