Re: [Openvpn-users] Securing *all* traffic over a wireless network - how?


  • Subject: Re: [Openvpn-users] Securing *all* traffic over a wireless network - how?
  • From: David Mallwitz <dave@xxxxxxxxxxxxx>
  • Date: Sun, 12 Dec 2004 22:32:51 -0500

Louis wrote:

> I would like to use OpenVPN over my public wireless access point, and
> have *all* traffic encrypted.  Right now it appears that some traffic
> (DNS/..) is routed in clear text.
>
> cat /etc/openvpn/client.conf
> remote 192.168.3.1
> port 5000
> ;dev tun
> dev tap
> ping 10
> ;comp-lzo
> verb 4
> mute 10
> tls-client
> ca my-ca.crt
> cert client.crt
> key client.key
> pull
> verb 4
>
> If anyone can tell me how to get the local flag working, or what I need
> to do to get all traffic going over the TAP/TUN links please let me
> know, thanks,

First thing you'll want to do is change from a bridged (dev tap) setup
to a routed one (dev tun). Basically, you want to run a DHCP server on
your access point to hand out addresses so that your wireless clients
can initiate udp/ip communication with the OpenVPN server. Set the DHCP
server up so that it doesn't hand out default route or DNS settings
(i.e. no 'option routers' or 'option domain-name-servers' entries), as
they'd just be overwritten. Since DHCP works on an ethernet level you
won't need any firewall rules for this part to work, but you will need
to leave a UDP port open for the OVPN server, and allow any traffic you
want to let through on the tun device. Configure your OVPN server like this:

port <whatever>
proto udp
dev tun
daemon

ca /path/to/ca.crt
cert /path/to/server.crt
key /path/to/server.key
dh /path/to/dh1024.pem
crl-verify /path/to/crl.pem

server x.x.x.x y.y.y.y
push "redirect-gateway"
push "dhcp-option DNS x.x.x.x"

client-to-client <optional, might be a security risk for your clients>
keepalive 10 60
cipher <pick one, AES-128-CBC is what I use>
mute-replay-warnings

user nobody
group nobody
persist-key
persist-tun

status openvpn-status.log
verb 4
mute 4

...and your clients like this:

dev tun
client
proto udp
port <whatever>
ifconfig-nowarn <optional>

remote <use the numeric IP address of your OVPN server, not the FQDN>
nobind

mute-replay-warnings
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key

verb 4
mute 3

Anyone able to connect to your wireless signal will be unable to route
packets through your access point until they establish a VPN connection,
at which point all traffic should be encrypted.

Anyway, that's how I'm doing it for my Linux and Mac clients. I don't
have any wireless Windows users, so I can't say categorically that the
above configs will work unchanged for them, but I think it should be OK.

Best,
Dave
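The points Dave's reply makes about the server and client configs, expressed as a small lint over OpenVPN config files. This is an added example, not code from the thread or from OpenVPN, and it assumes the plain one-directive-per-line config syntax shown above (no inline <ca> blocks); the sample configs in the checks are constructed.

```python
import ipaddress
import shlex
VALID_PROTO = {"udp", "udp4", "udp6", "tcp", "tcp4", "tcp6", "tcp-client", "tcp-server"}

def parse_ovpn(text):
    """(directive, args) pairs; blank and '#'/';' comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line)  # keeps push "dhcp-option DNS x" as one arg
            entries.append((tokens[0], tokens[1:]))
    return entries

def first(opts, name, default=None):
    return opts[name][0] if opts.get(name) else default  # default if absent or bare

def lint_server(text):
    entries = parse_ovpn(text)
    opts = dict(entries)  # later duplicates win, as in OpenVPN itself
    pushed = [a[0].split() for d, a in entries if d == "push" and a]
    findings = []
    if first(opts, "dev") != "tun":
        findings.append("dev is not tun: use a routed (tun) setup, not bridged (tap)")
    if not any(p[:1] == ["redirect-gateway"] for p in pushed):
        findings.append('no push "redirect-gateway": clients keep their plaintext default route')
    if not any(p[:2] == ["dhcp-option", "DNS"] for p in pushed):
        findings.append('no push "dhcp-option DNS ...": client DNS queries bypass the tunnel')
    if "client-to-client" in opts:
        findings.append("client-to-client exposes clients to each other; drop it unless needed")
    if "user" not in opts or "group" not in opts:
        findings.append("no user/group: the daemon keeps root privileges after startup")
    return findings

def lint_client(text):
    opts = dict(parse_ovpn(text))
    findings = []
    if first(opts, "dev") != "tun":
        findings.append("dev is not tun: must match the routed server")
    proto = first(opts, "proto", "udp")
    if proto not in VALID_PROTO:
        findings.append("proto %r is not a valid transport (typo for udp?)" % proto)
    remote = first(opts, "remote", "")
    try:
        ipaddress.ip_address(remote)
    except ValueError:
        findings.append("remote %r is not a numeric IP: no DNS works before the tunnel is up" % remote)
    if "client" not in opts and "pull" not in opts:
        findings.append("neither client nor pull: pushed gateway and DNS would be ignored")
    return findings
```

Run against Louis's original client.conf it reports only the bridged `dev tap`; against the reply's client config it catches a `proto upd` typo, which OpenVPN would otherwise reject at startup.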