RE: [Openvpn-users] Securing *all* traffic over a wireless network - how?


  • Subject: RE: [Openvpn-users] Securing *all* traffic over a wireless network - how?
  • From: "Andrew J. Richardson" <andrew@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 13 Dec 2004 11:56:47 -0500
  • Importance: Normal

I use OpenVPN to secure my home WiFi net, while also leaving the access
point available to guests.  I have an all-Windows net and a Netgear
router/ap.  I use TAP interfaces on all machines.  Basically, to accomplish
this you'll need one machine that connects to your LAN by way of a wired
ethernet connection.

On that machine, run an OpenVPN server daemon, preferably using UDP.  On
each client machine, run an OpenVPN session that connects to the wired
server.  Use "redirect-gateway local" on the clients to send all traffic
through the wired machine.  Make sure you turn on packet forwarding on the
wired machine (in the OS, there's a MS knowledge base article on the single
registry change required) as well as provide a return route to the vpn
subnet on your main gateway.  For me, that gateway is my router/ap.  Also
note that there's a registry change required to ensure your DNS lookups go
through the vpn, not directly to the WAN gateway.  It's noted in the 2.0
notes on the OpenVPN web site.

You'll encounter a bottleneck when running traffic both into and out of the
wired server machine, though.  Since your clients will be sending all of
their traffic to the wired server, which decrypts and retransmits back out
the gateway, then all over again in reverse for returned traffic, that
ethernet NIC gets a LOT of use.  My wired server can get about 2.5 Mbps
downstream from the WAN, but my wired clients are chopped down to about 1
Mbps.  Big hit.  Do your big file downloads on the wired server.

One possible fix is to run two ethernet NICs on the wired server and bind
OpenVPN to just one, then route all clear-text traffic in/out the other NIC.
I haven't tried that yet.

Good luck!

Andrew
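The advice above (redirect-gateway on the clients, forwarding and a return route on the wired server, DNS forced through the tunnel) only does its job if the client's routing table really sends everything except the VPN endpoint into the tun device. The script below is an added example, not code from Andrew's post or from the OpenVPN project: it does a longest-prefix lookup against a `netstat -rn` style table and reports which destinations would leave the machine outside the tunnel. The sample table is constructed from the one Louis quotes further down in this thread; the assumption that the AP address 10.10.10.1 is also the DHCP-supplied resolver, and the public address 198.51.100.7, are mine and not stated anywhere in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): check from the routing
# table that "all traffic" really egresses via the tunnel, DNS included.
#
# Sample input constructed from the netstat -rn table quoted later in this
# thread (Louis's client after associating to the AP and starting OpenVPN).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.1     10.10.10.1      255.255.255.255 UGH       0 0          0 ath0
10.1.1.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.1.1.1        10.1.1.5        255.255.255.255 UGH       0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 ath0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 ath0
0.0.0.0         10.1.1.5        0.0.0.0         UG        0 0          0 tun0'

# route_iface TABLE DEST
# Longest-prefix match of DEST against a netstat -rn style table; prints the
# egress interface, or nothing when no row (not even a default route) matches.
route_iface() {
  printf '%s\n' "$1" | awk -v dest="$2" '
    function ip2n(s,  o) {
      split(s, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Count the one bits of a contiguous netmask (POSIX awk has no bitwise ops).
    function masklen(m,  n, l) {
      n = ip2n(m); l = 0
      while (n > 0) { l += n % 2; n = int(n / 2) }
      return l
    }
    BEGIN { best = -1; iface = "" }
    # Data rows only: first field is a dotted quad, the interface is field 8.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF >= 8 {
      len = masklen($3)
      blk = 2 ^ (32 - len)            # dividing by 2^(32-len) drops the host bits
      if (int(ip2n(dest) / blk) == int(ip2n($1) / blk) && len > best) {
        best = len; iface = $8
      }
    }
    END { print iface }'
}

# bypassing_tunnel TABLE TUNIF ADDR...
# Prints every ADDR whose egress interface is not TUNIF. With redirect-gateway
# the only expected non-tunnel destinations are the VPN server itself (the
# host route redirect-gateway adds) and the local link; a DNS resolver showing
# up here means name lookups leave the machine in the clear.
bypassing_tunnel() {
  table=$1; tunif=$2; shift 2
  for addr in "$@"; do
    if [ "$(route_iface "$table" "$addr")" != "$tunif" ]; then
      printf '%s\n' "$addr"
    fi
  done
}

# Demo. Assumption not stated in the thread: DHCP on the AP handed out the AP
# itself, 10.10.10.1, as resolver. 198.51.100.7 is a constructed public address.
leaks=$(bypassing_tunnel "$SAMPLE_ROUTES" tun0 10.10.10.1 198.51.100.7)
if [ -n "$leaks" ]; then
  echo "Traffic to these addresses bypasses the tunnel:"
  echo "$leaks"
else
  echo "All checked destinations egress via tun0"
fi
```

Against the quoted table the resolver 10.10.10.1 falls under the 10.0.0.0/8 route on ath0, so DNS would go over the air unencrypted even though the default route points at tun0, which is exactly the symptom Louis describes. On a live client, pass the real table instead of the sample: `bypassing_tunnel "$(netstat -rn)" tun0 <resolver addresses from /etc/resolv.conf>`.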

> > First thing you'll want to do is change from a bridged (dev tap) setup
> > to a routed one (dev tun). Basically, you want to run a DHCP server on
> > your access point to hand out addresses so that your wireless clients
> > can initiate udp/ip communication with the OpenVPN server. Set the
> > DHCP
> 
> How do I go about initiating the wireless interface directly 
> to the UDP/IP port?  Right now I am first getting a DHCP 
> address over the air to the AP (Client: 10.10.10.199 AP: 
> 10.10.10.1) -- then starting openvpn.
> 
> I actually want to keep the AP open and unencrypted for other 
> clients (public access point), but I want my connection to be 
> fully encrypted (traffic + DNS etc).
> 
> I was thinking the option "--redirect-gateway local" is there to do
> what I need, basically route everything over that secure tunnel after I
> initiate it -- but this appears to give an error on the client "Options
> error: unknown --redirect-gateway flag: 'local'" -- does anyone know if
> this is a bug or if I'm doing something wrong with it?  Can I just
> manually change my routes to make this happen (is that what this option
> would do anyway?)
> 
> Here is what my interface/routes look like (After wifi 
> connect and then openvpn start):
> 1) After I first connect to my AP
> ath0      Link encap:Ethernet  HWaddr [removed]
>           inet addr:10.10.10.184  Bcast:10.255.255.255  Mask:255.0.0.0
>           inet6 addr: [removed]/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:11281 errors:1510 dropped:0 overruns:0 frame:1510
>           TX packets:9438 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:199
>           RX bytes:9207081 (8.7 MiB)  TX bytes:1684308 (1.6 MiB)
>           Interrupt:11 Memory:22900000-22910000
> 
> tun0      Link encap:UNSPEC  HWaddr [removed]
>           inet addr:10.1.1.6  P-t-P:10.1.1.5  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:40 (40.0 b)
> 
> # netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.3.1     10.10.10.1      255.255.255.255 UGH       0 0          0 ath0
> 10.1.1.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
> 10.1.1.1        10.1.1.5        255.255.255.255 UGH       0 0          0 tun0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 ath0
> 10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 ath0
> 0.0.0.0         10.1.1.5        0.0.0.0         UG        0 0          0 tun0
> 
> Actually, I just realized I have configured 'remote 
> 192.168.3.1' in my OpenVPN client config which is my LAN 
> interface on my m0n0wall box.  But my wireless interface is 
> OPT1 10.10.10.1 which I am initially connecting to, I 
> probably want to have OpenVPN bound to OPT1 -- I wonder if 
> that is my problem with DNS traffic going cleartext (will 
> test this evening).
> 
> Thanks...
> 
> Louis



____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users