|
Duplicate Article |
Securing a small Wireless network using VPN
TODO: this document should be split into VPN and wireless specific parts.
TODO: Reorganize this page with other VPN pages, especially the OpenVPN page. Use categories?
Summary
While Wifi encryption generally provides a first protective layer for a wireless network, it is far from being perfect:
- WEP is still widely used and must be considered as very insecure
- WPA can also be broken (it requires more efforts), and many devices are still not WPA-enabled
This document intends to provide a complementary approach to secure a wireless network, by using an additional encryption level using a Virtual Private Network (VPN). It is assumed that the reader understands basic IP networks routing and Linux system administration. However, in an attempt to widen the audience to non-experts, this document will not cover many technical aspects of VPN.
This document contains instructions to setup a routed VPN using a static key, which will work with one client only. Multiple-clients setup requires a public key infrastructure (PKI), which is slightly more complex, and is not treated here.
Routing
Ideally, the wireless access point, as well as the Wifi machine, have no direct Internet access. It should be connected to the VPN server, so that all the routing can be handled by the router. In practice, the VPN server would be connected to the LAN_SUBNET with one network interface, and to the wireless access point with another network interface. It is highly recommended to configure different subnets for these two interfaces.
In the document, the network topology is expected to look like:
[WIFI_MACHINE]----(WIFI)---->[WIRELESS_ACCESS_POINT]----(LAN)---->[VPN_SERVER]----->INTERNET (potentially via a local gateway)
Example:
- The Internet gateway: eth0 inet adr:192.168.0.10 bcast:192.168.0.255 (LAN_SUBNET)
- The VPN server: eth0 inet adr:192.168.0.1 bcast:192.168.0.255 (LAN_SUBNET)
- The VPN server: eth1 inet adr:192.168.1.1 bcast:192.168.1.255 (WIFI_SUBNET)
- The wireless access point: eth0 inet adr:192.168.1.2 bcast:192.168.1.255 (WIFI_SUBNET)
- Wifi machine (SYSTEM): eth0 inet adr:192.168.1.3 bcast:192.168.1.255 (WIFI_SUBNET)
The following iptables configuration could be installed on the VPN server to route the traffic:
# Default declaration, with DROP as a default INPUT policy *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # Enable full access from localhost -A INPUT -i lo -p all -j ACCEPT # Allow connections initiated from this machine -A INPUT -p all -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ####################################################### # WIFI --> LAN ####################################################### # Preventing Wifi to reach LAN_SUBNET # LAN_SUBNET: Ethernet LAN subnet. Ex: 192.168.0.0/24 -A FORWARD -d LAN_SUBNET -j DROP # Enable VPN -A INPUT -i tun+ -j ACCEPT -A FORWARD -i tun+ -j ACCEPT # Force the machine(s) identified as SYSTEM to use VPN. # This means that without using VPN, SYSTEM will NOT access the Internet # SYSTEM: A Wifi machine, or the whole Wifi subnet. Ex: 192.168.1.3 # # -A FORWARD -s SYSTEM -j DROP # Allow access to the VPN service -A INPUT -p udp --dport 1194 -j ACCEPT ####################################################### # INTERNET/WIFI -> LAN services ####################################################### # Internal services on the VPN server can potentially # be made available to LAN_SUBNET # LAN_SUBNET: Ethernet LAN subnet. Ex: 192.168.0.0/24 -A INPUT -s LAN_SUBNET -p all -j ACCEPT # Allow SSH from the Internet AND from the Wifi -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # DHCP may also be useful # -A INPUT -p udp --dport 137:138 -j ACCEPT # Log all rejected packets to syslog (useful for debugging) # -A INPUT -j LOG --log-level warn --log-prefix "[DENIED] " COMMIT
Setting up an OpenVPN server
- Install OpenVPN
Install the following package: openvpn (see InstallingSoftware).
- Generate a shared static key
cd /etc/openvpn/ && sudo /usr/sbin/openvpn --genkey --secret static.key
and change its permissions because now it can't be read by other users but root:
sudo chmod 644 /etc/openvpn/static.key
- Comment all the lines from /etc/default/openvpn, and add:
AUTOSTART="openvpn"
- Populate the configuration file /etc/openvpn/openvpn.conf:
dev tun # Network interface used by the VPN server on WIFI_SUBNET # eth1 (192.168.1.1) in the previous example local 192.168.1.1 # The following line defines two new VPN interfaces # ifconfig VPN_SERVER VPN_CLIENT ifconfig 10.1.0.1 10.1.0.2 script-security 3 up ./office.up secret static.key ping 15 tun-mtu 1200 mssfix 1400 verb 3
Note: be carefull to change the IP in the line local 192.168.1.1 to match the server's IP.
- Create /etc/openvpn/office.up and put in it:
# office.up #!/bin/sh route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
Make it executable:
sudo chmod +x /etc/openvpn/office.up
Finally, we can complete the routing for the wireless network in the iptables configuration:
####################################################### # ROUTING WIFI -> LAN/INTERNET # Route the Wifi traffic to the Internet ####################################################### *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # Route all the Wifi traffic -even without VPN!- to the Internet # WIFI_SUBNET: Wifi subnet. Ex: 192.168.1.0/24 # -A POSTROUTING -s WIFI_SUBNET -o eth0 -j MASQUERADE # Route traffic from VPN_HOST to the LAN/Internet # VPN_CLIENT: VPN host (or VPN subnet for multiple-clients setups). Ex: 10.1.0.2 -A POSTROUTING -s VPN_CLIENT -o eth0 -j MASQUERADE COMMIT
- If you are trying to start OpenVPN the first time and you want to check everything is OK, then execute:
cd /etc/openvpn sudo openvpn openvpn.conf
If you have tested OpenVPN, then it's better to start it as a service with:
sudo /etc/init.d/openvpn start
Other considerations
OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Setting up an OpenVPN client
- Install OpenVPN
sudo apt-get install openvpn
- Copy the static key /etc/openvpn/static.key to the client system in /etc/openvpn.
- Comment all the lines from /etc/default/openvpn, and add:
AUTOSTART="openvpn"
- Populate the configuration file /etc/openvpn/openvpn.conf with:
dev tun # Network interface used by the VPN client (SYSTEM) on WIFI_SUBNET # eth0 (192.168.1.3) in the previous example local 192.168.1.3 # Network interface used by the VPN server on WIFI_SUBNET # eth1 (192.168.1.1) in the previous example remote 192.168.1.1 nobind # The following line defines two new VPN interfaces # ifconfig VPN_CLIENT VPN_SERVER ifconfig 10.1.0.2 10.1.0.1 up ./home.up down ./home.down secret static.key ping 15 tun-mtu 1200 mssfix 1400 verb 3
- Create /etc/openvpn/home.up with this content:
# home.up #!/bin/sh route add -net 10.0.0.0 netmask 255.255.255.0 gw $5 route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0 # In the following, eth0 is the network interface # used by the VPN client (SYSTEM) on WIFI_SUBNET route del -net 0.0.0.0 netmask 0.0.0.0 dev eth0
Make it executable:
sudo chmod +x /etc/openvpn/home.up
- Create /etc/openvpn/home.down with this content:
# home.down #!/bin/sh # In the following, eth0 is the network interface # used by the VPN client (SYSTEM) on WIFI_SUBNET route add -net 0.0.0.0 netmask 0.0.0.0 dev eth0
Make it executable:
sudo chmod +x /etc/openvpn/home.down
- Start the OpenVPN service:
sudo /etc/init.d/openvpn start
- If the following ping commands do not return an error, it worked!
ping 10.1.0.1 ping 10.1.0.2
CategoryVPN