WLAN - Setup and protection with OpenVPN
Preface
On this page we want to publish our experience in setting up a wireless LAN and protecting it using OpenVPN. We used a Netgear WG302 access point and, as clients, our laptops with Centrino chipset and Intel WLAN adapters. Here we describe the setup on the basis of the WG302, but we try to keep it as generally valid as possible. However, some options may not be available on every access point.
Once again we want to point out that we don't guarantee the correctness of the following text and the provided scripts.
We want to integrate a wireless LAN into our existing intranet over a separate subnet. It ought to be secured and connected to the intranet by a VPN. For this purpose the router or the firewall (if this is an ordinary PC) gets a new LAN interface, which will later be connected to the access point. It shouldn't be connected to the existing LAN directly, but rather separated from it by a firewall. Many devices already come with this functionality, but the WG302 is a dedicated access point without an integrated router or firewall. The VPN server role will be handled by a PC in the intranet.
At this point we don't want to commit ourselves to certain systems or software, and we describe the settings only in a general way.
Setup of the WLAN clients
By now, practically all popular Linux distributions support wireless LAN adapters. Therefore it should not be a problem to put them into operation using standard Linux tools. Usually it is the same as setting up a LAN interface, except that an SSID (sometimes also called ESSID), a mode (usually 'managed') and, if necessary, a key must be provided in addition. As OpenVPN not only runs on Linux, but also on Windows, Mac and several BSD variants, this solution can be called platform independent. As there are no generally valid instructions, we won't go into details here.
Firewall settings
The firewall of the clients can be restricted to accept only DHCP and OpenVPN traffic to a dedicated port on the wireless interface. Everything else on this interface can be ignored.
The gateway to the intranet will only let the VPN connection pass. This can be done by routing or by port forwarding. We will use port forwarding, because this way it is possible, if necessary, to move the VPN server without changing the client configurations. All other packets from and into the WLAN subnet will be blocked.
At the VPN server no special settings are required as long as the right port is accessible. In the case of OpenVPN this is UDP port 1194 (the default) or any other free port; even TCP is possible.
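The two firewall positions described above, written out as netfilter rules. This is an added example and not a script from the original page; interface names (wlan0, eth2), the addresses 192.168.10.1 (gateway on the WLAN side) and 192.168.1.10 (VPN server in the intranet) and the port are constructed placeholders. With DRY_RUN=1 the rules are only printed, so they can be reviewed before they touch a live firewall.

```shell
#!/bin/sh
# Added example, not part of the original page: netfilter rules for the
# WLAN client and for the gateway between the WLAN subnet and the intranet.
# Interface names, addresses and the port are constructed placeholders.
# With DRY_RUN=1 the rules are printed instead of applied.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Client side: on the wireless interface only DHCP and the OpenVPN tunnel
# to one address/port are allowed; everything else is dropped.
#   $1 = wireless interface, $2 = OpenVPN UDP port,
#   $3 = address the client connects to (the gateway, which forwards it)
client_wlan_rules() {
    wif="$1"; vport="$2"; vhost="$3"
    # Replies to traffic the client started (DHCP answers, VPN packets)
    run -A INPUT -i "$wif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP offers and acks arrive from server port 67 to client port 68
    run -A INPUT -i "$wif" -p udp --sport 67 --dport 68 -j ACCEPT
    # Nothing else is accepted from the WLAN side
    run -A INPUT -i "$wif" -j DROP
    # Outbound: DHCP requests and the tunnel to the VPN endpoint only
    run -A OUTPUT -o "$wif" -p udp --sport 68 --dport 67 -j ACCEPT
    run -A OUTPUT -o "$wif" -p udp -d "$vhost" --dport "$vport" -j ACCEPT
    run -A OUTPUT -o "$wif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -o "$wif" -j DROP
}

# Gateway side: forward only the OpenVPN port from the WLAN subnet to the
# VPN server in the intranet; all other traffic between the two is blocked.
#   $1 = interface towards the access point, $2 = gateway address on it,
#   $3 = OpenVPN UDP port, $4 = VPN server address in the intranet
gateway_rules() {
    wif="$1"; gw_ip="$2"; vport="$3"; vsrv="$4"
    # Clients talk to the gateway address; DNAT hands the packets to the
    # real server, so the server can move without changing any client
    run -t nat -A PREROUTING -i "$wif" -p udp -d "$gw_ip" --dport "$vport" \
        -j DNAT --to-destination "$vsrv:$vport"
    run -A FORWARD -i "$wif" -p udp -d "$vsrv" --dport "$vport" -j ACCEPT
    run -A FORWARD -o "$wif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else from or into the WLAN subnet is dropped
    run -A FORWARD -i "$wif" -j DROP
    run -A FORWARD -o "$wif" -j DROP
}

# To review the rules: DRY_RUN=1 sh wlan-rules.sh
# To apply them, call the two functions from your own firewall script.
if [ "${DRY_RUN:-0}" = 1 ]; then
    client_wlan_rules wlan0 1194 192.168.10.1
    gateway_rules eth2 192.168.10.1 1194 192.168.1.10
fi
```

Two caveats for real use: the rules append to whatever is already in the chains, so they belong in a script that flushes or sets the policies first, and some DHCP clients send and receive through raw packet sockets, which netfilter does not see, so the DHCP lines may be redundant on such a system and are harmless there.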
Access Point Settings
We chose the WG302 because it has several interesting features, e.g. RADIUS support and VPN passthrough. Unfortunately there is no exact statement of what the latter really means. Mostly this stands for the ability to deal with VPN solutions based on IPsec, L2TP and PPTP. According to the manufacturer the access point is prepared for the new security standard IEEE 802.11i, which would be interesting in future scenarios. It also allows the radio output power to be set up to 100 mW, which is the legal maximum here. We will explain the most important settings here.
Basic wireless settings
To change the settings you have to log in on the device. In this case it can be done from a browser at a web interface or from a terminal using SSH. The default password should be replaced by a new and secure one!
Country settings: Defines the country the access point will be used in. A wrong setting may violate national law.
SSID: This is the network name. It should be chosen in a way that does not let someone guess the access point in use (default of the WG302: NETGEAR) or the owner (for non-public networks). Sometimes this is also called ESSID.
Broadcast SSID: This option is often disabled to increase network security. In fact this just does not publish the network name, and sometimes it even troubles the connection process. It is more comfortable to enable this option, even more so if there are other security measures anyway.
Operating Mode: Here it can be set whether to use mode b (11 Mbit/s) or mode g (54 Mbit/s). It is also possible to use automatic mode selection. In this case mode g will be used, and the access point falls back automatically when a mode b client connects. But then all other clients are forced to use mode b, too.
Channel/Frequency: For channel selection it is recommended to keep a distance of 5 channels from other wireless networks in range to prevent disruptions. Our access point has a feature named AutoCell, which handles nearby WLAN cells and selects an optimal channel automatically.
Data Rate: Here the transfer rate can be set. The WG302 also provides a rate of 108 Mbit/s if the mode is set to g and the channel is 6. But this rate is not part of the standard, and therefore you will always need certain client hardware from the same manufacturer to use it. The most suitable setting here is 'best'.
Output Power: This setting is also managed by AutoCell. If there is no such option, the output power should be set to a value that provides good coverage at all required places. On the other hand the covered area should not be as large as possible. The location of the access point plays a major role in this.
IP Settings: Here the access point's IP address, the subnet mask of the WLAN and the gateway can be set. Additional settings like DNS are not required here. Though the WG302 has a DHCP client on board, a static IP is better here. Important: If the IP address was changed, the connection will be lost when the changes are applied. You have to log in again afterwards.
Wireless security settings
To ensure the security of the transmission, the access point provides WEP and, like most current devices, WPA encryption. As mentioned earlier, it is also prepared for IEEE 802.11i, which means it will get WPA2 support by firmware update. As WEP doesn't provide real security, it should not be used at all. However, WPA isn't supported by older WLAN adapters, and some drivers don't provide WPA support yet. Because of this we disabled the WLAN encryption and use OpenVPN instead.
Network Authentication: This setting enables the access point to authenticate a user by its shared key. If it is disabled, no authentication will be done (OpenSystem). Then this can be done in an alternative way, like RADIUS. OpenVPN also provides several possibilities, so we will confine ourselves to this way to keep the configuration manageable.
Wireless Security Client Separator: Because everyone can connect to the WLAN now, this option prevents the clients from communicating with each other on this level. When connected in the VPN, this is possible again.
MAC Access Control List: This list contains the MAC addresses of the clients that are allowed to connect. This security feature is one of those that don't provide real security. Faking a MAC address isn't a big hurdle.
Additional settings
Like most current access points, the WG302 also has a DHCP server. We use it to distribute IP addresses, subnet mask and default gateway to the clients. DNS and WINS are not required, because from the view of the WLAN there is only one service using it: OpenVPN. Here every client creates a connection to a certain static IP address.
OpenVPN is an open source project and one of the few VPN solutions that don't use IPsec. Some of its features are several encryption algorithms, integrity checks and user authentication mechanisms.
Installation
After getting the current sources from the OpenVPN homepage and unpacking them at a suitable place, they can be easily compiled and installed using the three well-known commands:
./configure
make
make install
When using "./configure --help" all available options will be listed. Then the directory for the configuration files must be created: "/etc/openvpn". The sources also contain a directory called "sample-scripts/". Among others this contains the script openvpn.init, which can be copied to "/etc/rc.d/init.d/openvpn". With the command "chkconfig --add openvpn" every runlevel gets its start and stop entries for the OpenVPN service. For the server this is recommended, but for the clients it makes more sense to start it in another way. The init script looks for .conf files in /etc/openvpn at startup and starts an OpenVPN process for every file found there. If there are additional shell scripts named
Server configuration
In our case we decided to use a network bridge that connects the VPN with our intranet. There are also some example scripts within the sources, among others bridge-start and bridge-stop, which can be used to create and tear down the bridge from the tap and eth interfaces using the tools available from the operating system. Of course these scripts can be expanded to your demands, but at least they should be adapted to your own network. Then bridge-start could be invoked in the way described in the previous chapter.
The most important configuration options are:
# Bridge mode
--server-bridge
Because we enabled the Wireless Security Client Separator earlier, we use the option --client-to-client here to allow communication between clients. More parameters can be found in the OpenVPN man page. There are also configurations for different scenarios in our examples to demonstrate other options.
Client configuration
The clients require fewer options, but they have to correspond with the server options in some points. For example, if packet compression shall be used, the option --comp-lzo must be used at the server and at the clients. Other options don't have to be specified at client side. They will be sent from the server to the client by using --push "
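The server and client configurations described in the two sections above, as an added example that is neither the page's own configuration nor taken from the OpenVPN project. It writes a minimal bridge-mode server.conf with --server-bridge, --client-to-client, --comp-lzo and one pushed setting, a matching client.conf, and a small check that the directives which have to agree on both sides (protocol, port, device type, compression) really do. The bridge address 192.168.1.1 with its client pool, the gateway address 192.168.10.1 and the key paths under /etc/openvpn/keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the page or the OpenVPN project: writes a minimal
# bridge-mode server configuration and a matching client configuration,
# then checks that the directives which must agree on both sides do.
# Addresses, interface names and key paths are constructed placeholders.
# In a config file the directives are written without the leading "--".

write_server_conf() {
    # $1 = output path
    cat > "$1" <<'EOF'
# Server side (constructed example)
port 1194
proto udp
dev tap0
# Bridge address, netmask and the pool handed out to VPN clients
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
# Clients may reach each other again inside the VPN
client-to-client
comp-lzo
keepalive 10 120
persist-key
persist-tun
# Placeholder key material, generated separately (e.g. with easy-rsa)
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh.pem
# Settings handed to the clients instead of being configured there
push "dhcp-option DNS 192.168.1.1"
EOF
}

write_client_conf() {
    # $1 = output path, $2 = address the client connects to, $3 = port
    cat > "$1" <<EOF
# Client side (constructed example)
client
remote $2 $3
proto udp
dev tap
comp-lzo
persist-key
persist-tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key  /etc/openvpn/keys/client.key
EOF
}

# First value of a directive in a config file, comment lines ignored
conf_value() {
    grep -v '^[[:space:]]*#' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Succeeds when the directive occurs in the file
has_directive() {
    grep -v '^[[:space:]]*#' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# Returns 0 when server ($1) and client ($2) agree on the options that must match
check_pair() {
    s="$1"; c="$2"
    [ "$(conf_value "$s" proto)" = "$(conf_value "$c" proto)" ] ||
        { echo "proto differs"; return 1; }
    # The server's port must be the port in the client's remote line
    [ "$(conf_value "$s" port)" = "$(conf_value "$c" remote | awk '{ print $2 }')" ] ||
        { echo "port differs"; return 1; }
    # Both sides must use the same device type (tap for a bridge)
    [ "$(conf_value "$s" dev | cut -c1-3)" = "$(conf_value "$c" dev | cut -c1-3)" ] ||
        { echo "dev type differs"; return 1; }
    # Compression is all or nothing
    if has_directive "$s" comp-lzo; then
        has_directive "$c" comp-lzo || { echo "comp-lzo only on server"; return 1; }
    else
        ! has_directive "$c" comp-lzo || { echo "comp-lzo only on client"; return 1; }
    fi
    return 0
}

# Usage: sh make-confs.sh /etc/openvpn   (writes server.conf and client.conf there)
if [ -n "$1" ]; then
    write_server_conf "$1/server.conf"
    write_client_conf "$1/client.conf" 192.168.10.1 1194
    check_pair "$1/server.conf" "$1/client.conf" && echo "configs are consistent"
fi
```

The client's remote address is the gateway on the WLAN side, not the VPN server itself, which is what makes the port forwarding from the firewall section work: the server can move inside the intranet while client.conf stays unchanged.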
Copyright © 2000-2009 foobar GmbH Chemnitz