[Cialug] Slightly OT: Interesting wireless networking article

Nathan Stien nathanism at gmail.com
Tue Mar 27 14:54:31 CDT 2007


On 3/27/07, kristau <kristau at gmail.com> wrote:
> Here's a concept I've considered, but I've never taken time to do a
> test implementation of it.
>
> Set up an unencrypted WAP sitting in front of a combo firewall and
> OpenVPN server.  Configure the firewall to only allow connections to
> the VPN server.  All other traffic is dropped.  Therefore, wireless
> clients must connect to the VPN server and authenticate to get any
> further than the "sandbox."  Connecting to the VPN encrypts all
> traffic traversing the airwaves between the client and VPN server.

I've pondered that as well.

I would guess the best argument against this is that fewer people know
how to connect to a VPN than know how to type in a preshared key for a
WPA2 session.  Anybody with Windows XP SP2 onwards needs no special
knowledge or software to securely connect to your network.  It just
pops up and asks you for your key the first time, and after that
you're set.

(And then if anyone steals that laptop even temporarily, they can get your key.)

On the admin side, most access points / wireless routers of course
have very easy point and click interfaces for setting up WPA2-PSK,
whereas in my experience VPNs are generally more work to get running
unless your router is very fancy.

This being a LUG and your home likely being a very controlled
environment, these drawbacks are probably irrelevant to you.  (Until
your friend comes over with his Vista laptop and wants to check his
email...).  I would imagine OpenVPN to likely have better crypto
(longer keys at the very least) than WPA, though.  Also, potential
attackers would be much less likely to be prepared for this setup.
More security but less usability, which may well be the right tradeoff
for the linux-inclined.


-- 
Nathan P. Stien
Consulting Engineer / Software Developer
Embedded Systems Electronics and Software
http://linkedin.com/in/nathanstien
Mobile: 309.241.2581

